Phil Daws wrote:
Hello all:
Have tried to get my lab set up with 389 and secure connections multiple times now with
disasterous results; and yes have tried to follow
http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
* from my PKI created four certificates - node1 admin and node2 directory + node2 admin
and node2 directory certificates
* on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-1.3.4.0-21.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-console-1.2.12-1.el7.noarch
* on node1 ran setup-ds-admin.pl and configured the initial directory server
* on node1 configured the admin to use TLS + the directory server so that it bound to
636
* on node2 ran setup-ds-admin.pl and joined the directory server on node1
* on node2 configured the admin to use TLS
* on node2 launch 389-console using https and then try to connect too the directory
server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is
required to use LDAPS, but security initialization failed [-8015:The certificate/key
database is in an old, unsupported format or failed to open.].
Double-check that the user that 389-ds runs as has read permissions to
the NSS database.
>
> How does one perform an install, with two nodes, that each has an administration
instance plus a directory server running TLS on 636 ?? Have not even been able to attempt
multi-master replication yet :(
>
> All help appreciated. Thanks, Phil
>