On 12/05/2013 10:12 AM, Alberto Viana wrote:

I have 2 389 running (389-Directory/1.3.2.6 and 389-Directory/1.3.1.3) with multiple master configuration.

When I set the option "check hostname against name in certificate for outbound SSL connections" the agreement does not work and shows me this error:

[05/Dec/2013:14:35:55 -0200] slapi_ldap_bind - Error: could not send bind request for id [uid=app.389.w,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 115 (Operation now in progress, host "hmg2.homolog.rnp")

[05/Dec/2013:14:35:55 -0200] NSMMReplicationPlugin - agmt="cn=389-HMG2" (hmg2:636): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((unknown error code))

When I unset the option, everything works as expected.

Here's the subject of my certificates:

Subject: C=BR, ST=Rio de Janeiro, L=Rio de Janeiro, O=Rede Nacional de Ensino e Pesquisa, OU=GTI, CN=hmg3.homolog.rnp

Subject: C=BR, ST=Rio de Janeiro, L=Rio de Janeiro, O=Rede Nacional de Ensino e Pesquisa, OU=GTI, CN=hmg2.homolog.rnp

My DNS is configured correctly (the reverse too).

In my production enviroment this options works fine, but it's a little bit old (389-Directory/1.2.10.12)

What version of NSS do you have in your production environment?
What version of NSS do you have in your test environment?

rpm -q nss

Any clues?

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users