----- On 17 Jan, 2016, at 14:48, Rob Crittenden rcritten(a)redhat.com wrote:
Phil Daws wrote:
> Hello all:
>
> Have tried to get my lab set up with 389 and secure connections multiple times
> now with disasterous results; and yes have tried to follow
>
http://www.port389.org/docs/389ds/howto/howto-ssl.html
>
> Here is a very brief walkthrough of what I did:
>
> * from my PKI created four certificates - node1 admin and node2 directory +
> node2 admin and node2 directory certificates
> * on both node1 and node2 installed the following packages:
>
> [root@ads01 ~]# rpm -qa | grep 389
> 389-adminutil-1.1.22-1.el7.x86_64
> 389-ds-base-1.3.4.0-21.el7_2.x86_64
> 389-admin-console-1.1.10-1.el7.noarch
> 389-console-1.1.9-1.el7.noarch
> 389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
> 389-admin-1.1.42-1.el7.x86_64
> 389-ds-console-1.2.12-1.el7.noarch
>
> * on node1 ran setup-ds-admin.pl and configured the initial directory server
> * on node1 configured the admin to use TLS + the directory server so that it
> bound to 636
> * on node2 ran setup-ds-admin.pl and joined the directory server on node1
> * on node2 configured the admin to use TLS
> * on node2 launch 389-console using https and then try to connect too the
> directory server on node2 and it just hangs and fails with an SSL error over
> and over:
>
> [Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit:
> NSS is required to use LDAPS, but security initialization failed [-8015:The
> certificate/key database is in an old, unsupported format or failed to open.].
Double-check that the user that 389-ds runs as has read permissions to
the NSS database.
Permissions look fine with 0440 and owned by the user that slapd is running under.
>
> How does one perform an install, with two nodes, that each has an administration
> instance plus a directory server running TLS on 636 ?? Have not even been able
> to attempt multi-master replication yet :(
>
> All help appreciated. Thanks, Phil