On 07/10/2013 12:16 PM, Alberto Viana wrote:
Hi Noriko,
DS Base: 389-Directory/1.3.1.3 B2013.189.1813
389 DS + Win2008 (I use my windows as CA)
The error came out again, so I decided to investigate it.
The error:
[10/Jul/2013:10:52:23 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): Trying secure slapi_ldap_init_ext
[10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): binddn = CN=Conta de sincronizacao do AD com LDAP
389,OU=APLICACOES,DC=homolog,DC=rnp, passwd =
{DES}Zdi9SkO9E8Jpy/LJq528zg==
[10/Jul/2013:10:52:25 -0300] slapi_ldap_bind - Error: could not send
bind request for id [CN=Conta de sincronizacao do AD com LDAP
389,OU=APLICACOES,DC=homolog,DC=rnp] authentication mechanism
[SIMPLE]: error -1 (Can't contact LDAP server), system error -5987
(Invalid function argument.), network error 115 (Operation now in
progress, host "hmg1.homolog.rnp")
[10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): Replication bind with SIMPLE auth failed: LDAP error -1
(Can't contact LDAP server) ((unknown error code))
The error starts when I set the option "Check hostname against name in
certificate for outbound SSL connections" in Configuration ->
Encryption tab.
If I uncheck this option, everything works fine again. As far as I
know, this option checks if the CN of the certificate is the same as the
host in the connection. Am I right?
Right.
I don't think that it is something with my certs, because I have the
same environment working fine with ds base "389-Directory/1.2.10.12
B2012.210.1745" with this option checked.
Either it's something with your certs, or something with your hostname
lookups (/etc/hosts, DNS, NIS, etc.)
I also set nsslapd-errorlog-level to "16384", but it didn't give me
anything else.
What could it be? Is there anything else that I can provide to help debug?
Thanks
Alberto Viana
On Mon, Jul 8, 2013 at 5:38 PM, Noriko Hosoi <nho...@redhat.com> wrote:
Alberto Viana wrote:
Hi,
I got it. Everything is working fine now, so it was something in
the old branch (1.3.0.4)
Glad to hear that. Thanks so much for the report. And please
keep us updated...
--noriko
Alberto Viana
On Mon, Jul 8, 2013 at 5:17 PM, Noriko Hosoi <nho...@redhat.com> wrote:
Alberto Viana wrote:
Hi man,
Where can I find the 1.3.1 source to download? I tried
http://directory.fedoraproject.org/wiki/Source#Directory_Server_Source_Code,
but it's not available over there.
You can get it here:
A source tarball is available for download at
http://port389.org/sources/389-ds-base-1.3.1.3.tar.bz2
Please see also:
http://directory.fedoraproject.org/wiki/Releases/1.3.1.3
Thanks,
--noriko
Alberto Viana
On Fri, Jul 5, 2013 at 3:24 PM, Alberto Viana
<alberto...@gmail.com> wrote:
No. It's a new server cert (it's the same name, but I
preferred to revoke it and generate a new one).
Yes, for sure. I will try to rebuild everything on this
branch (and make new certs just to ensure there is
nothing related with it), and if the error persists, I
will try this other branch and let you know.
Alberto Viana
On Fri, Jul 5, 2013 at 3:15 PM, Noriko Hosoi
<nho...@redhat.com> wrote:
Alberto Viana wrote:
Noriko,
No, it's a new machine. I just rebuilt everything.
When you switched to the new machine, did you reuse the
old server cert from the previous DS or renew it?
Subject: "CN=hmg2.homolog.rnp,OU=GTI,O=Rede
Nacional de Ensino e Pesquisa,L=Rio de Janeiro,C=BR"
And if you rebuild everything, do you have any
chance to try the branch 389-ds-base-1.3.1 instead
of 1.3.0? (although there should be no difference in
the DS -> AD bind)
--noriko
I'm using Ubuntu 12.04.2 LTS.
Alberto Viana
On Fri, Jul 5, 2013 at 2:50 PM, Noriko Hosoi
<nho...@redhat.com> wrote:
Alberto Viana wrote:
I already imported my certificates into 389
ds and windows 2008. I use win2008 as CA.
Just to remember that the same environment was
working fine with my previous 389DS version.
You upgraded 389-ds-base from 1.2.10.12 to
1.3.0.4 using in-place upgrade? What is your
platform?
--noriko
--
389 users mailing list
389-us...@lists.fedoraproject.org
<mailto:389-us...@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/389-users
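
Added example, not part of the thread and not 389 DS code: a simplified Python model of the comparison that the "Check hostname against name in certificate" option discussed above enables, for checking by hand whether the host name used in a sync agreement can match the names in the peer's certificate. The certificate dictionaries are constructed sample data in the shape returned by `ssl.SSLSocket.getpeercert()`, and the SAN-before-CN and wildcard rules are the usual convention, assumed here rather than taken from the server's TLS library.

```python
# Added example: simplified model of a TLS client's hostname check.
# The certificates are constructed sample data in the shape returned by
# ssl.SSLSocket.getpeercert(); they are not the certificates from the thread.

CN_ONLY_CERT = {"subject": ((("commonName", "hmg1.homolog.rnp"),),)}
SAN_CERT = {
    "subject": ((("commonName", "hmg1.homolog.rnp"),),),
    "subjectAltName": (("DNS", "ad.example.test"),),
}

def cert_names(cert):
    """DNS names the client may match: SAN dNSName entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # assumption: CN is ignored once SAN dNSName entries exist
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Label-by-label, case-insensitive compare; '*' only as the leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a short name such as "hmg1" never equals an FQDN
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # conservative: no "*.tld"
    return p == h

def check_host(cert, host):
    """Return (ok, names) for the host name the client used to connect."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names

if __name__ == "__main__":
    for cert, host in [(CN_ONLY_CERT, "hmg1.homolog.rnp"),
                       (CN_ONLY_CERT, "hmg1"),
                       (SAN_CERT, "hmg1.homolog.rnp")]:
        ok, names = check_host(cert, host)
        print(f"{host!r:22} vs {names}: {'match' if ok else 'MISMATCH'}")
```

The name passed to `check_host` should be exactly the host string configured for the outbound connection, since that string, not whatever it resolves to, is what gets compared with the certificate.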