Problem trying to use REST api
by Iván Rodríguez Conde
Hi.
My name is Ivan. I’m trying to use 389ds’ REST API, but all the queries I’ve made have returned a “404 Not Found” answer. I’ve made simple queries like:
curl -X GET -G "http://localhost:9830/v1/suffix"
I have installed both 389 directory server and admin server, both properly working in my local machine (Fedora 28). Directory server is accessible from port 389 and admin server is accessible from port 9830.
I’d really appreciate it if you could guide me or give me some tips about what I can do in order to make it work.
Thanks in advance for your attention. Regards
5 years, 11 months
Rolling upgrade 389DS infrastructure
by Roberto Lulli
Dear all,
we are running a multi-master and multi-slave 389DS configuration that
involves several DBs and hence several replication agreements.
All masters are now running 389DS version 1.2 on CentOS 6. Some slaves
are running 389DS 1.3 on CentOS 7, so we know that the replication
agreement and DB propagation from 1.2 to 1.3 work fine.
Do you know if this is also true for 1.3 to 1.2 propagation? Can we
upgrade the masters to CentOS 7 and 389DS version 1.3 and then all
slaves? Or must all slaves run 389DS version 1.3 in order to receive
the DB from 389DS version 1.3?
Our goal is to update one master at a time while keeping the core
infrastructure working.
Regards,
Roberto
--
System & Network Administrator
Dipartimento di Fisica - Università di Roma Tor Vergata
INFN - Sez. di Roma Tor Vergata
Via della Ricerca Scientifica, 1
00133 - Rome - Italy
Tel.: +39-06-72594527 E-Mail: Roberto.Lulli(a)roma2.infn.it
5 years, 11 months
Master-slave replication procedure
by Michal Medvecky
Hello,
I’m trying hard to figure out the right (ansible-automated) procedure for setting up master-slave replication, but I often get RUV errors on agreements pointing to already initialized replicas.
My scenario is with 4 master servers (with multimaster replication working correctly) and 4 (independent) slave servers.
List of steps:
0) setup master-master replication between master servers (works OK)
1) create replication user cn=myreplicationusername,cn=config on all slaves
2) create LDAP entry:
dn: cn=replica,cn="dc=test,dc=com",cn=mapping tree,cn=config
nsds5replicaroot: "dc=test,dc=com"
nsds5replicaid: "{{ range(1,65530) | random }}"
nsds5replicatype: "2"
nsds5ReplicaBindDN: "cn=myreplicationusername,cn=config"
nsds5flags: "0"
3) create ro agreement from every master to every slave
on every master server, create LDAP entry
for every slave:
dn: 'cn=ro-to-{{ one of slaves }},cn=replica,cn="dc=test,dc=com",cn=mapping tree,cn=config'
objectClass:
  - nsds5replicationagreement
  - top
attributes:
  nsds5replicahost: "{{ one of slaves }}"
  nsds5replicaport: "389"
  nsds5ReplicaBindDN: "cn=myreplicationusername,cn=config"
  nsds5replicabindmethod: "SIMPLE"
  nsds5ReplicaTransportInfo: "LDAP"
  nsds5replicaroot: "dc=test,dc=com"
  description: "Agreement between {{ me }} and {{ one of slaves }}"
  nsds5replicaupdateschedule: "0001-2359 0123456"
  nsds5replicatedattributelist: "(objectclass=*) $ EXCLUDE authorityRevocationList"
  nsds5replicacredentials: "unbreakable"
4) refresh replicas (Created in 2)) on all hosts except the first master
on {{ first master server }} update all agreements with nsds5BeginReplicaRefresh: "start"
5) wait until nsds5BeginReplicaRefresh attribute disappears
6) run tests.
And this is the pain point and the reason I’m emailing the list - I add a dummy record to every master server and check it on all slaves.
But tests often fail on a random server.
# ./test.sh
Testing master-slave replication ...
-----------
Adding entry to ldap-master01.test.com
adding new entry "uid=slave-repl-test-1,dc=test,dc=com"
Checking entry on slave servers
Checking uid=slave-repl-test-1 on ldap-slave01 ... 1 results ✓
Checking uid=slave-repl-test-1 on ldap-slave02 ... 1 results ✓
Checking uid=slave-repl-test-1 on ldap-slave03 ... 1 results ✓
Checking uid=slave-repl-test-1 on ldap-slave04 ... 0 results ☠
Removing entry from ldap-master01
deleting entry "uid=slave-repl-test-1,dc=test,dc=com"
-----------
Adding entry to ldap-master02.test.com
adding new entry "uid=slave-repl-test-2,dc=test,dc=com"
Checking entry on slave servers
Checking uid=slave-repl-test-2 on ldap-slave01 ... 1 results ✓
Checking uid=slave-repl-test-2 on ldap-slave02 ... 1 results ✓
Checking uid=slave-repl-test-2 on ldap-slave03 ... 1 results ✓
Checking uid=slave-repl-test-2 on ldap-slave04 ... 0 results ☠
Removing entry from ldap-master02
deleting entry "uid=slave-repl-test-2,dc=test,dc=com"
-----------
Adding entry to ldap-master03.test.com
adding new entry "uid=slave-repl-test-3,dc=test,dc=com"
Checking entry on slave servers
Checking uid=slave-repl-test-3 on ldap-slave01 ... 1 results ✓
Checking uid=slave-repl-test-3 on ldap-slave02 ... 1 results ✓
Checking uid=slave-repl-test-3 on ldap-slave03 ... 1 results ✓
Checking uid=slave-repl-test-3 on ldap-slave04 ... 0 results ☠
Removing entry from ldap-master03
deleting entry "uid=slave-repl-test-3,dc=test,dc=com"
-----------
Adding entry to ldap-master04.test.com
adding new entry "uid=slave-repl-test-4,dc=test,dc=com"
Checking entry on slave servers
Checking uid=slave-repl-test-4 on ldap-slave01 ... 1 results ✓
Checking uid=slave-repl-test-4 on ldap-slave02 ... 1 results ✓
Checking uid=slave-repl-test-4 on ldap-slave03 ... 1 results ✓
Checking uid=slave-repl-test-4 on ldap-slave04 ... 0 results ☠
Removing entry from ldap-master04
deleting entry "uid=slave-repl-test-4,dc=test,dc=com"
List agreement update status on ldap-master01:
ldap-master01:
dn: cn=ro-to-ldap-slave01.test.com,cn=replica,cn=dc\3Dtest\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: ro-to-ldap-slave01.test.com
nsds5replicaLastUpdateStatus: Error (1) Can't acquire busy replica
dn: cn=ro-to-ldap-slave02.test.com,cn=replica,cn=dc\3Dtest\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: ro-to-ldap-slave02.test.com
nsds5replicaLastUpdateStatus: Error (1) Can't acquire busy replica
dn: cn=ro-to-ldap-slave03.test.com,cn=replica,cn=dc\3Dtest\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: ro-to-ldap-slave03.test.com
nsds5replicaLastUpdateStatus: Error (1) Can't acquire busy replica
dn: cn=ro-to-ldap-slave04.test.com,cn=replica,cn=dc\3Dtest\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: ro-to-ldap-slave04.test.com
nsds5replicaLastUpdateStatus: Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)
The fourth agreement seems uninitialized; but surely it was. I know that “Can’t acquire busy replica” is fine.
What am I doing wrong?
389-ds 1.3.7.10-1ubuntu1 on Ubuntu 18.04.
Thank you for help
Michal
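To tell which of the four consumers actually needs a re-initialisation, here is an added example (not Michal's code and not a 389 DS tool): a Python script that classifies agreement status strings like the ones listed above and compares the replication generation and max CSNs found in each server's nsds50ruv values. The status strings, RUV values and CSNs in it are constructed sample data; the host names follow the test.com naming used in the post.

```python
"""Added example (not Michal's code, not a 389 DS tool): offline checks on the
data at hand when an agreement reports a RUV error.  classify_status() separates
transient "busy replica" noise from a generation-ID error; generation_mismatches()
finds servers whose {replicageneration} differs from the rest (they need a
re-init); lagging_rids() lists replica IDs a consumer is behind on.  nsds50ruv
values come from the suffix's RUV tombstone (nsuniqueid ffffffff-ffffffff-
ffffffff-ffffffff).  All values below are constructed, not from a real server."""
import re
from collections import Counter

STATUS_RE = re.compile(r"Error \((\d+)\)")
GEN_RE = re.compile(r"^\{replicageneration\}\s+(\S+)$")
ELEM_RE = re.compile(r"^\{replica (\d+) (ldaps?://[^}]+)\}(?:\s+(\S+))?(?:\s+(\S+))?$")

SAMPLE_STATUS = {  # constructed, in the format of nsds5replicaLastUpdateStatus
    "ro-to-ldap-slave01.test.com": "Error (0) Replica acquired successfully: Incremental update succeeded",
    "ro-to-ldap-slave02.test.com": "Error (1) Can't acquire busy replica",
    "ro-to-ldap-slave04.test.com": "Error (19) Replication error acquiring replica: Replica has different "
                                   "database generation ID, remote replica may need to be initialized (RUV error)",
}
def _elem(rid, host, mincsn, maxcsn):  # one constructed RUV element
    return f"{{replica {rid} ldap://{host}.test.com:389}} {mincsn} {maxcsn}"

GEN = "{replicageneration} 5b1e0a2c000000010000"
M1 = _elem(1, "ldap-master01", "5b1e0a40000000010000", "5b1e1c00000300010000")
M2 = _elem(2, "ldap-master02", "5b1e0a44000000020000", "5b1e1b90000000020000")
M2_OLD = _elem(2, "ldap-master02", "5b1e0a44000000020000", "5b1e1b10000000020000")
SAMPLE_RUVS = {  # slave04 carries a generation that no supplier has
    "ldap-master01": [GEN, M1, M2],
    "ldap-master02": [GEN, M2, M1],
    "ldap-slave01": [GEN, M1, M2_OLD],
    "ldap-slave04": ["{replicageneration} 5b1e0b77000000010000",
                     _elem(1, "ldap-master01", "5b1e0b80000000010000", "5b1e0b80000000010000")],
}

def classify_status(status):
    """Map one nsds5replicaLastUpdateStatus string to ok/transient/needs_init/error."""
    m = STATUS_RE.search(status)
    code = int(m.group(1)) if m else -1
    if code == 0:
        return "ok"
    if code == 1:  # another supplier holds the consumer right now; the update is retried
        return "transient"
    if "generation ID" in status or "RUV error" in status:
        return "needs_init"
    return "error"

def parse_ruv(values):
    """Return (generation, {rid: (url, mincsn, maxcsn)}) from a list of nsds50ruv values."""
    generation, elements = None, {}
    for value in values:
        gm, em = GEN_RE.match(value), ELEM_RE.match(value)
        if gm:
            generation = gm.group(1)
        elif em:
            rid, url, mincsn, maxcsn = em.groups()
            elements[int(rid)] = (url, mincsn, maxcsn)
    return generation, elements

def generation_mismatches(ruvs_by_server):
    """Servers whose {replicageneration} differs from the majority generation."""
    gens = {srv: parse_ruv(vals)[0] for srv, vals in ruvs_by_server.items()}
    counts = Counter(g for g in gens.values() if g)
    if not counts:  # no RUV anywhere: every server is suspect
        return sorted(gens)
    majority = counts.most_common(1)[0][0]
    return sorted(srv for srv, g in gens.items() if g != majority)

def lagging_rids(supplier_ruv, consumer_ruv):
    """Replica IDs whose max CSN on the consumer is behind (or absent from) the
    supplier's RUV.  CSNs are fixed-width hex, so string order is time order."""
    sup, con = parse_ruv(supplier_ruv)[1], parse_ruv(consumer_ruv)[1]
    return sorted(rid for rid, (_, _, smax) in sup.items()
                  if smax and (rid not in con or (con[rid][2] or "") < smax))
```

A consumer reported by generation_mismatches() will keep failing with error 19 no matter how often the agreement is refreshed from a supplier with the other generation; only a re-initialisation from such a supplier replaces its generation.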
5 years, 11 months
ldapsearch performance problem
by Jan Kowalsky
Hi all,
while moving a 389ds server to another machine (and another version) I
noticed performance issues during ldapsearch.
Normally a query is quite quick (about 20ms), but sometimes (like every
five seconds) it hangs for one or even several seconds.
I test this with:
time ldapsearch -h localhost ...
Since the new server should be a lot faster (cpu, io) I'm wondering
what can cause this.
There is a replication with three servers and a supplier-supplier config
among each. We have about 50 databases, but each with a maximum of a few
hundred records. Most of them are smaller.
I looked at the cache configuration, but it is similar to the old
server and I get an entrycachehitratio of about 99%.
Any idea for further debugging?
Regards
Jan
5 years, 11 months
Debug password check syntax
by Alberto Viana
Hi Guys,
I'm testing the password policy and want to debug it. Basically I'm trying
to set a valid password (based on my password policy) and 389 returns
"19: Constraint violation".
What should be nsslapd-errorlog-level to debug it?
Thanks
5 years, 11 months
Announcing 389 Directory Server 1.4.0.10
by Mark Reynolds
389 Directory Server 1.4.0.10
The 389 Directory Server team is proud to announce 389-ds-base version
1.4.0.10
Fedora packages are available on Fedora 28 and 29 (rawhide).
Rawhide (F29):
https://koji.fedoraproject.org/koji/taskinfo?taskID=27497180
F28:
https://koji.fedoraproject.org/koji/taskinfo?taskID=27498255
https://bodhi.fedoraproject.org/updates/FEDORA-2018-9bfae55f1c
The new packages and versions are:
* 389-ds-base-1.4.0.10-1
Source tarballs are available for download at
https://releases.pagure.org/389-ds-base/389-ds-base-1.4.0.10.tar.bz2
Highlights in 1.4.0.10
* Security and Bug fixes
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *dnf install 389-ds-base*, then run *dscreate*. For the
Cockpit UI plugin use “dnf install cockpit-389-ds”.
See Install_Guide <http://www.port389.org/docs/389ds/howto-install-389>
for more information about the initial installation, setup, and upgrade.
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.4.0.10
* Ticket 49640 - Errors about PBKDF2 password storage plugin at
server startup
* Ticket 49571 - perl subpackage and python installer by default
* Ticket 49740 - UI - Replication monitor color coding is not
colorblind friendly
* Ticket 49741 - UI - View/Edit replication agreement hangs WebUI
* Ticket 49703 - UI - Set default values in create instance form
* Ticket 49742 - Fine grained password policy can impact
search performance
* Ticket 49768 - Under network intensive load persistent search can
erroneously decrease connection refcnt
* Ticket 49765 - compiler warning
* Ticket 49689 - Cockpit subpackage does not build in PREFIX installations
* Ticket 49765 - Async operations can hang when the server is
running nunc-stans
* Ticket 49745 - UI add filter options for error log severity levels
* Ticket 49761 - Fix test suite issues
* Ticket 49754 - instances created with dscreate can not be upgraded
with setup-ds.pl
* Ticket 47902 - UI - add continuous refresh log feature
* Ticket 49381 - Add docstrings to plugin test suites - Part 1
* Ticket 49646 - Improve TLS cert processing in lib389 CLI
* Ticket 49748 - Passthru plugin startTLS option not working
* Ticket 49732 - Optimize resource limit checking for rootdn
issued searches
* Ticket 48377 - Bundle jemalloc
* Ticket 49736 - Hardening of active connection list
* Ticket 48184 - clean up and delete connections at shutdown (3rd)
* Ticket 49675 - Revise coverity fix
* Ticket 49333 - Do not remove versioned man pages
* Ticket 49683 - Add support for JSON option in lib389 CLI tools
* Ticket 49704 - Error log from the installer is concatenating all
lines into one
* Ticket 49726 - DS only accepts RSA and Fortezza cipher families
* Ticket 49722 - Errors log full of “ WARN - keys2idl - recieved NULL
idl from index_read_ext_allids, treating as empty set” messages
* Ticket 49582 - Add py3 support to memberof_plugin test suite
* Ticket 49675 - Fix coverity issues
* Ticket 49576 - Add support of “;deletedattribute” in ds-replcheck
* Ticket 49706 - Finish UI patternfly conversions
* Ticket 49684 - AC_PROG_CC clobbers CFLAGS set by --enable-debug
* Ticket 49678 - organiSational vs organiZational spelling in lib389
* Ticket 49689 - Fix local “make install” after adding cockpit subpackage
* Ticket 49689 - Move Cockpit UI plugin to a subpackage
* Ticket 49679 - Missing nunc-stans documentation and doxygen warnings
* Ticket 49588 - Add py3 support for tickets : part-1
* Ticket 49576 - Update ds-replcheck for new conflict entries
* Ticket 48184 - clean up and delete connections at shutdown (2nd try)
* Ticket 49698 - Remove unneeded patternfly files from Cockpit package
* Ticket 49581 - Fix dynamic plugins test suite
* Ticket 49665 - remove obsoleted upgrade scripts
* Ticket 49693 - A DB_DEADLOCK while adding a tombstone (RUV) leads to
access of an already freed entry
* Ticket 49696 - replicated operations should be serialized
* Ticket 49669 - Invalid cachemem size can crash the server during
a restore
* Ticket 49684 - AC_PROG_CC clobbers CFLAGS set by --enable-debug
* Ticket 49685 - make clean fails if cargo is not installed
* Ticket 49106 - Move ds_* scripts to libexec
* Ticket 49657 - Fix cascading replication scenario in lib389 API
* Ticket 49671 - Readonly replicas should not write internal ops
to changelog
* Ticket 49673 - nsslapd-cachememsize can’t be set to a value bigger
than MAX_INT
* Ticket 49519 - Convert Cockpit UI to use strictly patternfly stylesheets
* Ticket 49665 - Upgrade script doesn’t enable CRYPT password
storage plug-in
* Ticket 49665 - Upgrade script doesn’t enable PBKDF2 password
storage plug-in
5 years, 11 months
Announcing 389 Directory Server 1.3.8.3
by Mark Reynolds
389 Directory Server 1.3.8.3
The 389 Directory Server team is proud to announce 389-ds-base version
1.3.8.3
Fedora packages are available on Fedora 27.
https://koji.fedoraproject.org/koji/taskinfo?taskID=27563282
https://bodhi.fedoraproject.org/updates/FEDORA-2018-34937d412d
The new packages and versions are:
* 389-ds-base-1.3.8.3-2
Source tarballs are available for download at
https://releases.pagure.org/389-ds-base/389-ds-base-1.3.8.3.tar.bz2
Highlights in 1.3.8.3
* Security and bug fixes
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use *yum install 389-ds*. After install completes, run
*setup-ds-admin.pl* if you have 389-admin installed, otherwise please
run *setup-ds.pl* to set up your directory server.
To upgrade, use *yum upgrade*. After upgrade completes, run
*setup-ds-admin.pl -u* if you have 389-admin installed, otherwise please
run *setup-ds.pl* to update your directory server/admin
server/console information.
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade.
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
Pagure project: https://pagure.io/389-ds-base
* Bump version to 1.3.8.3-2
* Ticket 49576 - ds-replcheck: fix certificate directory verification
* Ticket 49746 - Additional compiler errors on ARM
* Ticket 49746 - Segfault during replication startup on Arm device
* Ticket 49742 - Fine grained password policy can impact
search performance
* Ticket 49768 - Under network intensive load persistent search can
erroneously decrease connection refcnt
* Ticket 49765 - compiler warning
* Ticket 49765 - Async operations can hang when the server is
running nunc-stans
* Ticket 49748 - Passthru plugin startTLS option not working
* Ticket 49736 - Hardening of active connection list
* Ticket 48184 - clean up and delete connections at shutdown (3rd)
* Ticket 49726 - DS only accepts RSA and Fortezza cipher families
* Ticket 49722 - Errors log full of “ WARN - keys2idl - recieved NULL
idl from index_read_ext_allids, treating as empty set” messages
* Ticket 49576 - Add support of “;deletedattribute” in ds-replcheck
* Ticket 49576 - Update ds-replcheck for new conflict entries
5 years, 11 months
389 and Active Directory 2016
by JESSE LUNT
Hello,
Does 389 synchronize with Active Directory 2016? I have found
documentation saying 2003, 2008, and 2012 are supported.
-Jesse
--
Jesse Lunt
Director of Network and User Services
Office of Information Services
North Shore Community College
(978)-762-4014
5 years, 11 months
Re: SSL replication error
by Mark Reynolds
What version of openldap is on your system? There is a known issue fixed
in openldap-2.4.23-31 and up.
Can you do an ldapsearch from one system to the other?
ldapsearch -ZZ -xLLL -h HOST -p PORT -b "" -s base
Then check the DS access and errors logs. There should be more info
there about the failure.
I just set up self-signed certs on F28 and everything works for me
(with host name checking set to "on").
-------------------------------------------------------------------------
[root@ibm-ls22-04 slapd-localhost]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  u,u,Pu
--------------------------------------------------------------------------
Can you run "certutil -L" on your cert db? Do your trust attrs match mine?
Maybe your cert is missing the basic constraints extension (See my CA
cert for an example)?
Here is my info:
Server Cert:
========================================
# certutil -d /etc/dirsrv/slapd-HOST -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1001 (0x3e9)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=CAcert"
Validity:
Not Before: Tue Jun 05 11:19:13 2018
Not After : Mon Jun 05 11:19:13 2028
Subject: "CN=ibm-ls22-04.rhts.eng.brq.redhat.com,OU=389
Directory Server"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (SHA-256):
D9:DB:31:8F:A7:57:03:8F:28:9D:53:C1:32:AE:28:B3:02:F5:CE:E7:72:62:A8:BF:DD:92:39:A9:FD:98:05:C0
Fingerprint (SHA1):
85:C4:0B:3F:FC:A3:57:FB:90:D5:BE:B7:E5:8A:9A:B6:48:CB:63:4C
Mozilla-CA-Policy: false (attribute missing)
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
Terminal Record
Trusted
User
CA Cert:
=========================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=CAcert"
Validity:
Not Before: Tue Jun 05 11:19:12 2018
Not After : Mon Jun 05 11:19:12 2028
Subject: "CN=CAcert"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions:
    Name: Certificate Basic Constraints
    Critical: True
    Data: Is a CA with no maximum path length.
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (SHA-256):
96:63:89:07:30:CF:27:6F:E9:42:F7:AC:B8:71:47:12:74:52:D8:37:4D:9C:66:22:D1:2A:E3:FF:C6:89:2A:75
Fingerprint (SHA1):
7D:43:C9:FA:E4:53:18:D7:5B:F6:11:76:D9:04:A1:E2:AA:62:FA:4F
Mozilla-CA-Policy: false (attribute missing)
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
I see your hostname is set as an alternative subject DN, but I don't see
a "main" subject in the cert you provided. Run the certutil commands
like I did above and let's see what is different or missing.
HTH,
Mark
On 06/04/2018 11:48 AM, Michal Medvecky wrote:
> Hello,
>
> I tried with Fedora 28:
>
> [root@ldap-master-b01 dirsrv]# rpm -qa|grep 389
> 389-console-1.1.18-5.fc28.noarch
> 389-ds-base-libs-1.4.0.9-2.fc28.x86_64
> 389-admin-console-1.1.12-4.fc28.noarch
> 389-dsgw-1.1.11-15.fc28.x86_64
> 389-ds-console-1.2.16-4.fc28.noarch
> 389-ds-1.2.2-10.fc27.noarch
> 389-ds-base-1.4.0.9-2.fc28.x86_64
> 389-ds-console-doc-1.2.16-4.fc28.noarch
> 389-adminutil-1.1.23-6.fc28.x86_64
> 389-admin-1.1.46-1.fc28.5.x86_64
> 389-admin-console-doc-1.1.12-4.fc28.noarch
>
> I have a different error message:
>
> [04/Jun/2018:17:47:20.801041823 +0200] - ERR - slapi_ldap_bind - Could not send bind request for id [cn=MasterMasterReplicationManager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -8157 (Certificate extension not found.), network error 0 (Unknown error, host "ldap-master-b02.dev.bdc1.hu.sec.in.pan-net.eu:636")
>
> This is the extension part of my x509 cert:
>
> X509v3 extensions:
>     X509v3 Key Usage: critical
>         Digital Signature, Key Encipherment
>     X509v3 Extended Key Usage:
>         TLS Web Server Authentication, TLS Web Client Authentication
>     X509v3 Basic Constraints: critical
>         CA:FALSE
>     X509v3 Subject Key Identifier:
>         5F:9E:9C:0B:0E:A9:37:51:9C:A4:82:3C:45:63:24:F2:37:98:19:3B
>     X509v3 Authority Key Identifier:
>         keyid:B4:0A:9D:24:72:09:94:A6:F7:F1:18:46:97:F7:8D:39:98:58:D0:80
>
>     Authority Information Access:
>         OCSP - URI:http://acme-ca.pki.sec.in.pan-net.eu
>         CA Issuers - URI:http://info.pki.sec.in.pan-net.eu/crts/acmecax1.crt
>
>     X509v3 Subject Alternative Name:
>         DNS:ldap-master-b01.dev.bdc1.hu.sec.in.pan-net.eu
>     X509v3 Certificate Policies:
>         Policy: 2.23.140.1.2.1
>         CPS: http://info.pki.sec.in.pan-net.eu/cps
>
> Any hints now?
>
> Thanks
>
> Michal
5 years, 12 months