Phil Daws wrote: > Hello all: > > Have tried to get my lab set up with 389 and secure connections multiple > times now with disasterous results; and yes have tried to follow > http://www.port389.org/docs/389ds/howto/howto-ssl.html > > Here is a very brief walkthrough of what I did: > > * from my PKI created four certificates - node1 admin and node2 directory + > node2 admin and node2 directory certificates > * on both node1 and node2 installed the following packages: > > [root@ads01 ~]# rpm -qa | grep 389 > 389-adminutil-1.1.22-1.el7.x86_64 > 389-ds-base-1.3.4.0-21.el7_2.x86_64 > 389-admin-console-1.1.10-1.el7.noarch > 389-console-1.1.9-1.el7.noarch > 389-ds-base-libs-1.3.4.0-21.el7_2.x86_64 > 389-admin-1.1.42-1.el7.x86_64 > 389-ds-console-1.2.12-1.el7.noarch > > * on node1 ran setup-ds-admin.pl and configured the initial directory server > * on node1 configured the admin to use TLS + the directory server so that it > bound to 636 > * on node2 ran setup-ds-admin.pl and joined the directory server on node1 > * on node2 configured the admin to use TLS > * on node2 launch 389-console using https and then try to connect too the > directory server on node2 and it just hangs and fails with an SSL error over > and over: > > [Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] > sslinit: NSS is required to use LDAPS, but security initialization failed > [-8015:The certificate/key database is in an old, unsupported format or > failed to open.].
Double-check that the user that 389-ds runs as has read permissions to the NSS database. > > How does one perform an install, with two nodes, that each has an > administration instance plus a directory server running TLS on 636 ?? Have > not even been able to attempt multi-master replication yet :( > > All help appreciated. Thanks, Phil > -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
