Hello,
We have two LDAP master servers, ldap-dls-master1 and ldap-ral-master1. Two months back, there was an NTP issue and ldap-ral-master1 stopped doing authentication. This means replication was broken. All clients have both servers in their /etc/ldap.conf, so we were not aware that something was broken, because authentication was happening from ldap-dls-master1.
Now the NTP/time issue is fixed and I have restarted the opends service on ldap-ral-master1. But the problem is, when I log in to ldap-dls-master1, my login works fine, but when I log in to ldap-ral-master1, it says the password has expired, please give the current password and change it, because I changed my password 20 days back. It was changed on the good server (ldap-dls-master1), but not updated on the broken server (ldap-ral-master1).
Is there any way I can push the configuration from ldap-dls-master1 to ldap-ral-master1? I am not sure in which direction it will replicate. If replication happens the other way (from ldap-ral-master1 to ldap-dls-master1), I may receive many page-outs saying that their password is showing as expired, even though they changed it a few days back.
The second question is, why is the Security tab for ldap-ral-master1 showing as "Disabled"? I am not getting whether I should enable it, and how.
Please suggest.
Here is the replication status output from both servers, which can give an idea about the setup.
Code:
[root@ldap-dls-master1 ~]# /export/home/ldap/OpenDS-2.2.1/bin/dsreplication status
>>>> Specify OpenDS LDAP connection parameters
Directory server hostname or IP address [ldap-dls-master1]:
Directory server administration port number [4444]:
Global Administrator User ID [admin]:
Password for user 'admin':
The Certificate presented by the server ldap-dls-master1:4444 could not be
trusted.
There is a name mismatch between the name of the server (ldap-dls-master1) and the
subject DN of the certificate. This could be caused because you are connected
to a server pretending to be ldap-dls-master1:4444.
Before accepting this certificate, you should examine the server's certificate
carefully.
Server Certificate:
User DN : EMAILADDRESS=IDS@xyxyxyx.com, CN=ldap-dls-master1.clc.grgrgrgrgr.com,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Validity : From 'Wed Jul 18 17:37:17 UTC 2012'
To 'Sat Jul 16 17:37:17 UTC 2022'
Issuer : EMAILADDRESS=IDS@xyxyxyx.com, CN=Certificate Authority,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Do you trust this server certificate?
1) No
2) Yes, for this session only
3) Yes, also add it to a truststore
4) View certificate details
Enter choice [2]: 2
The Certificate presented by the server clc-ral-wks1:4444 could not be
trusted.
Possible reasons for this error:
-The Certificate Authority that issued the certificate is not recognized (this
is the case of the self-signed certificates).
-The server's certificate is incomplete due to a misconfiguration.
-The server's certificate has expired.
-There is a time difference between the server machine clock and the local
machine clock.
Before accepting this certificate, you should examine the server's certificate
carefully.
Server Certificate:
User DN : EMAILADDRESS=IDS@xyxyxyx.com, CN=clc-ral-wks1.clc.grgrgrgrgr.com,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Validity : From 'Wed Jul 18 17:46:34 UTC 2012'
To 'Sat Jul 16 17:46:34 UTC 2022'
Issuer : EMAILADDRESS=IDS@xyxyxyx.com, CN=Certificate Authority,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Do you trust this server certificate?
1) No
2) Yes, for this session only
3) Yes, also add it to a truststore
4) View certificate details
Enter choice [2]: 2
dc=ng911,dc=nct911,dc=org - Replication Enabled
===============================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
------------------:---------:----------:--------------:----------:-------------
ldap-dls-master1:4444 : 38 : 0 : N/A : 8989 : Enabled
clc-ral-wks1:4444 : 38 : 0 : N/A : 8989 : Disabled
dc=xypoint,dc=com - Replication Enabled
=======================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
------------------:---------:----------:--------------:----------:-------------
ldap-dls-master1:4444 : 1089 : 0 : N/A : 8989 : Enabled
clc-ral-wks1:4444 : 1089 : 0 : N/A : 8989 : Disabled
[1] The number of changes that are still missing on this server (and that have been applied to at least one of the other servers).
[2] Age of oldest missing change: the date on which the oldest change that has not arrived on this server was generated.
[3] The port used to communicate between the servers whose contents are being replicated.
[4] Whether the replication communication through the replication port is encrypted or not.
[root@ldap-dls-master1 ~]#
**************SECOND SERVER**************
[root@ldap-ral-master1 /]# /export/home/ldap/OpenDS-2.2.1/bin/dsreplication status
>>>> Specify OpenDS LDAP connection parameters
Directory server hostname or IP address [ldap-ral-master1]:
Directory server administration port number [4444]:
Global Administrator User ID [admin]:
Password for user 'admin':
The Certificate presented by the server clc-dls-wks1:4444 could not be
trusted.
Possible reasons for this error:
-The Certificate Authority that issued the certificate is not recognized (this
is the case of the self-signed certificates).
-The server's certificate is incomplete due to a misconfiguration.
-The server's certificate has expired.
-There is a time difference between the server machine clock and the local
machine clock.
Before accepting this certificate, you should examine the server's certificate
carefully.
Server Certificate:
User DN : EMAILADDRESS=IDS@xyxyxyx.com, CN=clc-dls-wks1.clc.grgrgrgrgr.com,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Validity : From 'Wed Jul 18 17:37:17 UTC 2012'
To 'Sat Jul 16 17:37:17 UTC 2022'
Issuer : EMAILADDRESS=IDS@xyxyxyx.com, CN=Certificate Authority,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Do you trust this server certificate?
1) No
2) Yes, for this session only
3) Yes, also add it to a truststore
4) View certificate details
Enter choice [2]: 2
The Certificate presented by the server ldap-ral-master1:4444 could not be
trusted.
There is a name mismatch between the name of the server (ldap-ral-master1) and the
subject DN of the certificate. This could be caused because you are connected
to a server pretending to be ldap-ral-master1:4444.
Before accepting this certificate, you should examine the server's certificate
carefully.
Server Certificate:
User DN : EMAILADDRESS=IDS@xyxyxyx.com, CN=ldap-ral-master1.clc.grgrgrgrgr.com,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Validity : From 'Wed Jul 18 17:46:34 UTC 2012'
To 'Sat Jul 16 17:46:34 UTC 2022'
Issuer : EMAILADDRESS=IDS@xyxyxyx.com, CN=Certificate Authority,
OU=Safety and Security Group (SSG), O="Systems Org, Inc.", C=US
Do you trust this server certificate?
1) No
2) Yes, for this session only
3) Yes, also add it to a truststore
4) View certificate details
Enter choice [2]: 2
dc=ng911,dc=nct911,dc=org - Replication Enabled
===============================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
------------------:---------:----------:--------------:----------:-------------
clc-dls-wks1:4444 : 38 : 0 : N/A : 8989 : Enabled
ldap-ral-master1:4444 : 38 : 0 : N/A : 8989 : Disabled
dc=xypoint,dc=com - Replication Enabled
=======================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
------------------:---------:----------:--------------:----------:-------------
clc-dls-wks1:4444 : 1089 : 0 : N/A : 8989 : Enabled
ldap-ral-master1:4444 : 1089 : 0 : N/A : 8989 : Disabled
[1] The number of changes that are still missing on this server (and that have been applied to at least one of the other servers).
[2] Age of oldest missing change: the date on which the oldest change that has not arrived on this server was generated.
[3] The port used to communicate between the servers whose contents are being replicated.
[4] Whether the replication communication through the replication port is encrypted or not.
[root@ldap-ral-master1 /]#
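Two things in the status output above are worth reading mechanically rather than by eye. Footnote [4] says the Security column reports whether traffic on the replication port (8989 here) is encrypted, so "Disabled" on the second server means changes, including password hashes, travel between the two masters in the clear. And both rows show 0 missing changes and identical entry counts even though a 20-day-old password change has not arrived, so the table alone will not reveal this kind of divergence; it only shows lag, entry-count drift and the encryption flag. The script below is an added example for this thread, not OpenDS code: it parses the `dsreplication status` tables as posted (hostnames and counts taken from the page) and flags what the table can show. The second sample, with a lagging replica and a date in the A.O.M.C. column, is constructed to exercise the lag check; its date string is an assumption about the format, not taken from the page.

```python
"""Parse `dsreplication status` output and flag replication health issues.

Added example for this thread; not part of OpenDS. The first sample is the
table from the post; the second is constructed to show a lagging replica.
"""
import re

# Sample 1: constructed from the status tables posted in the thread.
SAMPLE_STATUS = """\
dc=ng911,dc=nct911,dc=org - Replication Enabled
===============================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
------------------:---------:----------:--------------:----------:-------------
ldap-dls-master1:4444 : 38 : 0 : N/A : 8989 : Enabled
clc-ral-wks1:4444 : 38 : 0 : N/A : 8989 : Disabled
dc=xypoint,dc=com - Replication Enabled
=======================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
------------------:---------:----------:--------------:----------:-------------
ldap-dls-master1:4444 : 1089 : 0 : N/A : 8989 : Enabled
clc-ral-wks1:4444 : 1089 : 0 : N/A : 8989 : Disabled
[1] The number of changes that are still missing on this server.
"""

# Sample 2: constructed. One replica is 3 changes behind; the A.O.M.C. date
# format is an assumption, not copied from real output.
SAMPLE_LAGGING = """\
dc=xypoint,dc=com - Replication Enabled
=======================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
------------------:---------:----------:--------------:----------:-------------
ldap-dls-master1:4444 : 1089 : 0 : N/A : 8989 : Enabled
clc-ral-wks1:4444 : 1086 : 3 : Mon Aug 12 10:15:00 UTC 2013 : 8989 : Disabled
"""

# A suffix header looks like "dc=example,dc=com - Replication Enabled".
SUFFIX_RE = re.compile(r"^(?P<dn>\S+=.*?) - Replication (?P<state>Enabled|Disabled)\s*$")


def parse_status(text):
    """Return {suffix_dn: [row, ...]}; each row is one server's table line."""
    suffixes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUFFIX_RE.match(line)
        if m:
            current = m.group("dn")
            suffixes[current] = []
            continue
        # Skip rules, the header row, footnotes and anything before a suffix.
        if current is None or not line or line.startswith(("=", "-", "[", "Server")):
            continue
        fields = [f.strip() for f in line.split(" : ")]
        if len(fields) != 6:
            continue
        host, admin_port = fields[0].rsplit(":", 1)
        suffixes[current].append({
            "server": host,
            "admin_port": int(admin_port),
            "entries": int(fields[1]),
            "missing_changes": int(fields[2]),
            "oldest_missing": None if fields[3] == "N/A" else fields[3],
            "repl_port": int(fields[4]),
            "security": fields[5],
        })
    return suffixes


def find_issues(suffixes):
    """Flag what the status table can show: lagging replicas, entry-count
    divergence between servers, and replication traffic that is not encrypted."""
    issues = []
    for dn, rows in suffixes.items():
        counts = {r["entries"] for r in rows}
        if len(counts) > 1:
            issues.append(f"{dn}: entry counts differ across servers {sorted(counts)}")
        for r in rows:
            if r["missing_changes"] > 0:
                issues.append(f"{dn}: {r['server']} is missing {r['missing_changes']} "
                              f"change(s), oldest from {r['oldest_missing']}")
            if r["security"] != "Enabled":
                issues.append(f"{dn}: replication to {r['server']} on port "
                              f"{r['repl_port']} is not encrypted (Security {r['security']})")
    return issues


if __name__ == "__main__":
    for name, sample in (("posted status", SAMPLE_STATUS), ("lagging replica", SAMPLE_LAGGING)):
        print(f"== {name} ==")
        for issue in find_issues(parse_status(sample)):
            print("  " + issue)
```

Run against the posted output it reports only the two unencrypted-replication rows for clc-ral-wks1 (one per suffix); against the constructed lagging sample it additionally reports the entry-count drift and the three missing changes. Note also that the replicas are registered under clc-dls-wks1 / clc-ral-wks1 while the certificates carry the ldap-*-master1 FQDNs, which is why dsreplication raises a name mismatch each time; answering "Yes, for this session only" at every prompt means the server certificate is never pinned, whereas option 3 adds it to a truststore so later mismatches would be a real signal.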