If, like me, you have had issues with replication in Sun Directory Server, maybe this post will help.
The dsadm list-certs -C command will show you which CA certificates you are trusting, but it won’t show you the trust flags, i.e. how each certificate is trusted. If you are getting an error like “Bind failed with response: Failed to bind to remote (900).”, and you know SSL should be working properly, you probably want to check exactly how your CA certificates are being trusted.
To do this, use the certutil command:
certutil -L -d /var/opt/SUNWdsee/dsins1/alias -P slapd-
The trust should show as “CT,,”. The three comma-separated fields are SSL, S/MIME and object signing; in the SSL field an uppercase “C” means the CA is trusted to issue server certificates and “T” means it is trusted to issue client certificates, while a lowercase “c” only marks the certificate as a valid CA without trusting it. If it is showing as “c,c,c” or pretty much anything else, your CA certificate isn’t trusted properly. You can remove the certificate and re-add it with the correct trust flags using certutil in the following ways:
certutil -D -n "<your CA cert's alias>" -P slapd- -d /var/opt/SUNWdsee/dsins1/alias
certutil -A -n "<your CA cert's alias>" -t "CT,," -P slapd- -d /var/opt/SUNWdsee/dsins1/alias -i <location of your CA cert> -a
Now restart your directory server, and test replication. If you are lucky, this is your problem.
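The check above is easy to get wrong by eye when the NSS database holds many certificates, so here is an added helper (my own script, not from the original post) that reads certutil -L output and lists every entry whose SSL trust field has neither “C” (trusted CA) nor “u” (your own server certificate), i.e. the CA certificates that would produce exactly this replication bind failure. The sample output embedded below is constructed for the example; the nicknames in it are made up.

```shell
#!/bin/sh
# untrusted_cas: read `certutil -L` output on stdin and print the nicknames
# whose SSL trust field lacks "C" (trusted CA) and "u" (own key/cert).
# Those entries are CA certificates the directory server will not trust
# for SSL, which is what the post's "CT,," check is looking for.
untrusted_cas() {
  awk '
    # skip the two header lines and blank lines
    /^Certificate Nickname/ || /SSL,S\/MIME/ || NF < 2 { next }
    {
      trust = $NF                       # last column is e.g. "CT,," or "c,c,c"
      name  = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column, keep nickname (may contain spaces)
      split(trust, f, ",")              # f[1] = SSL flags, f[2] = S/MIME, f[3] = object signing
      if (f[1] !~ /C/ && f[1] !~ /u/) print name
    }'
}

# Constructed sample of `certutil -L -d <alias dir> -P slapd-` output (not real data):
# one properly trusted CA, the server's own cert, and two CAs that are not trusted.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,,
server-cert                                                  u,u,u
OtherCA                                                      c,c,c
Broken CA                                                    ,,'

# Run against the sample; on a real server pipe in:
#   certutil -L -d /var/opt/SUNWdsee/dsins1/alias -P slapd- | untrusted_cas
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | untrusted_cas
```

Any nickname the script prints is a candidate for the certutil -D / certutil -A -t "CT,," sequence above; an empty result means every CA in the database already carries server trust and the bind failure lies elsewhere.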