
Open Directory Replica, not using SSL.

Hi,


I'm hoping someone can help with the issues that I'm having with 2 Lion Servers, one is an OD Master, the other an OD Replica. Having read a lot about the pain people have been having with OD under Lion, I decided to do new installs on my servers, and then restore all the user data once everything was functioning correctly. It's taken me 2 weeks to get them to a state where I have a working Open Directory, there have been more reinstalls than I care to count, and I think I've seen most of the issues that have been raised here along the way.


I'm using my own Root CA for certificates, and have not been able to create an OD that works unless I use the FQDN of the server as the Open Directory name, and use a certificate that matches the directory name, not ideally what I wanted (I wanted an OD with a name that covers the domain part as I have internal subdomains, e.g. OD.domain.domain, not HOST.SUBDOMAIN.DOMAIN.DOMAIN), but at least this appears to be working OK. (I could only get this to work using the Server.app to create the OD; using the 'old' Server Admin.app didn't create a working OD.)


I can connect to the master, and successfully query the directory using SSL and successfully bind clients.



Having created the Replica (using the command line), it appears to be working OK, saying that LDAP server, password server & Kerberos are all running, so I've tried to set it to use SSL (by going into System Preferences, and changing the network account server within the Directory Utility). At this point Kerberos stops, and the network account server changes to a red dot.


To further investigate, I removed the network address server, and re-added it using the original address of 127.0.0.1, and I got the following message box:


This server does not provide a secure (SSL) connection. Do you want to continue?


So it appears that the replica is not set up correctly to use SSL. I have also tried using the FQDN of the replica server in network account server; this also doesn't work and causes Kerberos to stop.


Can anyone point me in the right direction to getting SSL up and running on the Replica?


Many thanks in advance.


Matt

Posted on Jan 21, 2012 2:17 AM

Question marked as Best reply

Posted on Jan 23, 2012 10:47 AM

Matt:

Have you tried following this kbase article?


http://support.apple.com/kb/HT3745

3 replies

Jan 23, 2012 11:47 PM in response to David Kurtz2

Hi David,


Many thanks! I appear to have completely missed that article while searching for a solution. I have run through the steps, and the replica appears to be using SSL OK, inasmuch as I can connect to it using SSL.


I have looked at the communication between the master & replica, and it appears that they are still using port 389 for comms, which suggests that replication traffic between the two servers is still unencrypted, which seems a little odd; again, have I missed something?


Regards


Matt

Oct 15, 2012 11:34 AM in response to hippy42

Using port 389 does not necessarily mean that the traffic is unencrypted. And if the check box in your Directory Utility app has SSL checked, and you're not getting 2100 errors when browsing your directory, it merely means that LDAP is using StartTLS to initiate the conversation with the server, which then diverts it to a secure connection.
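The point made in the reply above (port 389 in a capture is not proof of cleartext) can be checked directly rather than inferred from the port number. The following is an added example, not code from the thread or from Apple: a minimal encoder/decoder for the LDAP StartTLS extended operation (RFC 4511 / RFC 4513, OID 1.3.6.1.4.1.1466.20037). A client that upgrades to TLS sends an ExtendedRequest carrying that OID as its first message on 389; if the server answers with resultCode 0, everything after that on the same socket is a TLS handshake and encrypted data. The sample messages below are constructed by hand, not taken from a real capture, and the live `do_starttls` helper assumes a reachable LDAP server and is not exercised offline.

```python
"""LDAP StartTLS request/response encoding and a classifier for a port-389 stream.

Added example (RFC 4511 section 4.14, RFC 4513 section 3.1.1); hand-built BER,
no python-ldap dependency. Sample bytes are constructed for the demo.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value triple for a single BER element."""
    return bytes([tag]) + ber_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 128:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }.

    For message_id 1 this is the well-known 31-byte sequence beginning 30 1d 02 01 01 77 18 80 16.
    """
    request_name = tlv(0x80, STARTTLS_OID)            # [0] requestName, context-specific primitive
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x77, request_name))


def parse_extended_response(msg: bytes) -> dict:
    """Decode extendedResp [APPLICATION 24]: LDAPResult fields plus optional responseName [10]."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, p)
    if op_tag != 0x78:
        raise ValueError(f"expected extendedResp (0x78), got 0x{op_tag:02x}")
    _, code, p = read_tlv(op, 0)                       # resultCode ENUMERATED
    _, matched, p = read_tlv(op, p)                    # matchedDN
    _, diag, p = read_tlv(op, p)                       # diagnosticMessage
    name = None
    while p < len(op):                                 # optional referral / responseName / responseValue
        t, v, p = read_tlv(op, p)
        if t == 0x8A:
            name = v
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(),
            "response_name": name}


def classify_389_stream(client_first: bytes, server_first: bytes) -> str:
    """Given the first message each side sent on port 389, say what the rest of the stream is.

    'starttls'  - client asked for StartTLS and the server accepted: TLS follows
    'refused'   - client asked, server returned a non-zero resultCode: stays in the clear
    'plaintext' - the first client message was not a StartTLS request
    """
    tag, body, _ = read_tlv(client_first, 0)
    if tag != 0x30:
        return "plaintext"
    _, _, p = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, p)
    if op_tag != 0x77 or STARTTLS_OID not in op:
        return "plaintext"
    return "starttls" if parse_extended_response(server_first)["result_code"] == 0 else "refused"


def do_starttls(host: str, port: int = 389, timeout: float = 5.0) -> ssl.SSLSocket:
    """Live check (needs a reachable server, assumed): send StartTLS on a plain socket and upgrade it."""
    raw = socket.create_connection((host, port), timeout=timeout)
    raw.sendall(starttls_request(1))
    resp = parse_extended_response(raw.recv(4096))
    if resp["result_code"] != 0:
        raw.close()
        raise RuntimeError(f"StartTLS refused: {resp['result_code']} {resp['diagnostic']}")
    ctx = ssl.create_default_context()                 # verifies the server certificate against the system trust store
    return ctx.wrap_socket(raw, server_hostname=host)


# Constructed samples (not a real capture).
SUCCESS_RESPONSE = bytes.fromhex("3024020101781f0a0100040004008a16") + STARTTLS_OID
REFUSED_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0A, b"\x02") + tlv(0x04, b"")
                                                      + tlv(0x04, b"unsupported extended operation")))
PLAIN_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")))

if __name__ == "__main__":
    print(starttls_request(1).hex())
    print(classify_389_stream(starttls_request(1), SUCCESS_RESPONSE))   # starttls
    print(classify_389_stream(starttls_request(1), REFUSED_RESPONSE))   # refused
    print(classify_389_stream(PLAIN_BIND, b""))                         # plaintext
```

To apply this to the master/replica question in the thread: take the first LDAP message each side sends on the port 389 connection from a packet capture and feed them to `classify_389_stream`; a `starttls` verdict means the packets that follow on that socket are TLS records, even though the port is still 389. Against a live server, `do_starttls` performs the same exchange and fails closed if the upgrade is refused or the certificate does not validate; OpenLDAP's `ldapsearch -ZZ` does the equivalent from the command line.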
