OpenDJ Multi-master replication fails (Hangs at Initializing registration info)

This topic has 10 replies, 4 voices, and was last updated 6 years, 4 months ago by Chris Ridd.

    #9416
     apapap
    Participant

    I am using OpenDJ-2.4.6 along with Oracle JDK 7.80 and I want to run Multi-master replication on 2 of my servers, the OS for these servers is Amazon Linux.

    The OpenDJ setup runs perfectly fine; I can start the server too without any errors.

    It is when I run the “dsreplication” script as follows:

    ./dsreplication enable --host1 server1.example.com --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 "Passw0rd" --replicationPort1 1388 --host2 server2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" --bindPassword2 "Passw0rd" --replicationPort2 1388 --adminUID admin --adminPassword "Passw0rd" --baseDN "dc=example,dc=com"

    the script hangs on the following step:

    Initializing registration information on server server2.example.com:4444 with the contents of server server1.example.com:4444 .....
    And on checking the logs, there is no error reported in there.

    But, when I run the following command:

    ./dsreplication status -h localhost -p 4444 --adminUID admin --adminPassword "Passw0rd" -X
    it throws the following error:

    The displayed information might not be complete because the following errors were encountered reading the configuration of the existing servers:
    Error on server2.example.com:4444: An error occurred connecting to the server. Details: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    Error on server:4444: An error occurred connecting to the server. Details: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

    Please help me.

    Thanks in advance.

    #9417
     Chris Ridd
    Participant

    OpenDJ 2.4.5 had a Java 7-related replication fix (OPENDJ-401), so your setup ought to work. However almost certainly the versions of Java 7 we used with 2.4.x are much older than the one you’re using.

    I wonder if there were some crypto/SSL changes in Java 7u80 that are causing problems? Some recent versions have I believe dropped support for MD5 in certificates, so you could try checking all your certs.

    Personally I would upgrade to OpenDJ 2.6.0 or 3.0.0… Is there any reason you’re sticking with 2.4.6?

    #9418
     apapap
    Participant

    Hi Chris,

    Thanks for the reply.

    No particular reason for using version 2.4.6.
    I was just following a blog for OpenDJ setup which had used version 2.4.6.
    I’ll try using OpenDJ 3.0.0.
    So, which Java setup should I use with OpenDJ 3.0.0; Java 8 or Java 7?

    Regards,
    apapap

    #9419
     Rajesh R
    Participant

    @apapap Java Version 7 or 8. Please see the OpenDJ 3.0 release notes here: http://opendj.forgerock.org/doc/OpenDJ-Release-Notes.pdf

    #9426
     apapap
    Participant

    @cjr, @rajeshr
    I tried OpenDJ 3.0.0 with Java 7; now I get the following error on running the dsreplication enable command via server1:

    Establishing connections …..
    Error reading data from server server2.example.com:4444. There is an
    error with the certificate presented by the server.
    Details: simple bind failed: server2.example.com:4444

    How do I fix this?

    Also, after the above step, if I run the dsreplication status command, it gives the same error as mentioned in the question:

    The provided credentials are not valid in server
    server1.example.com:4444. Details: [LDAP: error code 49 – Invalid
    Credentials]

    Please help me fix this.

    #10538
     garlandm
    Participant

    I’m also receiving the same certificate error.

    Error reading data from server ex-ny-dir-02:4444. There is an error with the
    certificate presented by the server.
    Details: simple bind failed: ex-ny-dir-02:4444

    #10539
     Chris Ridd
    Participant

    Use keytool to display the contents of your server’s certificate from the admin keystore.

    What is the certificate’s validity period?

    What encryption and signature algorithms are being used?

    Do they match with the algorithms that the JVM you’re using supports? You’ll need to check the exact update release too.
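
Added example, not part of the original posts: a shell function that reads `keytool -list -v` output and reports, per certificate, the signature algorithm and expiry that the checklist above asks about. The function names, the keystore paths in the comment (a default OpenDJ install is assumed) and the sample output are assumptions constructed for illustration; the reference time must be in the same time zone keytool printed.

```shell
#!/bin/sh
# Input comes from keytool, e.g. (paths assume a default OpenDJ install):
#   keytool -list -v -keystore config/admin-keystore \
#           -storepass "$(cat config/admin-keystore.pin)"

# Constructed sample of `keytool -list -v` output (not from the thread).
sample_keytool_output() {
cat <<'EOF'
Alias name: admin-cert
Entry type: PrivateKeyEntry
Owner: CN=server2.example.com, O=Administration Connector Self-Signed Certificate
Issuer: CN=server2.example.com, O=Administration Connector Self-Signed Certificate
Valid from: Mon Jan 04 10:00:00 UTC 2016 until: Wed Jan 03 10:00:00 UTC 2018
     Signature algorithm name: MD5withRSA
Alias name: replacement-cert
Entry type: PrivateKeyEntry
Owner: CN=server2.example.com
Issuer: CN=server2.example.com
Valid from: Fri Jan 01 10:00:00 UTC 2021 until: Wed Jan 01 10:00:00 UTC 2031
     Signature algorithm name: SHA256withRSA
EOF
}

# audit_certs NOW   (NOW = YYYYMMDDhhmmss); keytool output on stdin.
# Prints one line per certificate: alias|sigalg|not_after|verdict
audit_certs() {
  awk -v now="$1" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
    /^Alias name:/ { alias = $3 }
    /^Valid from:/ {
      # After "until:" the fields are: Dow Mon DD hh:mm:ss TZ YYYY
      for (i = 1; i <= NF; i++) if ($i == "until:") u = i
      t = $(u+4); gsub(":", "", t)
      until = $(u+6) mon[$(u+2)] $(u+3) t
    }
    /Signature algorithm name:/ {
      alg = $NF; v = "ok"
      # MD5 is the digest named in the thread; MD2 is likewise rejected by JDKs.
      if (alg ~ /^(MD2|MD5)with/) v = "weak-signature"
      if (until <= now) v = (v == "ok") ? "expired" : (v ",expired")
      print alias "|" alg "|" until "|" v
    }'
}

# Stand-alone run: audit the constructed sample against the current UTC time.
sample_keytool_output | audit_certs "$(date -u +%Y%m%d%H%M%S)"
```
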

    #10540
     garlandm
    Participant

    I’ve checked, it’s valid for another two years, using RSA. Everything on paper looks valid.

    #10541
     Chris Ridd
    Participant

    Enable SSL debugging in the client and try again, and see if there is any more information which precedes the error.

    #10542
     garlandm
    Participant

    The only error I see is:

    verify error:num=18:self signed certificate
    

    Nothing else stands out.

    #10548
     Chris Ridd
    Participant

    That output looks like an error from the openssl command. That’s a good test to make, but in this case you are trying to connect a Java application (dsreplication) to OpenDJ so you should test Java’s SSL code instead. (Java does not use openssl.)

    https://ludopoitou.com/2011/06/29/opendj-troubleshooting-ldap-ssl-connections/ has some tips for doing this. You will get quite a lot of output…
