#1 (permalink)
10-13-2010, 03:03 PM
Junior Member
Posts: 8
[SOLVED] zcs net edition replicating to zcs os

Hi,

I want to set up replicated LDAP.

The replica server would be zcs-6.0.8_GA_2661.DEBIAN5_64.20100820041743
The master is 6.0.8_GA_2678 network edition Ubuntu10.04 x64.

I am doing it according to Installing a Replica LDAP Server

But when the last step comes the apply option is not available.

Code:
Ldap configuration

   1) Status:                                  Enabled
   2) Create Domain:                           no
   3) Ldap root password:                      set
   4) Ldap replication password:               set

Select, or 'r' for previous menu [r]

Main menu
   
   1) Common Configuration:
        +Hostname:                             jugisgw.ppke.hu
        +Ldap master host:                     zebra.ppke.hu
        +Ldap port:                            389
        +Ldap Admin password:                  set
        +Secure interprocess communications:   yes
        +TimeZone:                             Europe/Belgrade
   
   2) zimbra-ldap:                             Enabled
        +Create Domain:                        no
        +Ldap root password:                   set
        +Ldap replication password:            set
   
   c) Collapse menu
   r) Start servers after configuration        yes
   s) Save config to file
   q) Quit

Address unconfigured (**) items and enable ldap replication on ldap master  (? - help)

I spent the whole day on this and no progress. (removed the zimbra*.deb packages then /opt/zimbra and started again many times, also tried to work around with zmlocalconfig)
Can you please help me what is the obvious I am missing?

Thanks in advance.

#2 (permalink)
10-13-2010, 11:39 PM
Zimbra Consultant & Moderator
Posts: 20,317

Quote:
Originally Posted by cstamas
I spent the whole day on this and no progress. (removed the zimbra*.deb packages then /opt/zimbra and started again many times, also tried to work around with zmlocalconfig)
Can you please help me what is the obvious I am missing?

Why do you think you can do this with a mixed NE & Open Source configuration (have you been told this is possible and why are you doing it?), the instructions you're following are for the Network Edition.
__________________
Regards


Bill

#3 (permalink)
10-14-2010, 01:19 AM
Junior Member
Posts: 8

Quote:
Originally Posted by phoenix
Why do you think you can do this with a mixed NE & Open Source configuration (have you been told this is possible and why are you doing it?), the instructions you're following are for the Network Edition.

I saw big US university use cases: they buy NE for staff and use OS for students.
(I made some conclusions I should not have.)

Thanks for the info! I will try with NE on both machines. The second is only an LDAP replica anyways.

#4 (permalink)
10-14-2010, 02:20 AM
Junior Member
Posts: 8

Quote:
Originally Posted by cstamas
I saw big US university use cases: they buy NE for staff and use OS for students.
(I made some conclusions I should not have.)

Thanks for the info! I will try with NE on both machines. The second is only an LDAP replica anyways.

I do not know what is happening but two of my posts seem to be lost. This is my last retry.... and I will be brief.

I tried NE too, but the results are exactly the same.

#5 (permalink)
10-14-2010, 02:39 AM
Zimbra Consultant & Moderator
Posts: 20,317

Quote:
Originally Posted by cstamas
I do not know what is happening but two of my posts seem to be lost. This is my last retry.... and I will be brief.

Your posts are not 'lost' they are in moderation as you're a new member - you would have seen a message explaining that when you posted and it's to reduce spam on the forums. They need to be released by a moderator, I've removed them as they are duplicates.

Quote:
Originally Posted by cstamas
I tried NE too, but the results are exactly the same.

You need to post exact details of your configuration and the exact steps you've taken during installation on the replica, also look in the installation log file for any errors. Is this a completely new installation or what?
__________________
Regards


Bill

#6 (permalink)
10-14-2010, 02:58 AM
Junior Member
Posts: 8

Thanks for your help.

Quote:
Originally Posted by phoenix
Your posts are not 'lost' they are in moderation as you're a new member - you would have seen a message explaining that when you posted and it's to reduce spam on the forums. They need to be released by a moderator, I've removed them as they are duplicates.

You need to post exact details of your configuration and the exact steps you've taken during installation on the replica, also look in the installation log file for any errors. Is this a completely new installation or what?

I was told on my first post and it said only my first post is moderated. I never see that again. (I just get permalinks pointing to nonexistent anchors).

To the second part I will reply shortly (It seems I start to get some results.)

Thanks

#7 (permalink)
10-14-2010, 03:29 AM
Junior Member
Posts: 8

Quote:
Originally Posted by phoenix
You need to post exact details of your configuration and the exact steps you've taken during installation on the replica, also look in the installation log file for any errors. Is this a completely new installation or what?

This is basically a new install with no critical data on it. The ldap master server is meant to be a "full zimbra" install.
I want to install a mail gateway (not Zimbra, custom postfix install) and this is the ldap replica I am trying to set up.

Looking at the logs revealed that accesslog is missing on the master server. zmenablereplica just exited stating that syncreply is already enabled.
I made some changes (copied the script to /tmp to leave the original untouched). Now the setup seems to be complete, just the replication process does not work.

I already ran zmupdateauthkeys. And installed the master server's ssl key to the java keystore.

I run the ldap replica server in debug mode and get this:

Code:
TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
slap_client_connect: URI=ldap://zebra.ppke.hu:389 Error, ldap_start_tls failed (-11)
do_syncrepl: rid=100 rc -11 retrying
TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
slap_client_connect: URI=ldap://zebra.ppke.hu:389 Error, ldap_start_tls failed (-11)
do_syncrepl: rid=100 rc -11 retrying

How can I get these certificates right?

TIA

#8 (permalink)
10-14-2010, 04:55 AM
Junior Member
Posts: 8

Quote:
Originally Posted by cstamas
How can I get these certificates right?

I tried recreating the certificates from the web admin gui.
I made one cert for each server, but the issuer is not the same!

On one server it is .....CN=zebra on the other .....CN=zebra.ppke.hu

I am not sure if this is right. (and still does not work of course)

#9 (permalink)
10-14-2010, 06:14 AM
Junior Member
Posts: 8

I am trying this:

Code:
/opt/zimbra/bin/zmcertmgr deploycrt self -allserver

but ....

Code:
STARTCMD: jugisgw.ppke.hu sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver

** Retrieving global config key zimbraSSLCertificate...failed.
** Retrieving global config key zimbraSSLPrivateKey...failed.
ENDCMD: jugisgw.ppke.hu sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver

and on the server in question I get:

Code:
root@jugisgw:/opt/zimbra/conf/ca # su - zimbra -c '/opt/zimbra/bin/zmprov -m -l -- gacf zimbraSSLPrivateKey'

ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

Thanks for your help guys!

#10 (permalink)
10-14-2010, 03:36 PM
Junior Member
Posts: 8

I cannot believe it (yet) but it seems to be working.

I transferred the keys by hand (all from the master server's ssl dir) to the replica then manually added ca.pem to the keystore.
Now all the ldap content is on the replica.

The resources I found helpful:

Administration Console and CLI Certificate Tools - Zimbra :: Wiki
Ajcody-Notes-SSLCerts - Zimbra :: Wiki
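
The trust failure in this thread, reproduced offline as an added example (not from the posts and not Zimbra code): a replica that holds only its own self-signed CA cannot verify a certificate issued by the master's CA, and a matching issuer name alone does not prove trust. The CA names, the host name ldap-master.example and the helper functions are assumptions constructed for the demo; it needs the openssl CLI.

```shell
#!/usr/bin/env bash
# Added example: every CA, key and certificate here is a throwaway constructed
# for the demonstration (names such as "Demo Master CA" are assumptions).

make_ca() {      # make_ca <dir> <CN>: self-signed CA written to <dir>/ca.pem
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Demo CA/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {   # issue_cert <ca_dir> <CN> <out.crt>: server cert signed by that CA
  local tmp; tmp=$(mktemp -d)
  openssl req -newkey rsa:2048 -nodes -subj "/O=Demo LDAP/CN=$2" \
    -keyout "$tmp/srv.key" -out "$tmp/srv.csr" 2>/dev/null
  openssl x509 -req -in "$tmp/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$3" 2>/dev/null
  rm -rf "$tmp"
}

# trusts <ca.pem> <server.crt>: succeeds only if the chain verifies against ca.pem
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# same_issuer <ca.pem> <server.crt>: the cert's issuer DN equals the CA's subject DN.
# Necessary but not sufficient: a regenerated CA keeps the name, not the key.
same_issuer() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$2" -noout -issuer_hash)" ]
}

demo() {
  local d; d=$(mktemp -d)
  make_ca "$d/master" "Demo Master CA"
  make_ca "$d/replica" "Demo Replica CA"      # replica generated its own CA
  issue_cert "$d/master" "ldap-master.example" "$d/ldap.crt"
  if trusts "$d/replica/ca.pem" "$d/ldap.crt"; then echo "own CA: trusted"
  else echo "own CA: verify failed (issuer not in trust file)"; fi
  cp "$d/master/ca.pem" "$d/replica/ca.pem"   # install the master's CA cert only
  if trusts "$d/replica/ca.pem" "$d/ldap.crt"; then echo "master CA: trusted"
  else echo "master CA: verify failed"; fi
  rm -rf "$d"
}
demo
```

Verification needs only the CA certificate, so the demo copies `ca.pem` and never moves `ca.key` off the issuing side.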