Hello,
We are new to UCS and are currently in the process of setting up Univention servers for the first time.
We are planning to mostly use Univention as an LDAP server with SSO in the future.
Version: “5.0-3 errata609”
I was trying to set up a replication server for one of our remote networks so that the servers located there can connect to our LDAP in the future. I have tried connecting the replication server to the main server from a local network, and it worked after some troubleshooting. Unfortunately, I can't do the same from remote, though.
I have reviewed the firewall settings a couple of times and can't seem to find an issue there. It is also possible to send LDAP queries to the main server from the replication server.
Ping is possible, SSH is possible.
This is from /var/log/univention/join.log:
#########################
Mon Mar 13 19:00:23 CET 2023: starting /usr/sbin/univention-join -dcname 1-1-1-1.static.isp.com -dcaccount Administrator -dcpwd /tmp/tmpz0fb91yl
running version check
OK: UCS version on 1-1-1-1.static.isp.com is higher or equal (5.03) to the local version (5.03).
Check if /var/lib/univention-directory-replication/failed.ldif exists
Stopping slapd (via systemctl): slapd.service.
Starting slapd (via systemctl): slapd.service.
univention-join-hooks: looking for hook type "join/pre-join" on 1-1-1-1.static.isp.com
Exception occurred: {'desc': 'Connect error', 'info': 'TLS: hostname does not match CN in peer certificate'}
* Join failed! *
* Contact your system administrator *
* Message: Please visit HELPPAGE for common problems during the join and how to fix them - join/pre-join failed, see /var/log/univention/join.log
Mon Mar 13 19:00:48 CET 2023: finish /usr/sbin/univention-join
#########################
1-1-1-1.static.isp.com → reverse DNS of the firewall that our main server is behind.
The certificate doesn't seem to be an issue inside the local network.
From internal:
openssl s_client -connect main-server.domain.com:636
OUTPUT:
…
Verify return code: 0 (ok)
…
From external:
openssl s_client -connect main-server.domain.com:636
OUTPUT:
…
Verify return code: 19 (self signed certificate in certificate chain)
…
There are a couple of these lines in the cert, I only included the one - they all say the same: "(self signed certificate in certificate chain)".
I also noticed that while joining, the CA cert is copied to the replication server from the main server.
Does anyone have any ideas what could cause this? Or a kind of best practice for a setup like ours?
Main server with LDAP - Local net 1
Backup server - Local net 1
Replication server with LDAP (read-only) - Local net 2 - no VPN
Please let me know if I need to provide more info!
BR,
vg
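The post's two openssl results point at two separate TLS checks: chain trust (verify return code 19 means the issuing CA is not in the client's trust store) and name matching (the join error says the name used to connect is not in the server certificate). The following script, added here as an example and not part of the original post or of UCS, separates the two. It works on the certificate dictionary format that Python's `ssl.SSLSocket.getpeercert()` returns; the certificate and host names in it are constructed placeholders modelled on the post.

```python
"""Added example: classify a failed LDAPS connection into 'chain not trusted'
and/or 'hostname not in certificate', the two causes visible in the post."""
import ipaddress


def _names_in_cert(cert: dict) -> tuple[list[str], list[str]]:
    """DNS names and IP addresses from the SAN; CN is used only if the SAN has no DNS entry."""
    san = cert.get("subjectAltName", ())
    dns = [value for kind, value in san if kind == "DNS"]
    ips = [value for kind, value in san if kind == "IP Address"]
    if not dns:  # legacy fallback: subject commonName
        for rdn in cert.get("subject", ()):
            dns.extend(value for key, value in rdn if key == "commonName")
    return dns, ips


def hostname_matches(hostname: str, cert: dict) -> bool:
    """RFC 6125 style matching: case-insensitive, wildcard only as the whole leftmost label."""
    dns, ips = _names_in_cert(cert)
    try:
        ipaddress.ip_address(hostname)
        return hostname in ips  # IP literals must appear as an IP SAN, never matched against DNS names
    except ValueError:
        pass
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host_labels) or len(pattern) < 2:
            continue
        first_ok = pattern[0] == "*" or pattern[0] == host_labels[0]
        if first_ok and pattern[1:] == host_labels[1:]:
            return True
    return False


def diagnose(hostname: str, verify_code: int, cert: dict) -> list[str]:
    """Return the independent problems found; an empty list means the connection would be accepted."""
    issues = []
    if verify_code != 0:
        # openssl's code 19 ("self signed certificate in certificate chain") = CA not trusted by this client
        issues.append(f"chain: verify return code {verify_code}, install the issuing CA on the client")
    if not hostname_matches(hostname, cert):
        issues.append(f"hostname: {hostname!r} is not in the certificate SAN/CN")
    return issues


# Constructed certificate, modelled on the post: only the internal name is in it.
MAIN_SERVER_CERT = {
    "subject": ((("commonName", "main-server.domain.com"),),),
    "subjectAltName": (("DNS", "main-server.domain.com"),),
}
```

Feed `diagnose()` the name you actually connect with (the firewall's reverse DNS name in the post) and the openssl verify code; the join only succeeds when it returns an empty list.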