Dear List Members,
Release: fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm
A typical replication error log entry now follows (seen repeatedly at both fedora DS servers):
[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
Believe me, I have been investigating this one for 2 or 3 days now (having just switched from OpenLDAP, since multiple master replication is required) before sending this submission, just in case I missed a configuration item or work-around, but unfortunately no luck (so far).
The only reference I can find for SSL Client Authentication based Multiple Master replication (2 Linux RHEL 3 servers being used) that supplies empty DNs, is the Windows specific entry (whose work-around I tried anyway, but without success).
Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later. To workaround the problem, after you modify and save the replication schedule of an agreement, refresh the console, reconfigure the connection settings (to SSL client authentication) for the agreement, and save your changes.
http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.ht ml
The mutual "Current Supplier DNs" are indeed set (cn=Replication Manager,cn=replication,cn=config) and the corresponding directory entries do exist.
The respective server certificates and CA certificates are installed, with Subject DN entries loaded.
I do not have Legacy Consumer enabled.
CertMapping is also defined (though with a NULL DN being supplied, I guess that will not be kicking in just yet, though there are entries for the exact subject DN anyway.)
When using simple authentication, with or without SSL, all is well (although replication did require both servers to Initialize the Consumer, I thought that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way replication was achieved).
Any suggestions will be most gratefully received!
Regards,
Kevin
Kevin McCarthy wrote:
Dear List Members,
Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
A typical replication error log entry now follows (seen repeatedly at both fedora DS servers):
[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The *bind dn ""* does not have permission to supply replication updates to the replica. Will retry later.
Believe me, I have been investigating this one for 2 or 3 days now (having just switched from OpenLDAP, since multiple master replication is required) before sending this submission, just in case I missed a configuration item or work-around, but unfortunately no luck (so far).
The only reference I can find for SSL Client Authentication based Multiple Master replication (2 Linux RHEL 3 servers being used) that supplies empty DNs, is the Windows specific entry (whose work-around I tried anyway, but without success)…
Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later. To workaround the problem, after you modify and save the replication schedule of an agreement, refresh the console, reconfigure the connection settings (to SSL client authentication) for the agreement, and save your changes.
http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.ht...
The mutual “Current Supplier DNs” are indeed set (cn=Replication Manager,cn=replication,cn=config) and the corresponding directory entries do exist.
The respective server certificates and CA certificates are installed, with Subject DN entries loaded.
What are the SubjectDNs in the server certificates?
I do _not_ have Legacy Consumer enabled.
You don't need it.
CertMapping is also defined (though with a NULL DN being supplied, I guess that will not be kicking in just yet, though there are entries for the exact subject DN anyway.)
You might want to post your certmap.conf and see here - http://directory.fedora.redhat.com/wiki/Howto:CertMapping
When using simple authentication, with or without SSL, all is well (although replication did require both servers to Initialize the Consumer, I thought that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way replication was achieved).
That's odd. You should only need to initialize once one way.
Any suggestions will be _most_ gratefully received!
Regards,
Kevin
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org