This can be caused by replication dn having an expired password.<br><br><div class="gmail_quote">On Tue, Apr 3, 2012 at 4:55 PM, Herb Burnswell <span dir="ltr"><<a href="mailto:herbert.burnswell@gmail.com">herbert.burnswell@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><div class="gmail_quote"><div class="gmail_quote"><div><div class="h5"><div>---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">Rich Megginson</b> <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span><br>
</div><div><div>
Date: Mon, Apr 2, 2012 at 7:37 PM<br>Subject: Re: [389-users] Fwd: Repair replication<br>To: "General discussion list for the 389 Directory server project." <<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>><br>
Cc: Herb Burnswell <<a href="mailto:herbert.burnswell@gmail.com" target="_blank">herbert.burnswell@gmail.com</a>><br><br><br>
</div></div></div></div><div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"><div><div><div><div>
On 04/02/2012 05:48 PM, Herb Burnswell wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">Rich Megginson</b> <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span><br>
Date: Mon, Apr 2, 2012 at 3:23 PM<br>
Subject: Re: [389-users] Repair replication<br>
To: "General discussion list for the 389 Directory server
project." <<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>><br>
Cc: Herb Burnswell <<a href="mailto:herbert.burnswell@gmail.com" target="_blank">herbert.burnswell@gmail.com</a>><br>
<br>
<br>
<div bgcolor="#FFFFFF" text="#000000">
<div> On 04/02/2012 04:13 PM, Herb Burnswell wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Fri, Mar 23, 2012 at 10:53 AM,
Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 03/23/2012 11:09 AM, Herb Burnswell wrote:
<blockquote type="cite">Thanks for the reply
David.<br>
<br>
>> 1. How can I find out which system(s)
is/are master, consumer, hub, etc?<br>
>>>>You should be able to determine
the role of the Directory Server for each<br>
>>>>system by logging into the LDAP
console under<br>
>>>>"Configuration->Replication".
The role is either "Single Master", "Hub" or<br>
>>>>"Dedicated Consumer".<br>
<br>
>I was able to determine that we have two
"Multiple Master" systems. Let's call >them
'A' and 'B'. System A has been the only system
running for what appears to >be several years
(it is being backed up nightly). System B has
been off for some >time but is running now.<br>
<br>
>> 2. How do I confirm that the systems
have the correct credentials for<br>
>replication? (I am receiving: "Unable to
acquire replica: Permission<br>
>denied.")<br>
>a. How can I change the bind dn
"cn=replication,cn=config" credentials<br>
>on each system to ensure replication will
work?<br>
>>>>You can do that on the console
as well. Just navigate down the directory<br>
>>>>tree and manually reset the
password for the replication user account.<br>
>>>>There's a possibility that your
replication user account's password expired.<br>
<br>
>I can navigate to the screen to reset the
password for the replication user account. I
>have not reset the passwords yet as I am
reading documentation to confirm that >system
B will simply update it's data to system A's
upon resuming replication.<br>
</blockquote>
</div>
>When you change the password of the replication
user on B, you'll also have to update >those
credentials in the replication agreement on A for
the agreement from A to B.<br>
<br>
>Note that if replication has been down for
years, you will have to perform a manual >replica
initialization procedure - replication will not
automatically "catch up" if it has >been down
that long.
<div>
<div><br>
</div>
</div>
</div>
</blockquote>
<div>Rich - Thank you for the response. I was diverted
to another urgent issue but have come back to this
replication fix. <br>
<br>
I've confirmed that there are two Dedicated Consumer's
(C and D) to go along with the two Dual Master's (A
and B). I want to replicate to one of the dedicated
consumers, C, prior to syncing the dual master B. I
changed the passwords for dn:cn=replication,cn=config
on A via the Directory Manager console, and via
ldapmodify on C. I am confident that the passwords are
the same on both systems. <br>
</div>
</div>
</blockquote>
<br>
</div>
>What exactly did you do?<br>
>Note that you'll have to update the password in
cn=replication,cn=config on the >consumer (C) and update
the replication agreement on A for the replication agreement
>between A and C.
<div>
<div><br>
Thanks for the reply Rich. Yes, I updated the password on
A and C. I apologize as I left out the link in my below
reference to section <a href="http://8.10.5.1" target="_blank">8.10.5.1</a>: <a href="http://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Initializing_Consumers.html" target="_blank">http://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Initializing_Consumers.html</a>.
I used bak2db with backup files from A. After which, I
see: "Unable to acquire replica: permission denied. The
bind dn "cn=replication,cn=config" does not have
permission to supply replication updates to the replica.
Will retry later." on system A's error logs.. </div>
</div>
</div>
</div>
</blockquote></div></div>
>I think doing the restore is resetting the password. After doing
the bak2db, change the >passwords.<br><br></div></div>Well, I'm kind of at a loss here. I've reset the passwords on A and C after doing the bak2db. Same error:<div><br><br>Unable to acquire replica: permission denied. The bind dn "cn=replication,cn=config" does not have permission to supply replication updates to the replica. Will retry later.<br>
<br></div>Next, I removed and re-added the replication agreement on Master A to Consumer C, same error above.<br><br>Is there any way that I can output the settings/password information for cn=replication,cn=config on both A and C via the command line to compare? I have read that there needs to be a 'person' entry on the consumer for cn=replication,cn=config that is used for the replication of the data. Is there a way I can confirm this configuration to ensure it is set up correctly?<br>
<br></div></div>I'm also seeing this error in the logs on consumer C:<br><br> NSMMReplicationPlugin - conn=2 op=9 replica="o=myTree": Unable to acquire replica: error: permission denied<div><div class="h5">
<br><div><div><br>
<div><div><br>
<blockquote type="cite">
<div class="gmail_quote">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<blockquote type="cite">
<div class="gmail_quote">
<div> <br>
>I followed section 8.10.5.1 on initializing the
consumer replica from backup files and it >worked
with the following: <br>
<br>
>[02/Apr/2012:11:58:03 -0700] - Add Attribute
readonly Value off <br>
>[02/Apr/2012:11:58:03 -0700] - Add Attribute
nsslapd-directory Value /new/path/from/master/server<br>
>[02/Apr/2012:11:58:04 -0700] - Del Attribute
nsslapd-directory Value /old/path/from/consumer<br>
>[02/Apr/2012:11:58:04 -0700] - WARNING!!:
current Instance Config is different from backed up
configuration; The backup is restored.<br>
<br>
>First, do I need to reset these attributes back
to 'readonly' and the original nsslapd-directory? <br>
<br>
>Second, I am now receiving the following error
from the master A: <br>
>Unable to acquire replica: permission denied.
The bind dn "cn=replication,cn=config" >does not
have permission to supply replication updates to the
replica. Will retry later. <br>
<br>
>On another note, I see plain text passwords in
the error logs on A for the consumers >but passwd
= {SSHA}0bgDq2f1IM/2nNOOIHUh8lXfkG13XUOHTYD== for B,
the other >master. Is there specific reason for
this? <br>
<br>
>As always, any guidance that can be provided is
greatly appreciated. <br>
<br>
TIA, <br>
<br>
Herb <br>
</div>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<blockquote type="cite"> <br>
>> 3. I assume that upon repairing
replication (apparently it has not been<br>
working for several years) the systems will
all replicate to the most<br>
recent information. Correct?<br>
>>>>I think that's the tricky
part. Make sure you backup your directory
on all<br>
>>>>the LDAP first so you have
something to roll back. I *believe* the
last<br>
>>>>step when setting up
replication is initializing the directory
and that<br>
>>>>will wipe out directory on
the other LDAP. Someone on the list might
be<br>
>>>>able to provide a better on
this but I am just giving you a heads up
that<br>
>>>>this can be a complicated
process.<br>
<br>
Given the fact that system B has not been
running for some time, ideally it would
simply replicate to the current data on
system A. After replication is
reestablished the systems are set up to
"Always keep directories in sync". If
anyone can confirm the behavior that will
occur upon replication on these two systems
it would be greatly appreciated.<br>
<br>
Thanks in advance,<br>
<br>
Herb<br>
<br>
<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 22 Mar 2012 10:40:34 -0400<br>
From: Chun Tat David Chu <<a href="mailto:beyonddc.storage@gmail.com" target="_blank">beyonddc.storage@gmail.com</a>><br>
To: "General discussion list for the 389
Directory server project."<br>
<<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>><br>
Subject: Re: [389-users] Repair
replication<br>
Message-ID:<br>
<<a href="mailto:CANCf8oLYKet99sB_ou4U3CER8U89UgwZhGUBTHekcF9HWNKL9g@mail.gmail.com" target="_blank">CANCf8oLYKet99sB_ou4U3CER8U89UgwZhGUBTHekcF9HWNKL9g@mail.gmail.com</a>><br>
Content-Type: text/plain;
charset="iso-8859-1"<br>
<br>
Hey Herb,<br>
<br>
You should refer to the Red Hat
Directory Server administration guide
for<br>
detail about setting up replication
which you can locate in here.<br>
<a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/</a><br>
<br>
>> 1. How can I find out which
system(s) is/are master, consumer, hub,
etc?<br>
You should be able to determine the role
of the Directory Server for each<br>
system by logging into the LDAP console
under<br>
"Configuration->Replication". The
role is either "Single Master", "Hub" or<br>
"Dedicated Consumer".<br>
<br>
>> 2. How do I confirm that the
systems have the correct credentials for<br>
replication? (I am receiving: "Unable to
acquire replica: Permission<br>
denied.")<br>
a. How can I change the bind dn
"cn=replication,cn=config" credentials<br>
on each system to ensure replication
will work?<br>
You can do that on the console as well.
Just navigate down the directory<br>
tree and manually reset the password for
the replication user account.<br>
There's a possibility that your
replication user account's password
expired.<br>
<br>
>> 3. I assume that upon repairing
replication (apparently it has not been<br>
working for several years) the systems
will all replicate to the most<br>
recent information. Correct?<br>
I think that's the tricky part. Make
sure you backup your directory on all<br>
the LDAP first so you have something to
roll back. I *believe* the last<br>
step when setting up replication is
initializing the directory and that<br>
will wipe out directory on the other
LDAP. Someone on the list might be<br>
able to provide a better on this but I
am just giving you a heads up that<br>
this can be a complicated process.<br>
<br>
Good luck<br>
<br>
- David<br>
<br>
2012/3/21 Herb Burnswell <<a href="mailto:herbert.burnswell@gmail.com" target="_blank">herbert.burnswell@gmail.com</a>><br>
<br>
> Hi All,<br>
><br>
> I'm new to LDAP administration and
have been tasked with fixing the system<br>
> replication of 4 Linux systems
running Fedora Directory Services. I am<br>
> very comfortable working with
Linux/Unix but am not experienced with
LDAP.<br>
> I've been reading the
communications from this user group and
reading as<br>
> much as I can from documentation.
I believe this environment is not too<br>
> complex but I am looking for some
guidance, any assistance is greatly<br>
> appreciated.<br>
><br>
> Info:<br>
><br>
> OS: Fedora Core 4<br>
> LDAP: Fedora Directory Server v 7.1<br>
><br>
> First, I know that both the systems
and FDS versions are ancient.<br>
> However, at this point I need to
get the replication working prior to<br>
> putting together a migration plan.
I have access to the Directory Manager<br>
> console and am comfortable running
command line commands as well. Either<br>
> way is fine.<br>
><br>
> Questions:<br>
><br>
> 1. How can I find out which
system(s) is/are master, consumer, hub,
etc?<br>
><br>
> 2. How do I confirm that the
systems have the correct credentials for<br>
> replication? (I am receiving:
"Unable to acquire replica: Permission<br>
> denied.")<br>
> a. How can I change the bind dn
"cn=replication,cn=config" credentials<br>
> on each system to ensure
replication will work?<br>
><br>
> 3. I assume that upon repairing
replication (apparently it has not been<br>
> working for several years) the
systems will all replicate to the most<br>
> recent information. Correct?<br>
><br>
> Again, any guidance is greatly
appreciated.<br>
><br>
> Thanks in advance,<br>
><br>
> Herb<br>
><br>
> --<br>
> 389 users mailing list<br>
> <a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.fedoraproject.org/pipermail/389-users/attachments/20120322/edfe5e8f/attachment-0001.html" target="_blank">http://lists.fedoraproject.org/pipermail/389-users/attachments/20120322/edfe5e8f/attachment-0001.html</a>><br>
<br>
</blockquote>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br>
<fieldset></fieldset>
<br>
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</div>
<br>
<br>
<fieldset></fieldset>
<br>
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
</div></div></div></div></div></div></div>
</div><br>
</div><br>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>