I started with two Redhat EL3U5 servers, setting up the newest available directory server (fedora-ds rpm) on each server with an identical configuration. I set up Single Master replication according to this guide: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1108849. That is, I created a 'cn=replication manager,cn=config' by pasting the example entry from the guide in the config/dse.ldif on the slave (consumer) server. I verified this account works by using LDAP Browser/Editor, I can log in and view my LDAP directory 'dc=foo,dc=net'. I cannot, however, add or delete any foo.net entries when logged in as the replication manager. When I configured a replication agreement on the master/supplier and restarted both servers, it errors out with:

NSMMReplicationPlugin - agmt="cn=myagreement" (192:1389): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.

I had specified the ip address of the slave/consumer server when setting up the replication agreement, but because it refers to it as '192:1389' in the logs I thought maybe it was looking for a hostname. Getting past the fact that it will not allow underscores in the consumer name (I assume this is a bug), I added an /etc/hosts entry for the consumer on the master and recreated the replication agreement and restarted both servers. I still have the same problem:

NSMMReplicationPlugin - agmt="cn=myagreement" (testappserver2:1389): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.

Any idea why this is happening? Shouldn't the replication manager have read/write permissions to the userRoot by default since it inherits all the administrator roles?