From: "Jon Detert" <jdetert(a)infinityhealthcare.com&gt; To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org&gt; Sent: Tuesday, March 18, 2014 3:59:10 PM Subject: [389-users] multi-master replication setup problem: both suppliers do "not have permission to supply replication updates to the replica" Hi, I have two 389-ds servers. I want them to do multi-master replication to each other. Beyond these 2, there are no other servers. I tried to do this via the command-line, following RedHat's guide [2]. However, /var/log/dirsrv/slapd-*/errors says this: [18/Mar/2014:15:02:10 -0500] NSMMReplicationPlugin - conn=22 op=3 replica="o=infinityhealthcare.com": Unable to acquire replica: error: permission denied [18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin - agmt="cn=o-ihccom-to-ds2" (test-ds2:389): Unable to acquire replica: permission denied. The bind dn "uid=replica-manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later. [18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Unable to acquire replica: permission denied. The bind dn "uid=replica-manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later. Any ideas what to do to fix? In case it helps explain the problem, here is what one of the replication agreements looks like: dn: cn=dc-ihc-dc-com-to-ds2,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c n=mapping tree,cn=config objectClass: top objectClass: nsDS5ReplicationAgreement description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds2 cn: dc-ihc-dc-com-to-ds2 nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com nsDS5ReplicaHost: test-ds2.infinityhealthcare.com nsDS5ReplicaPort: 389 nsDS5ReplicaBindDN: uid=replica-manager,cn=config nsDS5ReplicaBindMethod: SIMPLE nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis t accountUnlockTime memberof nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM= nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 0 nsds5replicaLastUpdateEnd: 0 nsds5replicaChangesSentSinceStartup: nsds5replicaLastUpdateStatus: 3 Replication error acquiring replica: permissio n denied nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 0 nsds5replicaLastInitEnd: 0 and here is the replica on the other server, that this agreement refers to: dn: cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replica objectClass: extensibleObject cn: replica nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com nsDS5ReplicaId: 7 nsDS5ReplicaType: 3 nsDS5Flags: 1 nsds5ReplicaPurgeDelay: 604800 nsDS5ReplicaBindDN: uid=replica-manager,cn=config nsState:: BwAAAAAAAACSnChTAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAA== nsDS5ReplicaName: 8d64c603-aecc11e3-b040c130-71875861 nsds5ReplicaChangeCount: 0 nsds5replicareapactive: 0 [1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv... [2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv...

From: "Mark Reynolds" <mareynol(a)redhat.com&gt; To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org&gt; Cc: "Jon Detert" <jdetert(a)infinityhealthcare.com&gt; Sent: Wednesday, March 19, 2014 11:26:23 AM Subject: Re: [389-users] multi-master replication setup problem: both suppliers do "not have permission to supply replication updates to the replica" On 03/18/2014 05:27 PM, Jon Detert wrote: > I reset the password of the replicaBindDn on both servers, and this error > stopped occurring. > > However, I have a new error now: > > [18/Mar/2014:16:22:24 -0500] NSMMReplicationPlugin - > agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Replica has a different > generation ID than the local data. This is expected now that you resolved the replica bind issue. This message is stating that the remote replica has not been initialized yet, or it was overwritten, and it needs to be reinitialized. This should help you: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv... Regards, Mark > > and the replication agreement has a different status now: > > dn: > cn=dc-ihc-dc-com-to-ds2,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c > n=mapping tree,cn=config > objectClass: top > objectClass: nsDS5ReplicationAgreement > description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds2 > cn: dc-ihc-dc-com-to-ds2 > nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com > nsDS5ReplicaHost: test-ds2.infinityhealthcare.com > nsDS5ReplicaPort: 389 > nsDS5ReplicaBindDN: uid=replica-manager,cn=config > nsDS5ReplicaBindMethod: SIMPLE > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE > authorityRevocationLis > t accountUnlockTime memberof > nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM= > nsds50ruv: {replicageneration} 532892e8000000070000 > nsds50ruv: {replica 7 ldap://test-ds2.infinityhealthcare.com:389} > nsds50ruv: {replica 14 ldap://test-ds1.infinityhealthcare.com:389} > nsruvReplicaLastModified: {replica 7 > ldap://test-ds2.infinityhealthcare.com:38 > 9} 00000000 > nsruvReplicaLastModified: {replica 14 > ldap://test-ds1.infinityhealthcare.com:3 > 89} 00000000 > nsds5replicareapactive: 0 > nsds5replicaLastUpdateStart: 20140318212415Z > nsds5replicaLastUpdateEnd: 20140318212415Z > nsds5replicaChangesSentSinceStartup: > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental > upd > ate started > nsds5replicaUpdateInProgress: FALSE > nsds5replicaLastInitStart: 0 > nsds5replicaLastInitEnd: 0 > > Any ideas? > > Thanks, > > Jon > > > ----- Original Message ----- >> From: "Jon Detert" <jdetert(a)infinityhealthcare.com&gt; >> To: "General discussion list for the 389 Directory server project." >> <389-users(a)lists.fedoraproject.org&gt; >> Sent: Tuesday, March 18, 2014 3:59:10 PM >> Subject: [389-users] multi-master replication setup problem: both >> suppliers do "not have permission to supply >> replication updates to the replica" >> >> Hi, >> >> I have two 389-ds servers. I want them to do multi-master replication to >> each other. Beyond these 2, there are no other servers. >> >> I tried to do this via the command-line, following RedHat's guide [2]. >> >> However, /var/log/dirsrv/slapd-*/errors says this: >> >> [18/Mar/2014:15:02:10 -0500] NSMMReplicationPlugin - conn=22 op=3 >> replica="o=infinityhealthcare.com": Unable to acquire replica: error: >> permission denied >> [18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin - >> agmt="cn=o-ihccom-to-ds2" (test-ds2:389): Unable to acquire replica: >> permission denied. The bind dn "uid=replica-manager,cn=config" does not >> have >> permission to supply replication updates to the replica. Will retry later. >> [18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin - >> agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Unable to acquire replica: >> permission denied. The bind dn "uid=replica-manager,cn=config" does not >> have >> permission to supply replication updates to the replica. Will retry later. >> >> Any ideas what to do to fix? >> >> In case it helps explain the problem, here is what one of the replication >> agreements looks like: >> >> dn: >> cn=dc-ihc-dc-com-to-ds2,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c >> n=mapping tree,cn=config >> objectClass: top >> objectClass: nsDS5ReplicationAgreement >> description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds2 >> cn: dc-ihc-dc-com-to-ds2 >> nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com >> nsDS5ReplicaHost: test-ds2.infinityhealthcare.com >> nsDS5ReplicaPort: 389 >> nsDS5ReplicaBindDN: uid=replica-manager,cn=config >> nsDS5ReplicaBindMethod: SIMPLE >> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE >> authorityRevocationLis >> t accountUnlockTime memberof >> nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM= >> nsds5replicareapactive: 0 >> nsds5replicaLastUpdateStart: 0 >> nsds5replicaLastUpdateEnd: 0 >> nsds5replicaChangesSentSinceStartup: >> nsds5replicaLastUpdateStatus: 3 Replication error acquiring replica: >> permissio >> n denied >> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 0 >> nsds5replicaLastInitEnd: 0 >> >> and here is the replica on the other server, that this agreement refers >> to: >> >> dn: cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping >> tree,cn=config >> objectClass: top >> objectClass: nsds5replica >> objectClass: extensibleObject >> cn: replica >> nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com >> nsDS5ReplicaId: 7 >> nsDS5ReplicaType: 3 >> nsDS5Flags: 1 >> nsds5ReplicaPurgeDelay: 604800 >> nsDS5ReplicaBindDN: uid=replica-manager,cn=config >> nsState:: BwAAAAAAAACSnChTAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAA== >> nsDS5ReplicaName: 8d64c603-aecc11e3-b040c130-71875861 >> nsds5ReplicaChangeCount: 0 >> nsds5replicareapactive: 0 >> >> >> [1] >> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv... >> >> >> [2] >> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv... > -- > 389 users mailing list > 389-users(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/389-users -- Mark Reynolds 389 Development Team Red Hat, Inc mreynolds(a)redhat.com