Hi,
I have two 389-ds servers. I want them to do multi-master replication to each other. Beyond these 2, there are no other servers.
I tried to do this via the command-line, following RedHat's guide [2].
However, /var/log/dirsrv/slapd-*/errors says this:
[18/Mar/2014:15:02:10 -0500] NSMMReplicationPlugin - conn=22 op=3 replica="o=infinityhealthcare.com": Unable to acquire replica: error: permission denied
[18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin - agmt="cn=o-ihccom-to-ds2" (test-ds2:389): Unable to acquire replica: permission denied. The bind dn "uid=replica-manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.
[18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Unable to acquire replica: permission denied. The bind dn "uid=replica-manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.
Any ideas what to do to fix?
In case it helps explain the problem, here is what one of the replication agreements looks like:
dn: cn=dc-ihc-dc-com-to-ds2,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds2
cn: dc-ihc-dc-com-to-ds2
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds2.infinityhealthcare.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM=
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 3 Replication error acquiring replica: permission denied
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
and here is the replica on the other server, that this agreement refers to:
dn: cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaId: 7
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsState:: BwAAAAAAAACSnChTAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAA==
nsDS5ReplicaName: 8d64c603-aecc11e3-b040c130-71875861
nsds5ReplicaChangeCount: 0
nsds5replicareapactive: 0
[1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/...
[2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/...
Thanks,
I reset the password of the replicaBindDn on both servers, and this error stopped occurring.
However, I have a new error now:
[18/Mar/2014:16:22:24 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Replica has a different generation ID than the local data.
and the replication agreement has a different status now:
dn: cn=dc-ihc-dc-com-to-ds2,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds2
cn: dc-ihc-dc-com-to-ds2
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds2.infinityhealthcare.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM=
nsds50ruv: {replicageneration} 532892e8000000070000
nsds50ruv: {replica 7 ldap://test-ds2.infinityhealthcare.com:389}
nsds50ruv: {replica 14 ldap://test-ds1.infinityhealthcare.com:389}
nsruvReplicaLastModified: {replica 7 ldap://test-ds2.infinityhealthcare.com:389} 00000000
nsruvReplicaLastModified: {replica 14 ldap://test-ds1.infinityhealthcare.com:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20140318212415Z
nsds5replicaLastUpdateEnd: 20140318212415Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
Any ideas?
Thanks,
Jon
----- Original Message -----
From: "Jon Detert" jdetert@infinityhealthcare.com
To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
Sent: Tuesday, March 18, 2014 3:59:10 PM
Subject: [389-users] multi-master replication setup problem: both suppliers do "not have permission to supply replication updates to the replica"
On 03/18/2014 05:27 PM, Jon Detert wrote:
> I reset the password of the replicaBindDn on both servers, and this error stopped occurring.
> However, I have a new error now:
> [18/Mar/2014:16:22:24 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Replica has a different generation ID than the local data.
This is expected now that you resolved the replica bind issue. This message is stating that the remote replica has not been initialized yet, or it was overwritten, and it needs to be reinitialized.
This should help you:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/...
Regards, Mark
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
That fixed the problem.
Only thing is, when I created the replicationAgreement, I included the attribute "nsds5BeginReplicaRefresh: start". Why then did I have to re-init? I realized it couldn't start when I 1st created the agreement because I had the wrong credentials. But why did I have to tell it to start again? Does the refresh attr automatically change after each replication attempt?
Thanks,
Jon
----- Original Message -----
From: "Mark Reynolds" mareynol@redhat.com
To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
Cc: "Jon Detert" jdetert@infinityhealthcare.com
Sent: Wednesday, March 19, 2014 11:26:23 AM
Subject: Re: [389-users] multi-master replication setup problem: both suppliers do "not have permission to supply replication updates to the replica"
-- Mark Reynolds 389 Development Team Red Hat, Inc mreynolds@redhat.com
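A triage helper for the two failures discussed in this thread, added here as an example and not code from any poster or from the 389-ds project: it classifies the NSMMReplicationPlugin lines quoted above and builds the ldapmodify LDIF that starts initialization through nsds5BeginReplicaRefresh. The function names are hypothetical, and the DN escaping covers only `=` and `,`, as seen in the posted entries.

```python
import re

# Shapes of the NSMMReplicationPlugin lines quoted in the thread: "agmt=" lines
# concern an outgoing agreement, "conn=" lines an incoming replication session.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin - '
    r'(?:agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)'
    r'|conn=\d+ op=\d+ replica="(?P<replica>[^"]+)"): (?P<msg>.*)$')
BIND_DN_RE = re.compile(r'The bind dn "([^"]+)" does not have permission')

def classify(line):
    """Parse one errors-log line; return None for lines of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    if "permission denied" in msg:
        kind = "bind-rejected"  # the replica refused the supplier's bind DN or password
    elif "different generation ID" in msg:
        kind = "needs-init"     # the remote replica has not been initialized yet
    else:
        kind = "other"
    dn = BIND_DN_RE.search(msg)
    return {"ts": m.group("ts"), "kind": kind,
            "subject": m.group("agmt") or m.group("replica"),
            "peer": m.group("peer"), "bind_dn": dn.group(1) if dn else None}

def latest_state(lines):
    """Map each agreement or replica to the kind of its most recent message."""
    state = {}
    for rec in filter(None, map(classify, lines)):
        state[rec["subject"]] = rec["kind"]
    return state

def agreement_dn(agmt_cn, suffix):
    # The mapping-tree RDN carries the suffix with '=' and ',' hex-escaped,
    # as in the agreement entries posted in the thread.
    escaped = suffix.replace("=", r"\3D").replace(",", r"\2C")
    return f"cn={agmt_cn},cn=replica,cn={escaped},cn=mapping tree,cn=config"

def reinit_ldif(agmt_cn, suffix):
    """LDIF for ldapmodify on the supplier; asks it to initialize the consumer."""
    return (f"dn: {agreement_dn(agmt_cn, suffix)}\n"
            "changetype: modify\n"
            "replace: nsds5BeginReplicaRefresh\n"
            "nsds5BeginReplicaRefresh: start\n")

# Log lines copied from the messages in this thread.
SAMPLE = [
    '[18/Mar/2014:15:02:10 -0500] NSMMReplicationPlugin - conn=22 op=3 replica="o=infinityhealthcare.com": Unable to acquire replica: error: permission denied',
    '[18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Unable to acquire replica: permission denied. The bind dn "uid=replica-manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.',
    '[18/Mar/2014:16:22:24 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Replica has a different generation ID than the local data.',
]

if __name__ == "__main__":
    print(latest_state(SAMPLE))
    print(reinit_ldif("dc-ihc-dc-com-to-ds2", "dc=infinityhealthcare,dc=com"))
```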