[Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
Kevin McCarthy
kevin.mccarthy at teligent.co.uk
Wed Jun 28 17:49:38 UTC 2006
Dear List Members,
Release: fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm
A typical replication error log entry now follows (seen repeatedly at both
fedora DS servers):
[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The
bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
Believe me, I have been investigating this one for 2 or 3 days now (having
just switched from OpenLDAP, since multiple master replication is required)
before sending this submission, just in case I missed a configuration item
or work-around, but unfortunately no luck (so far).
The only reference I can find for SSL Client Authentication based Multiple
Master replication (2 Linux RHEL 3 servers being used) that supplies empty
DNs, is the Windows specific entry (whose work-around I tried anyway, but
without success).
Unable to acquire replica: permission denied. The bind dn "" does not have
permission to supply replication updates to the replica. Will retry later.
To workaround the problem, after you modify and save the replication
schedule of an agreement, refresh the console, reconfigure the connection
settings (to SSL client authentication) for the agreement, and save your
changes.
http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.ht
ml
The mutual "Current Supplier DNs" are indeed set (cn=Replication
Manager,cn=replication,cn=config) and the corresponding directory entries do
exist.
The respective server certificates and CA certificates are installed, with
Subject DN entries loaded.
I do not have Legacy Consumer enabled.
CertMapping is also defined (though with a NULL DN being supplied, I guess
that will not be kicking in just yet, though there are entries for the exact
subject DN anyway.)
When using simple authentication, with or without SSL, all is well (although
replication did require both servers to Initialize the Consumer, I thought
that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed
to initialize ID 1 before successful 2-way replication was achieved).
Any suggestions will be most gratefully received!
Regards,
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20060628/f5011ecc/attachment.html>
More information about the 389-users
mailing list