[Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
Richard Megginson
rmeggins at redhat.com
Thu Jun 29 12:02:07 UTC 2006
Kevin McCarthy wrote:
>
> Dear List Members,
>
> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>
> A typical replication error log entry now follows (seen repeatedly at
> both fedora DS servers):
>
> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> server 2" (ukstatlap:636): Unable to acquire replica: permission
> denied. The *bind dn ""* does not have permission to supply
> replication updates to the replica. Will retry later.
>
> Believe me, I have been investigating this one for 2 or 3 days now
> (having just switched from OpenLDAP, since multiple master replication
> is required) before sending this submission, just in case I missed a
> configuration item or work-around, but unfortunately no luck (so far).
>
> The only reference I can find for SSL Client Authentication based
> Multiple Master replication (2 Linux RHEL 3 servers being used) that
> supplies empty DNs, is the Windows specific entry (whose work-around I
> tried anyway, but without success)…
>
> Unable to acquire replica: permission denied. The bind dn "" does not
> have permission to supply replication updates to the replica. Will
> retry later.
> To workaround the problem, after you modify and save the replication
> schedule of an agreement, refresh the console, reconfigure the
> connection settings (to SSL client authentication) for the agreement,
> and save your changes.
>
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>
> The mutual “Current Supplier DNs” are indeed set (cn=Replication
> Manager,cn=replication,cn=config) and the corresponding directory
> entries do exist.
>
> The respective server certificates and CA certificates are installed,
> with Subject DN entries loaded.
>
What are the SubjectDNs in the server certificates?
>
> I do _not_ have Legacy Consumer enabled.
>
You don't need it.
>
> CertMapping is also defined (though with a NULL DN being supplied, I
> guess that will not be kicking in just yet, though there are entries
> for the exact subject DN anyway.)
>
You might want to post your certmap.conf and see here -
http://directory.fedora.redhat.com/wiki/Howto:CertMapping
>
> When using simple authentication, with or without SSL, all is well
> (although replication did require both servers to Initialize the
> Consumer, I thought that only one was required e.g. ID 1 initializing
> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
> replication was achieved).
>
That's odd. You should only need to initialize once one way.
>
> Any suggestions will be _most_ gratefully received!
>
> Regards,
>
> Kevin
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20060629/e8664663/attachment.bin>
More information about the 389-users
mailing list