[389-users] multi-master replication setup problem: both suppliers do "not have permission to supply replication updates to the replica"

Jon Detert jdetert at infinityhealthcare.com
Tue Mar 18 21:27:26 UTC 2014 

I reset the password of the replicaBindDn on both servers, and this error stopped occurring.

However, I have a new error now:

[18/Mar/2014:16:22:24 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Replica has a different generation ID than the local data.

and the replication agreement has a different status now:

dn: cn=dc-ihc-dc-com-to-ds2,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c
 n=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds2
cn: dc-ihc-dc-com-to-ds2
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds2.infinityhealthcare.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis
 t accountUnlockTime memberof
nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM=
nsds50ruv: {replicageneration} 532892e8000000070000
nsds50ruv: {replica 7 ldap://test-ds2.infinityhealthcare.com:389}
nsds50ruv: {replica 14 ldap://test-ds1.infinityhealthcare.com:389}
nsruvReplicaLastModified: {replica 7 ldap://test-ds2.infinityhealthcare.com:38
 9} 00000000
nsruvReplicaLastModified: {replica 14 ldap://test-ds1.infinityhealthcare.com:3
 89} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20140318212415Z
nsds5replicaLastUpdateEnd: 20140318212415Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

Any ideas?

Thanks,

Jon


----- Original Message -----
> From: "Jon Detert" <jdetert at infinityhealthcare.com>
> To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Sent: Tuesday, March 18, 2014 3:59:10 PM
> Subject: [389-users] multi-master replication setup problem: both suppliers do "not have permission to supply
> replication updates to the replica"
> 
> Hi,
> 
> I have two 389-ds servers.  I want them to do multi-master replication to
> each other.  Beyond these 2, there are no other servers.
> 
> I tried to do this via the command-line, following RedHat's guide [2].
> 
> However, /var/log/dirsrv/slapd-*/errors says this:
> 
> [18/Mar/2014:15:02:10 -0500] NSMMReplicationPlugin - conn=22 op=3
> replica="o=infinityhealthcare.com": Unable to acquire replica: error:
> permission denied
> [18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin -
> agmt="cn=o-ihccom-to-ds2" (test-ds2:389): Unable to acquire replica:
> permission denied. The bind dn "uid=replica-manager,cn=config" does not have
> permission to supply replication updates to the replica. Will retry later.
> [18/Mar/2014:15:07:02 -0500] NSMMReplicationPlugin -
> agmt="cn=dc-ihc-dc-com-to-ds2" (test-ds2:389): Unable to acquire replica:
> permission denied. The bind dn "uid=replica-manager,cn=config" does not have
> permission to supply replication updates to the replica. Will retry later.
> 
> Any ideas what to do to fix?
> 
> In case it helps explain the problem, here is what one of the replication
> agreements looks like:
> 
> dn:
> cn=dc-ihc-dc-com-to-ds2,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c
>  n=mapping tree,cn=config
> objectClass: top
> objectClass: nsDS5ReplicationAgreement
> description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds2
> cn: dc-ihc-dc-com-to-ds2
> nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
> nsDS5ReplicaHost: test-ds2.infinityhealthcare.com
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: uid=replica-manager,cn=config
> nsDS5ReplicaBindMethod: SIMPLE
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
> authorityRevocationLis
>  t accountUnlockTime memberof
> nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM=
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 0
> nsds5replicaLastUpdateEnd: 0
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 3 Replication error acquiring replica:
> permissio
>  n denied
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 0
> nsds5replicaLastInitEnd: 0
> 
> and here is the replica on the other server, that this agreement refers to:
> 
> dn: cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping
> tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
> nsDS5ReplicaId: 7
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: uid=replica-manager,cn=config
> nsState:: BwAAAAAAAACSnChTAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAA==
> nsDS5ReplicaName: 8d64c603-aecc11e3-b040c130-71875861
> nsds5ReplicaChangeCount: 0
> nsds5replicareapactive: 0
> 
> 
> [1]
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Configuring_Multi_Master_Replication.html
> 
> 
> [2]
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Configuring-Replication-cmd.html

More information about the 389-users mailing list