Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...


 



Dear List Members,

 

Release: fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm

 

A typical replication error log entry now follows (seen repeatedly at both
fedora DS servers):

 

[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The
bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.

 

 

 

Believe me, I have been investigating this one for 2 or 3 days now (having
just switched from OpenLDAP, since multiple master replication is required)
before sending this submission, just in case I missed a configuration item
or work-around, but unfortunately no luck (so far).

 

 

The only reference I can find for SSL Client Authentication based Multiple
Master replication (2 Linux RHEL 3 servers being used) that supplies empty
DNs, is the Windows specific entry (whose work-around I tried anyway, but
without success).

 

Unable to acquire replica: permission denied. The bind dn "" does not have
permission to supply replication updates to the replica. Will retry later. 
To workaround the problem, after you modify and save the replication
schedule of an agreement, refresh the console, reconfigure the connection
settings (to SSL client authentication) for the agreement, and save your
changes.

http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html

 

The mutual "Current Supplier DNs" are indeed set (cn=Replication
Manager,cn=replication,cn=config) and the corresponding directory entries do
exist.

 

The respective server certificates and CA certificates are installed, with
Subject DN entries loaded.

 

I do not have Legacy Consumer enabled.

 

CertMapping is also defined (though with a NULL DN being supplied, I guess
that will not be kicking in just yet, though there are entries for the exact
subject DN anyway.)

 

 

When using simple authentication, with or without SSL, all is well (although
replication did require both servers to Initialize the Consumer, I thought
that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed
to initialize ID 1 before successful 2-way replication was achieved).

 

 

Any suggestions will be most gratefully received!

 

Regards,

Kevin
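
A triage helper for the error-log entry quoted in the post, as an added example that is not part of the original message or of Fedora DS itself: it re-joins hard-wrapped log lines and extracts the agreement name, consumer host and port, and the logged bind DN, marking entries where that DN is empty. The function names and the second sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the entry quoted in the post, hard-wrapped as in the
# mail, plus one constructed entry that logs a non-empty (made-up) bind DN.
SAMPLE = '''\
[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The
bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[28/Jun/2006:18:34:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "cn=example,cn=config" does not have permission to supply replication updates to the replica. Will retry later.
'''

# A new entry starts with a bracketed timestamp; anything else is a continuation.
TS = re.compile(r'^\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ')
DENIED = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]*)" '
    r'\((?P<host>[^:()]+):(?P<port>\d+)\): Unable to acquire replica: '
    r'permission denied\. The bind dn "(?P<dn>[^"]*)"')

def unwrap(text):
    """Join wrapped continuation lines onto the timestamped line they follow."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += ' ' + line
    return entries

def denied_binds(text):
    """Return one dict per 'permission denied' replication entry."""
    out = []
    for entry in unwrap(text):
        m = DENIED.match(entry)
        if m:
            rec = m.groupdict()
            rec['port'] = int(rec['port'])
            rec['empty_dn'] = rec['dn'] == ''  # the case reported in the post
            out.append(rec)
    return out

def summarize(text):
    """Count denials per (agreement, logged bind DN)."""
    return Counter((r['agmt'], r['dn']) for r in denied_binds(text))
```
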

 


