Kevin McCarthy wrote:
>
> Dear List Members,
>
> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>
> A typical replication error log entry now follows (seen repeatedly at
> both fedora DS servers):
>
> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> server 2" (ukstatlap:636): Unable to acquire replica: permission
> denied. The *bind dn ""* does not have permission to supply
> replication updates to the replica. Will retry later.
>
> Believe me, I have been investigating this one for 2 or 3 days now
> (having just switched from OpenLDAP, since multiple master replication
> is required) before sending this submission, just in case I missed a
> configuration item or work-around, but unfortunately no luck (so far).
>
> The only reference I can find for SSL Client Authentication based
> Multiple Master replication (2 Linux RHEL 3 servers being used) that
> supplies empty DNs, is the Windows specific entry (whose work-around I
> tried anyway, but without success)?
>
> Unable to acquire replica: permission denied. The bind dn "" does not
> have permission to supply replication updates to the replica. Will
> retry later.
> To workaround the problem, after you modify and save the replication
> schedule of an agreement, refresh the console, reconfigure the
> connection settings (to SSL client authentication) for the agreement,
> and save your changes.
>
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>
> The mutual "Current Supplier DNs" are indeed set (cn=Replication
> Manager,cn=replication,cn=config) and the corresponding directory
> entries do exist.
>
> The respective server certificates and CA certificates are installed,
> with Subject DN entries loaded.

What are the SubjectDNs in the server certificates?

>
> I do _not_ have Legacy Consumer enabled.

You don't need it.
>
> CertMapping is also defined (though with a NULL DN being supplied, I
> guess that will not be kicking in just yet, though there are entries
> for the exact subject DN anyway.)

You might want to post your certmap.conf and see here - http://directory.fedora.redhat.com/wiki/Howto:CertMapping

>
> When using simple authentication, with or without SSL, all is well
> (although replication did require both servers to Initialize the
> Consumer, I thought that only one was required e.g. ID 1 initializing
> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
> replication was achieved).

That's odd. You should only need to initialize once one way.

>
> Any suggestions will be _most_ gratefully received!
>
> Regards,
>
> Kevin