Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...

Kevin McCarthy wrote:
>
> Dear List Members,
>
> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>
> A typical replication error log entry now follows (seen repeatedly at 
> both fedora DS servers):
>
> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from 
> server 2" (ukstatlap:636): Unable to acquire replica: permission 
> denied. The *bind dn ""* does not have permission to supply 
> replication updates to the replica. Will retry later.
>
> Believe me, I have been investigating this one for 2 or 3 days now 
> (having just switched from OpenLDAP, since multiple master replication 
> is required) before sending this submission, just in case I missed a 
> configuration item or work-around, but unfortunately no luck (so far).
>
> The only reference I can find for SSL Client Authentication based 
> Multiple Master replication (2 Linux RHEL 3 servers being used) that 
> supplies empty DNs, is the Windows specific entry (whose work-around I 
> tried anyway, but without success)?
>
> Unable to acquire replica: permission denied. The bind dn "" does not 
> have permission to supply replication updates to the replica. Will 
> retry later.
> To work around the problem, after you modify and save the replication 
> schedule of an agreement, refresh the console, reconfigure the 
> connection settings (to SSL client authentication) for the agreement, 
> and save your changes.
>
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>
> The mutual "Current Supplier DNs" are indeed set (cn=Replication 
> Manager,cn=replication,cn=config) and the corresponding directory 
> entries do exist.
>
> The respective server certificates and CA certificates are installed, 
> with Subject DN entries loaded.
>
What are the SubjectDNs in the server certificates?
>
> I do _not_ have Legacy Consumer enabled.
>
You don't need it.
>
> CertMapping is also defined (though with a NULL DN being supplied, I 
> guess that will not be kicking in just yet, though there are entries 
> for the exact subject DN anyway.)
>
You might want to post your certmap.conf and see here - 
http://directory.fedora.redhat.com/wiki/Howto:CertMapping
>
> When using simple authentication, with or without SSL, all is well 
> (although replication did require both servers to Initialize the 
> Consumer, I thought that only one was required e.g. ID 1 initializing 
> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way 
> replication was achieved).
>
That's odd. You should only need to initialize once one way.
>
> Any suggestions will be _most_ gratefully received!
>
> Regards,
>
> Kevin
>
