On Wednesday 12 December 2007 4:02 pm, Rich Megginson wrote: > Chris G. Sellers wrote: > > Sorry for jumping in here (just joined the list) but it sounds like > > your replication user is being blocked by an ACI that you have > > applied. These could be explicit or inherited from a parent OU in the > > tree. > > And you should definitely be able to see something in the access log for > host=infinity.xxx.ec.gc.ca. Keep in mind that the access log is > buffered so events will not show up for a few minutes if there is no > other activity. > > > Make sure your Replication User is not part of a ACI or make it part > > of a new ACI that allows objectclass=* full permissions. Ok I think I got it. After looking closer at the console log file and this line DSEntrySet.getAttributes(): failed to get attribute description in cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn="dc=xxx,dc=ec,dc=gc,dc=ca",cn=mapping tree,cn=config I went and manually added a description attribute for the replication agreement and I no longer am getting prompted for authentication. So I'll just modify my sub and have it create some kind of default description attribute. Still get the ReplicationAgreement.updateAgreementFromServer: unable to read the replica number of changes from {host=ywgldap1.isb.ec.gc.ca} {port=389} {authdn=cn=Directory Manager} ReplicationAgreement.updateAgreementFromServer: unable to read the replica refresh attribute {host=ywgldap1.isb.ec.gc.ca} {port=389} {authdn=cn=Directory Manager} ReplicationAgreement.updateAgreementFromServer: unable to read the consumer initialization status attribute (nsds5replicalastinitstatus) {host=ywgldap1.isb.ec.gc.ca} {port=389} {authdn=cn=Directory Manager} But I'm guessing those are more informative type messages then error messages. Ryan