Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear List Members,

 

Release: fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm

 

A typical replication error log entry now follows (seen repeatedly at both fedora DS servers):

 

[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.

 

 

 

Believe me, I have been investigating this one for 2 or 3 days now (having just switched from OpenLDAP, since multiple master replication is required) before sending this submission, just in case I missed a configuration item or work-around, but unfortunately no luck (so far).

 

 

The only reference I can find for SSL Client Authentication based Multiple Master replication (2 Linux RHEL 3 servers being used) that supplies empty DNs, is the Windows specific entry (whose work-around I tried anyway, but without success)…

 

Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
To workaround the problem, after you modify and save the replication schedule of an agreement, refresh the console, reconfigure the connection settings (to SSL client authentication) for the agreement, and save your changes.

http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html

 

The mutual “Current Supplier DNs” are indeed set (cn=Replication Manager,cn=replication,cn=config) and the corresponding directory entries do exist.

 

The respective server certificates and CA certificates are installed, with Subject DN entries loaded.

 

I do not have Legacy Consumer enabled.

 

CertMapping is also defined (though with a NULL DN being supplied, I guess that will not be kicking in just yet, though there are entries for the exact subject DN anyway.)

 

 

When using simple authentication, with or without SSL, all is well (although replication did require both servers to Initialize the Consumer, I thought that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way replication was achieved).

 

 

Any suggestions will be most gratefully received!

 

Regards,

Kevin

 

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux