Re: Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...

Kevin McCarthy wrote:

> Dear List Members,
>
> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>
> A typical replication error log entry now follows (seen repeatedly at both fedora DS servers):
>
> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The *bind dn ""* does not have permission to supply replication updates to the replica. Will retry later.
>
> Believe me, I have been investigating this one for 2 or 3 days now (having just switched from OpenLDAP, since multiple master replication is required) before sending this submission, just in case I missed a configuration item or work-around, but unfortunately no luck (so far).
>
> The only reference I can find for SSL Client Authentication based Multiple Master replication (2 Linux RHEL 3 servers being used) that supplies empty DNs, is the Windows specific entry (whose work-around I tried anyway, but without success)…
>
> Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later. To workaround the problem, after you modify and save the replication schedule of an agreement, refresh the console, reconfigure the connection settings (to SSL client authentication) for the agreement, and save your changes.
>
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>
> The mutual “Current Supplier DNs” are indeed set (cn=Replication Manager,cn=replication,cn=config) and the corresponding directory entries do exist.
>
> The respective server certificates and CA certificates are installed, with Subject DN entries loaded.

What are the SubjectDNs in the server certificates?

> I do _not_ have Legacy Consumer enabled.

You don't need it.

> CertMapping is also defined (though with a NULL DN being supplied, I guess that will not be kicking in just yet, though there are entries for the exact subject DN anyway.)

You might want to post your certmap.conf and see here - http://directory.fedora.redhat.com/wiki/Howto:CertMapping

> When using simple authentication, with or without SSL, all is well (although replication did require both servers to Initialize the Consumer, I thought that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way replication was achieved).

That's odd. You should only need to initialize once one way.

> Any suggestions will be _most_ gratefully received!
>
> Regards,
>
> Kevin

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
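
An added example, not part of the original thread: a small triage script for the replication error quoted above. It pulls the "permission denied" entries out of an errors log and separates those reporting an empty bind DN from those naming a DN. Only the first sample line comes from the thread; the other lines, `consumer.example.com` and the second agreement name are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample input: line 1 is the entry quoted in the thread (without
# the e-mail emphasis asterisks); the remaining lines are made up in the same format.
SAMPLE_LOG = """\
[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[28/Jun/2006:18:34:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[28/Jun/2006:18:35:02 +0100] NSMMReplicationPlugin - agmt="cn=example agreement" (consumer.example.com:636): Unable to acquire replica: permission denied. The bind dn "cn=someone,dc=example,dc=com" does not have permission to supply replication updates to the replica. Will retry later.
[28/Jun/2006:18:36:00 +0100] some other plugin - unrelated message
"""

# Matches the message format shown in the thread; \*? tolerates pasted emphasis marks.
DENIED = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\): Unable to acquire replica: '
    r'permission denied\. The \*?bind dn "(?P<dn>[^"]*)"\*? does not have permission'
)

def parse_denials(text):
    """Return one dict per 'permission denied' replication entry."""
    events = []
    for line in text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["port"] = int(ev["port"])
        # Empty DN, as in the thread: no bind identity was reported for the connection.
        # Non-empty DN: an identity was reported but it is not a permitted supplier.
        ev["kind"] = "no-identity" if ev["dn"] == "" else "identity-not-permitted"
        events.append(ev)
    return events

def summarize(events):
    """Group denials per agreement/consumer/kind with a count and time span."""
    out = {}
    for ev in events:
        key = (ev["agmt"], ev["host"], ev["port"], ev["kind"])
        s = out.setdefault(key, {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ev["ts"]), max(s["last"], ev["ts"])
    return out

if __name__ == "__main__":
    for key, s in summarize(parse_denials(SAMPLE_LOG)).items():
        print(key, s["count"], s["first"].isoformat(), s["last"].isoformat())
```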
