Rocio Quirantes
2009-Feb-18 10:56 UTC
[Fedora-directory-users] Problems with multimaster replication configuration
Hello, I'm trying to configure multimaster replication with two servers, and I get a permission error when the supplier tries to send the copy to the consumer. This is the error I get:

supplier: ldap1 -> NSMMReplicationPlugin - agmt="cn=ldap1" (ldap2:636): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.
consumer: ldap2 -> NSMMReplicationPlugin - conn=245 op=3 replica="dc=example,dc=es": Unable to acquire replica: error: permission denied

The other way:

supplier: ldap2 -> NSMMReplicationPlugin - agmt="cn=ldap2" (ldap1:636): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.
consumer: ldap1 -> NSMMReplicationPlugin - conn=32 op=3 replica="dc=example,dc=es": Unable to acquire replica: error: permission denied

I have followed the configuration manual from Red Hat to configure the multimaster from:
http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#74262

This is my configuration:

dn: cn=replication manager,cn=config
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: {SSHA} XXX
passwordExpirationTime: 20380119031407Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifyTimestamp: 20090217141706Z

dn: cn=legacy consumer,cn=replication,cn=config
objectClass: top
objectClass: extensibleObject
cn: legacy consumer
nsslapd-legacy-updatedn: cn=replication manager,cn=config
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20090216083802Z
modifyTimestamp: 20090216100926Z
nsslapd-legacy-updatepw: {SHA} xxx

dn: cn=replica,cn="dc=example,dc=es",cn=mapping tree, cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=example,dc=es
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 1
nsds5ReplicaPurgeDelay: 604800
cn: replica
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20090217095448Z
modifyTimestamp: 20090218092048Z
nsState:: AQAAANnSm0kAAAAAAAAAAAEAAAA
nsDS5ReplicaName: 000df382-1dd211b2-a7f6fad4-efd80000
nsDS5ReplicaBindDN: cn=replication manager,cn=config
numSubordinates: 1

dn: cn=ldap1, cn=replica, cn="dc=example,dc=es", cn=mapping tree, cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: Replicacion multimaster entre ldap1 y ldap2
cn: ldap1
nsDS5ReplicaRoot: dc=example,dc=es
nsDS5ReplicaHost: ldap2.example.es
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES} xxxx
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20090217100103Z
modifyTimestamp: 20090218103445Z

dn: cn=ldap2, cn=replica, cn="dc=example,dc=es", cn=mapping tree, cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: Replicacion multimaster entre ldap2 y ldap1
cn: ldap1
nsDS5ReplicaRoot: dc=example,dc=es
nsDS5ReplicaHost: ldap1.example.es
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES} xxxx
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20090217100103Z
modifyTimestamp: 20090218103445Z

I can see where the error is, I hope you can help me
Thank you
--
Rocio Quirantes Rodal
Área de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 648 / +34 955 056 600 / FAX: +34 955 056 650
Consejería de Innovación, Ciencia y Empresa
Junta de Andalucía
--------------------------------------------------
This message is digitally signed. To recognize the
signature in your client, you must have the root
certificate of the CICA CA installed in it.
You can download it from:
http://pki.cica.es/cacert/
--------------------------------------------------
Visolve LDAP Group
2009-Feb-19 03:57 UTC
RE: [Fedora-directory-users] Problems with multimaster replication configuration
Hi Rocio Quirantes,

From your configuration I understood you are setting up replication between two master servers, say M1 and M2.

The rest of the configuration is fine. Once I too faced the same issue. I got it working by adding the following entry in both the servers M1 and M2. I am not clear on which server you added the cn=replication manager,cn=config entry (M1 or M2).

dn: cn=replication manager,cn=config
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: {SSHA} XXX
passwordExpirationTime: 20380119031407Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifyTimestamp: 20090217141706Z

If you added it in any one of the master servers, try adding it in both (in both M1 and M2) sides, because the read-write replicas in both master servers hold the nsDS5ReplicaBindDN: cn=replication manager,cn=config attribute.

So definitely each master will look for the cn=replication manager,cn=config entry in the other one.
Ex: M1 will search M2 for dn: cn=replication manager,cn=config and vice versa.

So if any one of the masters is not able to find the above entry it throws such an error.

Hope this will work.

Regards,
ViSolve LDAP Team
Rocio Quirantes
2009-Feb-19 08:08 UTC
Re: [Fedora-directory-users] Problems with multimaster replication configuration
Hello, I have the user in both servers but thank you. I solved the problem; it was about the password. I deactivated Legacy consumer, and I got the error:

[19/Feb/2009:08:58:10 +0100] NSMMReplicationPlugin - agmt="cn=ldap2" (ldap2:636): Simple bind resumed
[19/Feb/2009:08:58:10 +0100] NSMMReplicationPlugin - agmt="cn=ldap2" (ldap2:636): Replication bind to cn=replication manager,cn=config on consumer failed: 49 ()

And I realised that the problem was with the password: it had a { in it, but it appeared as a Ç, very strange.

Thank you again

--
Rocio Quirantes Rodal
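
Added example, not part of the thread or of the directory server's own code: result code 49 in the last log line is LDAP invalidCredentials, so this check tests offline whether a candidate replication password matches the {SSHA} userPassword in an LDIF dump of the consumer's bind entry, and flags non-ASCII characters such as the Ç reported above. The password, salt and LDIF are constructed sample data, and the function names (diagnose and its helpers) are hypothetical.

```python
import base64
import hashlib
import hmac

def norm_dn(dn):
    """Case- and space-insensitive DN key (enough to compare two dumps)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, unfolding continuation lines and 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 folded line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            current = None                    # blank line ends the entry
            continue
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        if attr.lower() == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def make_ssha(password, salt):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(password, stored):
    """True if the password bytes hash to the stored {SSHA} value."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return hmac.compare_digest(hashlib.sha1(password + blob[20:]).digest(), blob[:20])

def diagnose(consumer_ldif, bind_dn, password):
    """Findings for one replication bind password against a consumer's dump."""
    entry = parse_ldif(consumer_ldif).get(norm_dn(bind_dn))
    if entry is None:
        return ["bind DN entry not present on consumer"]
    stored = entry.get("userpassword", [""])[0]
    if not stored.upper().startswith("{SSHA}"):
        return ["userPassword is not an {SSHA} value; cannot check offline"]
    findings = []
    odd = sorted(c for c in set(password) if not 32 <= ord(c) <= 126)
    if odd:
        findings.append("non-ASCII characters in password: " + "".join(odd))
    if not check_ssha(password.encode("utf-8"), stored):
        findings.append("password does not match stored hash (simple bind returns 49)")
    return findings

# Constructed sample: the stored password has U+00C7 (Ç) where '{' was intended.
BIND_DN = "cn=replication manager,cn=config"
CONSUMER_LDIF = ("dn: cn=replication manager,\n cn=config\nsn: RM\nuserPassword: "
                 + make_ssha("Rep\u00c7l1ca".encode("utf-8"), b"\x01\x02\x03\x04") + "\n")
```

Calling diagnose(CONSUMER_LDIF, BIND_DN, "Rep{l1ca") reports the mismatch, while the same call with the Ç variant matches the hash but is flagged for the non-ASCII character.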