[pki-users] Error cloning CA

Mike Mercier mmercier at gmail.com
Wed May 20 17:54:12 UTC 2009


Hello,

I am attempting to do some testing with the Fedora PKI and Dogtag
systems and have run into an issue.

My setup is as follows:

Server-1 - Running fedora-ds and dogtag (dogtag uses the local
fedora-ds LDAP server as storage)
Server-2 - Running the same

Server-2 is acting as an LDAP replica for Server-1 (o=NetscapeRoot and
the primary dc are replicated; this *seems* to work fine: I can
create an entry on Server-1 and it will show up on Server-2)

On Server-1, I installed Dogtag 1.1.0 (via yum) and set up a CA - again
everything *seems* to work fine.  On Server-2 I then attempted to
clone the CA from Server-1.
Things go well until I get to the screen to specify where the backend
is located.  For the backend, I use the fedora-ds server located on
Server-2, I enter my credentials and then it seems to hang.

In /var/log/dirsrv/slapd-TEST/error on Server-2 I see some error
messages I can't seem to find reference to:


info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=<dc>';
entry ou=certificaterepository,ou=ca,dc=<dc> may not be added to
database yet  (this message shows up numerous times)
info: entrydn not indexed on 'ou=ca,ou=requests,dc=<dc>'; entry
ou=ca,ou=requests,dc=<dc> may not be added to database yet  (this
message shows up numerous times)
NSMMReplicationPlugin - agmt="cn=cloneAgreement1-server-2-pki-ca"
(service-2:389): Replica has a different generation ID than the local
data

I managed to get around the replication problem by (and this is
probably not the correct course of action):
1. Deleted the replication agreement on both systems
2. Exported the CA database on Server-1 and imported it into Server-2
3. Recreated the replication agreement

This allowed me to finally get past the screen listed above (where the
LDAP credentials have to be entered) but I still see this error on
Server-2:
Replica has a different generation ID than the local data

And on Server-1:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
referrals for replica dc=<dc>: 1


Is there a reason that the installation is not correctly setting up
the LDAP database and replication agreement?
Are there steps I have missed? I followed the directions in the Red Hat
Certificate Server Admin Guide.
Does this have something to do with replicating o=NetscapeRoot?

Thanks,
Mike
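The "Replica has a different generation ID than the local data" message in the post means the consumer's copy of the suffix was never initialized from the supplier, so the two databases do not share a replica generation. Added example, not part of the original post or of Dogtag/389-DS: a small shell helper that reads the replica generation ID of a suffix on each server from the RUV tombstone entry and compares them, so a mismatch can be confirmed before deciding to re-initialize the consumer. Hostnames, bind DN, password and suffix are placeholders; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: compare the replica generation ID of one suffix on two
# 389-DS/Fedora-DS servers. A different generation ID on the consumer means
# its database was not initialized from the supplier, which is what the
# poster worked around with an export/import.

# Read LDIF on stdin and print the {replicageneration} value of nsds50ruv.
# The RUV entry looks like:
#   nsds50ruv: {replicageneration} 4a1424d2000000010000
#   nsds50ruv: {replica 1 ldap://server-1:389} 4a1424d3000000010000 ...
extract_generation() {
    sed -n 's/^nsds50ruv: {replicageneration} *//p' | head -n 1
}

# Query one server for the RUV tombstone entry of SUFFIX and print its
# generation ID. Assumes ldapsearch (openldap-clients) is installed.
#   generation_of HOST BINDDN PASSWORD SUFFIX
generation_of() {
    host="$1"; binddn="$2"; pw="$3"; suffix="$4"
    ldapsearch -LLL -x -H "ldap://$host:389" -D "$binddn" -w "$pw" \
        -b "$suffix" \
        '(&(objectClass=nsTombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))' \
        nsds50ruv | extract_generation
}

# Return 0 when both IDs are present and equal, 1 otherwise.
compare_generations() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Offline demonstration on constructed LDIF (no live servers needed).
# Constructed sample: supplier and consumer with different generations.
SAMPLE_SUPPLIER='dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
nsds50ruv: {replicageneration} 4a1424d2000000010000
nsds50ruv: {replica 1 ldap://server-1:389} 4a1424d3000000010000'
SAMPLE_CONSUMER='dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
nsds50ruv: {replicageneration} 4a14c9f1000000020000
nsds50ruv: {replica 2 ldap://server-2:389} 4a14c9f2000000020000'

# Returns 0 if the constructed samples share a generation (they do not).
check_sample() {
    g1=$(printf '%s\n' "$SAMPLE_SUPPLIER" | extract_generation)
    g2=$(printf '%s\n' "$SAMPLE_CONSUMER" | extract_generation)
    if compare_generations "$g1" "$g2"; then
        echo "generation IDs match ($g1)"
        return 0
    fi
    echo "generation IDs differ: supplier=$g1 consumer=$g2"
    echo "consumer was not initialized from this supplier; re-initialize it"
    return 1
}

# Live use would be, with placeholder values:
#   g1=$(generation_of server-1 "cn=Directory Manager" 'secret' dc=example,dc=com)
#   g2=$(generation_of server-2 "cn=Directory Manager" 'secret' dc=example,dc=com)
#   compare_generations "$g1" "$g2" && echo same || echo different
```

When the IDs differ, the supported fix is a consumer initialization from the supplier (a full refresh over the existing replication agreement, or importing the supplier's export as the post describes) rather than editing the RUV by hand; once the consumer has been initialized, the two generation IDs match and the message stops.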
