[pki-users] Error cloning CA

Mike Mercier mmercier at gmail.com
Wed May 20 19:17:07 UTC 2009


Hi,

I (once again) recreated the replication agreement; after initializing
the agreement, things seemed to go fine.
I double-checked the dse.ldif on both ends and all replication
agreements point to the correct place.

I now see (on both ends) the following message:

NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
referrals for replica dc=<dc>: 1

Any ideas, or should I post this to the directory-users list?

Thanks,
Mike



On Wed, May 20, 2009 at 2:43 PM, Marc Sauton <msauton at redhat.com> wrote:
> It should just work fine.
> Is it possible for some reason your Server-1's dse.ldif had a
> nsDS5ReplicaHost: localhost instead of Server-2?
> This is different from replicating o=NetscapeRoot, and was for your dc=<dc>
> M.
>
> Mike Mercier wrote:
>>
>> Hello,
>>
>> I am attempting to do some testing with the Fedora PKI and Dogtag
>> systems and have run into an issue.
>>
>> My setup is as follows:
>>
>> Server-1 - Running fedora-ds and dogtag (dogtag uses the local
>> fedora-ds LDAP server for storage)
>> Server-2 - Running the same
>>
>> Server-2 is acting as an LDAP replica for Server-1 (o=NetscapeRoot and
>> the primary dc are replicated, this *seems* to work fine.. I can
>> create an entry on Server-1 and it will show up on Server-2)
>>
>> On Server-1, I installed Dogtag 1.1.0 (via yum) and set up a CA - again
>> everything *seems* to work fine.  On Server-2 I then attempted to
>> clone the CA from Server-1.
>> Things go well until I get to the screen to specify where the backend
>> is located.  For the backend, I use the fedora-ds server located on
>> Server-2, I enter my credentials and then it seems to hang.
>>
>> In /var/log/dirsrv/slapd-TEST/error on Server-2 I see some error
>> messages I can't seem to find reference to:
>>
>>
>> info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=<dc>';
>> entry ou=certificaterepository,ou=ca,dc=<dc> may not be added to
>> database yet  (this message shows up numerous times)
>> info: entrydn not indexed on 'ou=ca,ou=requests,dc=<dc>'; entry
>> ou=ca,ou=requests,dc=<dc> may not be added to database yet  (this
>> message shows up numerous times)
>> NSMMReplicationPlugin - agmt="cn=cloneAgreement1-server-2-pki-ca"
>> (service-2:389): Replica has a different generation ID than the local
>> data
>>
>> I managed to get around the replication problem by (and this is
>> probably not the correct course of action):
>> 1. Deleted the replication agreement on both systems
>> 2. Exported the CA database on Server-1 and imported it into Server-2
>> 3. Recreated the replication agreement
>>
>> This allowed me to finally get past the screen listed above (where the
>> LDAP credentials have to be entered) but I still see this error on
>> Server-2:
>> Replica has a different generation ID than the local data
>>
>> And on Server-1:
>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
>> referrals for replica dc=<dc>: 1
>>
>>
>> Is there a reason that the installation is not correctly setting up
>> the LDAP database and replication agreement?
>> Are there steps I have missed? I followed the directions in the Red Hat
>> Certificate Server Admin Guide.
>> Does this have something to do with replicating o=NetscapeRoot?
>>
>> Thanks,
>> Mike
>>
>>
>
>
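
The check Marc suggests in his reply (whether a replication agreement in dse.ldif has nsDS5ReplicaHost set to localhost instead of the peer server) can be scripted. This is an added example, not code from the thread or from the Dogtag or Fedora DS projects; the sample LDIF, host names, suffix and function names are constructed for illustration.

```python
import ipaddress

# Constructed dse.ldif fragment; host names and suffix are placeholders.
SAMPLE_DSE = """\
dn: cn=cloneAgreement1-server-2-pki-ca,cn=replica,cn="dc=example",cn=mapping t
 ree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: localhost
nsDS5ReplicaRoot: dc=example

dn: cn=agmt-to-server-1,cn=replica,cn="dc=example",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: server-1.example.test
nsDS5ReplicaRoot: dc=example
"""

def parse_ldif(text):
    """Return entries as dicts of lowercase attribute -> list of values.
    Base64 ("attr:: value") values are left undecoded."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            entry.setdefault(attr.lower(), []).append(rest.strip())
        if entry:
            entries.append(entry)
    return entries

def is_loopback(host):
    """True for a missing host, a localhost name, or a loopback IP literal."""
    if not host or host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary host name

def audit_agreements(text):
    """Return (dn, host, root, suspicious) for each replication agreement entry."""
    rows = []
    for e in parse_ldif(text):
        if "nsds5replicationagreement" in (c.lower() for c in e.get("objectclass", [])):
            dn, host, root = (e.get(a, [""])[0] for a in
                              ("dn", "nsds5replicahost", "nsds5replicaroot"))
            rows.append((dn, host, root, is_loopback(host)))
    return rows
```

Run `audit_agreements()` on the contents of each server's dse.ldif and compare the flagged rows against the peer each agreement is supposed to reach.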



