[pki-users] Error cloning CA

Marc Sauton msauton at redhat.com
Wed May 20 18:43:53 UTC 2009


It should just work fine.
Is it possible for some reason your Server-1's dse.ldif had a 
nsDS5ReplicaHost: localhost instead of Server-2?
This is different from replicating o=NetscapeRoot, and was for your dc=<dc>
M.

Mike Mercier wrote:
> Hello,
>
> I am attempting to do some testing with the Fedora PKI and Dogtag
> systems and have run into an issue.
>
> My setup is as follows:
>
> Server-1 - Running fedora-ds and dogtag (dogtag uses the local
> fedora-ds LDAP server for storage)
> Server-2 - Running the same
>
> Server-2 is acting as an LDAP replica for Server-1 (o=NetscapeRoot and
> the primary dc are replicated, this *seems* to work fine.. I can
> create an entry on Server-1 and it will show up on Server-2)
>
> On Server-1, I installed Dogtag 1.1.0 (via yum) and set up a CA - again
> everything *seems* to work fine.  On Server-2 I then attempted to
> clone the CA from Server-1.
> Things go well until I get to the screen to specify where the backend
> is located.  For the backend, I use the fedora-ds server located on
> Server-2, I enter my credentials and then it seems to hang.
>
> In /var/log/dirsrv/slapd-TEST/error on Server-2 I see some error
> messages I can't seem to find reference to:
>
>
> info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=<dc>';
> entry ou=certificaterepository,ou=ca,dc=<dc> may not be added to
> database yet  (this message shows up numerous times)
> info: entrydn not indexed on 'ou=ca,ou=requests,dc=<dc>'; entry
> ou=ca,ou=requests,dc=<dc> may not be added to database yet  (this
> message shows up numerous times)
> NSMMReplicationPlugin - agmt="cn=cloneAgreement1-server-2-pki-ca"
> (service-2:389): Replica has a different generation ID than the local
> data
>
> I managed to get around the replication problem by (and this is
> probably not the correct course of action):
> 1. Deleted the replication agreement on both systems
> 2. Exported the CA database on Server-1 and imported it into Server-2
> 3. Recreated the replication agreement
>
> This allowed me to finally get past the screen listed above (where the
> LDAP credentials have to be entered) but I still see this error on
> Server-2:
> Replica has a different generation ID than the local data
>
> And on Server-1:
> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
> referrals for replica dc=<dc>: 1
>
>
> Is there a reason that the installation is not correctly setting up
> the LDAP database and replication agreement?
> Are there steps I have missed, I followed the directions in the RedHat
> Certificate Server Admin Guide?
> Does this have something to do with replicating o=NetscapeRoot?
>
> Thanks,
> Mike
>
>   
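The check suggested in the reply above (does a replication agreement in Server-1's dse.ldif name localhost as its nsDS5ReplicaHost?) can be scripted. This is an added example, not part of the original thread or of Dogtag/fedora-ds; the sample LDIF, the `dc=example` suffix and the host name `server-2.example.test` are constructed, and the function names are hypothetical.

```python
import re
LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}

# Constructed sample (not from the thread). The second dn is a folded LDIF line.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top

dn: cn=cloneAgreement1-server-2-pki-ca,cn=replica,cn="dc=example",cn=mapping
  tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: cloneAgreement1-server-2-pki-ca
nsDS5ReplicaHost: localhost
nsDS5ReplicaRoot: dc=example

dn: cn=agmt-to-server-2,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: agmt-to-server-2
nsDS5ReplicaHost: server-2.example.test
nsDS5ReplicaRoot: o=NetscapeRoot
"""

def parse_entries(ldif_text):
    """Unfold continuation lines, then split into {attr: [values]} entries."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, _, value = line.partition(":")  # base64 ("::") not decoded
                attrs.setdefault(name.lower(), []).append(value.strip())
        entries.append(attrs)
    return entries

def audit_agreements(ldif_text):
    """Return one record per replication agreement, flagging loopback consumers."""
    findings = []
    for e in parse_entries(ldif_text):
        if "nsds5replicationagreement" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        host = e.get("nsds5replicahost", [""])[0]
        findings.append({"agreement": e.get("cn", ["?"])[0], "host": host,
                         "suffix": e.get("nsds5replicaroot", [""])[0],
                         "loopback": host.lower() in LOOPBACK})
    return findings

if __name__ == "__main__":
    for f in audit_agreements(SAMPLE_DSE):
        print("SUSPECT" if f["loopback"] else "ok", f["agreement"], f["suffix"], "->", f["host"])
```

To run it against a real instance, pass the contents of that instance's dse.ldif to `audit_agreements` instead of `SAMPLE_DSE`.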



