The password of the Replication Manager is updated but replication fails with "error 49 (Invalid credentials)".

Solution Verified

Environment

Red Hat Enterprise Linux 9
Red Hat Directory Server 12
Red Hat Enterprise Linux 8
Red Hat Directory Server 11
Red Hat Enterprise Linux 7
Red Hat Directory Server 10

Issue

After updating the password of the Replication Manager, entries are no longer getting replicated.

Resolution

Also update the credentials stored in the incoming replication agreement(s).
Make the change over a secure connection (LDAPS), because the new password is sent in the modify request.
For example:

# ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://<SUPPLIER_HOST>:<SUPPLIER_SECURE_PORT> << EOF
dn: cn=<REPLICATION_AGREEMENT_NAME>,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicaCredentials
nsDS5ReplicaCredentials: <REPLICATION_MANAGER_NEW_PASSWORD>

EOF

The attribute nsDS5ReplicaCredentials sets the credentials for the bind DN specified in the replication agreement.
The Directory Server uses this password to connect to the consumer.

Root Cause

A typical error is to forget to update the credentials in the incoming replication agreement(s).

Diagnostic Steps

  • Replication is failing.

  • The errors log contains the following messages:

[17/Feb/2021:11:44:21.410018983 +051800] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: 49, retrying in 4 seconds.
[17/Feb/2021:11:44:25.415031778 +051800] - ERR - NSMMReplicationPlugin - conn_connect - agmt="cn=<REPLICATION_AGREEMENT_NAME>" (<HOST:PORT>) - Decoding of the credentials failed.
[17/Feb/2021:11:44:25.416134190 +051800] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: 49, retrying in 5 seconds.
...
[17/Feb/2021:11:46:27.461057937 +051800] - ERR - slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 49 (Invalid credentials)
[17/Feb/2021:11:46:27.462795127 +051800] - ERR - slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 49 (Invalid credentials)
[17/Feb/2021:11:47:39.468929295 +051800] - ERR - NSMMReplicationPlugin - conn_connect - agmt="cn=<REPLICATION_AGREEMENT_NAME>" (<HOST:PORT>) - Decoding of the credentials failed.
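
One way to confirm this diagnosis from the errors log, as an added example that is not part of the original solution or of Red Hat's tooling: the function below counts credential failures per replication agreement and per bind DN. The sample log lines are constructed from the messages above, and the agreement name `example-agreement` and host `consumer:636` are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original solution): summarise replication
# credential failures found in a Directory Server errors log.

# Constructed sample input modelled on the messages above; the agreement
# name and host are made up for illustration.
sample_log() {
cat <<'EOF'
[17/Feb/2021:11:44:21.410018983 +051800] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: 49, retrying in 4 seconds.
[17/Feb/2021:11:44:25.415031778 +051800] - ERR - NSMMReplicationPlugin - conn_connect - agmt="cn=example-agreement" (consumer:636) - Decoding of the credentials failed.
[17/Feb/2021:11:46:27.461057937 +051800] - ERR - slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 49 (Invalid credentials)
[17/Feb/2021:11:46:27.462795127 +051800] - ERR - slapi_ldap_bind - Error: could not bind id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error 49 (Invalid credentials)
[17/Feb/2021:11:47:39.468929295 +051800] - ERR - NSMMReplicationPlugin - conn_connect - agmt="cn=example-agreement" (consumer:636) - Decoding of the credentials failed.
EOF
}

# Reads an errors log on stdin and prints one sorted line per finding:
#   agmt <count> <agreement>  : stored credentials could not be decoded
#   bind <count> <bind DN>    : simple bind rejected with error 49
summarize_repl_auth_failures() {
  awk '
    /NSMMReplicationPlugin/ && /Decoding of the credentials failed/ {
      # Extract the text between agmt=" and the closing quote.
      if (match($0, /agmt="[^"]*"/))
        agmt[substr($0, RSTART + 6, RLENGTH - 7)]++
    }
    /slapi_ldap_bind/ && /error 49 \(Invalid credentials\)/ {
      # Extract the DN between the first pair of square brackets.
      if (match($0, /could not bind id \[[^]]*\]/))
        bind[substr($0, RSTART + 19, RLENGTH - 20)]++
    }
    END {
      for (n in agmt) printf "agmt %d %s\n", agmt[n], n
      for (d in bind) printf "bind %d %s\n", bind[d], d
    }
  ' | sort
}

# Stand-alone run on the constructed sample.
sample_log | summarize_repl_auth_failures
```

On a live instance, feed it the instance's errors log, for example `summarize_repl_auth_failures < /var/log/dirsrv/slapd-<INSTANCE>/errors`. An `agmt` line names the agreement whose `nsDS5ReplicaCredentials` needs updating, and a `bind` line names the bind DN being rejected.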
