[Freeipa-users] freeIPA replication
Rob Crittenden
rcritten at redhat.com
Mon Dec 14 16:06:56 UTC 2009
Виктор Сергеевич wrote:
> Hi!
>
> Thanks! It works!, but
> In master-server I'm see users in groups, but in replica I'm see only
> group, without users. If search users - i'm can find it. And one more:
Strange, that shouldn't happen. I'd search for them directly in LDAP to
ensure it isn't a problem with the IPA management framework:
% ldapsearch -x -b "cn=users,cn=accounts,dc=example,dc=com"
"(objectclass=posixuser") uid
> If I write users (Firsname and/ore lastname)in cyrillic symbols (russian
> language), save this user and try find it - I'm see "500 - internal
> server error. An unexpected error occured."
> Prompt please - as with it it is possible to consult how
This is a known problem
(https://bugzilla.redhat.com/show_bug.cgi?id=490285). IPA v1 only
supports the ASCII character set currently.
rob
>
> Thanks
>
> В Птн, 11/12/2009 в 13:07 -0700, Rich Megginson пишет:
>> James Roman wrote:
>>> If I remember correctly, I had to comment out the following entries in
>>> the /etc/dirsrv/slapd-XXXX/schema/99user.ldif file:
>>>
>>> # objectClasses: ( 2.16.840.1.113730.3.2.300 NAME 'nsAIMpresence' DESC
>>> 'Netscape
>>> defined objectclass' SUP top AUXILIARY MAY (nsaimid $
>>> nsaimstatusgraphic $
>>> nsaimstatustext ) X-ORIGIN ( 'Netscape Directory Server' 'user
>>> defined' ) )
>>> # objectClasses: ( 2.16.840.1.113730.3.2.301 NAME 'nsICQpresence' DESC
>>> 'Netscape
>>> defined objectclass' SUP top AUXILIARY MAY ( nsicqid $
>>> nsicqstatusgraphic $
>>> nsICQStatusText ) X-ORIGIN ( 'Netscape Directory Server' 'user
>>> defined' ) )
>>> # objectClasses: ( 2.16.840.1.113730.3.2.302 NAME 'nsYIMpresence' DESC
>>> 'Netscape
>>> defined objectclass' SUP top AUXILIARY MAY ( nsyimid $
>>> nsyimstatusgraphic $
>>> nsYIMStatusText ) X-ORIGIN ( 'Netscape Directory Server' 'user
>>> defined' ) )
>>> # objectClasses: ( 2.16.840.1.113730.3.2.303 NAME 'nsMSNpresence' DESC
>>> 'Netscape
>>> defined objectclass' SUP top AUXILIARY MAY nsmsnid X-ORIGIN (
>>> 'Netscape Dir
>>> ectory Server' 'user defined' ) )
>>>
>> That should work. The problem is that these schema should never have
>> been in 99user.ldif in the first place. The code has been fixed so that
>> standard schema such as these will not be copied to 99user.ldif, and
>> setup-ds.pl -u in 389-ds-base 1.2.3 and later will clean up 99user.ldif
>> of these and other bogus schema.
>>>
>>> Rich Megginson wrote:
>>>> Rob Crittenden wrote:
>>>>> Виктор Сергеевич wrote:
>>>>>> On fedora 11:
>>>>>>
>>>>>> Name : 389-ds-base Relocations: (not
>>>>>> relocatable)
>>>>>> Version : 1.2.2 Vendor: Fedora Project
>>>>>> Release : 1.fc11 Build Date: Wed 26 Aug
>>>>>> 2009
>>>>>> 12:07:44 AM MSD
>>>>>> Install Date: Fri 11 Dec 2009 10:46:32 AM MSK Build Host:
>>>>>> x86-1.fedora.phx.redhat.com
>>>>>> Group : System Environment/Daemons Source RPM:
>>>>>> 389-ds-base-1.2.2-1.fc11.src.rpm
>>>>>> Size : 5080205 License: GPLv2 with
>>>>>> exceptions
>>>>>> Signature : RSA/SHA1, Wed 26 Aug 2009 04:34:33 PM MSD, Key ID
>>>>>> 1dc5c758d22e77f2
>>>>>> Packager : Fedora Project
>>>>>> URL : http://port389.org/
>>>>>> Summary : 389 Directory Server (base)
>>>>>>
>>>>> IIRC in 389-ds 1.2.2 some schema was dropped/modified. If you try to
>>>>> replicate between < 1.2.2 and >= 1.2.2 you can get this error
>>>>> because the schema isn't defined on one side.
>>>>>
>>>>> I'm not sure the best way to work around this. Options include:
>>>>>
>>>>> - sync up the 389-ds versions between your servers. This would
>>>>> likely require building your own set of rpms on one or the other.
>>>>> - add the missing schema to the F-11 server in /etc/dirsrv/schema.
>>>>> This has the downside that you'll probably end up broken in other
>>>>> very odd some time way into the future.
>>>>> - modify 99user.ldif on the replicated system and remove the
>>>>> offending attributes. At the point in the replica installation where
>>>>> this fails the installer is almost done. The only missing steps are
>>>>> the DNS configuration and configuring the client.
>>>>>
>>>>> There may be other options, and again I'm not sure which is the best
>>>>> at this point. Rich, what do you think?
>>>> With 389-ds-base 1.2.3 and later (1.2.5.rc2 is currently available
>>>> from the testing repos) 99user.ldif is fixed to remove the offending
>>>> schema upon upgrade (yum or rpm), or by doing setup-ds.pl -u.
>>>>> rob
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list