[Freeipa-users] freeIPA replication
James Roman
james.roman at ssaihq.com
Mon Dec 14 18:57:08 UTC 2009
Rob Crittenden wrote:
> Виктор Сергеевич wrote:
>> Hi!
>> Thanks! It works! But
>> on the master server I see users in groups, but on the replica I see only
>> the group, without users. If I search for users, I can find them. And one more:
>
> Strange, that shouldn't happen. I'd search for them directly in LDAP
> to ensure it isn't a problem with the IPA management framework:
Are you sure you're describing this correctly? When I built my replica,
initially, I could see that groups were synchronized (I could search for
groups and I could see the members), but the memberof attributes of
individual user entries were not available in the replica server. These
are not synchronized by default; you must enable the plug-in to generate
the entries.

# > ldapmodify -x -W -D "cn=Directory Manager"
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

I've also seen the memberof entries disappear after performing an
"ipa-replica-manage init replicaserver". This was much harder to
address. I performed a lookup of the ipausers group members, stripped
the entries down to just the uid and then ran them through a script that
removed each entry and re-added them to the ipausers group, which forced
the plug-in to recreate all memberof entries on all accounts. (Thank god
I didn't have to do that on all the groups.)
There are two member-related plugins now, a freeipa one and a 389 plugin.
Not sure if they are stepping on each other or not.
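
The symptom described in this thread (a group's member list replicated, but memberof missing from user entries) can be checked from an LDIF dump of the replica, such as ldapsearch output. The following is an added example, not part of the original post or of FreeIPA: the function names, the dc=example,dc=com entries and the sample dump are constructed, and DNs are compared case-insensitively without further normalization.

```python
import base64
from collections import defaultdict

# Constructed sample: bob is listed in ipausers but carries no memberOf value.
REPLICA_DUMP = """\
dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}} from LDIF text."""
    entries = {}
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    for block in text.split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs[name.lower()].append(value)
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def missing_memberof(entries):
    """Return sorted (user_dn, group_dn) pairs where a group lists the user
    as 'member' but the user entry lacks the matching 'memberOf' value."""
    gaps = []
    for group_dn, attrs in entries.items():
        for member in attrs.get("member", []):
            user = entries.get(member.lower())
            if user is None:
                continue  # member entry is not present in this dump
            have = {v.lower() for v in user.get("memberof", [])}
            if group_dn not in have:
                gaps.append((member.lower(), group_dn))
    return sorted(gaps)

for user_dn, group_dn in missing_memberof(parse_ldif(REPLICA_DUMP)):
    print(f"{user_dn} is a member of {group_dn} but has no memberOf for it")
```

Running the same check against a dump from the master and from each replica shows which servers have user entries that disagree with the group membership they hold.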