[Freeipa-users] freeIPA replication

Rob Crittenden rcritten at redhat.com
Mon Dec 14 20:20:58 UTC 2009


James Roman wrote:
> Rob Crittenden wrote:
>> Виктор Сергеевич wrote:
>>> Hi!
>>> Thanks! It works!, but
>>> On the master server I see users in groups, but on the replica I see only
>>> the group, without users. If I search for users, I can find them. And one more:
>>
>> Strange, that shouldn't happen. I'd search for them directly in LDAP 
>> to ensure it isn't a problem with the IPA management framework:
> Are you sure you're describing this correctly? When I built my replica, 
> initially, I could see that groups were synchronized (I could search for 
> groups and I could see the members), but the memberof attributes of 
> individual user entries were not available on the replica server. These 
> are not synchronized by default; you must enable the plug-in to generate 
> the entries.

Yes, I think I misread his statement. I read it as "I have groups but no 
users" not "I have groups that contain no users".

> # > ldapmodify -x -W -D "cn=Directory Manager"
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> 
> I've also seen the memberof entries disappear after performing an 
> "ipa-replica-manage init replicaserver". This was much harder to 
> address. I performed a lookup of the ipausers group members, stripped 
> the entries down to just the uid and then ran them through a script that 
> removed each entry and re-added them to the ipausers group, which forced 
> the plug-in to recreate all memberof entries on all accounts. (Thank God 
> I didn't have to do that on all the groups.)
> 
> There are two member related plugins now a freeipa one and a 389 plugin. 
> Not sure if they are stepping on each other or not.

Right, the plugin was developed in IPA and moved into DS. In the next 
version of IPA we are dropping our plugin in favor of the DS version.

You really don't want both enabled at once, who knows what problems that 
could cause.

memberOf isn't a replicated attribute. It is built separately on each 
IPA server.

You can force the attribute to be rebuilt by creating a DS task and 
using ldapmodify to apply it. Something like:

# cp /usr/share/ipa/memberof-task.ldif /tmp/memberof-task.ldif
[edit /tmp/memberof-task.ldif and replace $TIME with some unique number 
and $SUFFIX with dc=example,dc=com as appropriate]
# ldapmodify -x -D "cn=directory manager" -W < /tmp/memberof-task.ldif

You'll be prompted for your DM password. This should rebuild all the 
local memberOf entries.

rob
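The DS-task route Rob describes, written out as a small POSIX shell script. This is an added example, not code from this thread, from FreeIPA or from 389-ds. It assumes the 389-ds task container cn=memberof task,cn=tasks,cn=config with the basedn, filter and ttl task attributes, a base DN of dc=example,dc=com (override with SUFFIX in the environment), the OpenLDAP ldapmodify/ldapsearch clients, and Directory Manager credentials; the task cn prefix memberof-fixup- is my own choice. It also wraps the plugin-enable modification James posted. Because memberOf is built locally and never replicated, the fixup task has to be submitted on every server whose entries are missing it.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/389-ds itself.
# Assumptions (see lead-in): 389-ds task container
# "cn=memberof task,cn=tasks,cn=config", task attributes basedn/filter/ttl,
# the OpenLDAP command-line clients, and Directory Manager credentials.

SUFFIX="${SUFFIX:-dc=example,dc=com}"   # your base DN; override in the environment

# LDIF for the memberOf fixup task. The cn must be unique per submission, so
# the caller passes a tag (we use epoch seconds plus the PID). ttl tells the
# server to remove the task entry that many seconds after it finishes.
memberof_task_ldif() {
    suffix="$1"
    tag="$2"
    cat <<EOF
dn: cn=memberof-fixup-${tag},cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberof-fixup-${tag}
basedn: ${suffix}
filter: (objectclass=*)
ttl: 60
EOF
}

# LDIF that switches the 389-ds MemberOf plugin on (the modify from the
# quoted message). The server must be restarted for it to take effect, and
# only one memberOf plugin (this one or the older IPA one) should be enabled.
memberof_plugin_enable_ldif() {
    cat <<'EOF'
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF
}

# Submit the fixup task as Directory Manager; -W prompts for the password
# on the terminal while the LDIF arrives on stdin. Prints the tag so the
# caller can poll the task entry afterwards.
apply_memberof_fixup() {
    tag="$(date +%s).$$"
    memberof_task_ldif "$SUFFIX" "$tag" | ldapmodify -x -D "cn=Directory Manager" -W
    echo "$tag"
}

# Poll a submitted task. nsTaskStatus, nsTaskExitCode and nsTaskLog are the
# generic 389-ds task attributes; the entry disappears ttl seconds after the
# task completes, so an absent entry after a 0 exit code is the normal end state.
memberof_task_status() {
    ldapsearch -x -LLL -D "cn=Directory Manager" -W \
        -b "cn=memberof-fixup-$1,cn=memberof task,cn=tasks,cn=config" \
        nsTaskStatus nsTaskExitCode nsTaskLog
}

# Only contact the server when explicitly asked, so the file is safe to source.
if [ "${MEMBEROF_APPLY:-0}" = "1" ]; then
    apply_memberof_fixup
fi
```

Run it as `MEMBEROF_APPLY=1 SUFFIX=dc=yourdomain,dc=com sh memberof-fixup.sh` on each affected server; you are prompted for the Directory Manager password, and the printed tag can be handed to memberof_task_status to watch progress. Keep the warning from the message in mind: enabling the 389-ds plugin while the older IPA memberOf plugin is still on is exactly the "both enabled at once" situation Rob advises against, so check cn=plugins,cn=config before applying the enable LDIF.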
