[Freeipa-users] Replica not syncing 'memberOf' attributes

Dan Scott danieljamesscott at gmail.com
Wed Oct 6 22:08:27 UTC 2010


I'm not sure which group this is referring to. Admins only contains 3
users, no nested groups.

The problem appears to be related to the users, rather than the
groups. None of the users on ohm have a 'memberOf'. Curie has the
correct memberOf attributes.

The groups themselves appear to be correct on both servers. Both ohm
and curie have groups which contain the correct 'member' attributes.
So the problem appears to be that ohm contains groups with correct
'members', but none of the users have any 'memberOf's.

Thanks,

Dan

On Wed, Oct 6, 2010 at 16:17, Rich Megginson <rmeggins at redhat.com> wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> ohm_admins.ldif and curie_admins.ldif attached. I added a '-h
>> $hostname' to the command to ensure that I queried both servers. The
>> results look identical to me, apart from the ordering.
>>
>> Thanks,
>>
>> Dan
>>
>> On Wed, Oct 6, 2010 at 15:34, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>>
>>> Dan Scott wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> On Wed, Oct 6, 2010 at 11:32, Simo Sorce <ssorce at redhat.com> wrote:
>>>>
>>>>>
>>>>> On Wed, 6 Oct 2010 10:26:48 -0400
>>>>> Dan Scott <danieljamesscott at gmail.com> wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have master and slave FreeIPA servers. I recently upgraded the slave
>>>>>> by wiping, re-installing Fedora 13 and re-creating the replication
>>>>>> using ipa-replica-prepare and ipa-replica-install.
>>>>>>
>>>>>> For some reason, the slave is having difficulty replicating the
>>>>>> memberOf attribute. I can attach an LDAP viewer to the replica, and
>>>>>> view the schema, but the memberOf attributes are missing. Also, the
>>>>>> master server contains the lines:
>>>>>>
>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>> attribute "memberOf" not allowed
>>>>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
>>>>>> referrals for replica dc=example,dc=com: 20
>>>>>> NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for
>>>>>> replica dc=example,dc=com does not match the data in the changelog.
>>>>>>  Recreating the changelog file. This could affect replication with
>>>>>> replica's  consumers in which case the consumers should be
>>>>>> reinitialized.
>>>>>> [06/Oct/2010:09:58:33 -0400] - skipping cos definition cn=account
>>>>>> inactivation,cn=accounts,dc=example,dc=com--no templates found
>>>>>>
>>>>>> The rest of the replication appears to be working correctly (as far as
>>>>>> I can tell).
>>>>>>
>>>>>> I have tried using ipa-replica-manage init and synch to try to fix the
>>>>>> replication, but I suspect this has something to do with the schema
>>>>>> definition.
>>>>>>
>>>>>> Does anyone have any pointers/ideas for how I can fix this?
>>>>>>
>>>>>
>>>>> Dan, the memberof attribute is explicitly not replicated, and should be
>>>>> simply re-generated on the receiving replica when "member" attributes
>>>>> are replicated.
>>>>>
>>>>
>>>> So does this imply that there is some corruption in the schema on the
>>>> replica server?
>>>>
>>>>
>>>>>
>>>>> Are the IPA versions on the master and the replica the same?
>>>>>
>>>>
>>>> They are both the same version: ipa-server-1.2.2-4.fc13.x86_64
>>>>
>>>> Thanks,
>>>>
>>>> Dan Scott
>>>>
>>>
>>> It is complaining that memberOf isn't allowed in the admins group which is
>>> pretty strange.
>>>
>>> Can you show us the admins group out of the replica and master?
>>>
>>> ldapsearch -x -b 'cn=groups,cn=accounts,dc=example,dc=com' cn=admins
>>>
>
> Neither one has the inetUser objectclass which allows the use of memberOf.
> But why is it attempting to add memberOf to this entry which is itself a
> group entry?  Is this some sort of nested group?
>>>
>>> thanks
>>>
>>> rob
>>>
>>>
>
>
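
A consistency check for the condition described in this thread (groups whose 'member' values are correct while the listed users lack the matching 'memberOf'), as an added example that is not part of the original messages. It assumes the LDIF text is an export from a single server; the sample entries and the function names are constructed for illustration.

```python
import base64
# Constructed sample export (not from the thread): the group lists two members,
# but only alice carries the memberOf back-link. bob's member value is folded.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,
 dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
"""

def norm_dn(dn):
    # Simplified normalization: case-fold, trim around commas (no escaped commas).
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attribute: [values]}}."""
    entries, entry = {}, None
    for line in text.replace("\n ", "").splitlines():   # unfold continuation lines
        if not line.strip():
            entry = None                                # blank line ends the entry
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):                   # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8")
            if attr.lower() == "dn":
                entry = entries.setdefault(norm_dn(value), {})
            elif entry is not None:
                entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def missing_memberof(entries):
    """(user_dn, group_dn) pairs where 'member' has no 'memberOf' back-link."""
    gaps = []
    for group_dn, attrs in entries.items():
        for member in attrs.get("member", []):
            user = entries.get(norm_dn(member))
            if user is None:
                continue                                # member entry not in this export
            if group_dn not in {norm_dn(v) for v in user.get("memberof", [])}:
                gaps.append((norm_dn(member), group_dn))
    return sorted(gaps)
```

Running the same check against an export from each server shows which one is missing the back-links.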



