[Freeipa-users] Replica not syncing 'memberOf' attributes

Dan Scott danieljamesscott at gmail.com
Wed Oct 6 23:20:14 UTC 2010


Hi,

On Wed, Oct 6, 2010 at 18:30, Rich Megginson <rmeggins at redhat.com> wrote:
> Dan Scott wrote:
>>
>> I'm not sure which group this is referring to. Admins only contains 3
>> users, no nested groups.
>>
>> The problem appears to be related to the users, rather than the
>> groups. None of the users on ohm have a 'memberOf'. Curie has the
>> correct memberOf attributes.
>>
>
> The error message specifically mentions the admin group:
>
> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
> attribute "memberOf" not allowed
>
> As if it is attempting to add the memberOf attribute to the group entry
> cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't know why it
> would do this unless it is attempting some sort of group nesting.
>>
>> The groups themselves appear to be correct on both servers. Both ohm
>> and curie have groups which contain the correct 'member' attributes.
>> So the problem appears to be that ohm contains groups with correct
>> 'members', but none of the users have any 'memberOf's.
>>
>>
>
> Do all of the users have the inetUser objectclass?

Yep. Looks like it. I have 162 users:

[djscott@ohm ~]$ ldapsearch -h curie.example.com -x -b 'cn=users,cn=accounts,dc=example,dc=com' | grep 'objectClass: inetUser' | wc
    162     324    3564
[djscott@ohm ~]$ ldapsearch -h ohm.example.com -x -b 'cn=users,cn=accounts,dc=example,dc=com' | grep 'objectClass: inetUser' | wc
    162     324    3564
[djscott@ohm ~]$

Thanks,

Dan

>> On Wed, Oct 6, 2010 at 16:17, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>>>
>>> Dan Scott wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> ohm_admins.ldif and curie_admins.ldif attached. I added a '-h
>>>> $hostname' to the command to ensure that I queried both servers. The
>>>> results look identical to me, apart from the ordering.
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>>
>>>> On Wed, Oct 6, 2010 at 15:34, Rob Crittenden <rcritten at redhat.com>
>>>> wrote:
>>>>
>>>>
>>>>>
>>>>> Dan Scott wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Oct 6, 2010 at 11:32, Simo Sorce<ssorce at redhat.com>  wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Wed, 6 Oct 2010 10:26:48 -0400
>>>>>>> Dan Scott<danieljamesscott at gmail.com>  wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have master and slave FreeIPA servers. I recently upgraded the slave
>>>>>>>> by wiping, re-installing Fedora 13 and re-creating the replication
>>>>>>>> using ipa-replica-prepare and ipa-replica-install.
>>>>>>>>
>>>>>>>> For some reason, the slave is having difficulty replicating the
>>>>>>>> memberOf attribute. I can attach an LDAP viewer to the replica, and
>>>>>>>> view the schema, but the memberOf attributes are missing. Also, the
>>>>>>>> master server contains the lines:
>>>>>>>>
>>>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>>>> attribute "memberOf" not allowed
>>>>>>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
>>>>>>>> referrals for replica dc=example,dc=com: 20
>>>>>>>> NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for
>>>>>>>> replica dc=example,dc=com does not match the data in the changelog.
>>>>>>>>  Recreating the changelog file. This could affect replication with
>>>>>>>> replica's  consumers in which case the consumers should be
>>>>>>>> reinitialized.
>>>>>>>> [06/Oct/2010:09:58:33 -0400] - skipping cos definition cn=account
>>>>>>>> inactivation,cn=accounts,dc=example,dc=com--no templates found
>>>>>>>>
>>>>>>>> The rest of the replication appears to be working correctly (as far
>>>>>>>> as I can tell).
>>>>>>>>
>>>>>>>> I have tried using ipa-replica-manage init and synch to try to fix
>>>>>>>> the replication, but I suspect this has something to do with the
>>>>>>>> schema definition.
>>>>>>>>
>>>>>>>> Does anyone have any pointers/ideas for how I can fix this?
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Dan, the memberof attribute is explicitly not replicated, and should
>>>>>>> be simply re-generated on the receiving replica when "member" attributes
>>>>>>> are replicated.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> So does this imply that there is some corruption in the schema on the
>>>>>> replica server?
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Are the IPA versions on the master and the replica the same ?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> They are both the same version: ipa-server-1.2.2-4.fc13.x86_64
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dan Scott
>>>>>>
>>>>>>
>>>>>
>>>>> It is complaining that memberOf isn't allowed in the admins group, which
>>>>> is pretty strange.
>>>>>
>>>>> Can you show us the admins group out of the replica and master?
>>>>>
>>>>> ldapsearch -x -b 'cn=groups,cn=accounts,dc=example,dc=com' cn=admins
>>>>>
>>>>>
>>>
>>> Neither one has the inetUser objectclass which allows the use of
>>> memberOf.
>>>  But why is it attempting to add memberOf to this entry which is itself a
>>> group entry?  Is this some sort of nested group?
>>>
>>>>>
>>>>> thanks
>>>>>
>>>>> rob
>>>>>
>>>>>
>>>>>
>>>>>  ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>
>>>
>
>
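The check Rob and Rich are walking Dan through above (groups carry the right "member" values, but are the users' "memberOf" values regenerated, and does every entry that would receive a memberOf actually allow it?) can be run offline against LDIF dumps taken from each server. The script below is an added example written for this page, not code from the thread or from FreeIPA/389 DS. It assumes the dump is plain `ldapsearch -LLL` LDIF output, takes inetUser as the object class that permits memberOf (the only one named in the thread; extend MEMBEROF_CLASSES if your schema differs), follows nested groups transitively (the 389 DS memberOf plugin records indirect memberships too), and the sample directory data is constructed for the example.

```python
"""Offline memberOf consistency check for an LDIF dump of one replica.

Added example, not FreeIPA/389 DS code. Feed it the output of
`ldapsearch -LLL -x -H ldap://<server> -b 'cn=accounts,dc=example,dc=com'`
taken from each replica and compare the reports.
"""
import base64
from collections import defaultdict

# Assumption: inetUser is the object class that permits memberOf (per the
# thread). Add further classes here if your schema allows memberOf elsewhere.
MEMBEROF_CLASSES = {"inetuser"}


def norm_dn(dn):
    """Case-fold a DN and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Minimal LDIF parser: {normalised dn: {lower-case attr: [values]}}.
    Unfolds continuation lines (leading space), skips comments, decodes
    base64 (::) values and ignores URL (:<) values, which never hold DNs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            continue
        else:
            value = value.strip()
        if attr == "dn":
            current = (norm_dn(value), defaultdict(list))
        elif current is not None:
            current[1][attr].append(value)
    return entries


def expected_memberof(entries):
    """Derive the memberOf each entry should carry from the groups' member
    attributes, including indirect membership through nested groups."""
    expected = defaultdict(set)
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            expected[norm_dn(member)].add(dn)
    changed = True
    while changed:                        # transitive closure; cycle-safe
        changed = False
        for groups in list(expected.values()):
            for g in list(groups):
                extra = expected.get(g, set()) - groups
                if extra:
                    groups |= extra
                    changed = True
    return expected


def check_memberof(ldif_text):
    """missing:     groups an entry should list in memberOf but does not
    stale:       memberOf values not backed by any member attribute
    not_allowed: member targets whose objectClasses do not permit memberOf
                 (the server would log 'attribute "memberOf" not allowed')
    dangling:    member values pointing at entries absent from the dump"""
    entries = parse_ldif(ldif_text)
    expected = expected_memberof(entries)
    report = {"missing": {}, "stale": {}, "not_allowed": [], "dangling": []}
    for dn, groups in sorted(expected.items()):
        if dn not in entries:
            report["dangling"].append(dn)
            continue
        attrs = entries[dn]
        if not MEMBEROF_CLASSES & {c.lower() for c in attrs.get("objectclass", [])}:
            report["not_allowed"].append(dn)
        missing = sorted(groups - {norm_dn(v) for v in attrs.get("memberof", [])})
        if missing:
            report["missing"][dn] = missing
    for dn, attrs in sorted(entries.items()):
        stale = sorted({norm_dn(v) for v in attrs.get("memberof", [])} - expected.get(dn, set()))
        if stale:
            report["stale"][dn] = stale
    return report


# Constructed sample (not real directory data): groups have correct member
# values, the users' memberOf was never regenerated, and the admins group
# nests a plain groupOfNames without inetUser, as in the thread's error.
REPLICA_LDIF = """\
# constructed for this example
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: bob

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=ops,cn=groups,cn=accounts,
 dc=example,dc=com

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed consistent dump: memberOf present and backed by member.
CLEAN_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
"""

if __name__ == "__main__":
    import json
    print(json.dumps(check_memberof(REPLICA_LDIF), indent=2))
```

Run it once per replica and diff the two reports: a server whose "missing" section lists every user while "stale" and "dangling" stay empty has intact member data and a memberOf plugin that never re-ran, which is the shape of the problem described in this thread; a DN under "not_allowed" is the entry that would produce the "attribute memberOf not allowed" error in the log.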
