[Freeipa-users] Replica not syncing 'memberOf' attributes

Rob Crittenden rcritten at redhat.com
Thu Oct 7 14:58:02 UTC 2010


Dan Scott wrote:
> On Thu, Oct 7, 2010 at 10:20, Rich Megginson <rmeggins at redhat.com> wrote:
>> Dan Scott wrote:
>>>
>>> On Wed, Oct 6, 2010 at 22:02, Rich Megginson <rmeggins at redhat.com> wrote:
>>>
>>>>
>>>> Dan Scott wrote:
>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> On Wed, Oct 6, 2010 at 18:30, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Dan Scott wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> I'm not sure which group this is referring to. Admins only contains 3
>>>>>>> users, no nested groups.
>>>>>>>
>>>>>>> The problem appears to be related to the users, rather than the
>>>>>>> groups. None of the users on ohm have a 'memberOf'. Curie has the
>>>>>>> correct memberOf attributes.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> The error message specifically mentions the admin group:
>>>>>>
>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>> attribute "memberOf" not allowed
>>>>>>
>>>>>> As if it is attempting to add the memberOf attribute to the group entry
>>>>>> cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't know why it
>>>>>> would do this unless it is attempting some sort of group nesting.
>>>>>>
>>>>>>
>>>>
>>>> This is still a mystery - we need to figure out why it is attempting to
>>>> add memberOf to this entry.
>>>>
>>>>>>>
>>>>>>> The groups themselves appear to be correct on both servers. Both ohm
>>>>>>> and curie have groups which contain the correct 'member' attributes.
>>>>>>> So the problem appears to be that ohm contains groups with correct
>>>>>>> 'members', but none of the users have any 'memberOf's.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Do all of the users have the inetUser objectclass?
>>>>>>
>>>>>>
>>>>>
>>>>> Yep. Looks like it. I have 162 users:
>>>>>
>>>>> [djscott at ohm ~]$ ldapsearch -h curie.example.com -x -b
>>>>> 'cn=users,cn=accounts,dc=example.com' |grep 'objectClass: inetUser'|wc
>>>>>    162     324    3564
>>>>> [djscott at ohm ~]$ ldapsearch -h ohm.example.com -x -b
>>>>> 'cn=users,cn=accounts,dc=example,dc=com' |grep 'objectClass:
>>>>> inetUser'|wc
>>>>>    162     324    3564
>>>>> [djscott at ohm ~]$
>>>>>
>>>>>
>>>>
>>>> If you run the lib/dirsrv/slapd-ds/fixup-memberof.pl script, does it add
>>>> the memberOf attributes?
>>>>
>>>
>>> When I try to run that, I get the following:
>>>
>>> [root at ohm ~]# /usr/lib64/dirsrv/slapd-EXAMPLE.COM/fixup-memberof.pl -b
>>> cn=groups,cn=accounts,dc=example,dc=com -D uid=admin -w -
>>> Bind Password: *************
>>>
>>> ldap_simple_bind: No such object
>>>
>>
>> uid=admin is not the full DN - should be something like
>> uid=admin,cn=accounts,dc=example,dc=com or something like that?
>
> Sorry about that, I now get:
>
> adding new entry cn=memberOf_fixup_2010_10_7_10_41_11, cn=memberOf
> task, cn=tasks, cn=config
> ldap_add: Insufficient access
>
> I have an admin Kerberos ticket and I know the password is correct
> because otherwise I get 'ldap_simple_bind: Invalid credentials'.

The IPA admin user can't write to cn=config. You need to do this as 
cn=Directory Manager.

rob
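One way to verify what Dan observed (groups carrying correct `member` values while the member entries lack `memberOf`) and to spot the kind of entry the "attribute memberOf not allowed" error points at. This is an added example, not code from the thread or from FreeIPA; it assumes the ldapsearch output has already been parsed into dicts, and the sample entries, their objectClass lists and the set of memberOf-permitting objectclasses are constructed assumptions to be checked against the real server schema.

```python
"""memberOf consistency check for one replica (added example, constructed data).

Invert the groups' 'member' values to compute the memberOf each entry should
carry, then report entries missing values and entries whose objectclasses
would not accept the attribute if the memberOf plugin tried to add it.
"""

BASE = "cn=accounts,dc=example,dc=com"

# Constructed sample: groups have correct 'member' values, as on ohm ...
GROUPS = {
    f"cn=admins,cn=groups,{BASE}": [f"uid=admin,cn=users,{BASE}",
                                    f"uid=djscott,cn=users,{BASE}"],
    f"cn=ipausers,cn=groups,{BASE}": [f"uid=djscott,cn=users,{BASE}",
                                      f"cn=admins,cn=groups,{BASE}"],  # nested group
}
# ... but member entries lack memberOf. objectClass lists are constructed.
ENTRIES = {
    f"uid=admin,cn=users,{BASE}": {"objectClass": ["person", "inetUser"], "memberOf": []},
    f"uid=djscott,cn=users,{BASE}": {"objectClass": ["person", "inetUser"],
                                     "memberOf": [f"cn=admins,cn=groups,{BASE}"]},
    f"cn=admins,cn=groups,{BASE}": {"objectClass": ["groupOfNames"], "memberOf": []},
}
# Objectclasses whose schema allows memberOf; inetUser is the one the thread
# checks for. Assumption: confirm the full set against the server schema.
MEMBEROF_CLASSES = {"inetuser"}


def expected_memberof(groups):
    """Map each member DN (lower-cased for comparison) to the groups listing it."""
    expected = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            expected.setdefault(member_dn.lower(), set()).add(group_dn)
    return expected


def find_missing_memberof(groups, entries):
    """Return {dn: [group DNs]} for entries lacking memberOf values they should have."""
    expected = expected_memberof(groups)
    missing = {}
    for dn, attrs in entries.items():
        have = {v.lower() for v in attrs.get("memberOf", [])}
        want = sorted(g for g in expected.get(dn.lower(), ()) if g.lower() not in have)
        if want:
            missing[dn] = want
    return missing


def find_schema_conflicts(groups, entries):
    """Return member DNs whose objectclasses do not permit memberOf at all."""
    expected = expected_memberof(groups)
    return sorted(dn for dn, attrs in entries.items() if dn.lower() in expected
                  and not {c.lower() for c in attrs["objectClass"]} & MEMBEROF_CLASSES)
```

Run `find_missing_memberof(GROUPS, ENTRIES)` against each replica's export; on a healthy replica the result is empty, and any DN returned by `find_schema_conflicts` is a candidate for the "not allowed" error in the thread.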



