[Freeipa-users] Replica not syncing 'memberOf' attributes

Dan Scott danieljamesscott at gmail.com
Thu Oct 7 15:16:20 UTC 2010


On Thu, Oct 7, 2010 at 10:58, Rob Crittenden <rcritten at redhat.com> wrote:
> Dan Scott wrote:
>>
>> On Thu, Oct 7, 2010 at 10:20, Rich Megginson <rmeggins at redhat.com> wrote:
>>>
>>> Dan Scott wrote:
>>>>
>>>> On Wed, Oct 6, 2010 at 22:02, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>
>>>>>
>>>>> Dan Scott wrote:
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Oct 6, 2010 at 18:30, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Dan Scott wrote:
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> I'm not sure which group this is referring to. Admins only contains
>>>>>>>> 3 users, no nested groups.
>>>>>>>>
>>>>>>>> The problem appears to be related to the users, rather than the
>>>>>>>> groups. None of the users on ohm have a 'memberOf'. Curie has the
>>>>>>>> correct memberOf attributes.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> The error message specifically mentions the admin group:
>>>>>>>
>>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>>> attribute "memberOf" not allowed
>>>>>>>
>>>>>>> As if it is attempting to add the memberOf attribute to the group
>>>>>>> entry cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't know
>>>>>>> why it would do this unless it is attempting some sort of group nesting.
>>>>>>>
>>>>>>>
>>>>>
>>>>> This is still a mystery - we need to figure out why it is attempting to
>>>>> add memberOf to this entry.
>>>>>
>>>>>>>>
>>>>>>>> The groups themselves appear to be correct on both servers. Both ohm
>>>>>>>> and curie have groups which contain the correct 'member' attributes.
>>>>>>>> So the problem appears to be that ohm contains groups with correct
>>>>>>>> 'members', but none of the users have any 'memberOf's.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Do all of the users have the inetUser objectclass?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Yep. Looks like it. I have 162 users:
>>>>>>
>>>>>> [djscott at ohm ~]$ ldapsearch -h curie.example.com -x -b
>>>>>> 'cn=users,cn=accounts,dc=example.com' |grep 'objectClass: inetUser'|wc
>>>>>>   162     324    3564
>>>>>> [djscott at ohm ~]$ ldapsearch -h ohm.example.com -x -b
>>>>>> 'cn=users,cn=accounts,dc=example,dc=com' |grep 'objectClass:
>>>>>> inetUser'|wc
>>>>>>   162     324    3564
>>>>>> [djscott at ohm ~]$
>>>>>>
>>>>>>
>>>>>
>>>>> If you run the lib/dirsrv/slapd-ds/fixup-memberof.pl script, does it
>>>>> add the memberOf attributes?
>>>>>
>>>>
>>>> When I try to run that, I get the following:
>>>>
>>>> [root at ohm ~]# /usr/lib64/dirsrv/slapd-EXAMPLE.COM/fixup-memberof.pl -b
>>>> cn=groups,cn=accounts,dc=example,dc=com -D uid=admin -w -
>>>> Bind Password: *************
>>>>
>>>> ldap_simple_bind: No such object
>>>>
>>>
>>> uid=admin is not the full DN - should be something like
>>> uid=admin,cn=accounts,dc=example,dc=com or something like that?
>>
>> Sorry about that, I now get:
>>
>> adding new entry cn=memberOf_fixup_2010_10_7_10_41_11, cn=memberOf
>> task, cn=tasks, cn=config
>> ldap_add: Insufficient access
>>
>> I have an admin Kerberos ticket and I know the password is correct
>> because otherwise I get 'ldap_simple_bind: Invalid credentials'.
>
> The IPA admin user can't write to cn=config. You need to do this as
> cn=Directory Manager

Thanks for all the help guys. Sorry I don't know too much about this.
Looks like it finally ran:

adding new entry cn=memberOf_fixup_2010_10_7_11_10_0, cn=memberOf
task, cn=tasks, cn=config

The log file on ohm now contains an entry:

[07/Oct/2010:11:10:01 -0400] NSMMReplicationPlugin -
repl_set_mtn_referrals: could not set referrals for replica
dc=example,dc=com: 20

Curie contains the same log entry.

But, none of the users contain the memberOf attributes on ohm.

Dan
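The thread's symptom is a replica (ohm) whose groups carry the right 'member' values while its users carry no 'memberOf'. The following is an added diagnostic, not code from the thread or from FreeIPA: it reads LDIF (as exported by ldapsearch from each replica) and reports every user that a group lists as a member but that lacks the matching memberOf value. The LDIF below is a constructed sample; run it against a real export to compare ohm and curie before and after the fixup task.

```python
"""Cross-check group 'member' values against user 'memberOf' values.
Added diagnostic for the memberOf mismatch discussed above; not FreeIPA code."""
import re
from collections import defaultdict

# Constructed sample resembling 'ldapsearch -x -b cn=accounts,dc=example,dc=com'
# output from a replica where one user has lost its memberOf value.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: alice
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: bob
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Unfolds wrapped lines,
    lower-cases attribute names and DNs; base64 ('::') values are not decoded."""
    entries = {}
    unfolded = re.sub(r"\n ", "", text)  # LDIF continues long values with a leading space
    for block in unfolded.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, val = line.partition(": ")
                attrs[key.lower()].append(val.strip())
        entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def memberof_gaps(entries):
    """Return {user_dn: [group_dn, ...]} for each 'member' lacking a matching 'memberOf'."""
    expected = defaultdict(set)  # user DN -> groups that list it as a member
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            expected[member.lower()].add(dn)
    gaps = {}
    for user, groups in expected.items():
        present = {g.lower() for g in entries.get(user, {}).get("memberof", [])}
        if groups - present:
            gaps[user] = sorted(groups - present)
    return gaps

if __name__ == "__main__":
    for user, groups in memberof_gaps(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{user} is missing memberOf for: {', '.join(groups)}")
```

An empty result on both replicas after fixup-memberof.pl completes is the check that the task actually repaired the entries, which the log line quoted above does not confirm.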