[Freeipa-users] Replica not syncing 'memberOf' attributes

Rich Megginson rmeggins at redhat.com
Thu Oct 7 15:20:29 UTC 2010


Dan Scott wrote:
> On Thu, Oct 7, 2010 at 10:58, Rob Crittenden <rcritten at redhat.com> wrote:
>   
>> Dan Scott wrote:
>>     
>>> On Thu, Oct 7, 2010 at 10:20, Rich Megginson<rmeggins at redhat.com>  wrote:
>>>       
>>>> Dan Scott wrote:
>>>>         
>>>>> On Wed, Oct 6, 2010 at 22:02, Rich Megginson<rmeggins at redhat.com>
>>>>>  wrote:
>>>>>
>>>>>           
>>>>>> Dan Scott wrote:
>>>>>>
>>>>>>             
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Wed, Oct 6, 2010 at 18:30, Rich Megginson<rmeggins at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>>>> Dan Scott wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>>>>> I'm not sure which group this is referring to. Admins only contains
>>>>>>>>> 3
>>>>>>>>> users, no nested groups.
>>>>>>>>>
>>>>>>>>> The problem appears to be related to the users, rather than the
>>>>>>>>> groups. None of the users on ohm have a 'memberOf'. Curie has the
>>>>>>>>> correct memberOf attributes.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>> The error message specifically mentions the admin group:
>>>>>>>>
>>>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>>>> attribute "memberOf" not allowed
>>>>>>>>
>>>>>>>> As if it is attempting to add the memberOf attribute to the group
>>>>>>>> entry
>>>>>>>> cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't know why
>>>>>>>> it
>>>>>>>> would do this unless it is attempting some sort of group nesting.
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>> This is still a mystery - we need to figure out why it is attempting to
>>>>>> add
>>>>>> memberOf to this entry.
>>>>>>
>>>>>>             
>>>>>>>>> The groups themselves appear to be correct on both servers. Both ohm
>>>>>>>>> and curie have groups which contain the correct 'member' attributes.
>>>>>>>>> So the problem appears to be that ohm contains groups with correct
>>>>>>>>> 'members', but none of the users have any 'memberOf's.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>> Do all of the users have the inetUser objectclass?
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>>> Yep. Looks like it. I have 162 users:
>>>>>>>
>>>>>>> [djscott at ohm ~]$ ldapsearch -h curie.example.com -x -b \
>>>>>>>     'cn=users,cn=accounts,dc=example,dc=com' | grep 'objectClass: inetUser' | wc
>>>>>>>   162     324    3564
>>>>>>> [djscott at ohm ~]$ ldapsearch -h ohm.example.com -x -b \
>>>>>>>     'cn=users,cn=accounts,dc=example,dc=com' | grep 'objectClass: inetUser' | wc
>>>>>>>   162     324    3564
>>>>>>> [djscott at ohm ~]$
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> If you run the lib/dirsrv/slapd-ds/fixup-memberof.pl script, does it
>>>>>> add
>>>>>> the
>>>>>> memberOf attributes?
>>>>>>
>>>>>>             
>>>>> When I try to run that, I get the following:
>>>>>
>>>>> [root at ohm ~]# /usr/lib64/dirsrv/slapd-EXAMPLE.COM/fixup-memberof.pl \
>>>>>     -b cn=groups,cn=accounts,dc=example,dc=com -D uid=admin -w -
>>>>> Bind Password: *************
>>>>>
>>>>> ldap_simple_bind: No such object
>>>>>
>>>>>           
>>>> uid=admin is not the full DN - should be something like
>>>> uid=admin,cn=accounts,dc=example,dc=com or something like that?
>>>>         
>>> Sorry about that, I now get:
>>>
>>> adding new entry cn=memberOf_fixup_2010_10_7_10_41_11, cn=memberOf
>>> task, cn=tasks, cn=config
>>> ldap_add: Insufficient access
>>>
>>> I have an admin Kerberos ticket and I know the password is correct
>>> because otherwise I get 'ldap_simple_bind: Invalid credentials'.
>>>       
>> The IPA admin user can't write to cn=config. You need to do this as
>> cn=Directory Manager
>>     
>
> Thanks for all the help guys. Sorry I don't know too much about this.
> Looks like it finally ran:
>
> adding new entry cn=memberOf_fixup_2010_10_7_11_10_0, cn=memberOf
> task, cn=tasks, cn=config
>
> The log file on ohm now contains an entry:
>
> [07/Oct/2010:11:10:01 -0400] NSMMReplicationPlugin -
> repl_set_mtn_referrals: could not set referrals for replica
> dc=example,dc=com: 20
>   
20 is "type or value exists" - I think this means that it is attempting 
to set a referral for the master, but there already is one.
> Curie contains the same log entry.
>
> But, none of the users contain the memberOf attributes on ohm.
>   
Does IPA have its own memberOf plugin, or is it using the one from 389?
> Dan
>   
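The comparison Dan did by hand (groups on ohm carry the right 'member' values, users carry no 'memberOf') can be done offline against an LDIF dump of both subtrees. The script below is an added example, not code from the thread, from FreeIPA or from 389 DS. The LDIF strings in it are constructed to mirror the situation described, the hostnames and the ldapsearch invocation in the docstring are assumptions, and only direct membership is compared. It also lists member DNs whose entry has no inetUser objectClass (the class FreeIPA's schema uses to permit memberOf on users), which is the same question Rich asked and the kind of entry on which a write of memberOf is refused as "not allowed".

```python
"""Cross-check group 'member' values against user 'memberOf' values.

Added example for this thread; not code from FreeIPA, 389 DS or the posters.
The LDIF strings are constructed.  On a real replica the input would come
from something like (assumed invocation):
    ldapsearch -x -LLL -h ohm.example.com -b cn=accounts,dc=example,dc=com \
        '(|(objectClass=groupOfNames)(objectClass=inetUser))' member memberOf
"""
from collections import defaultdict


def normalize_dn(dn: str) -> str:
    """Lower-case and trim spaces around RDN separators so two spellings of
    the same DN compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: {normalized_dn: {attr_lower: [values]}}.
    Unfolds continuation lines (leading space); skips comments and
    base64 ('::') values, which this check does not need."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # base64 value, ignore
                continue
            value = value.strip()
            if attr.lower() == "dn":
                dn = normalize_dn(value)
            else:
                attrs[attr.lower()].append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def memberof_gaps(groups_ldif: str, users_ldif: str):
    """Return (gaps, not_inetuser).

    gaps: {member_dn: [group_dn, ...]} for entries named in some group's
          'member' whose own 'memberOf' lacks that group.
    not_inetuser: member DNs whose entry carries no inetUser objectClass,
          so memberOf could not be written to them at all.
    Direct membership only; a nested group is just another member DN."""
    entries = parse_ldif(groups_ldif)
    entries.update(parse_ldif(users_ldif))

    expected = defaultdict(set)                # member_dn -> groups it is in
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            expected[normalize_dn(member)].add(dn)

    gaps, not_inetuser = {}, []
    for member_dn, groups in sorted(expected.items()):
        attrs = entries.get(member_dn, {})
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "inetuser" not in classes:
            not_inetuser.append(member_dn)
            continue
        actual = {normalize_dn(v) for v in attrs.get("memberof", [])}
        missing = sorted(groups - actual)
        if missing:
            gaps[member_dn] = missing
    return gaps, not_inetuser


# Constructed sample data, not a real dump.  One member value is folded
# across two lines the way ldapsearch wraps long attributes.
GROUPS_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,
 dc=example,dc=com

dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: editors
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
"""

# "ohm": users exist with inetUser but carry no memberOf at all.
OHM_USERS_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: carol
"""

# "curie": the same users with memberOf materialised.
CURIE_USERS_LDIF = OHM_USERS_LDIF.replace(
    "uid: alice",
    "uid: alice\nmemberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
    "\nmemberOf: cn=editors,cn=groups,cn=accounts,dc=example,dc=com",
).replace(
    "uid: bob",
    "uid: bob\nmemberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
)

if __name__ == "__main__":
    for host, users in (("ohm", OHM_USERS_LDIF), ("curie", CURIE_USERS_LDIF)):
        gaps, bad = memberof_gaps(GROUPS_LDIF, users)
        print(f"{host}: {len(gaps)} entr(y/ies) missing memberOf, "
              f"{len(bad)} member DN(s) without inetUser")
        for member_dn, groups in gaps.items():
            print(f"  {member_dn} lacks memberOf for {', '.join(groups)}")
```

Run against real dumps, an empty gaps dict for a replica means the memberOf values are consistent with the groups; a non-empty not_inetuser list points at member DNs (here the nested admins group) that no fixup task can populate until their objectClasses allow the attribute.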



