[Freeipa-users] Replica not syncing 'memberOf' attributes

Nathan Kinder nkinder at redhat.com
Thu Oct 7 15:52:44 UTC 2010 

On 10/06/2010 07:03 PM, Rich Megginson wrote:
> Dan Scott wrote:
>> Hi,
>>
>> On Wed, Oct 6, 2010 at 19:29, Nathan Kinder <nkinder at redhat.com> wrote:
>>> On 10/06/2010 03:08 PM, Dan Scott wrote:
>>>> I'm not sure which group this is referring to. Admins only contains 3
>>>> users, no nested groups.
>>>>
>>> Do any other groups have a "member" attribute that points to your
>>> "cn=admins" group's DN?  The error message indicates that some other 
>>> group
>>> has your admins group as a member.
>>
>> Yes, I do have another group of which admins is a member. I have
>> removed it temporarily. Would this be a problem normally?
> I'm not sure how the memberOf plugin is supposed to handle situations 
> like this.
The memberOf plug-in leaves it up to the administrator to ensure that 
the proper objectClasses are present on objects that it wants to add 
memberOf to.  When the plug-in encounters an issue where the memberOf 
attribute it not allowed on an entry, it simply continues on to the next 
entry.  This one grouping error should not cause any other issues with 
memberOf working for other groups.

 From an FreeIPA perspective, should it be allowed to list the 
"cn=admins" group as a member of another group?  If so, the proper 
objectClass needs to be added to "cn=admins" to allow the memberOf 
attribute.
>> Thanks,
>>
>> Dan
>>
>>> -NGK
>>>> The problem appears to be related to the users, rather than the
>>>> groups. None of the users on ohm have a 'memberOf'. Curie has the
>>>> correct memberOf attributes.
>>>>
>>>> The groups themselves appear to be correct on both servers. Both ohm
>>>> and curie have groups which contain the correct 'member' attributes.
>>>> So the problem appears to be that ohm contains groups with correct
>>>> 'members', but none of the users have any 'memberOf's.
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>>
>>>> On Wed, Oct 6, 2010 at 16:17, Rich Megginson<rmeggins at redhat.com>  
>>>> wrote:
>>>>
>>>>> Dan Scott wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> ohm_admins.ldif and curie_admins.ldif attached. I added a '-h
>>>>>> $hostname' to the command to ensure that I queried both servers. The
>>>>>> results look identical to me, apart from the ordering.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>> On Wed, Oct 6, 2010 at 15:34, Rob Crittenden<rcritten at redhat.com>
>>>>>>  wrote:
>>>>>>
>>>>>>
>>>>>>> Dan Scott wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On Wed, Oct 6, 2010 at 11:32, Simo Sorce<ssorce at redhat.com>    
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Wed, 6 Oct 2010 10:26:48 -0400
>>>>>>>>> Dan Scott<danieljamesscott at gmail.com>    wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have master and slave FreeIPA servers. I recently upgraded the
>>>>>>>>>> slave
>>>>>>>>>> by wiping, re-installing Fedora 13 and re-creating the 
>>>>>>>>>> replication
>>>>>>>>>> using ipa-replica-prepare and ipa-replica-install.
>>>>>>>>>>
>>>>>>>>>> For some reason, the slave is having difficulty replicating the
>>>>>>>>>> memberOf attribute. I can attach an LDAP viewer to the 
>>>>>>>>>> replica, and
>>>>>>>>>> view the schema, but the memberOf attributes are missing. 
>>>>>>>>>> Also, the
>>>>>>>>>> master server contains the lines:
>>>>>>>>>>
>>>>>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>>>>>> attribute "memberOf" not allowed
>>>>>>>>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
>>>>>>>>>> referrals for replica dc=example,dc=com: 20
>>>>>>>>>> NSMMReplicationPlugin - replica_reload_ruv: Warning: new data 
>>>>>>>>>> for
>>>>>>>>>> replica dc=example,dc=com does not match the data in the 
>>>>>>>>>> changelog.
>>>>>>>>>>  Recreating the changelog file. This could affect replication 
>>>>>>>>>> with
>>>>>>>>>> replica's  consumers in which case the consumers should be
>>>>>>>>>> reinitialized.
>>>>>>>>>> [06/Oct/2010:09:58:33 -0400] - skipping cos definition 
>>>>>>>>>> cn=account
>>>>>>>>>> inactivation,cn=accounts,dc=example,dc=com--no templates found
>>>>>>>>>>
>>>>>>>>>> The rest of the replication appears to be working correctly 
>>>>>>>>>> (as far
>>>>>>>>>> as
>>>>>>>>>> I can tell).
>>>>>>>>>>
>>>>>>>>>> I have tried using ipa-replica-manage init and synch to try 
>>>>>>>>>> to fix
>>>>>>>>>> the
>>>>>>>>>> replication, but I suspect this has something to do with the 
>>>>>>>>>> schema
>>>>>>>>>> definition.
>>>>>>>>>>
>>>>>>>>>> Does anyone have any pointers/ideas for how I can fix this?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Dan, the memberof attribute is explicitly not replicated, and 
>>>>>>>>> should
>>>>>>>>> be
>>>>>>>>> simply re-generated on the receiving replica when "member" 
>>>>>>>>> attributes
>>>>>>>>> are replicated.
>>>>>>>>>
>>>>>>>>>
>>>>>>>> So does this imply that there is some corruption in the schema 
>>>>>>>> on the
>>>>>>>> replica server?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Are the IPA versions on the master and the replica the same ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>> They are both the same version: ipa-server-1.2.2-4.fc13.x86_64
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Dan Scott
>>>>>>>>
>>>>>>>>
>>>>>>> It is complaining that memberOf isn't allowed in the admins 
>>>>>>> group which
>>>>>>> is
>>>>>>> pretty strange.
>>>>>>>
>>>>>>> Can you show us the admins group out of the replica and master?
>>>>>>>
>>>>>>> ldapsearch -x -b 'cn=groups,cn=accounts,dc=example,dc=com' 
>>>>>>> cn=admins
>>>>>>>
>>>>>>>
>>>>> Neither one has the inetUser objectclass which allows the use of
>>>>> memberOf.
>>>>>  But why is it attempting to add memberOf to this entry which is 
>>>>> itself a
>>>>> group entry?  Is this some sort of nested group?
>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>  ------------------------------------------------------------------------ 
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

More information about the Freeipa-users mailing list