[Freeipa-users] replication question

Csaba Kollar ckollar at xanadu.ie
Tue Jan 27 16:33:23 UTC 2015


Hi there,

I’ve installed ipa-server-3.0.0-42.el6.centos.x86_64 on CentOS 6.6 servers.
Configured first as a master. Configured second as a replica.
Everything went smoothly, no errors.
If I create a user on the master, it automatically shows up on the replica.
BUT if I create a user on the replica, I cannot see the created user on the master (or if I delete a user on the replica which was created on the master, it stays on the master).

I’ve tried to force-sync the master without luck:

[root@centosm ~]# ipa-replica-manage force-sync --from centosr.macp.sh
ipa: INFO: Setting agreement cn=meTocentosm.macp.sh,cn=replica,cn=dc\=macp\,dc\=sh,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTocentosm.macp.sh,cn=replica,cn=dc\=macp\,dc\=sh,cn=mapping tree,cn=config


Example:
[root@centosr ~]# ipa user-add
First name: test
Last name: test
User login [ttest]:
------------------
Added user "ttest"
------------------
  User login: ttest
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/ttest
  GECOS field: test test
  Login shell: /bin/sh
  Kerberos principal: ttest@MACP.SH
  Email address: ttest@macp.sh
  UID: 1213900501
  GID: 1213900501
  Password: False
  Kerberos keys available: False

[root@centosm ~]# ipa user-show ttest
ipa: ERROR: ttest: user not found

I’ve checked replication statuses:

Master:
[root@centosm ~]# ldapsearch -x -h centosm.macp.sh -D "cn=directory manager" -w xxxxxx1 -b cn=config '(objectclass=nsds5replicationagreement)'
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5replicationagreement)
# requesting: ALL
#

# meTocentosr.macp.sh, replica, dc\3Dmacp\2Cdc\3Dsh, mapping tree, config
dn: cn=meTocentosr.macp.sh,cn=replica,cn=dc\3Dmacp\2Cdc\3Dsh,cn=mapping tree,c
 n=config
cn: meTocentosr.macp.sh
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to centosr.macp.sh
nsDS5ReplicaRoot: dc=macp,dc=sh
nsDS5ReplicaHost: centosr.macp.sh
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150127162748Z
nsds5replicaLastUpdateEnd: 20150127162751Z
nsds5replicaChangesSentSinceStartup:: NDoxMzkxLzMg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150127145831Z
nsds5replicaLastInitEnd: 20150127145834Z
nsds5replicaLastInitStatus: 0 Total update succeeded

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Slave:
[root@centosr ~]# ldapsearch -x -h centosr.macp.sh -D "cn=directory manager" -w almafa12 -b cn=config '(objectclass=nsds5replicationagreement)'
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5replicationagreement)
# requesting: ALL
#

# meTocentosm.macp.sh, replica, dc\3Dmacp\2Cdc\3Dsh, mapping tree, config
dn: cn=meTocentosm.macp.sh,cn=replica,cn=dc\3Dmacp\2Cdc\3Dsh,cn=mapping tree,c
 n=config
cn: meTocentosm.macp.sh
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to centosm.macp.sh
nsDS5ReplicaRoot: dc=macp,dc=sh
nsDS5ReplicaHost: centosm.macp.sh
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 54c7a797000000040000
nsds50ruv: {replica 4 ldap://centosm.macp.sh:389}
nsds50ruv: {replica 3 ldap://centosr.macp.sh:389} 54c7a79b000000030000 54c7a7a
 1000400030000
nsruvReplicaLastModified: {replica 4 ldap://centosm.macp.sh:389} 00000000
nsruvReplicaLastModified: {replica 3 ldap://centosr.macp.sh:389} 00000000
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150127162747Z
nsds5replicaLastUpdateEnd: 20150127162747Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@centosm ~]# ipa-replica-manage list
centosm.macp.sh: master
centosr.macp.sh: master
[root@centosm ~]# ipa-replica-manage -v list centosr.macp.sh
centosm.macp.sh: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 2015-01-27 16:29:00+00:00
[root@centosm ~]#

[root@centosr ~]# ipa-replica-manage list
centosm.macp.sh: master
centosr.macp.sh: master
[root@centosr ~]# ipa-replica-manage list -v centosm.macp.sh
centosr.macp.sh: replica
  last init status: 0 Total update succeeded
  last init ended: 2015-01-27 14:58:34+00:00
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: None
[root@centosr ~]#

Probably I’m missing something really obvious, so if anyone can tell me what, I would be really grateful :).

Kind regards,
Csaba Kollar
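
Added example, not part of the original post: the ldapsearch output above is folded LDIF (continuation lines begin with one space) and carries one base64-encoded value (`::`), so the agreement status is easier to compare once parsed. The function names `parse_agreements` and `status` are hypothetical; the input is an excerpt of the two agreement entries shown above, trimmed to their status attributes.

```python
import base64

# Constructed input: both agreement entries from the post, trimmed to status attributes.
SAMPLE = r"""dn: cn=meTocentosr.macp.sh,cn=replica,cn=dc\3Dmacp\2Cdc\3Dsh,cn=mapping tree,c
 n=config
nsDS5ReplicaHost: centosr.macp.sh
nsds5replicaChangesSentSinceStartup:: NDoxMzkxLzMg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaLastInitEnd: 20150127145834Z

dn: cn=meTocentosm.macp.sh,cn=replica,cn=dc\3Dmacp\2Cdc\3Dsh,cn=mapping tree,c
 n=config
nsDS5ReplicaHost: centosm.macp.sh
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate started
nsds5replicaLastInitEnd: 0

result: 0 Success
"""

def parse_agreements(text):
    """Unfold LDIF continuation lines, decode '::' base64 values, group by dn."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # one leading space continues the previous line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in (l for l in lines if not l.startswith("#")):   # drop LDIF comments
        if not line.strip():
            cur = None                    # a blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr.lower() == "dn":
            entries.append(cur := {})
        if cur is not None:               # ignores trailer lines such as 'result:'
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def status(entry):
    keys = ("nsds5replicahost", "nsds5replicalastupdatestatus",
            "nsds5replicalastinitend", "nsds5replicachangessentsincestartup")
    return {k: (entry.get(k) or [""])[0] for k in keys}
```

Calling `status()` on each entry returned by `parse_agreements()` puts the two directions' status fields side by side with the folded lines rejoined.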
