[Freeipa-users] Replica not syncing 'memberOf' attributes

Rich Megginson rmeggins at redhat.com
Wed Oct 6 20:17:56 UTC 2010


Dan Scott wrote:
> Hi,
>
> ohm_admins.ldif and curie_admins.ldif attached. I added a '-h
> $hostname' to the command to ensure that I queried both servers. The
> results look identical to me, apart from the ordering.
>
> Thanks,
>
> Dan
>
> On Wed, Oct 6, 2010 at 15:34, Rob Crittenden <rcritten at redhat.com> wrote:
>   
>> Dan Scott wrote:
>>     
>>> Hi,
>>>
>>> On Wed, Oct 6, 2010 at 11:32, Simo Sorce <ssorce at redhat.com> wrote:
>>>       
>>>> On Wed, 6 Oct 2010 10:26:48 -0400
>>>> Dan Scott <danieljamesscott at gmail.com> wrote:
>>>>
>>>>         
>>>>> Hi,
>>>>>
>>>>> I have master and slave FreeIPA servers. I recently upgraded the slave
>>>>> by wiping, re-installing Fedora 13 and re-creating the replication
>>>>> using ipa-replica-prepare and ipa-replica-install.
>>>>>
>>>>> For some reason, the slave is having difficulty replicating the
>>>>> memberOf attribute. I can attach an LDAP viewer to the replica, and
>>>>> view the schema, but the memberOf attributes are missing. Also, the
>>>>> master server contains the lines:
>>>>>
>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>> attribute "memberOf" not allowed
>>>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
>>>>> referrals for replica dc=example,dc=com: 20
>>>>> NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for
>>>>> replica dc=example,dc=com does not match the data in the changelog.
>>>>>  Recreating the changelog file. This could affect replication with
>>>>> replica's  consumers in which case the consumers should be
>>>>> reinitialized.
>>>>> [06/Oct/2010:09:58:33 -0400] - skipping cos definition cn=account
>>>>> inactivation,cn=accounts,dc=example,dc=com--no templates found
>>>>>
>>>>> The rest of the replication appears to be working correctly (as far as
>>>>> I can tell).
>>>>>
>>>>> I have tried using ipa-replica-manage init and synch to try to fix the
>>>>> replication, but I suspect this has something to do with the schema
>>>>> definition.
>>>>>
>>>>> Does anyone have any pointers/ideas for how I can fix this?
>>>>>           
>>>> Dan, the memberof attribute is explicitly not replicated, and should be
>>>> simply re-generated on the receiving replica when "member" attributes
>>>> are replicated.
>>>>         
>>> So does this imply that there is some corruption in the schema on the
>>> replica server?
>>>
>>>       
>>>> Are the IPA versions on the master and the replica the same?
>>>>         
>>> They are both the same version: ipa-server-1.2.2-4.fc13.x86_64
>>>
>>> Thanks,
>>>
>>> Dan Scott
>>>       
>> It is complaining that memberOf isn't allowed in the admins group which is
>> pretty strange.
>>
>> Can you show us the admins group out of the replica and master?
>>
>> ldapsearch -x -b 'cn=groups,cn=accounts,dc=example,dc=com' cn=admins
>>     
Neither one has the inetUser objectclass which allows the use of 
memberOf.  But why is it attempting to add memberOf to this entry which 
is itself a group entry?  Is this some sort of nested group?
>> thanks
>>
>> rob
>>
>>     
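
The check the reply above points at, as an added example that is not part of the original message or of FreeIPA: given an LDIF dump of the accounts subtree, it lists entries that are members of some group yet lack the inetUser objectclass, which is the situation the nested-group question is probing. The sample LDIF, the "sysops" group and the function names are constructed for illustration, inetUser is treated as the only objectclass permitting memberOf (as the reply states), and DN normalisation is simplified.

```python
import base64

# Constructed sample in ldapsearch LDIF form. The "sysops" group and its
# nesting of "admins" are hypothetical, not taken from the thread.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
objectClass: posixGroup
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com

dn: cn=sysops,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
member: cn=admins,cn=groups,cn=accounts,
 dc=example,dc=com

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
objectClass: inetUser
"""

def norm_dn(dn):
    """Simplified DN normalisation: lowercase, no spaces around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalised dn: {attr: set(values)}} for a multi-entry LDIF."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), set()).add(value.strip())
        if "dn" in entry:
            entries[norm_dn(next(iter(entry["dn"])))] = entry
    return entries

def memberof_conflicts(entries):
    """(member, group) pairs where the member entry lacks inetUser."""
    out = []
    for group_dn, group in entries.items():
        for m in group.get("member", ()):
            target = entries.get(norm_dn(m))
            classes = {c.lower() for c in (target or {}).get("objectclass", ())}
            if target is not None and "inetuser" not in classes:
                out.append((norm_dn(m), group_dn))
    return sorted(out)
```

Feed it the output of a subtree search that returns both groups and users; a search filtered to cn=admins alone cannot show which other group lists admins as a member.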