[Freeipa-users] Replica not syncing 'memberOf' attributes

Rich Megginson rmeggins at redhat.com
Wed Oct 6 22:30:09 UTC 2010


Dan Scott wrote:
> I'm not sure which group this is referring to. Admins only contains 3
> users, no nested groups.
>
> The problem appears to be related to the users, rather than the
> groups. None of the users on ohm have a 'memberOf'. Curie has the
> correct memberOf attributes.
>   
The error message specifically mentions the admin group:

- Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
attribute "memberOf" not allowed

As if it is attempting to add the memberOf attribute to the group entry 
cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't know why it 
would do this unless it is attempting some sort of group nesting.
> The groups themselves appear to be correct on both servers. Both ohm
> and curie have groups which contain the correct 'member' attributes.
> So the problem appears to be that ohm contains groups with correct
> 'members', but none of the users have any 'memberOf's.
>
>   
Do all of the users have the inetUser objectclass?
> Thanks,
>
> Dan
>
> On Wed, Oct 6, 2010 at 16:17, Rich Megginson <rmeggins at redhat.com> wrote:
>   
>> Dan Scott wrote:
>>     
>>> Hi,
>>>
>>> ohm_admins.ldif and curie_admins.ldif attached. I added a '-h
>>> $hostname' to the command to ensure that I queried both servers. The
>>> results look identical to me, apart from the ordering.
>>>
>>> Thanks,
>>>
>>> Dan
>>>
>>> On Wed, Oct 6, 2010 at 15:34, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>>       
>>>> Dan Scott wrote:
>>>>
>>>>         
>>>>> Hi,
>>>>>
>>>>> On Wed, Oct 6, 2010 at 11:32, Simo Sorce <ssorce at redhat.com> wrote:
>>>>>
>>>>>           
>>>>>> On Wed, 6 Oct 2010 10:26:48 -0400
>>>>>> Dan Scott <danieljamesscott at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have master and slave FreeIPA servers. I recently upgraded the slave
>>>>>>> by wiping, re-installing Fedora 13 and re-creating the replication
>>>>>>> using ipa-replica-prepare and ipa-replica-install.
>>>>>>>
>>>>>>> For some reason, the slave is having difficulty replicating the
>>>>>>> memberOf attribute. I can attach an LDAP viewer to the replica, and
>>>>>>> view the schema, but the memberOf attributes are missing. Also, the
>>>>>>> master server contains the lines:
>>>>>>>
>>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>>> attribute "memberOf" not allowed
>>>>>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
>>>>>>> referrals for replica dc=example,dc=com: 20
>>>>>>> NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for
>>>>>>> replica dc=example,dc=com does not match the data in the changelog.
>>>>>>>  Recreating the changelog file. This could affect replication with
>>>>>>> replica's  consumers in which case the consumers should be
>>>>>>> reinitialized.
>>>>>>> [06/Oct/2010:09:58:33 -0400] - skipping cos definition cn=account
>>>>>>> inactivation,cn=accounts,dc=example,dc=com--no templates found
>>>>>>>
>>>>>>> The rest of the replication appears to be working correctly (as far as
>>>>>>> I can tell).
>>>>>>>
>>>>>>> I have tried using ipa-replica-manage init and synch to try to fix the
>>>>>>> replication, but I suspect this has something to do with the schema
>>>>>>> definition.
>>>>>>>
>>>>>>> Does anyone have any pointers/ideas for how I can fix this?
>>>>>>>
>>>>>>>               
>>>>>> Dan, the memberof attribute is explicitly not replicated, and should be
>>>>>> simply re-generated on the receiving replica when "member" attributes
>>>>>> are replicated.
>>>>>>
>>>>>>             
>>>>> So does this imply that there is some corruption in the schema on the
>>>>> replica server?
>>>>>
>>>>>
>>>>>           
>>>>>> Are the IPA versions on the master and the replica the same ?
>>>>>>
>>>>>>             
>>>>> They are both the same version: ipa-server-1.2.2-4.fc13.x86_64
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Dan Scott
>>>>>
>>>>>           
>>>> It is complaining that memberOf isn't allowed in the admins group which is
>>>> pretty strange.
>>>>
>>>> Can you show us the admins group out of the replica and master?
>>>>
>>>> ldapsearch -x -b 'cn=groups,cn=accounts,dc=example,dc=com' cn=admins
>>>>
>>>>         
>> Neither one has the inetUser objectclass which allows the use of memberOf.
>>  But why is it attempting to add memberOf to this entry which is itself a
>> group entry?  Is this some sort of nested group?
>>     
>>>> thanks
>>>>
>>>> rob
>>>>
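The thread boils down to two checks an administrator can run against an LDIF export from each server: does every entry named in some group's "member" carry the matching "memberOf" (Simo's point that memberOf is regenerated from member on the receiving replica, not replicated), and does every such entry carry an objectclass that permits memberOf at all (Rich's point about inetUser, which is what the "attribute memberOf not allowed" error for the admins group is about). The script below is an added example written for this page; it is not code from the list, from 389-DS or from FreeIPA. It assumes a plain LDIF export such as the output of `ldapsearch -x -LLL -h <host> -b 'cn=accounts,dc=example,dc=com'`, that only inetUser permits memberOf (the `ALLOW_MEMBEROF` set is an assumption to extend for the local schema), and compares DNs by simple lowercasing rather than full RFC 4514 normalisation. The embedded LDIF is constructed sample data that reproduces the three situations the thread describes: a user with no memberOf at all, a user with a stale memberOf, and a nested group that is a member of admins but has no objectclass allowing memberOf.

```python
"""memberOf consistency check for a 389-DS / FreeIPA LDIF export.

Added example for this thread, not code from the list or from FreeIPA.
Assumes memberOf is derived from group 'member' values and that only the
objectclasses in ALLOW_MEMBEROF may hold it; DNs are compared lowercased.
"""
import base64

# Objectclasses that permit memberOf. Only inetUser is named in the thread;
# extend this for the local schema (assumption, not taken from IPA's schema).
ALLOW_MEMBEROF = {"inetuser"}

# Constructed sample export (not real data): alice is consistent, bob lacks
# memberOf like the users on ohm, carol has a stale memberOf (folded line),
# and cn=ops is a nested member of cn=admins without any class allowing memberOf.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
member: cn=ops,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: ops
description:: TmVzdGVkIGdyb3Vw
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
uid: alice
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
uid: carol
memberOf: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=old,cn=groups,cn=accounts,
 dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader -> [{"dn": str, "attrs": {name: [values]}}].
    Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:             # sentinel flushes the last entry
        if not line.strip() or line.startswith("#"):
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):            # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {"dn": "", "attrs": {}}
        if attr == "dn":
            current["dn"] = value
        else:
            current["attrs"].setdefault(attr, []).append(value)
    return entries


def check_memberof(entries):
    """Return (missing, stale, not_allowed):
    missing {dn: {group}}: groups naming the entry that are absent from its memberOf
    stale   {dn: {group}}: memberOf values no group backs any more
    not_allowed {dn}: entries named as members but lacking a class that permits memberOf"""
    expected = {}                            # member dn -> groups listing it
    for e in entries:
        for m in e["attrs"].get("member", []):
            expected.setdefault(m.lower(), set()).add(e["dn"].lower())
    missing, stale, not_allowed = {}, {}, set()
    for e in entries:
        dn = e["dn"].lower()
        actual = {v.lower() for v in e["attrs"].get("memberof", [])}
        exp = expected.get(dn, set())
        ocs = {o.lower() for o in e["attrs"].get("objectclass", [])}
        if exp and not (ocs & ALLOW_MEMBEROF):
            not_allowed.add(dn)              # the "memberOf not allowed" case
        if exp - actual:
            missing[dn] = exp - actual
        if actual - exp:
            stale[dn] = actual - exp
    return missing, stale, not_allowed


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    missing, stale, not_allowed = check_memberof(parse_ldif(src))
    for dn, groups in sorted(missing.items()):
        print("MISSING ", dn, "<-", ", ".join(sorted(groups)))
    for dn, groups in sorted(stale.items()):
        print("STALE   ", dn, "->", ", ".join(sorted(groups)))
    for dn in sorted(not_allowed):
        print("NOSCHEMA", dn, "(no objectclass permitting memberOf)")
```

Run it once per server against an export taken with `-h ohm` and `-h curie`: a healthy replica reports nothing, a replica in the state Dan describes lists every user under MISSING, and any entry under NOSCHEMA is one the memberOf plugin cannot fix up no matter how many times the replica is re-initialised, because the schema rejects the write.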