You can see nscpentrywsi only as "cn=directory manager", and your mods for ipaconfigstring were also done as directory manager, but you search as another user. The attribute is probably there, but access control prevents you from seeing it.


On 11/30/2017 11:02 AM, skrawczenko--- via FreeIPA-users wrote:
Gentlemen, I'm very worried about breaking the entire cluster with something 
irreversible.
Not sure what caused the missed ipaconfigstring or probably this is not the 
root cause.
The replica nodes and winsync are still operational but ipa-replica-manage 
drops an error about ipaconfigstring and I badly need to fix it.

Now it becomes even more weird

[root@idm0]# ldapmodify -vvvv -x -D 'cn=directory manager' -W
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
dn: cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>
changetype: modify
add: ipaConfigString
ipaConfigString: <domain controller>

add ipaConfigString:
        <domain controller>
modifying entry "cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>"
modify complete

Rechecking

[root@idm0]# ldapmodify -vvvv -x -D 'cn=directory manager' -W
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
dn: cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>
changetype: modify
add: ipaConfigString
ipaConfigString: <domain controller>

add ipaConfigString:
        <domain controller>
modifying entry "cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>"
ldap_modify: Type or value exists (20)

Now

[root@idm0]# ldapsearch -Y GSSAPI -b cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>
SASL/GSSAPI authentication started
SASL username: ...
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

...
dn: cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>
cn: <domain controller>
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top

??? where is ipaConfigString???

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

and this attribute also:

[root@idm0]# ldapsearch -Y GSSAPI -b cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc> ncpentrywsi
SASL/GSSAPI authentication started
SASL username: ...
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>> with scope subtree
# filter: (objectclass=*)
# requesting: ncpentrywsi
#

...

dn: cn=<domain controller>,cn=replicas,cn=ipa,cn=etc,dc=<mydc>

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

It doesn't seem to be there either....


I can see these searches in access and nothing suspicious in errors, the 
replication and updates from domain controller are being performed constantly.
Ready to provide any more details.

Great thanks.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander
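
The diagnosis in the reply can be checked by running the same base search under both bind identities and listing the attributes only the privileged bind receives. This is an added example, not part of the thread: the function names are hypothetical, and the `dc1.example.test` entry and its LDIF are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Sample LDIF below is constructed.
export LC_ALL=C   # keep sort and comm in the same collation

# Print the sorted, lowercased attribute names found in LDIF on stdin.
ldif_attrs() {
    awk '/^ /  { next }                    # folded continuation: value text only
         /^#/ || /^$/ { next }             # comments, entry separators
         /^(dn|search|result):/ { next }   # entry name and ldapsearch trailer
         { sub(/[:;].*/, ""); print tolower($0) }' | sort -u
}

# hidden_attrs PRIVILEGED.ldif RESTRICTED.ldif
# Attributes returned to the first bind identity but not to the second.
hidden_attrs() {
    t=$(mktemp -d) || return 1
    ldif_attrs < "$1" > "$t/a"
    ldif_attrs < "$2" > "$t/b"
    comm -23 "$t/a" "$t/b"
    rm -rf "$t"
}

# Live use (not called here): needs the Directory Manager password and a ticket.
compare_binds() {   # $1 = entry DN
    d=$(mktemp -d) || return 1
    ldapsearch -LLL -x -D 'cn=directory manager' -W -s base -b "$1" \
        '*' nscpentrywsi > "$d/dm.ldif"
    ldapsearch -LLL -Y GSSAPI -s base -b "$1" '*' nscpentrywsi > "$d/user.ldif"
    hidden_attrs "$d/dm.ldif" "$d/user.ldif"
    rm -rf "$d"
}

# Constructed view as Directory Manager; note the folded nscpentrywsi value.
sample_dm() { cat <<'EOF'
dn: cn=dc1.example.test,cn=replicas,cn=ipa,cn=etc,dc=example,dc=test
cn: dc1.example.test
ipaConfigString: dc1.example.test
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
nscpentrywsi: dn: cn=dc1.example.test,cn=replicas,cn=ipa,cn=etc,dc=example,
 dc=test
EOF
}
# Constructed view as the GSSAPI user: same entry minus the filtered attributes.
sample_user() { sample_dm | grep -v -i -e '^ipaconfigstring:' -e '^nscpentrywsi:' -e '^ '; }

# Offline demo on the constructed samples.
w=$(mktemp -d); sample_dm > "$w/dm"; sample_user > "$w/u"
hidden_attrs "$w/dm" "$w/u"; rm -rf "$w"
```

An empty result from `compare_binds` means both identities see the same attributes, so access control is not what hides the value.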