danila kuzovlev via FreeIPA-users wrote:
> Hi, I'm trying to create centralized authorization for my services with
> a FreeIPA cluster in different locations. For some reasons I use base search in
> the cn=compat tree for mapping users, but on different replicas the results of
> the same ldapsearch questions are different:
>
> ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
> # extended LDIF
> #
> # LDAPv3
> # base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
> # some-group, groups, compat, example.com
> dn: some_group,cn=groups,cn=compat,dc=example,dc=com
> objectClass: posixGroup
> objectClass: ipaOverrideTarget
> objectClass: ipaexternalgroup
> objectClass: top
> gidNumber: 12345678
> memberUid: user2
> memberUid: user1
>
> ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
>  U2YWIxMDNl
> cn: some_group
>
> But if I make a search with "Subtree" scope to the first one, I can see entries
> in the answer:
>
> ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
> # extended LDIF
> #
> # LDAPv3
> # base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> # some-group, groups, compat, example.com
> dn: some_group,cn=groups,cn=compat,dc=example,dc=com
> objectClass: posixGroup
> objectClass: ipaOverrideTarget
> objectClass: ipaexternalgroup
> objectClass: top
> gidNumber: 12345678
> memberUid: user2
> memberUid: user1
>
> ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
>  U2YWIxMDNl
> cn: some_group
>
> I have 4 ipa-servers with versions 4.9.6 and 4.9.10.
> I can see this result with only one replica, with version 4.9.6. I tried to
> delete the topology segment and reinstall the ipa-replica, but it doesn't work.

I think we need a better view of what is happening. But first, why do you need to use the compat tree? Are there AD users in the mix?

The search base won't make a difference here since it's a leaf record (hence why the output is identical). I'm not sure what you're trying to demonstrate. This would have nothing to do with different servers providing different results.

rob
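
One way to get a clearer view of what each replica returns is to capture the same base-scope ldapsearch output from every server and diff the parsed entries. The following is an added example, not part of the original thread: the replica names and the sample output are constructed, and `parse_ldif` and `compare_replicas` are hypothetical helper names.

```python
import base64

def parse_ldif(text):
    """Parse ldapsearch LDIF output into {dn: {attribute: set(values)}}."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous one.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                      # a blank line ends the entry
        elif line.startswith("#") or ":" not in line:
            continue                            # comment or noise
        else:
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):            # "attr:: value" is base64
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                current = entries.setdefault(value, {})
            elif current is not None:           # skips "search:" / "result:" trailer
                current.setdefault(attr, set()).add(value)
    return entries

def compare_replicas(outputs):
    """outputs: {replica_name: ldif_text}; returns a list of discrepancies."""
    parsed = {name: parse_ldif(text) for name, text in outputs.items()}
    report = []
    for dn in sorted(set().union(*parsed.values())):
        have = {n: p[dn] for n, p in parsed.items() if dn in p}
        report += [(dn, n, "entry missing") for n in sorted(set(parsed) - set(have))]
        for attr in sorted(set().union(*have.values())):
            if len({frozenset(e.get(attr, ())) for e in have.values()}) > 1:
                report.append((dn, attr, "values differ"))
    return report

# Constructed sample output (not taken from the thread) for three replicas.
DN = "cn=some_group,cn=groups,cn=compat,dc=example,dc=com"
ANCHOR = base64.b64encode(b":IPA:example.com:constructed-uuid-0000").decode()
HEAD, TAIL = "# extended LDIF\n#\n# LDAPv3\n\n", "\n# search result\nsearch: 2\nresult: 0 Success\n"
ENTRY = (f"dn: {DN}\nobjectClass: posixGroup\nmemberUid: user1\nmemberUid: user2\n"
         f"ipaAnchorUUID:: {ANCHOR[:20]}\n {ANCHOR[20:]}\n")
SAMPLE = {"replica-a": HEAD + TAIL, "replica-b": HEAD + ENTRY + TAIL,
          "replica-c": HEAD + ENTRY.replace("memberUid: user2\n", "") + TAIL}
```

Calling `compare_replicas(SAMPLE)` reports the replica that returned no entry and the attribute whose values differ between the others.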
