Thanks! It works, but
on the master server I see users in groups, while on the replica I see only
the group, without users. If I search for users, I can find them. And one more:

Strange, that shouldn't happen. I'd search for them directly in LDAP to ensure it isn't a problem with the IPA management framework:
Are you sure you're describing this correctly? When I built my replica, initially, I could see that groups were synchronized (I could search for groups and I could see the members), but the memberof attributes of individual user entries were not available in the replica server. These are not synchronized by default; you must enable the plug-in to generate the entries.

# > ldapmodify -x -W -D "cn=Directory Manager"
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

I've also seen the memberof entries disappear after performing an "ipa-replica-manage init replicaserver". This was much harder to address. I performed a lookup of the ipausers group members, stripped the entries down to just the uid and then ran them through a script that removed each entry and re-added them to the ipausers group, which forced the plug-in to recreate all memberof entries on all accounts. (Thank god I didn't have to do that on all the groups.)

There are two member-related plugins now: a FreeIPA one and a 389 plugin. Not sure if they are stepping on each other or not.
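
The direct LDAP check suggested in the thread can be scripted. This added example (not code from any poster or from the FreeIPA project) reads an LDIF export, such as ldapsearch output from the replica, and lists users that a group names as `member` but whose own entries lack the matching `memberOf`. The sample entries and the `example.test` suffix are constructed; base64-encoded values and escaped commas in DNs are not handled.

```python
# Constructed sample (not from the thread): LDIF as ldapsearch would print it.
SAMPLE_LDIF = """\
dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
memberOf: CN=ipausers, cn=groups, cn=accounts,
 dc=example,dc=test

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
"""

def norm_dn(dn):
    # Simplification: lowercase and drop spaces around commas so DNs compare equal.
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        attr, sep, value = line.partition(":")
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif sep and not line.startswith("#"):
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def missing_memberof(ldif_text):
    """List (user_dn, group_dn) pairs where member is set but memberOf is not."""
    by_dn = {norm_dn(e["dn"][0]): e for e in parse_ldif(ldif_text) if "dn" in e}
    gaps = []
    for group_dn, entry in by_dn.items():
        for member in map(norm_dn, entry.get("member", [])):
            user = by_dn.get(member)      # None: member entry not in this export
            if user is not None and group_dn not in {norm_dn(v) for v in user.get("memberof", [])}:
                gaps.append((member, group_dn))
    return sorted(gaps)
```

Running the same export against the master and the replica and comparing the two results shows whether the gap is in the replicated data or only in what the management framework displays.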

