James Roman wrote:
Rob Crittenden wrote:
Виктор Сергеевич wrote:
Hi!
Thanks! It works!, but
In master-server I'm see users in groups, but in replica I'm see only
group, without users. If search users - i'm can find it. And one more:


Strange, that shouldn't happen. I'd search for them directly in LDAP to ensure it isn't a problem with the IPA management framework:
Are you sure your describing this correctly. When I built my replica, initially, I could see that groups were synchronized (I could search for groups and I could see the members), but the memberof attributes of individual user entries was not available in the replica server. These are not synchronized by default, you must enable the plug-in to generate the entries.

Yes, I think I misread his statement. I read it as "I have groups but no users" not "I have groups that contain no users".

# > ldapmodify -x -W -D "cn=Directory Manager"
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

I've also seen the memberof entries disappear after performing an "ipa-replica-manage init replicaserver". This was much harder to address. I performed a lookup of the ipausers group members, stripped the entries down to just the uid and then ran then through a script that removed each entry and re-added them to the ipausers group, which forced the plug-in to recreate all memberof entries on all accounts. (Thank god I didn't have to do that on all the groups.)

There are two member related plugins now a freeipa one and a 389 plugin. Not sure if they are stepping on each other or not.

Right, the plugin was developed in IPA and moved into DS. In the next version of IPA we are dropping our plugin in favor of the DS version.

You really don't want both enabled at once, who knows what problems that could cause.

memberOf isn't a replicated attribute. It is built separately on each IPA server.

You can force the attribute to be rebuilt by creating a DS task and using ldapmodify to apply it. Something like:

# cp /usr/share/ipa/memberof-task.ldif /tmp/memberof-task.ldif
[edit /tmp/memberof-task.ldif anre placed $TIME with some unique number and $SUFFIX with dc=example,ed=com as appropriate]
# ldapmodify -x -D "cn=directory manager" -W < /tmp/memberof-task.ldif

You'll be prompted for your DM password. This should rebuild all the local memberOf entries.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to