Dan Scott wrote:
On Thu, Oct 7, 2010 at 10:20, Rich Megginson<rmegg...@redhat.com>  wrote:
Dan Scott wrote:

On Wed, Oct 6, 2010 at 22:02, Rich Megginson<rmegg...@redhat.com>  wrote:

Dan Scott wrote:

Hi,

On Wed, Oct 6, 2010 at 18:30, Rich Megginson<rmegg...@redhat.com> wrote:

Dan Scott wrote:

I'm not sure which group this is referring to. Admins only contains 3
users, no nested groups.

The problem appears to be related to the users, rather than the
groups. None of the users on ohm have a 'memberOf'. Curie has the
correct memberOf attributes.

The error message specifically mentions the admin group:

- Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
attribute "memberOf" not allowed

As if it is attempting to add the memberOf attribute to the group entry
cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't know why it
would do this unless it is attempting some sort of group nesting.

This is still a mystery - we need to figure out why it is attempting to add memberOf to this entry.

The groups themselves appear to be correct on both servers. Both ohm
and curie have groups which contain the correct 'member' attributes.
So the problem appears to be that ohm contains groups with correct
'members', but none of the users have any 'memberOf's.

Do all of the users have the inetUser objectclass?

Yep. Looks like it. I have 162 users:

[djsc...@ohm ~]$ ldapsearch -h curie.example.com -x -b 'cn=users,cn=accounts,dc=example,dc=com' |grep 'objectClass: inetUser'|wc
   162     324    3564
[djsc...@ohm ~]$ ldapsearch -h ohm.example.com -x -b 'cn=users,cn=accounts,dc=example,dc=com' |grep 'objectClass: inetUser'|wc
   162     324    3564
[djsc...@ohm ~]$

If you run the lib/dirsrv/slapd-ds/fixup-memberof.pl script, does it add the memberOf attributes?

When I try to run that, I get the following:

[r...@ohm ~]# /usr/lib64/dirsrv/slapd-EXAMPLE.COM/fixup-memberof.pl -b cn=groups,cn=accounts,dc=example,dc=com -D uid=admin -w -
Bind Password: *************

ldap_simple_bind: No such object

uid=admin is not the full DN - should be something like
uid=admin,cn=accounts,dc=example,dc=com or something like that?

Sorry about that, I now get:

adding new entry cn=memberOf_fixup_2010_10_7_10_41_11, cn=memberOf task, cn=tasks, cn=config
ldap_add: Insufficient access

I have an admin Kerberos ticket and I know the password is correct
because otherwise I get 'ldap_simple_bind: Invalid credentials'.

The IPA admin user can't write to cn=config. You need to do this as cn=Directory Manager.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
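The comparison Dan did by hand above (groups carry the right `member` values, the users on ohm carry no `memberOf`) can be done offline against an ldapsearch dump, and the same script can emit the task entry that fixup-memberof.pl adds under cn=tasks,cn=config. The following is an added example, not code from this thread, from FreeIPA or from 389-ds. The sample LDIF is constructed; it nests cn=admins inside cn=ipausers on purpose, as a plain groupOfNames, to reproduce an entry on which memberOf is not allowed. The MEMBEROF_CLASSES set (only inetUser permits memberOf) is an assumption about this deployment's schema, as is the `ldapmodify` invocation in the usage note.

```python
"""Offline memberOf audit of an ldapsearch LDIF dump (added example, not
code from the thread, FreeIPA or 389-ds). Recomputes the memberOf each
entry should carry from the groups' member attributes, transitively so
nested groups count, reports entries that lack it, and flags entries
that need memberOf but have no objectClass permitting it, which is the
'attribute "memberOf" not allowed' failure seen on cn=admins."""
import base64
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample dump: alice has no memberOf, bob has a partial one,
# cn=admins is nested in cn=ipausers but is only a groupOfNames.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
objectClass: posixAccount
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
objectClass: posixAccount
uid: bob
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: ipausers
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
"""

# Assumption: in this schema only inetUser (which the thread checks for)
# allows memberOf; extend the set if the deployment differs.
MEMBEROF_CLASSES = {"inetuser"}


def norm_dn(dn):
    """Case-fold and drop spaces after commas so DNs compare consistently
    (escaped commas inside RDN values are not handled)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for every entry in a dump."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn:
            entries[dn] = attrs
    return entries


def expected_memberof(entries):
    """{normalized dn: set of normalized group DNs} the memberOf plugin
    should have written, including groups reached through nesting."""
    direct = defaultdict(set)
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            direct[norm_dn(member)].add(norm_dn(dn))
    expected = {}
    for dn in entries:
        seen, stack = set(), list(direct.get(norm_dn(dn), ()))
        while stack:  # walk up through parent groups
            group = stack.pop()
            if group not in seen:
                seen.add(group)
                stack.extend(direct.get(group, ()))
        if seen:
            expected[norm_dn(dn)] = seen
    return expected


def audit(entries):
    """{dn: sorted group DNs missing from that entry's memberOf}."""
    expected = expected_memberof(entries)
    missing = {}
    for dn, attrs in entries.items():
        have = {norm_dn(v) for v in attrs.get("memberof", [])}
        gap = expected.get(norm_dn(dn), set()) - have
        if gap:
            missing[dn] = sorted(gap)
    return missing


def schema_conflicts(entries, allowed=MEMBEROF_CLASSES):
    """Entries that need memberOf but carry no objectClass permitting it;
    a fixup of these fails whoever binds."""
    expected = expected_memberof(entries)
    bad = [dn for dn, attrs in entries.items()
           if norm_dn(dn) in expected
           and not {oc.lower() for oc in attrs.get("objectclass", [])} & allowed]
    return sorted(bad)


def fixup_task_ldif(basedn, filt="(objectclass=*)", name=None):
    """LDIF for a memberOf fixup task entry of the kind fixup-memberof.pl
    adds; basedn is the subtree whose entries get memberOf recomputed."""
    name = name or datetime.now().strftime("memberOf_fixup_%Y_%m_%d_%H_%M_%S")
    return "\n".join([
        f"dn: cn={name},cn=memberOf task,cn=tasks,cn=config",
        "objectClass: top",
        "objectClass: extensibleObject",
        f"cn: {name}",
        f"basedn: {basedn}",
        f"filter: {filt}",
        "",
    ])
```

Feed parse_ldif() the output of `ldapsearch -x -b cn=accounts,dc=example,dc=com` from each replica and compare audit() results; anything listed by schema_conflicts() needs an objectClass fix before any fixup can succeed. The task LDIF from fixup_task_ldif() has to be added as cn=Directory Manager, for instance `ldapmodify -a -x -D "cn=Directory Manager" -W -f task.ldif`, since, as rob notes, the IPA admin cannot write under cn=config; give it a basedn that covers the user subtree, not only cn=groups, because the task recomputes memberOf on the entries beneath basedn.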
