On Thu, Oct 7, 2010 at 10:58, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dan Scott wrote:
>>
>> On Thu, Oct 7, 2010 at 10:20, Rich Megginson<rmegg...@redhat.com> wrote:
>>>
>>> Dan Scott wrote:
>>>>
>>>> On Wed, Oct 6, 2010 at 22:02, Rich Megginson<rmegg...@redhat.com>
>>>> wrote:
>>>>>
>>>>> Dan Scott wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Oct 6, 2010 at 18:30, Rich Megginson<rmegg...@redhat.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> Dan Scott wrote:
>>>>>>>>
>>>>>>>> I'm not sure which group this is referring to. Admins only contains 3
>>>>>>>> users, no nested groups.
>>>>>>>>
>>>>>>>> The problem appears to be related to the users, rather than the
>>>>>>>> groups. None of the users on ohm have a 'memberOf'. Curie has the
>>>>>>>> correct memberOf attributes.
>>>>>>>
>>>>>>> The error message specifically mentions the admin group:
>>>>>>>
>>>>>>> - Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
>>>>>>> attribute "memberOf" not allowed
>>>>>>>
>>>>>>> As if it is attempting to add the memberOf attribute to the group
>>>>>>> entry cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't
>>>>>>> know why it would do this unless it is attempting some sort of group
>>>>>>> nesting.
>>>>>
>>>>> This is still a mystery - we need to figure out why it is attempting to
>>>>> add memberOf to this entry.
>>>>>
>>>>>>>> The groups themselves appear to be correct on both servers. Both ohm
>>>>>>>> and curie have groups which contain the correct 'member' attributes.
>>>>>>>> So the problem appears to be that ohm contains groups with correct
>>>>>>>> 'members', but none of the users have any 'memberOf's.
>>>>>>>
>>>>>>> Do all of the users have the inetUser objectclass?
>>>>>>
>>>>>> Yep. Looks like it. I have 162 users:
>>>>>>
>>>>>> [djsc...@ohm ~]$ ldapsearch -h curie.example.com -x -b
>>>>>> 'cn=users,cn=accounts,dc=example.com' |grep 'objectClass: inetUser'|wc
>>>>>> 162 324 3564
>>>>>> [djsc...@ohm ~]$ ldapsearch -h ohm.example.com -x -b
>>>>>> 'cn=users,cn=accounts,dc=example,dc=com' |grep 'objectClass: inetUser'|wc
>>>>>> 162 324 3564
>>>>>> [djsc...@ohm ~]$
>>>>>
>>>>> If you run the lib/dirsrv/slapd-ds/fixup-memberof.pl script, does it
>>>>> add the memberOf attributes?
>>>>
>>>> When I try to run that, I get the following:
>>>>
>>>> [r...@ohm ~]# /usr/lib64/dirsrv/slapd-EXAMPLE.COM/fixup-memberof.pl -b
>>>> cn=groups,cn=accounts,dc=example,dc=com -D uid=admin -w -
>>>> Bind Password: *************
>>>>
>>>> ldap_simple_bind: No such object
>>>
>>> uid=admin is not the full DN - should be something like
>>> uid=admin,cn=accounts,dc=example,dc=com or something like that?
>>
>> Sorry about that, I now get:
>>
>> adding new entry cn=memberOf_fixup_2010_10_7_10_41_11, cn=memberOf
>> task, cn=tasks, cn=config
>> ldap_add: Insufficient access
>>
>> I have an admin Kerberos ticket and I know the password is correct
>> because otherwise I get 'ldap_simple_bind: Invalid credentials'.
>
> The IPA admin user can't write to cn=config. You need to do this as
> cn=Directory Manager

Thanks for all the help guys. Sorry I don't know too much about this.

Looks like it finally ran:

adding new entry cn=memberOf_fixup_2010_10_7_11_10_0, cn=memberOf task, cn=tasks, cn=config

The log file on ohm now contains an entry:

[07/Oct/2010:11:10:01 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=example,dc=com: 20

Curie contains the same log entry. But, none of the users contain the memberOf attributes on ohm.

Dan
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
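A consistency check for the mismatch described in the thread (groups carrying correct member values while users lack memberOf), added here as an example and not part of the original exchange or of FreeIPA: it parses an LDIF dump of the groups and users subtrees, reports each user missing the memberOf value for a group that lists it, and flags group DNs that appear as members, which is the nesting case Rich raised. The LDIF sample, its DNs and the function names are constructed for this illustration.

```python
from collections import defaultdict
# Constructed sample LDIF laid out like the thread's DIT (not real data).
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=editors,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
"""

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}} for an unfolded LDIF dump."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the current entry
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr.lower()].append(value)
    return entries

def _is_group(attrs):
    return "groupofnames" in (oc.lower() for oc in attrs.get("objectclass", []))

def check_memberof(entries):
    """Return ({user_dn: [groups it lacks memberOf for]}, [(group, nested group)])."""
    missing, nested = defaultdict(list), []
    for dn, attrs in entries.items():
        if not _is_group(attrs):
            continue
        for member in attrs.get("member", []):
            target = entries.get(member, {})
            if _is_group(target):    # a group listed as a member: the nesting case
                nested.append((dn, member))
            elif dn not in target.get("memberof", []):
                missing[member].append(dn)
    return dict(missing), nested
```

Feed it the concatenated ldapsearch output of the groups and users subtrees; note that DNs are compared as exact strings and continuation lines are not unfolded, so normalise the dump first if either matters.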