Dan Scott wrote:
On Thu, Oct 7, 2010 at 10:58, Rob Crittenden <rcrit...@redhat.com> wrote:
Dan Scott wrote:
On Thu, Oct 7, 2010 at 10:20, Rich Megginson<rmegg...@redhat.com>  wrote:
Dan Scott wrote:
On Wed, Oct 6, 2010 at 22:02, Rich Megginson<rmegg...@redhat.com>

Dan Scott wrote:


On Wed, Oct 6, 2010 at 18:30, Rich Megginson<rmegg...@redhat.com>

Dan Scott wrote:

I'm not sure which group this is referring to. Admins only contains
users, no nested groups.

The problem appears to be related to the users, rather than the
groups. None of the users on ohm have a 'memberOf'. Curie has the
correct memberOf attributes.

The error message specifically mentions the admin group:

- Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
attribute "memberOf" not allowed

As if it is attempting to add the memberOf attribute to the group
cn=admins,cn=groups,cn=accounts,dc=example,dc=com - I don't know why it
would do this unless it is attempting some sort of group nesting.

This is still a mystery - we need to figure out why it is attempting to
add memberOf to this entry.

The groups themselves appear to be correct on both servers. Both ohm
and curie have groups which contain the correct 'member' attributes.
So the problem appears to be that ohm contains groups with correct
'members', but none of the users have any 'memberOf's.

Do all of the users have the inetUser objectclass?

Yep. Looks like it. I have 162 users:

[djsc...@ohm ~]$ ldapsearch -h curie.example.com -x -b
'cn=users,cn=accounts,dc=example.com' |grep 'objectClass: inetUser'|wc
  162     324    3564
[djsc...@ohm ~]$ ldapsearch -h ohm.example.com -x -b
'cn=users,cn=accounts,dc=example,dc=com' |grep 'objectClass:
  162     324    3564
[djsc...@ohm ~]$

If you run the lib/dirsrv/slapd-ds/fixup-memberof.pl script, does it add
memberOf attributes?

When I try to run that, I get the following:

[r...@ohm ~]# /usr/lib64/dirsrv/slapd-EXAMPLE.COM/fixup-memberof.pl -b
cn=groups,cn=accounts,dc=example,dc=com -D uid=admin -w -
Bind Password: *************

ldap_simple_bind: No such object

uid=admin is not the full DN - should be something like
uid=admin,cn=accounts,dc=example,dc=com or something like that?
Sorry about that, I now get:

adding new entry cn=memberOf_fixup_2010_10_7_10_41_11, cn=memberOf
task, cn=tasks, cn=config
ldap_add: Insufficient access

I have an admin Kerberos ticket and I know the password is correct
because otherwise I get 'ldap_simple_bind: Invalid credentials'.
The IPA admin user can't write to cn=config. You need to do this as
cn=Directory Manager

Thanks for all the help guys. Sorry I don't know too much about this.
Looks like it finally ran:

adding new entry cn=memberOf_fixup_2010_10_7_11_10_0, cn=memberOf
task, cn=tasks, cn=config

The log file on ohm now contains an entry:

[07/Oct/2010:11:10:01 -0400] NSMMReplicationPlugin -
repl_set_mtn_referrals: could not set referrals for replica
dc=example,dc=com: 20
20 is "type or value exists" - I think this means that it is attempting to set a referral for the master, but there already is one.
Curie contains the same log entry.

But, none of the users contain the memberOf attributes on ohm.
Does IPA have its own memberOf plugin, or is it using the one from 389?
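The thread's manual check (grep for objectClass and eyeball memberOf on each replica) can be done systematically: export the group and user entries with ldapsearch, then compare every group's 'member' values against the users' 'memberOf' values. The script below is an added example, not code from the thread or from FreeIPA/389-ds; the LDIF it parses is constructed sample data, not an export from ohm or curie. Entries that appear in some group's 'member' list but lack the matching memberOf are reported as missing, and memberOf values no group accounts for are reported as stale. Nested groups are treated the same way, since the memberOf plugin also maintains memberOf on group entries that are members of other groups.

```python
"""Cross-check 'member' (on groups) against 'memberOf' (on users) in an LDIF export.

Added example, not from the mailing-list thread or the IPA project.
SAMPLE_LDIF is constructed data in the thread's dc=example,dc=com layout.
"""
from collections import defaultdict

# Constructed sample export: alice is missing her memberOf for editors and
# bob carries a memberOf that no group backs up.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
memberOf: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a minimal ldapsearch-style LDIF into {dn: {attr_lower: [values]}}.

    Supports 'attr: value' lines, blank-line entry separators and
    continuation lines (leading single space). Base64 ('::') values are
    skipped because DNs in this export are plain text.
    """
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]          # LDIF continuation line
        else:
            joined.append(line)
    entries, dn, current = {}, None, None
    for line in joined:
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            dn, current = None, None
            continue
        if ":" not in line or line.startswith("#"):
            continue
        attr, value = line.split(":", 1)
        if value.startswith(":"):           # base64 value, not needed here
            continue
        value = value.strip()
        if attr.lower() == "dn":
            dn, current = value, defaultdict(list)
        elif current is not None:
            current[attr.lower()].append(value)
    if dn is not None:
        entries[dn] = current
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive DN key; sufficient for this comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def memberof_report(entries):
    """Return (missing, stale) as sorted lists of (entry_dn, group_dn).

    missing: entry is listed as 'member' of group but lacks that memberOf.
    stale:   entry carries a memberOf that no group's 'member' list supports.
    """
    expected = defaultdict(set)             # member DN -> groups listing it
    for dn, attrs in entries.items():
        for m in attrs.get("member", []):
            expected[norm_dn(m)].add(norm_dn(dn))
    actual = {}                             # entry DN -> memberOf values present
    for dn, attrs in entries.items():
        if "memberof" in attrs or norm_dn(dn) in expected:
            actual[norm_dn(dn)] = {norm_dn(g) for g in attrs.get("memberof", [])}
    missing, stale = [], []
    for entry in set(expected) | set(actual):
        exp, act = expected.get(entry, set()), actual.get(entry, set())
        missing += [(entry, g) for g in exp - act]
        stale += [(entry, g) for g in act - exp]
    return sorted(missing), sorted(stale)


if __name__ == "__main__":
    missing, stale = memberof_report(parse_ldif(SAMPLE_LDIF))
    for entry, group in missing:
        print(f"MISSING memberOf on {entry}: {group}")
    for entry, group in stale:
        print(f"STALE memberOf on {entry}: {group}")
```

To use it against a real replica, feed parse_ldif the concatenated output of an ldapsearch over cn=groups,cn=accounts,... and cn=users,cn=accounts,... (the same base DNs the thread uses) and run it once per server; a replica whose report lists every user as missing while the other replica is clean matches the symptom described for ohm, and the report after running the fixup task shows whether it actually wrote anything.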

Freeipa-users mailing list