James Roman wrote:
Rob Crittenden wrote:
Виктор Сергеевич wrote:
Hi!
Thanks! It works, but
on the master server I see users in groups, but on the replica I see only
the group, without users. If I search for users, I can find them. And one more:
Strange, that shouldn't happen. I'd search for them directly in LDAP
to ensure it isn't a problem with the IPA management framework:
Are you sure you're describing this correctly? When I built my replica,
initially, I could see that groups were synchronized (I could search for
groups and I could see the members), but the memberof attributes of
individual user entries were not available in the replica server. These
are not synchronized by default; you must enable the plug-in to generate
the entries.
Yes, I think I misread his statement. I read it as "I have groups but no
users" not "I have groups that contain no users".
# ldapmodify -x -W -D "cn=Directory Manager"
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
I've also seen the memberof entries disappear after performing an
"ipa-replica-manage init replicaserver". This was much harder to
address. I performed a lookup of the ipausers group members, stripped
the entries down to just the uid and then ran them through a script that
removed each entry and re-added them to the ipausers group, which forced
the plug-in to recreate all memberof entries on all accounts. (Thank god
I didn't have to do that on all the groups.)
There are two member-related plugins now: a FreeIPA one and a 389 plugin.
Not sure if they are stepping on each other or not.
Right, the plugin was developed in IPA and moved into DS. In the next
version of IPA we are dropping our plugin in favor of the DS version.
You really don't want both enabled at once, who knows what problems that
could cause.
memberOf isn't a replicated attribute. It is built separately on each
IPA server.
You can force the attribute to be rebuilt by creating a DS task and
using ldapmodify to apply it. Something like:
# cp /usr/share/ipa/memberof-task.ldif /tmp/memberof-task.ldif
[edit /tmp/memberof-task.ldif and replace $TIME with some unique number
and $SUFFIX with dc=example,dc=com as appropriate]
# ldapmodify -x -D "cn=directory manager" -W < /tmp/memberof-task.ldif
You'll be prompted for your DM password. This should rebuild all the
local memberOf entries.
rob
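A small script for the copy/edit/apply steps Rob describes above, added here as an example rather than taken from the thread or from FreeIPA. It assumes the template holds literal $TIME and $SUFFIX placeholders as he says, and that ldapmodify is on PATH; it refuses to submit a task in which a placeholder survived, since a task with an unresolved basedn does nothing useful.

```shell
#!/bin/sh
# Render the FreeIPA memberOf fixup task template and submit it as Directory Manager.
# Assumption (not from the thread): placeholders appear as the literal text $TIME and $SUFFIX.
set -eu

TEMPLATE=${TEMPLATE:-/usr/share/ipa/memberof-task.ldif}

# render_task TEMPLATE SUFFIX [TIME]
# Prints the template with $TIME and $SUFFIX substituted. TIME defaults to
# epoch seconds so every task DN is unique (DS rejects a task whose DN already exists).
render_task() {
    template=$1; suffix=$2; stamp=${3:-$(date +%s)}
    # '$' is escaped for sed so it matches the literal placeholder, not end-of-line;
    # the suffix goes into a replacement, so escape the characters sed treats specially.
    esc_suffix=$(printf '%s' "$suffix" | sed 's/[&/\]/\\&/g')
    sed -e "s/\\\$TIME/$stamp/g" -e "s/\\\$SUFFIX/$esc_suffix/g" "$template"
}

# check_rendered LDIF_TEXT -> non-zero if any placeholder is still present
check_rendered() {
    if printf '%s\n' "$1" | grep -q -e '\$TIME' -e '\$SUFFIX'; then
        return 1
    fi
    return 0
}

# submit_task SUFFIX: render to a private temp file, verify, apply with ldapmodify.
# You are prompted for the DM password, exactly as with the manual command.
submit_task() {
    tmp=$(mktemp /tmp/memberof-task.XXXXXX)
    render_task "$TEMPLATE" "$1" > "$tmp"
    if ! check_rendered "$(cat "$tmp")"; then
        echo "unresolved placeholder in $tmp, not submitting" >&2
        return 1
    fi
    ldapmodify -x -D "cn=directory manager" -W -f "$tmp"
    rm -f "$tmp"
}

# Example invocation (run on each replica whose memberOf values need rebuilding):
#   submit_task dc=example,dc=com
```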
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users