Hi, I'm trying to create centralized authorization for my services with a FreeIPA
cluster in different locations. For some reasons I use base search in the cn=compat
tree for mapping users, but on different replicas the results of the same ldapsearch
questions are different:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success 

ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1

ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
 U2YWIxMDNl
cn: some_group

But if I make a search with "Subtree" scope to the first one, I can see entries
in the answer:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1

ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
 U2YWIxMDNl
cn: some_group

I have 4 ipa-servers with versions 4.9.6 and 4.9.10.
I can see this result with only one replica, the one with version 4.9.6. I tried to
delete the topology segment and reinstall ipa-replica, but it doesn't work.
Thanks.