Dan Scott wrote:
Hi,

On Wed, Oct 6, 2010 at 11:32, Simo Sorce<sso...@redhat.com>  wrote:
On Wed, 6 Oct 2010 10:26:48 -0400
Dan Scott<danieljamessc...@gmail.com>  wrote:

Hi,

I have master and slave FreeIPA servers. I recently upgraded the slave
by wiping, re-installing Fedora 13 and re-creating the replication
using ipa-replica-prepare and ipa-replica-install.

For some reason, the slave is having difficulty replicating the
memberOf attribute. I can attach an LDAP viewer to the replica, and
view the schema, but the memberOf attributes are missing. Also, the
master server contains the lines:

- Entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com" --
attribute "memberOf" not allowed
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
referrals for replica dc=example,dc=com: 20
NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for
replica dc=example,dc=com does not match the data in the changelog.
  Recreating the changelog file. This could affect replication with
replica's  consumers in which case the consumers should be
reinitialized.
[06/Oct/2010:09:58:33 -0400] - skipping cos definition cn=account
inactivation,cn=accounts,dc=example,dc=com--no templates found

The rest of the replication appears to be working correctly (as far as
I can tell).

I have tried using ipa-replica-manage init and synch to try to fix the
replication, but I suspect this has something to do with the schema
definition.

Does anyone have any pointers/ideas for how I can fix this?

Dan, the memberof attribute is explicitly not replicated, and should be
simply re-generated on the receiving replica when "member" attributes
are replicated.

So does this imply that there is some corruption in the schema on the
replica server?

Are the IPA versions on the master and the replica the same?

They are both the same version: ipa-server-1.2.2-4.fc13.x86_64

Thanks,

Dan Scott

It is complaining that memberOf isn't allowed in the admins group which is pretty strange.

Can you show us the admins group out of the replica and master?

ldapsearch -x -b 'cn=groups,cn=accounts,dc=example,dc=com' cn=admins

thanks

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
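
Added example, not part of the original thread and not FreeIPA or 389 Directory Server code: a sketch of the point made above, that memberOf is derived on each server from the replicated "member" values (nested groups included), used here to report entries whose stored memberOf differs from the derived set. All DNs and the replica data are constructed; DN matching by lowercasing is a simplification.

```python
from collections import defaultdict

# Constructed sample data under the thread's example suffix.
SUFFIX = "dc=example,dc=com"
OPS = f"cn=ops,cn=groups,cn=accounts,{SUFFIX}"        # hypothetical parent group
ADMINS = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
ALICE = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"    # hypothetical user

# group DN -> values of its "member" attribute (this is what replicates)
MEMBERS = {OPS: [ADMINS], ADMINS: [ALICE]}
# entry DN -> memberOf values as read back from the replica (constructed)
REPLICA_STORED = {ALICE: [ADMINS]}


def expected_memberof(members):
    """Derive memberOf for every entry from member values, following nesting."""
    direct = defaultdict(set)
    for group, values in members.items():
        for dn in values:
            direct[dn.lower()].add(group.lower())
    result = {}
    for dn in list(direct):
        seen, stack = set(), list(direct[dn])
        while stack:
            group = stack.pop()
            if group in seen:          # guards against membership loops
                continue
            seen.add(group)
            stack.extend(direct.get(group, ()))
        result[dn] = seen
    return result


def memberof_drift(members, stored):
    """Return {dn: (missing, unexpected)} where stored memberOf is wrong."""
    expected = expected_memberof(members)
    stored = {dn.lower(): {v.lower() for v in vals} for dn, vals in stored.items()}
    drift = {}
    for dn in set(expected) | set(stored):
        exp, got = expected.get(dn, set()), stored.get(dn, set())
        if exp != got:
            drift[dn] = (sorted(exp - got), sorted(got - exp))
    return drift


if __name__ == "__main__":
    for dn, (missing, extra) in sorted(memberof_drift(MEMBERS, REPLICA_STORED).items()):
        print(dn, "missing:", missing, "unexpected:", extra)
```
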