Hi, I'm trying to create centralized authorization for my services with a FreeIPA cluster in different locations. For some reasons I use a base search in the cn=compat tree for mapping users, but on different replicas the result of the same ldapsearch query is different:

ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
 U2YWIxMDNl
cn: some_group

But if I make the search with "subtree" scope against the first one, I can see entries in the answer:

ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
 U2YWIxMDNl
cn: some_group

I have 4 IPA servers with versions 4.9.6 and 4.9.10. I can see this result with only one replica, the one with version 4.9.6. I tried deleting the topology segment and reinstalling ipa-replica, but it doesn't work. Thanks.
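As an added example (not part of the original post, and not FreeIPA's own code): a small Python script that parses the LDIF that ldapsearch prints on each replica and reports which replica is missing an entry, or returns different attribute values for an entry the others also return. The two sample outputs, the host names X.X.X.X / Y.Y.Y.Y and the ipaAnchorUUID value are constructed for the example; in practice you would feed it the saved output of the same ldapsearch run against each replica (ldapsearch ... > host.ldif).

```python
"""Cross-replica consistency check for a FreeIPA compat-tree lookup.

Added example, not code from the original post or from FreeIPA. It assumes the
raw ldapsearch output of the same base-scope query has been captured per host.
"""
import base64

GROUP_DN = "cn=some_group,cn=groups,cn=compat,dc=example,dc=com"

# Constructed placeholder anchor. ldapsearch prints it base64-encoded
# ("attr:: value") and folds long lines, so the continuation line (leading
# single space) must be joined back before decoding.
ANCHOR = ":IPA:example.com:00000000-0000-0000-0000-000000000000"
_b64 = base64.b64encode(ANCHOR.encode()).decode()
_folded = _b64[:40] + "\n " + _b64[40:]

# Constructed sample: the replica that returns nothing at base scope.
REPLICA_X = f"""# extended LDIF
# base <{GROUP_DN}> with scope baseObject
# filter: (objectclass=*)
#

# search result
search: 2
result: 0 Success
"""

# Constructed sample: the replica that returns the group entry.
REPLICA_Y = f"""# extended LDIF
# base <{GROUP_DN}> with scope baseObject
#

# some_group, groups, compat, example.com
dn: {GROUP_DN}
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: {_folded}
cn: some_group

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attribute: [values]} dicts.

    Only lines after a 'dn:' line belong to an entry, so the trailer that
    ldapsearch prints ('search: 2', 'result: 0 Success') and the password
    prompt are never mistaken for data: an empty result parses to [].
    """
    entries, current = [], None
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def diff_replicas(results):
    """results: {host: ldapsearch output}. Per host, report the DNs it did not
    return (relative to the union over all hosts) and the (dn, attribute) pairs
    whose values differ from another host that also returned that DN."""
    indexed = {h: {e["dn"][0]: e for e in parse_ldif(t)} for h, t in results.items()}
    all_dns = set().union(*(set(i) for i in indexed.values()))
    report = {}
    for host, idx in indexed.items():
        differing = set()
        for dn, entry in idx.items():
            for other_host, other in indexed.items():
                if other_host == host or dn not in other:
                    continue
                for attr in set(entry) | set(other[dn]):
                    if sorted(entry.get(attr, [])) != sorted(other[dn].get(attr, [])):
                        differing.add((dn, attr))
        report[host] = {"missing": all_dns - set(idx), "differing": differing}
    return report


if __name__ == "__main__":
    for host, r in diff_replicas({"X.X.X.X": REPLICA_X, "Y.Y.Y.Y": REPLICA_Y}).items():
        print(host, "missing:", sorted(r["missing"]), "differing:", sorted(r["differing"]))
```

Run against the two constructed samples it reports X.X.X.X as missing the group DN and Y.Y.Y.Y as complete; on a real cluster, feed it one captured output per replica and bind with the same service account everywhere, since an ACI difference would also show up as a "missing" entry and is worth ruling out before blaming the compat plugin.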