Hi, I'm trying to create centralized authorization for my services with a FreeIPA cluster in different locations. For some reasons I use a base search in the cn=compat tree for mapping users, but on different replicas the result of the same ldapsearch query is different:

ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
 U2YWIxMDNl
cn: some_group

But, if I make the search with "subtree" scope against the first one, I can see entries in the answer:

ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
 U2YWIxMDNl
cn: some_group

I have 4 ipa-servers with versions 4.9.6 and 4.9.10. I can see this result with only one replica, the one with version 4.9.6. I tried deleting the topology segment and reinstalling ipa-replica, but it doesn't help. Thanks.
I think we need a better view of what is happening.
But first, why do you need to use the compat tree? Are there AD users in the mix?
The search base won't make a difference here since it's a leaf record (hence why the output is identical). I'm not sure what you're trying to demonstrate. This would have nothing to do with different servers providing different results.
rob
No, there aren't AD users in my FreeIPA domain. We use role-based access to resources, and that is the reason why I search in compat: in many situations we need to see indirect member UIDs in groups. The point is that the output is not the same for the X.X.X.X and Y.Y.Y.Y replicas. Maybe I expressed it incorrectly, but in fact I have two questions:
1) Why does the same ldapsearch query to different replicas in FreeIPA return different results? In the post above replica X.X.X.X has no entries in the answer, but replica Y.Y.Y.Y has one entry.
2) Why does replica X.X.X.X return one entry with a search in SUBTREE scope, but with BASE scope there are no entries in the answer?
I would like advice on where to look for the answer to this replica's behavior.
Hi,
the compat tree is not replicated, it is a virtual tree created locally on each server. Do you have exactly the same packages for slapi-nis on both replicas? There were some known issues with the compat tree related to base searches and different versions may produce a different behavior because of this known issue. For instance see *Bug 1979619* https://bugzilla.redhat.com/show_bug.cgi?id=1979619 - With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers.
HTH, flo
On Tue, Feb 28, 2023 at 4:02 AM danila kuzovlev via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
No, there aren't AD users in my FreeIPA domain. We use role-based access to resources, and that is the reason why I search in compat: in many situations we need to see indirect member UIDs in groups. The point is that the output is not the same for the X.X.X.X and Y.Y.Y.Y replicas. Maybe I expressed it incorrectly, but in fact I have two questions:
1) Why does the same ldapsearch query to different replicas in FreeIPA return different results? In the post above replica X.X.X.X has no entries in the answer, but replica Y.Y.Y.Y has one entry.
2) Why does replica X.X.X.X return one entry with a search in SUBTREE scope, but with BASE scope there are no entries in the answer?
I would like advice on where to look for the answer to this replica's behavior.
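As an added example (not code from the thread or from the FreeIPA project), the check flo's reply implies can be scripted: because the compat tree is built locally by slapi-nis on each server and not replicated, every replica has to be queried separately, with base and subtree scope, and any server where base scope returns nothing while subtree scope returns the entry is the one to inspect. The replica list, the bind DN, the group DN and the LDAP_PW environment variable are placeholders/assumptions; the ldapsearch options used are standard OpenLDAP ones (-x simple bind, -H URI, -LLL plain LDIF output).

```shell
#!/bin/sh
# Added example: compare base vs subtree scope for one compat-tree entry on every
# replica. All names below are placeholders taken from the thread, not real values.
GROUP_DN="cn=some_group,cn=groups,cn=compat,dc=example,dc=com"
BINDDN="uid=binddn,cn=users,cn=accounts,dc=example,dc=com"
REPLICAS="${REPLICAS:-X.X.X.X Y.Y.Y.Y}"   # assumed: space-separated replica hosts

# count_entries: read LDIF on stdin and print the number of entries (lines starting
# with "dn:"). grep -c exits 1 when the count is 0, so "|| true" keeps it usable
# under "set -e"; the "0" is still printed.
count_entries() {
    grep -c '^dn:' || true
}

# scope_entry_count HOST SCOPE: query one replica with the given scope (base|sub)
# and print how many entries came back. Uses simple bind with LDAP_PW (assumed).
scope_entry_count() {
    host=$1; scope=$2
    ldapsearch -LLL -x -H "ldap://$host" -b "$GROUP_DN" -s "$scope" \
        -D "$BINDDN" -w "$LDAP_PW" '(objectClass=*)' dn 2>/dev/null | count_entries
}

# compare_scopes BASE_COUNT SUB_COUNT: return 0 when the two scopes agree that the
# entry exists, 1 when base scope lost an entry that subtree scope still finds.
# This is exactly the symptom reported for the 4.9.6 replica in the thread.
compare_scopes() {
    base=$1; sub=$2
    if [ "$base" -eq 0 ] && [ "$sub" -gt 0 ]; then
        echo "MISMATCH: base scope returned 0 entries but subtree returned $sub"
        return 1
    fi
    echo "ok: base=$base sub=$sub"
    return 0
}

# main: walk every replica and report per host; non-zero exit if any host mismatches.
main() {
    rc=0
    for host in $REPLICAS; do
        base=$(scope_entry_count "$host" base)
        sub=$(scope_entry_count "$host" sub)
        printf '%s: ' "$host"
        compare_scopes "$base" "$sub" || rc=1
    done
    return $rc
}

# Only query the directory when a bind password was supplied.
if [ -n "${LDAP_PW-}" ]; then
    main
fi
```

Run it as `LDAP_PW='...' REPLICAS='host1 host2 host3 host4' sh compat-scope-check.sh`; a replica flagged MISMATCH is the one whose slapi-nis package version should be compared against the others (for example with `rpm -q slapi-nis` on each server), since that package, not replication, produces the compat tree.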
I updated slapi-nis to version 0.60, and requests with base scope now return correct results. Thanks.