Fixing FreeIPA Replication Issues
Case example: an HBAC service entry (systemd-user) that ended up as a replication naming conflict, i.e. the same DN was added on both masters of a multi-master FreeIPA deployment before the first add had replicated. 389-ds keeps one copy under a DN with +nsuniqueid appended and tags it with nsds5ReplConflict; the cipa consistency check reports this as an LDAP conflict on both servers:
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+--------------------+------------+------------+-------+
#
# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#
# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permissions, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, mws.mds.xyz
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz
ipaUniqueID: 22f40934-9d7c-11ea-b5a6-00505686b78e
description: pam_systemd and systemd user@.service
cn: systemd-user
objectClass: ipaobject
objectClass: ipahbacservice
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
#
# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
# echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 1          | 1          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
#
The second conflict, the managed permission System: Read Radius Servers, is cleaned up the same way. The delete issued on idmipa04 above replicated to idmipa03, which is why both columns dropped to 1. Because this entry defines access rights, confirm before deleting that the canonical entry (the DN without +nsuniqueid) exists on both masters and carries the expected ipaPermRight and member values; the conflict copy should go only when the canonical copy is the one to keep.
# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#
# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permissions, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
#
# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
# echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 0          | 0          | OK    |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
#
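Both cases above follow the same manual loop: list the conflict entries, read the canonical DN out of nsds5ReplConflict, delete the +nsuniqueid copy, re-run cipa. The script below is an added example, not part of the original post or of FreeIPA/389-ds, that turns that loop into a checked plan: it parses the ldapsearch LDIF (unfolding the continuation lines that ldapsearch emits with a leading space), pairs each conflict DN with its canonical DN, and prints a base-scope search proving the canonical entry exists followed by the matching ldapdelete. Nothing is executed against a directory; the LDIF is constructed sample data, and the host name idmipa04.example.test and the dc=example,dc=test base are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a checked cleanup plan
# for 389-ds/FreeIPA replication conflict entries from ldapsearch LDIF.
set -u

# ldapsearch folds long values onto continuation lines that start with one
# space; join them back so DNs can be matched whole.
unfold_ldif() {
  awk '
    /^ /  { buf = buf substr($0, 2); next }
          { if (have) print buf; buf = $0; have = 1 }
    END   { if (have) print buf }
  '
}

# Emit one "conflictDN<TAB>canonicalDN" line per conflict entry. The DN in
# nsds5ReplConflict is the normalised (lower-cased) DN of the surviving entry;
# DN matching is case-insensitive, so it can be used as-is in a search.
parse_conflicts() {
  unfold_ldif | awk '
    /^dn: / { dn = substr($0, 5) }
    /^nsds5ReplConflict: / {
      v = substr($0, 20)              # e.g. "namingConflict (ADD) cn=...,dc=..."
      i = index(v, ") ")
      canon = (i > 0) ? substr(v, i + 2) : v
      print dn "\t" canon
    }
  '
}

conflict_count() { parse_conflicts | wc -l | tr -d ' '; }

# For each conflict print (do not run) a base-scope search for the canonical
# entry, then the delete of the conflict copy. Run the searches first and only
# delete when every canonical entry came back (a missing one returns err=32).
plan_cleanup() {
  host=$1
  tab=$(printf '\t')
  while IFS="$tab" read -r conflict canon; do
    printf 'ldapsearch -x -H ldap://%s -D "cn=Directory Manager" -W -s base -b "%s" dn\n' "$host" "$canon"
    printf 'ldapdelete -x -H ldap://%s -D "cn=Directory Manager" -W "%s"\n' "$host" "$conflict"
  done
}

# Constructed sample LDIF (assumed base dc=example,dc=test): one HBAC service
# conflict and one managed-permission conflict, shaped like the real output.
SAMPLE_LDIF='dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacserv
 ices,cn=hbac,dc=example,dc=test
cn: systemd-user
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=example,dc=test

dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=example,dc=test
cn: System: Read Radius Servers
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=permissions,cn=pbac,dc=example,dc=test
'

# Stand-alone demo: print the plan for the sample data.
printf '%s' "$SAMPLE_LDIF" | parse_conflicts | plan_cleanup idmipa04.example.test
```

To use it against a live deployment, pipe the output of the ldapsearch from the post (the `(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))` filter) into `parse_conflicts | plan_cleanup <master>`, run the printed ldapsearch lines, and only then the ldapdelete lines. Running the deletes against a single master is enough: as the cipa output above shows, the removal replicates to the peer.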
Regards,