Header Shadow Image


Fixing FreeIPA Replication Issues

Case example of an HBAC service ID that is not consistent across the master-master FreeIPA implementation:

# ./cipa -d mws.mds.xyz -W "<PASS>"
+——————–+————+————+——-+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+——————–+————+————+——-+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+——————–+————+————+——-+

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, mws.m
 ds.xyz
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz
ipaUniqueID: 22f40934-9d7c-11ea-b5a6-00505686b78e
description: pam_systemd and systemd user@.service
cn: systemd-user
objectClass: ipaobject
objectClass: ipahbacservice
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

 

# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
$ echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+——————–+————+————+——-+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+——————–+————+————+——-+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 1          | 1          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+——————–+————+————+——-+
#

 

Case two is identical to the first one above:

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz

ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
# echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+——————–+————+————+——-+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+——————–+————+————+——-+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 0          | 0          | OK    |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+——————–+————+————+——-+

 

Regards,

Leave a Reply

You must be logged in to post a comment.


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License