Hi,

the compat tree is not replicated, it is a virtual tree created locally on each server.
Do you have exactly the same packages for slapi-nis on both replicas? There were some known issues with the compat tree related to base searches and different versions may produce a different behavior because of this known issue. For instance see Bug 1979619 - With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers.

HTH,
flo

On Tue, Feb 28, 2023 at 4:02 AM danila kuzovlev via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
No, there aren't AD users in my FreeIPA domain.
We use role-based access to resources, and it is a reason why I search in compat - in many situations we need to see indirect member UIDs in groups.
The point is that the output is not the same for X.X.X.X and Y.Y.Y.Y replicas.
Maybe I expressed myself incorrectly, but in fact I have two questions:
1) Why does the same ldapsearch question to different replicas in FreeIPA return different results? In the post above replica X.X.X.X has no entries in the answer, but replica Y.Y.Y.Y has one entry.
2) Why does replica X.X.X.X with a search in SUBTREE scope return one entry, but with BASE scope there are no entries in the answer?
I would like advice on where to look for the answer to this replica's behavior.