Hi, I'm trying to create centralized authorization for my services with a FreeIPA cluster
in different locations. For some reasons I use a base search in the cn=compat tree for mapping
users, but on different replicas the result of the same ldapsearch question is different:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
But if I make the search with "Subtree" scope against the first one, I can see entries in the
answer:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
I have 4 ipa-servers with versions 4.9.6 and 4.9.10.
I see this result with only one replica, the one with version 4.9.6. I tried deleting the topology
segment and reinstalling ipa-replica, but it doesn't work.
Thanks.
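An added consistency check for the situation described above (example code of my own, not from the post or from FreeIPA), assuming the base-scope ldapsearch output from each replica has been captured to text: it parses the LDIF, reports which replicas return no entry for the base DN, and checks whether the replicas that do return it agree. The two samples are constructed to mirror the X.X.X.X and Y.Y.Y.Y results above.

```python
import base64

# Constructed samples modelled on the post (not real server output): replica X
# returns no entry for the base-scope search, replica Y returns the compat group.
BASE_DN = "cn=some_group,cn=groups,cn=compat,dc=example,dc=com"
ANCHOR = base64.b64encode(b":IPA:example.com:constructed-uuid").decode()
RESULT_X = f"# base <{BASE_DN}> with scope baseObject\nsearch: 2\nresult: 0 Success\n"
RESULT_Y = f"""# base <{BASE_DN}> with scope baseObject
dn: {BASE_DN}
objectClass: posixGroup
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: {ANCHOR[:40]}
 {ANCHOR[40:]}
cn: some_group
"""

def parse_ldif(text):
    """ldapsearch LDIF output -> list of {attribute: [values]}, records with a dn only."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # a leading space continues the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last record
        if line.startswith("#"): continue      # ldapsearch comment lines
        if not line.strip():                   # blank line ends a record
            if "dn" in current:                # the search:/result: trailer has no dn
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep: continue
        if value.startswith(":"):              # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
    return entries

def compare_replicas(results, base_dn):
    """results = {replica: captured ldapsearch output}; which replicas lack base_dn, do the rest agree?"""
    found = {}
    for host, text in results.items():
        for entry in parse_ldif(text):
            if entry["dn"][0].lower() == base_dn.lower():
                found[host] = frozenset((a, tuple(sorted(v))) for a, v in entry.items())
    missing = sorted(h for h in results if h not in found)
    return {"missing": missing, "consistent": not missing and len(set(found.values())) <= 1}
```

Running it over output captured from all four servers would point at the replica whose compat tree does not serve the entry by DN, which is what the base-scope search depends on.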