Introduction

Terms

Replication is the process of synchronizing data between multiple directory service instances (domain controllers, DCs). Replication provides fault tolerance, load distribution, and geographic availability of data. In a FreeIPA (ALD Pro) domain infrastructure, replication plays a key role by keeping data consistent between domain controllers.

...

  1. Retrieve the conflicts for cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro
    Command
    dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict compare cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro
    Example command output:
    Conflict Entry:
    
    dn: cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro
    cn: conflict_user
    description: User private group for conflict_user
    gidNumber: 1213300500
    ipaUniqueID: c1a7f6d8-71ea-11f0-a685-02000a452904
    mepManagedBy: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
    nsds5replconflict: namingConflict (ADD) cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
    objectClass: posixgroup
    objectClass: ipaobject
    objectClass: mepManagedEntry
    objectClass: top
    objectClass: ldapsubentry
    
    
    Valid Entry:
    
    dn: cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
    cn: conflict_user
    description: User private group for conflict_user
    gidNumber: 1213200010
    ipaUniqueID: accda578-71ea-11f0-8dec-02000a452902
    mepManagedBy: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
    objectClass: posixgroup
    objectClass: ipaobject
    objectClass: mepManagedEntry
    objectClass: top
  2. Delete the conflicting entry, keeping only the entry cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro:
    Command
    dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict delete cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro
  3. Resolve the second conflict in the same way:
    root@dc01:~# dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict compare nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
    Enter password for cn=Directory Manager on ldap://dc01.ald250.pro: 
    Conflict Entry:
    
    dn: nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
    cn: conflicted User
    displayName: conflicted User
    gecos: conflicted User
    gidNumber: 1213300500
    givenName: conflicted
    homeDirectory: /home/conflict_user
    initials: cU
    ipaNTSecurityIdentifier: S-1-5-21-196329585-3226835358-3389735258-101500
    ipaUniqueID: c173c7be-71ea-11f0-a685-02000a452904
    krbCanonicalName: conflict_user@ALD250.PRO
    krbExtraData:: AAI445Focm9vdC9hZG1pbkBBTEQyNTAuUFJPAA==
    krbLastPwdChange: 20250805105552Z
    krbPasswordExpiration: 20250805105552Z
    krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBBjQjo4PD1ZLVBIfEI0KitroUkwR6ADAgESoUAEPiAAXxsWn7SM64uMNXVBzUsCpN1JZOObIc/h+tt+/vlGqWrfFMcF2en4vgPJJo/qtKx0+886arhXPkdPAv4bMFigGzAZoAMCAQShEgQQNTBRWS07MXNTUFZpcCZVJKE5MDegAwIBEaEwBC4QAFnNxLdgMlcm6rpsMIqgh6CN2IWb/cTk6Jj/sKQYGZkU8KlkJHuelUVz0bSk
    krbPrincipalName: conflict_user@ALD250.PRO
    loginShell: /bin/bash
    mail: conflict_user@ald250.pro
    mepManagedEntry: cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
    nsds5replconflict: namingConflict (ADD) uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
    objectClass: top
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetorgperson
    objectClass: inetuser
    objectClass: posixaccount
    objectClass: krbprincipalaux
    objectClass: krbticketpolicyaux
    objectClass: ipaobject
    objectClass: ipasshuser
    objectClass: x-ald-user
    objectClass: x-ald-user-parsec14
    objectClass: x-ald-audit-policy
    objectClass: rbta-unit
    objectClass: rbta-address
    objectClass: rbtaCustomUserAttrs
    objectClass: rbta-inetorgperson-ext
    objectClass: ruPostMailAccount
    objectClass: rbtaUserMeta
    objectClass: ipaSshGroupOfPubKeys
    objectClass: ldapsubentry
    objectClass: mepOriginEntry
    objectClass: ipantuserattrs
    proxyAddresses: SMTP:CONFLICT_USER@ALD250.PRO
    rbtadp: ou=ald250.pro,cn=orgunits,cn=accounts,dc=ald250,dc=pro
    rbtaou: ald250.pro
    sn: User
    uid: conflict_user
    uidNumber: 1213300500
    userPassword: {PBKDF2-SHA512}10000$uPEJ8l/mnTsjJkckyxqqJRIQx/X2OrOI$Wzm9wddHKCb9JOLl4UVQLUk/czorLTUqEOYE6QBT/l4t+B+pXgJ8xXrVmkdnKYyREYmXrpf2XyNPsOoEbzbz8A==
    x-ald-user-mac: 0:0x0:0:0x0
    xaldusermacmax: 0
    xaldusermacmin: 0
    
    
    Valid Entry:
    
    dn: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
    cn: conflict User
    displayName: conflict User
    gecos: conflict User
    gidNumber: 1213200010
    givenName: conflict
    homeDirectory: /home/conflict_user
    initials: cU
    ipaNTSecurityIdentifier: S-1-5-21-196329585-3226835358-3389735258-1010
    ipaUniqueID: acbf75f2-71ea-11f0-8dec-02000a452902
    krbCanonicalName: conflict_user@ALD250.PRO
    krbExtraData:: AAIV45Focm9vdC9hZG1pbkBBTEQyNTAuUFJPAA==
    krbLastPwdChange: 20250805105517Z
    krbPasswordExpiration: 20250805105517Z
    krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBBlWVFiX0VGQy0pWD5lSEQ3oUkwR6ADAgESoUAEPiAAzbHqRTVBdHb5wmDrl77TO8VUARRi0rHmJ/98XoVsTBAvYLNRjJVPh9G0b3ghLu0PONdXZiIpu2ErHi8xMFigGzAZoAMCAQShEgQQTUZ7PTopVktRfGZFaW8+LaE5MDegAwIBEaEwBC4QAM3dD4hlnDrfq/XuK10ieoM4yAPEMA+MM+R9CW4OdIsThk9Sx36VOtIOIhSh
    krbPrincipalName: conflict_user@ALD250.PRO
    loginShell: /bin/bash
    mail: conflict_user@ald250.pro
    memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ald250,dc=pro
    memberOf: cn=ALDPRO - Organization units,cn=roles,cn=accounts,dc=ald250,dc=pro
    memberOf: cn=Organization units,cn=privileges,cn=pbac,dc=ald250,dc=pro
    memberOf: cn=Organization units - Read - Relations,cn=permissions,cn=pbac,dc=ald250,dc=pro
    memberOf: cn=Organization units - Read - OU,cn=permissions,cn=pbac,dc=ald250,dc=pro
    memberOf: cn=conflict_user_3m98nnfmo7u7d2rsx,cn=users_history,cn=accounts,dc=ald250,dc=pro
    memberOf: cn=conflict_user_fow3ooa2q7q3vkvui,cn=users_history,cn=accounts,dc=ald250,dc=pro
    memberOf: cn=test_role,cn=roles,cn=accounts,dc=ald250,dc=pro
    memberOf: cn=ALDPRO ROCO Attributes Mapping - Read,cn=privileges,cn=pbac,dc=ald250,dc=pro
    memberOf: cn=ALDPRO ROCO Attributes Mapping - Read,cn=permissions,cn=pbac,dc=ald250,dc=pro
    memberOf: cn=ALDPRO ROCO Attributes Mapping - Manage,cn=privileges,cn=pbac,dc=ald250,dc=pro
    memberOf: cn=ALDPRO ROCO Attributes Mapping - Manage,cn=permissions,cn=pbac,dc=ald250,dc=pro
    mepManagedEntry: cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
    objectClass: top
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetorgperson
    objectClass: inetuser
    objectClass: posixaccount
    objectClass: krbprincipalaux
    objectClass: krbticketpolicyaux
    objectClass: ipaobject
    objectClass: ipasshuser
    objectClass: x-ald-user
    objectClass: x-ald-user-parsec14
    objectClass: x-ald-audit-policy
    objectClass: rbta-unit
    objectClass: rbta-address
    objectClass: rbtaCustomUserAttrs
    objectClass: rbta-inetorgperson-ext
    objectClass: ruPostMailAccount
    objectClass: rbtaUserMeta
    objectClass: ipaSshGroupOfPubKeys
    objectClass: mepOriginEntry
    objectClass: ipantuserattrs
    proxyAddresses: SMTP:CONFLICT_USER@ALD250.PRO
    rbtadp: ou=ald250.pro,cn=orgunits,cn=accounts,dc=ald250,dc=pro
    rbtaou: ald250.pro
    sn: User
    uid: conflict_user
    uidNumber: 1213200010
    userPassword: {PBKDF2-SHA512}10000$+mn7IoPU4om7kLc9I3PS1opkiHJteGzy$uEHe5EuvMJ4c4KOukivH8+46Ohqvx8PuvSamj18k3uQnzgZ1KBl7brBq4yEGzxJc5Y6Ssl0hkxDZ2D0cMPCOLA==
    x-ald-user-mac: 0:0x0:0:0x0
    xaldusermacmax: 0
    xaldusermacmin: 0
    
    Commands for deletion and verification:
    Command

    root@dc01:~# sudo dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict delete nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
    Enter password for cn=Directory Manager on ldap://dc01.ald250.pro
    root@dc01:~# sudo dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict list dc=ald250,dc=pro
    Enter password for cn=Directory Manager on ldap://dc01.ald250.pro
    There were no conflict entries found under the suffix

  4. Restart the directory service:
    Command
    sudo systemctl restart dirsrv@*
  5. Re-check the replication status:
    Command
    root@dc01:~# ds-replcheck online -D "cn=Directory Manager" -W -m ldap://dc01:389 -r ldap://dc02:389 -b "dc=ald250,dc=pro" -i memberof,idnssoaserial,entryusn,krblastsuccessfulauth,krblastfailedauth,krbloginfailedcount

    Example command output:
    Enter password: 
    ================================================================================
             Replication Synchronization Report  (Thu Aug  7 10:15:54 2025)
    ================================================================================
    
    
    Database RUV's
    =====================================================
    
    Supplier RUV:
      {replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 6894526b000500030000
      {replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 6894527e000300040000
      {replicageneration} 687a55c1000000040000
    
    Replica RUV:
      {replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 6894526b000500030000
      {replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 6894527e000300040000
      {replicageneration} 687a55c1000000040000
    
    Replication State: Supplier and Replica are in perfect synchronization
    
    
    Entry Counts
    =====================================================
    
    Supplier:  3704
    Replica: 3824
    
    
    Tombstones
    =====================================================
    
    Supplier:  21
    Replica: 21
    
    Missing Entries
    =====================================================
    
      Entries missing on Supplier:
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:51 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:51 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:51 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:51 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:51 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:51 2025)
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:50 2025)
       - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:49 2025)
       - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:49 2025)
       - uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:14:42 2025)
       - uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - uid=admin,cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ng,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:49 2025)
       - cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:49 2025)
       - cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Tue Aug  5 10:06:38 2025)
       - cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
       - cn=computers,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:49 2025)
       - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Fri Jul 18 14:19:28 2025)
    
    Result
    =====================================================
    
    There are replication differences between Supplier and Replica
    The command output contains the message Replication State: Supplier and Replica are in perfect synchronization, which means that synchronization completed successfully. The remaining conflicting entries resolved on their own. The output also reports a discrepancy in the compat tree entries: the entries are present on the replica but absent on the first DC. These entries do not affect the operation of ALD Pro; they belong to the Schema Compatibility plugin, and this plugin can be disabled. This structure is not transferred when a replica is re-initialized. To eliminate the discrepancy in the compat tree entries, disable the plugin on the second domain controller and restart the dirsrv directory service (the commands are run on the second domain controller):
    Command

    sudo ipa-compat-manage disable
    sudo systemctl restart dirsrv@*

    Now, when running the command:
    Command
    ds-replcheck online -D "cn=Directory Manager" -W -m ldap://dc01:389 -r ldap://dc02:389 -b "dc=ald250,dc=pro" -i memberof,idnssoaserial,entryusn,krblastsuccessfulauth,krblastfailedauth,krbloginfailedcount
    there are no conflicts at all:
    Enter password: 
    ================================================================================
             Replication Synchronization Report  (Thu Aug  7 12:11:57 2025)
    ================================================================================
    
    
    Database RUV's
    =====================================================
    
    Supplier RUV:
      {replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68946d16000200030000
      {replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 68946cc6000100040000
      {replicageneration} 687a55c1000000040000
    
    Replica RUV:
      {replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68946d16000200030000
      {replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 68946cc6000100040000
      {replicageneration} 687a55c1000000040000
    
    Replication State: Supplier and Replica are in perfect synchronization
    
    
    Entry Counts
    =====================================================
    
    Supplier:  3724
    Replica: 3724
    
    
    Tombstones
    =====================================================
    
    Supplier:  41
    Replica: 41
    
    Result
    =====================================================
    
    No replication differences between Supplier and Replica
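
Added example, not part of the original page: the first report above shows differences only in entries the text attributes to the Schema Compatibility plugin. The Python below parses a ds-replcheck text report, collapses the repeated Missing Entries rows, and separates compat-only differences from real ones. The function names and the uid=jdoe row are constructed, and treating ou=sudoers as a Schema Compatibility container is an assumption that follows the page's reading of the report.

```python
import re

# Constructed sample: the report layout shown above, shortened. The last missing
# entry (uid=jdoe) is invented to show a difference outside the compat tree.
SAMPLE_REPORT = """\
================================================================================
         Replication Synchronization Report  (Thu Aug  7 10:15:54 2025)
================================================================================
Replication State: Supplier and Replica are in perfect synchronization

Entry Counts
=====================================================
Supplier:  3704
Replica: 3824

Missing Entries
=====================================================
  Entries missing on Supplier:
   - cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
   - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
   - cn=users,cn=compat,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:52 2025)
   - ou=sudoers,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)
   - uid=jdoe,cn=users,cn=accounts,dc=ald250,dc=pro  (Created on Replica at: Thu Aug  7 07:15:53 2025)

Result
=====================================================
There are replication differences between Supplier and Replica
"""

EXPECTED = {"Database RUV's", "Entry Counts", "Tombstones", "Missing Entries", "Result"}
ROW = re.compile(r"^-\s+(.+?)\s+\(Created on \w+ at: [^)]*\)$")


def parse_report(text):
    """Parse a ds-replcheck text report into state, counts, missing DNs and result."""
    rep = {"state": None, "result": None, "counts": {},
           "missing": {"Supplier": [], "Replica": []}, "other_sections": []}
    lines = [ln.strip() for ln in text.splitlines()]
    section = side = None
    for i, ln in enumerate(lines):
        if not ln or set(ln) == {"="}:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"="}:          # a line underlined with '=' is a heading
            section, side = ln, None
            if ln not in EXPECTED and not ln.startswith("Replication Synchronization Report"):
                rep["other_sections"].append(ln)   # a kind of difference not handled here
            continue
        if ln.startswith("Replication State:"):
            rep["state"] = ln.split(":", 1)[1].strip()
        elif section == "Entry Counts" and ":" in ln:
            who, num = ln.split(":", 1)
            if num.strip().isdigit():
                rep["counts"][who.strip()] = int(num)
        elif section == "Missing Entries":
            hdr = re.match(r"Entries missing on (Supplier|Replica):", ln)
            row = ROW.match(ln)
            if hdr:
                side = hdr.group(1)
            elif row and side and row.group(1) not in rep["missing"][side]:
                rep["missing"][side].append(row.group(1))   # drop repeated DNs
        elif section == "Result" and rep["result"] is None:
            rep["result"] = ln
    return rep


def is_compat_dn(dn, suffix):
    """True for entries under cn=compat or ou=sudoers directly below the suffix.
    Assumption: both containers are generated by the Schema Compatibility plugin."""
    dn, suffix = dn.lower(), suffix.lower()
    return any(dn == f"{c},{suffix}" or dn.endswith(f",{c},{suffix}")
               for c in ("cn=compat", "ou=sudoers"))


def verdict(rep, suffix):
    """Return 'in-sync', 'compat-only' or 'differences' for a parsed report."""
    if rep["result"] and rep["result"].startswith("No replication differences"):
        return "in-sync"
    missing = rep["missing"]["Supplier"] + rep["missing"]["Replica"]
    if missing and not rep["other_sections"] and all(is_compat_dn(d, suffix) for d in missing):
        return "compat-only"
    return "differences"
```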

...

  1. Create a backup of the domain controller:
    Command
    sudo ipa-backup -vd --online --data
  2. Run re-initialization on the second domain controller:
    Command
    sudo ipa-replica-manage -dv re-initialize --from <first_DC_name>
  3. Verify that the data is identical:
    Command
    ds-replcheck online -D "cn=Directory Manager" -W -m ldap://<first_DC_name>:389 -r ldap://<replica_name>:389 -b <domain_suffix> -i memberof,idnssoaserial,entryusn,krblastsuccessfulauth,krblastfailedauth,krbloginfailedcount
  4. Confirm that re-initialization completed. On successful re-initialization:
    • The ds-replcheck output must contain:
      Replication State: Supplier and Replica are in perfect synchronization
      No replication differences between Supplier and Replica
      Critical parameters:
      1. memberof - group membership must match;
      2. idnssoaserial - DNS zones must be identical;
      3. krblastfailedauth - so that legitimate users are not locked out.

Useful commands and scripts

Script for checking discrepancies in user, computer, and organizational unit entries

Run this script with sudo:

base_dn=$(ldapsearch -Q -LLL -s base | awk '/^dn:/{print $2}')
password="<PASSWORD>"
# For users
ipa-replica-manage list 2>/dev/null | grep -E '^[a-zA-Z0-9.-]+:' | awk -F: '{print $1}' | xargs -I{} bash -c 'echo "=== Проверка пользователей на реплике: {} ==="; ldapsearch -x -h {} -b "cn=users,cn=accounts,'"$base_dn"'" -s onelevel -D "cn=Directory Manager" -w "'"$password"'" "(uid=*)" dn 2>/dev/null | grep -c "^dn:" || echo "Ошибка подключения к {}"'
# For computers
ipa-replica-manage list 2>/dev/null | grep -E '^[a-zA-Z0-9.-]+:' | awk -F: '{print $1}' | xargs -I{} bash -c 'echo "=== Проверка компьютеров на реплике: {} ==="; ldapsearch -x -h {} -b "cn=computers,cn=accounts,'"$base_dn"'" -s onelevel -D "cn=Directory Manager" -w "'"$password"'" "(fqdn=*)" dn 2>/dev/null | grep -c "^dn:" || echo "Ошибка подключения к {}"'
# For organizational units
ipa-replica-manage list 2>/dev/null | grep -E '^[a-zA-Z0-9.-]+:' | awk -F: '{print $1}' | xargs -I{} bash -c 'echo "=== Проверка подразделений на реплике: {} ==="; ldapsearch -x -h {} -b "cn=orgunits,cn=accounts,'"$base_dn"'" -s onelevel -D "cn=Directory Manager" -w "'"$password"'" "(ou=*)" dn 2>/dev/null | grep -c "^dn:" || echo "Ошибка подключения к {}"'

...

Retrieving replica update vectors (RUV)

Command
sudo ipa-replica-manage list-ruv

Checking the replication status between all servers

Command
sudo dsconf $(ldapsearch -Q -LLL -s base | awk '/nisDomain:/{gsub(/\./,"-",$2); print toupper($2)}') replication monitor

At the prompt Enter a bind DN for <server>:389, answer cn="Directory Manager" and enter the password.

Display information about the ipaservers host group

...

Command
domain=$(ldapsearch -Q -LLL -s base | awk '/nisDomain:/{gsub(/\./,"-",$2); print toupper($2)}'); dsconf $domain repl-conflict list $(ldapsearch -Q -LLL -s base | awk '/^dn:/{print $2}') | awk '/^dn: /{print substr($0,5)}' | xargs -I [] dsconf $domain repl-conflict delete []
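
Added example, not part of the original page: the one-liner above deletes every conflict entry returned by repl-conflict list, so a per-entry record of what each conflict entry contained is useful to capture first. The Python below parses the text printed by dsconf repl-conflict compare (assuming one value per line, as in the output shown earlier) and reports which attributes differ between the conflict and valid entries, without echoing userPassword or krbPrincipalKey values. The function names and the hash strings in the sample are constructed.

```python
# Attributes whose values are never echoed into the diff (both appear in the
# compare output shown earlier on this page).
SECRET_ATTRS = {"userpassword", "krbprincipalkey"}

# Constructed sample in the layout of `dsconf ... repl-conflict compare` output;
# the password hashes are placeholders, not real values.
SAMPLE_COMPARE = """\
Enter password for cn=Directory Manager on ldap://dc01.ald250.pro:
Conflict Entry:

dn: nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
cn: conflicted User
gidNumber: 1213300500
nsds5replconflict: namingConflict (ADD) uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
objectClass: top
objectClass: ldapsubentry
uid: conflict_user
userPassword: {PBKDF2-SHA512}10000$CONSTRUCTEDSALT1$CONSTRUCTEDHASH1


Valid Entry:

dn: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
cn: conflict User
gidNumber: 1213200010
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ald250,dc=pro
objectClass: top
uid: conflict_user
userPassword: {PBKDF2-SHA512}10000$CONSTRUCTEDSALT2$CONSTRUCTEDHASH2
"""


def parse_compare(text):
    """Split compare output into {'conflict': {attr: [values]}, 'valid': {...}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Conflict Entry:", "Valid Entry:"):
            current = entries.setdefault(line.split()[0].lower(), {})
        elif current is not None and ":" in line:
            attr, value = line.split(":", 1)
            value = value.lstrip(":").strip()      # "attr:: ..." marks a base64 value
            current.setdefault(attr.strip(), []).append(value)
    return entries


def diff_entries(entries):
    """Return [(attr, values_only_on_conflict, values_only_on_valid)] for differing attrs."""
    conflict, valid = entries["conflict"], entries["valid"]
    rows = []
    for attr in sorted(set(conflict) | set(valid), key=str.lower):
        if attr.lower() == "dn":
            continue                                # the DNs differ by construction
        c, v = set(conflict.get(attr, [])), set(valid.get(attr, []))
        if c == v:
            continue
        if attr.lower() in SECRET_ATTRS:            # report the difference, not the value
            rows.append((attr, ["<redacted>"] if c else [], ["<redacted>"] if v else []))
        else:
            rows.append((attr, sorted(c - v), sorted(v - c)))
    return rows


if __name__ == "__main__":
    for attr, only_conflict, only_valid in diff_entries(parse_compare(SAMPLE_COMPARE)):
        print(f"{attr}: conflict={only_conflict} valid={only_valid}")
```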

Conclusion

Regular monitoring and adherence to the conflict-resolution recommendations help avoid data consistency problems.