Replication is the process of synchronizing data between multiple directory service instances (domain controllers, DCs). Replication provides fault tolerance, load distribution, and geographic availability of data. In a FreeIPA (ALD Pro) domain infrastructure, replication plays a key role by keeping data consistent across domain controllers.
DN (Distinguished Name) is the unique, full path to an entry in the directory; it identifies that entry, and only that entry, within the hierarchical directory structure.
The domain suffix is the root DN of the LDAP domain (for example, `dc=example,dc=com`); it defines the directory root, the namespace, and the replication boundaries.
An attribute is a named property of an LDAP object (for example, `uid`, `cn`, `mail`) that stores data (login, name, email) together with its metadata (syntax, matching rules).
A class is an object template (for example, `inetOrgPerson`, `posixAccount`) that defines the mandatory (`MUST`) and permitted (`MAY`) attributes used to describe entities (users, groups, devices) in the directory.
The LDAP data schema is a set of rules defining the directory structure, including the permitted classes (for example, `user`, `group`), their attributes (for example, `cn`, `uid`), and constraints on values (data types, uniqueness, whether a value is required).
A replication conflict is a mismatch between different instances of the directory that breaks data identity and/or prevents further data synchronization. The following types of replication conflicts can be distinguished:
Naming conflicts (ADD): occur when an attempt is made to add an entry with a DN that already exists in the directory.
Attribute conflicts: differences in the attributes of instances of the same entry on different servers.
Modification conflicts: simultaneous modification of instances of the same entry on different servers.
The domain suffix is used in the commands that search for replication conflicts. To obtain the domain suffix, perform the following steps on any domain controller:
| kinit admin |
| ldapsearch -Q -LLL -s base | awk '/^dn:/{print $2}' |
To check for conflicts, run the following command on a domain controller:
| /usr/sbin/dsconf ldap://`hostname` -D "cn=Directory Manager" repl-conflict list <domain_suffix> |
This command lists all entries involved in replication conflicts. Practical examples of using the command are given later in the chapters
For add conflicts, it is recommended to keep the valid entries and delete the conflicting ones:
| /usr/sbin/dsconf ldap://<DC_name> -D "cn=Directory Manager" repl-conflict delete <DN of the conflicting entry> |
Entries are considered valid if they:
were created in the correct way (through the official APIs or UI);
have all mandatory attributes;
conform to the data schema;
belong to the "authoritative" server (usually the first DC in the topology).
Determining the valid entries:
| /usr/sbin/dsconf ldap://<DC_name> -D "cn=Directory Manager" repl-conflict compare <DN of the conflicting entry> |
Check the timestamps (the `modifyTimestamp` attribute).
Take business logic into account, that is, which entry is actually in use (business logic is outside the scope of this article).
Situations where:
the conflict affects critical data (for example, administrator accounts);
several attributes diverge between replicas at the same time;
automatic resolution may break data integrity;
the conflict affects related entries (for example, groups and their members).
Example:
A user's phone number is changed simultaneously on two different DCs; both changes are technically correct, but the current one must be chosen.
Procedure for resolving the conflict:
| /usr/sbin/dsconf ldap://<DC_name> -D "cn=Directory Manager" repl-conflict compare <DN of the conflicting entry> |
| /usr/sbin/dsconf ldap://<DC_name> -D "cn=Directory Manager" repl-conflict swap <DN of the conflicting entry> |
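When deciding which of two diverging values is the later one, the change sequence numbers (CSNs) in the `State Info` lines of a `ds-replcheck` report show when and on which replica each value was written. The script below is an added example, not part of the original article or of 389 Directory Server; the function names are hypothetical, and the two sample lines are the `telephoneNumber` values from the report at the end of this page.

```shell
#!/bin/sh
# Added example: decode 389-DS change sequence numbers (CSNs) found in the
# "State Info" lines of a ds-replcheck report.
# CSN layout (20 hex digits): 8 = UNIX time, 4 = sequence number,
# 4 = replica ID, 4 = sub-sequence number.

# csn_field CSN FIELD -> decimal value of ts | seq | rid | subseq
csn_field() {
    csn=$1
    # Reject anything that is not exactly 20 hex digits.
    case $csn in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#csn}" -eq 20 ] || return 1
    case $2 in
        ts)     hex=$(printf '%s' "$csn" | cut -c1-8) ;;
        seq)    hex=$(printf '%s' "$csn" | cut -c9-12) ;;
        rid)    hex=$(printf '%s' "$csn" | cut -c13-16) ;;
        subseq) hex=$(printf '%s' "$csn" | cut -c17-20) ;;
        *)      return 1 ;;
    esac
    printf '%d\n' "0x$hex"
}

# state_info_vucsn LINE -> the value-update CSN (vucsn) in a State Info line
state_info_vucsn() {
    printf '%s\n' "$1" | sed -n 's/.*;vucsn-\([0-9a-fA-F]\{20\}\).*/\1/p'
}

# newer_csn A B -> prints "first", "second" or "equal".
# Fields are compared in order: time, sequence, replica ID, sub-sequence.
newer_csn() {
    for f in ts seq rid subseq; do
        a=$(csn_field "$1" "$f") || return 1
        b=$(csn_field "$2" "$f") || return 1
        if [ "$a" -gt "$b" ]; then echo first; return 0; fi
        if [ "$a" -lt "$b" ]; then echo second; return 0; fi
    done
    echo equal
}

# describe_csn CSN -> "replica ID <n>, <UTC time>"
describe_csn() {
    ts=$(csn_field "$1" ts) || return 1
    rid=$(csn_field "$1" rid) || return 1
    # GNU date syntax; fall back to raw epoch seconds on other systems.
    when=$(date -u -d "@$ts" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null) || when="epoch $ts"
    printf 'replica ID %s, %s\n' "$rid" "$when"
}

# Demo input: the two telephoneNumber State Info lines from the report.
supplier_line='telephoneNumber;adcsn-6891f9fa000000040000;vucsn-6891f9fa000000040000: +111111111'
replica_line='telephoneNumber;adcsn-6891f9de000000030000;vucsn-6891f9de000000030000: +33333333'

s=$(state_info_vucsn "$supplier_line")
r=$(state_info_vucsn "$replica_line")
echo "supplier value: $(describe_csn "$s")"
echo "replica value:  $(describe_csn "$r")"
echo "newer value:    $(newer_csn "$s" "$r")"
```

Replica IDs map to hosts through the RUV lines of the same report; in the sample report replica 4 is dc01 and replica 3 is dc02.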
After the conflicts have been resolved, make sure that replication works correctly. To do this:
| ds-replcheck online -D "cn=Directory Manager" -W -m ldap://<first_DC_name>:389 -r ldap://<replica_name>:389 -b <domain_suffix> -i memberof,idnssoaserial,entryusn,krblastsuccessfulauth,krblastfailedauth,krbloginfailedcount |
entryusn, modifyTimestamp);memberof);krblastfailedauth);idnssoaserial).
If replication problems are detected, it is recommended to:
| dsconf -D "cn=Directory Manager" ldap://<DC_name> config replace nsslapd-errorlog-level=24576 |
Error simulation is described in the expandable menu:
Result of the simulation and of running the ds-replcheck command:
================================================================================
Replication Synchronization Report (Wed Aug 6 15:50:57 2025)
================================================================================
Database RUV's
=====================================================
Supplier RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68934868000000030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 68934c91000000040000
{replicageneration} 687a55c1000000040000
Replica RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68934868000000030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 6891d7b1000000040000
{replicageneration} 687a55c1000000040000
Replication State: Replica is behind Supplier by: 95456 seconds
Entry Counts
=====================================================
Supplier: 3703
Replica: 3813
Tombstones
=====================================================
Supplier: 17
Replica: 10
Conflict Entries
=====================================================
Supplier Conflict Entries: 2
Missing Entries
=====================================================
Entries missing on Replica:
- cn=a1_9tplmxnqe0duwgnf5rk7dku1hhc6,cn=users_history,cn=accounts,dc=ald250,dc=pro (Created on Supplier at: Tue Aug 5 10:51:28 2025)
- cn=a2_dyj6exrhicuii991av19kqyoipsv,cn=users_history,cn=accounts,dc=ald250,dc=pro (Created on Supplier at: Tue Aug 5 10:52:16 2025)
- cn=conflict_user_3m98nnfmo7u7d2rsx,cn=users_history,cn=accounts,dc=ald250,dc=pro (Created on Supplier at: Tue Aug 5 10:55:18 2025)
- uid=a1,cn=deleted users,cn=accounts,cn=provisioning,dc=ald250,dc=pro (Created on Supplier at: Tue Aug 5 12:44:10 2025)
- uid=a2,cn=deleted users,cn=accounts,cn=provisioning,dc=ald250,dc=pro (Created on Supplier at: Tue Aug 5 12:44:11 2025)
- cn=test_role,cn=roles,cn=accounts,dc=ald250,dc=pro (Created on Supplier at: Wed Aug 6 08:36:15 2025)
- cn=journal.ald250.pro,cn=log,cn=services,cn=aldpro,cn=etc,dc=ald250,dc=pro (Created on Supplier at: Wed Aug 6 09:58:46 2025)
- cn=ansible,cn=users_history,cn=accounts,dc=ald250,dc=pro (Created on Supplier at: Wed Aug 6 09:59:51 2025)
- cn=login,cn=audit,dc=ald250,dc=pro (Created on Supplier at: Wed Aug 6 09:59:52 2025)
Entries missing on Supplier:
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:57 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:57 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:57 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:57 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:57 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:57 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:56 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:55 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:54 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:53 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:53 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:53 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:53 2025)
- cn=conflict_user,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:55:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Wed Aug 6 12:50:53 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
Entry Inconsistencies
=====================================================
cn=log,cn=services,cn=aldpro,cn=etc,dc=ald250,dc=pro
----------------------------------------------------
- Attribute 'aci' is different:
Supplier:
- Value: (targetattr = "*")(target = "ldap
- State Info: aci;vucsn-68932756000400040000: (targetattr = "*")(target = "ldap:///cn=log,cn=services,cn=aldpro,cn=etc,dc=ald250,dc=pro")(version 3.0;acl "Read service log container by host journal.ald250.pro";allow (compare,read,search) userdn = "ldap:///fqdn=journal.ald250.pro,cn=computers,cn=accounts,dc=ald250,dc=pro";)
- Date: Wed Aug 6 12:58:46 2025
- Value: (targetattr = "cn || envvar")(target = "ldap
- State Info: aci;vucsn-68932757000000040000: (targetattr = "cn || envvar")(target = "ldap:///cn=journal.ald250.pro,cn=log,cn=services,cn=aldpro,cn=etc,dc=ald250,dc=pro")(version 3.0;acl "Read service log envvar by host journal.ald250.pro";allow (compare,read,search) userdn = "ldap:///fqdn=journal.ald250.pro,cn=computers,cn=accounts,dc=ald250,dc=pro";)
- Date: Wed Aug 6 12:58:47 2025
Replica:
- Origin value: b'(targetattr = "*")(targetfilter = "(objectClass=*)")(version 3.0;acl "permission:ALDPRO - Add Event Log Servers";allow (add) groupdn = "ldap:///cn=ALDPRO - Add Event Log Servers,cn=permissions,cn=pbac,dc=ald250,dc=pro";)'
- Origin value: b'(targetattr = "*")(targetfilter = "(objectClass=*)")(version 3.0;acl "permission:ALDPRO - Read Event Log Servers";allow (compare,read,search) groupdn = "ldap:///cn=ALDPRO - Read Event Log Servers,cn=permissions,cn=pbac,dc=ald250,dc=pro";)'
- Origin value: b'(targetattr = "*")(targetfilter = "(objectClass=*)")(version 3.0;acl "permission:ALDPRO - Remove Event Log Servers";allow (delete) groupdn = "ldap:///cn=ALDPRO - Remove Event Log Servers,cn=permissions,cn=pbac,dc=ald250,dc=pro";)'
- Origin value: b'(targetattr = "rbtaServiceName || servicerole || cn || rbtasite || objectClass")(targetfilter = "(objectclass=rbta-aldpro-service-instance)")(version 3.0;acl "permission:ALDPRO ROCO Event Log Servers - Read";allow (read,search,compare) groupdn = "ldap:///cn=ALDPRO ROCO Event Log Servers - Read,cn=permissions,cn=pbac,dc=ald250,dc=pro";)'
- Origin value: b'(targetattr = "rbtasite || servicerole")(targetfilter = "(objectClass=*)")(version 3.0;acl "permission:ALDPRO - Modify Event Log Servers";allow (write) groupdn = "ldap:///cn=ALDPRO - Modify Event Log Servers,cn=permissions,cn=pbac,dc=ald250,dc=pro";)'
cn=ALDPRO ROCO Attributes Mapping - Read,cn=privileges,cn=pbac,dc=ald250,dc=pro
-------------------------------------------------------------------------------
- Attribute 'member' is different:
Supplier:
- Value: cn=ALDPRO - Main Administrator,cn=roles,cn=accounts,dc=ald250,dc=pro
- State Info: member;adcsn-68931de1000200040000;vucsn-68931de1000200040000: cn=ALDPRO - Main Administrator,cn=roles,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:18:25 2025
- Value: cn=ALDPRO - Domain Viewer,cn=roles,cn=accounts,dc=ald250,dc=pro
- State Info: member;vucsn-68931de1000200040000: cn=ALDPRO - Domain Viewer,cn=roles,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:18:25 2025
- Value: cn=ALDPRO - Syncer Attributes Mapping Administrators,cn=roles,cn=accounts,dc=ald250,dc=pro
- State Info: member;vucsn-68931de1000200040000: cn=ALDPRO - Syncer Attributes Mapping Administrators,cn=roles,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:18:25 2025
- Value: cn=test_role,cn=roles,cn=accounts,dc=ald250,dc=pro
- State Info: member;vucsn-68931de1000200040000: cn=test_role,cn=roles,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:18:25 2025
Replica:
- Origin value: b'cn=ALDPRO - Domain Viewer,cn=roles,cn=accounts,dc=ald250,dc=pro'
- Origin value: b'cn=ALDPRO - Main Administrator,cn=roles,cn=accounts,dc=ald250,dc=pro'
- Origin value: b'cn=ALDPRO - Syncer Attributes Mapping Administrators,cn=roles,cn=accounts,dc=ald250,dc=pro'
cn=ALDPRO ROCO Attributes Mapping - Manage,cn=privileges,cn=pbac,dc=ald250,dc=pro
---------------------------------------------------------------------------------
- Attribute 'member' is different:
Supplier:
- Value: cn=ALDPRO - Main Administrator,cn=roles,cn=accounts,dc=ald250,dc=pro
- State Info: member;adcsn-68931de0000100040000;vucsn-68931de0000100040000: cn=ALDPRO - Main Administrator,cn=roles,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:18:24 2025
- Value: cn=ALDPRO - Syncer Attributes Mapping Administrators,cn=roles,cn=accounts,dc=ald250,dc=pro
- State Info: member;vucsn-68931de0000100040000: cn=ALDPRO - Syncer Attributes Mapping Administrators,cn=roles,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:18:24 2025
- Value: cn=test_role,cn=roles,cn=accounts,dc=ald250,dc=pro
- State Info: member;vucsn-68931de0000100040000: cn=test_role,cn=roles,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:18:24 2025
Replica:
- Origin value: b'cn=ALDPRO - Main Administrator,cn=roles,cn=accounts,dc=ald250,dc=pro'
- Origin value: b'cn=ALDPRO - Syncer Attributes Mapping Administrators,cn=roles,cn=accounts,dc=ald250,dc=pro'
cn=ALDPRO - Organizational Units Administrators,cn=roles,cn=accounts,dc=ald250,dc=pro
-------------------------------------------------------------------------------------
- Replica missing attribute: "member"
- Supplier's State Info: member;adcsn-68930940000000040000;vucsn-68930940000000040000: uid=testuser,cn=users,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 10:50:24 2025
fqdn=journal.ald250.pro,cn=computers,cn=accounts,dc=ald250,dc=pro
-----------------------------------------------------------------
- Replica missing attribute: "rbtasubsystemconfigstate"
- Supplier's State Info: rbtaSubsystemConfigState;adcsn-68932eab000000040000;vucsn-68932eab000000040000: {"state": "applied"}
- Date: Wed Aug 6 13:30:03 2025
- Replica missing attribute: "rbtasubsystemconfig"
- Supplier's State Info: rbtaSubsystemConfig;adcsn-6893278e000400040000;vucsn-6893278e000400040000: {"is_master": true}
- Date: Wed Aug 6 12:59:42 2025
- Replica missing attribute: "rbtasubsystemversionald"
- Supplier's State Info: rbtaSubsystemVersionAld;adcsn-6893278e000300040000;vucsn-6893278e000300040000: 2.5.0
- Date: Wed Aug 6 12:59:42 2025
- Replica missing attribute: "rbtasubsystemstate"
- Supplier's State Info: rbtaSubsystemState;adcsn-6893278e000200040000;vucsn-6893278e000200040000: installed
- Date: Wed Aug 6 12:59:42 2025
- Replica missing attribute: "rbtasubsystemmetainfo"
- Supplier's State Info: rbtaSubsystemMetainfo;adcsn-6893278e000100040000;vucsn-6893278e000100040000: {"state": "installed", "location": "hq", "role": "log", "site": "\u0413\u043e\u043b\u043e\u0432\u043d\u043e\u0439 \u043e\u0444\u0438\u0441", "state_created": "20250806095846Z", "state_updated": "20250806095942Z", "version_ald": "2.5.0"}
- Date: Wed Aug 6 12:59:42 2025
- Replica missing attribute: "rbtasubsystemlog"
- Supplier's State Info: rbtaSubsystemLog;adcsn-6893278e000000040000;vucsn-6893278e000000040000: [{"timestamp": "2025-08-06T09:58:46Z", "code": 1, "desc": "\u041e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d \u0437\u0430\u043f\u0440\u043e\u0441 \u043d\u0430 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0443 \u0441\u0435\u0440\u0432\u0435\u0440\u0430"}, {"timestamp": "2025-08-06T09:59:33.660699Z", "code": 9, "desc": "\u041d\u0430\u0447\u0430\u043b\u0430\u0441\u044c \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0430"}, {"timestamp": "2025-08-06T09:59:42.119576Z", "code": 2, "desc": "\u0421\u0435\u0440\u0432\u0435\u0440 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d"}]
- Date: Wed Aug 6 12:59:42 2025
- Replica missing attribute: "rbtasubsystemsite"
- Supplier's State Info: rbtaSubsystemSite;vucsn-68932756000000040006:: 0JPQvtC70L7QstC90L7QuSDQvtGE0LjRgQ==
- Date: Wed Aug 6 12:58:46 2025
- Replica missing attribute: "rbtasubsystemrole"
- Supplier's State Info: rbtaSubsystemRole;vucsn-68932756000000040005: log
- Date: Wed Aug 6 12:58:46 2025
- Replica missing attribute: "aldprochangesauthtor"
- Supplier's State Info: aldproChangesAuthtor;vucsn-68932756000000040000: cn=admin_353bd1beb59483655e479012fc,cn=users_history,cn=accounts,dc=ald250,dc=pro
- Date: Wed Aug 6 12:58:46 2025
- Replica missing attribute: "aci"
- Supplier's State Info: aci;vucsn-68932756000200040000: (targetattr = "objectclass || rbtaSubsystemCredentials || rbtaSubsystemMetainfo || rbtaSubsystemLog || rbtaSubsystemConfig || rbtaSubsystemRole || rbtaSubsystemVersionAld || rbtaSubsystemState || rbtaSubsystemConfigState || rbtaSubsystemSite || rbta-csr || rbta-crt")(target = "ldap:///fqdn=journal.ald250.pro,cn=computers,cn=accounts,dc=ald250,dc=pro")(version 3.0;acl "Read on behalf of the host";allow (compare,read,search) userdn = "ldap:///fqdn=journal.ald250.pro,cn=computers,cn=accounts,dc=ald250,dc=pro";)
- Date: Wed Aug 6 12:58:46 2025
- Supplier's State Info: aci;vucsn-68932756000300040000: (targetattr = "rbtaSubsystemCredentials || rbtaSubsystemMetainfo || rbtaSubsystemLog || rbtaSubsystemConfig || rbtaSubsystemVersionAld || rbtaSubsystemState || rbtaSubsystemConfigState || rbta-csr || rbta-crt")(target = "ldap:///fqdn=journal.ald250.pro,cn=computers,cn=accounts,dc=ald250,dc=pro")(version 3.0;acl "Write on behalf of the host";allow (add,write,delete) userdn = "ldap:///fqdn=journal.ald250.pro,cn=computers,cn=accounts,dc=ald250,dc=pro";)
- Date: Wed Aug 6 12:58:46 2025
- Attribute 'objectclass' is different:
Supplier:
- Value: ipaobject
- State Info: objectClass;adcsn-68932756000000040001;vucsn-68932756000000040001: ipaobject
- Date: Wed Aug 6 12:58:46 2025
- Value: ieee802device
- State Info: objectClass;vucsn-68932756000000040001: ieee802device
- Date: Wed Aug 6 12:58:46 2025
- Value: ipaSshGroupOfPubKeys
- State Info: objectClass;vucsn-68932756000000040001: ipaSshGroupOfPubKeys
- Date: Wed Aug 6 12:58:46 2025
- Value: ipahost
- State Info: objectClass;vucsn-68932756000000040001: ipahost
- Date: Wed Aug 6 12:58:46 2025
- Value: ipaservice
- State Info: objectClass;vucsn-68932756000000040001: ipaservice
- Date: Wed Aug 6 12:58:46 2025
- Value: ipasshhost
- State Info: objectClass;vucsn-68932756000000040001: ipasshhost
- Date: Wed Aug 6 12:58:46 2025
- Value: krbprincipal
- State Info: objectClass;vucsn-68932756000000040001: krbprincipal
- Date: Wed Aug 6 12:58:46 2025
- Value: krbprincipalaux
- State Info: objectClass;vucsn-68932756000000040001: krbprincipalaux
- Date: Wed Aug 6 12:58:46 2025
- Value: nshost
- State Info: objectClass;vucsn-68932756000000040001: nshost
- Date: Wed Aug 6 12:58:46 2025
- Value: pkiuser
- State Info: objectClass;vucsn-68932756000000040001: pkiuser
- Date: Wed Aug 6 12:58:46 2025
- Value: rbta-address
- State Info: objectClass;vucsn-68932756000000040001: rbta-address
- Date: Wed Aug 6 12:58:46 2025
- Value: rbta-subsystem
- State Info: objectClass;vucsn-68932756000000040001: rbta-subsystem
- Date: Wed Aug 6 12:58:46 2025
- Value: rbta-subsystem-pkiproxy
- State Info: objectClass;vucsn-68932756000000040001: rbta-subsystem-pkiproxy
- Date: Wed Aug 6 12:58:46 2025
- Value: rbta-unit
- State Info: objectClass;vucsn-68932756000000040001: rbta-unit
- Date: Wed Aug 6 12:58:46 2025
- Value: top
- State Info: objectClass;vucsn-68932756000000040001: top
- Date: Wed Aug 6 12:58:46 2025
Replica:
- Origin value: ieee802device
- Origin value: ipasshgroupofpubkeys
- Origin value: ipahost
- Origin value: ipaobject
- Origin value: ipaservice
- Origin value: ipasshhost
- Origin value: krbprincipal
- Origin value: krbprincipalaux
- Origin value: nshost
- Origin value: pkiuser
- Origin value: rbta-address
- Origin value: rbta-unit
- Origin value: top
cn=repl keep alive 4,dc=ald250,dc=pro
-------------------------------------
- Attribute 'keepalivetimestamp' is different:
Supplier:
- Value: 20250806123737Z
- State Info: keepalivetimestamp;adcsn-68934c91000000040000;vucsn-68934c91000000040000: 20250806123737Z
- Date: Wed Aug 6 15:37:37 2025
Replica:
- Value: 20250805093737Z
- State Info: keepalivetimestamp;adcsn-6891d0e1000000040000;vucsn-6891d0e1000000040000: 20250805093737Z
- Date: Tue Aug 5 12:37:37 2025
dnaHostname=dc01.ald250.pro+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=ald250,dc=pro
---------------------------------------------------------------------------------------------
- Attribute 'dnaremainingvalues' is different:
Supplier:
- Value: 100489
- State Info: dnaRemainingValues;adcsn-6891e339000000040000;vucsn-6891e339000000040000: 100489
- Date: Tue Aug 5 13:55:53 2025
Replica:
- Value: 199992
- State Info: dnaRemainingValues;adcsn-6891d7ae000100040000;vucsn-6891d7ae000100040000: 199992
- Date: Tue Aug 5 13:06:38 2025
uid=testuser,cn=users,cn=accounts,dc=ald250,dc=pro
--------------------------------------------------
- Attribute 'telephonenumber' is different:
Supplier:
- Value: +111111111
- State Info: telephoneNumber;adcsn-6891f9fa000000040000;vucsn-6891f9fa000000040000: +111111111
- Date: Tue Aug 5 15:32:58 2025
Replica:
- Value: +33333333
- State Info: telephoneNumber;adcsn-6891f9de000000030000;vucsn-6891f9de000000030000: +33333333
- Date: Tue Aug 5 15:32:30 2025
uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
-------------------------------------------------------
- Attribute 'ipantsecurityidentifier' is different:
Supplier:
- Value: S-1-5-21-196329585-3226835358-3389735258-1010
- State Info: ipaNTSecurityIdentifier;adcsn-6891e316000800040001;vucsn-6891e316000800040001: S-1-5-21-196329585-3226835358-3389735258-1010
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: S-1-5-21-196329585-3226835358-3389735258-101500
- State Info: ipaNTSecurityIdentifier;adcsn-6891e339000c00030001;vucsn-6891e339000c00030001: S-1-5-21-196329585-3226835358-3389735258-101500
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'krbextradata' is different:
Supplier:
- Value:
- State Info: krbExtraData;adcsn-6891e316000300040000;vucsn-6891e316000300040000:: AAIV45Focm9vdC9hZG1pbkBBTEQyNTAuUFJPAA==
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value:
- State Info: krbExtraData;adcsn-6891e339000500030000;vucsn-6891e339000500030000:: AAI445Focm9vdC9hZG1pbkBBTEQyNTAuUFJPAA==
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'krblastpwdchange' is different:
Supplier:
- Value: 20250805105517Z
- State Info: krbLastPwdChange;vucsn-6891e316000200040001: 20250805105517Z
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: 20250805105552Z
- State Info: krbLastPwdChange;vucsn-6891e339000400030001: 20250805105552Z
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'krbpasswordexpiration' is different:
Supplier:
- Value: 20250805105517Z
- State Info: krbPasswordExpiration;vucsn-6891e316000200040000: 20250805105517Z
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: 20250805105552Z
- State Info: krbPasswordExpiration;vucsn-6891e339000400030000: 20250805105552Z
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'givenname' is different:
Supplier:
- Value: conflict
- State Info: givenName;vucsn-6891e316000000040000: conflict
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: conflicted
- State Info: givenName;vucsn-6891e339000100030000: conflicted
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'cn' is different:
Supplier:
- Value: conflict User
- State Info: cn;vucsn-6891e316000000040000: conflict User
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: conflicted User
- State Info: cn;vucsn-6891e339000100030000: conflicted User
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'displayname' is different:
Supplier:
- Value: conflict User
- State Info: displayName;vucsn-6891e316000000040000: conflict User
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: conflicted User
- State Info: displayName;vucsn-6891e339000100030000: conflicted User
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'gecos' is different:
Supplier:
- Value: conflict User
- State Info: gecos;vucsn-6891e316000000040000: conflict User
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: conflicted User
- State Info: gecos;vucsn-6891e339000100030000: conflicted User
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'userpassword' is different:
Supplier:
- Value: {PBKDF2-SHA512}10000$+mn7IoPU4om7kLc9I3PS1opkiHJteGzy$uEHe5EuvMJ4c4KOukivH8+46Ohqvx8PuvSamj18k3uQnzgZ1KBl7brBq4yEGzxJc5Y6Ssl0hkxDZ2D0cMPCOLA==
- State Info: userPassword;vucsn-6891e316000000040000: {PBKDF2-SHA512}10000$+mn7IoPU4om7kLc9I3PS1opkiHJteGzy$uEHe5EuvMJ4c4KOukivH8+46Ohqvx8PuvSamj18k3uQnzgZ1KBl7brBq4yEGzxJc5Y6Ssl0hkxDZ2D0cMPCOLA==
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: {PBKDF2-SHA512}10000$uPEJ8l/mnTsjJkckyxqqJRIQx/X2OrOI$Wzm9wddHKCb9JOLl4UVQLUk/czorLTUqEOYE6QBT/l4t+B+pXgJ8xXrVmkdnKYyREYmXrpf2XyNPsOoEbzbz8A==
- State Info: userPassword;vucsn-6891e339000100030000: {PBKDF2-SHA512}10000$uPEJ8l/mnTsjJkckyxqqJRIQx/X2OrOI$Wzm9wddHKCb9JOLl4UVQLUk/czorLTUqEOYE6QBT/l4t+B+pXgJ8xXrVmkdnKYyREYmXrpf2XyNPsOoEbzbz8A==
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'ipauniqueid' is different:
Supplier:
- Value: acbf75f2-71ea-11f0-8dec-02000a452902
- State Info: ipaUniqueID;vucsn-6891e316000000040000: acbf75f2-71ea-11f0-8dec-02000a452902
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: c173c7be-71ea-11f0-a685-02000a452904
- State Info: ipaUniqueID;vucsn-6891e339000100030000: c173c7be-71ea-11f0-a685-02000a452904
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'krbprincipalkey' is different:
Supplier:
- Origin value: b'0\x81\xde\xa0\x03\x02\x01\x01\xa1\x03\x02\x01\x01\xa2\x03\x02\x01\x01\xa3\x03\x02\x01\x01\xa4\x81\xc70\x81\xc40h\xa0\x1b0\x19\xa0\x03\x02\x01\x04\xa1\x12\x04\x10eYQb_EFC-)X>eHD7\xa1I0G\xa0\x03\x02\x01\x12\xa1@\x04> \x00\xcd\xb1\xeaE5Atv\xf9\xc2`\xeb\x97\xbe\xd3;\xc5T\x01\x14b\xd2\xb1\xe6\'\xff|^\x85lL\x10/`\xb3Q\x8c\x95O\x87\xd1\xb4ox!.\xed\x0f8\xd7Wf")\xbba+\x1e/10X\xa0\x1b0\x19\xa0\x03\x02\x01\x04\xa1\x12\x04\x10MF{=:)VKQ|fEio>-\xa1907\xa0\x03\x02\x01\x11\xa10\x04.\x10\x00\xcd\xdd\x0f\x88e\x9c:\xdf\xab\xf5\xee+]"z\x838\xc8\x03\xc40\x0f\x8c3\xe4}\tn\x0et\x8b\x13\x86OR\xc7~\x95:\xd2\x0e"\x14\xa1'
Replica:
- Origin value: b'0\x81\xde\xa0\x03\x02\x01\x01\xa1\x03\x02\x01\x01\xa2\x03\x02\x01\x01\xa3\x03\x02\x01\x01\xa4\x81\xc70\x81\xc40h\xa0\x1b0\x19\xa0\x03\x02\x01\x04\xa1\x12\x04\x10cB:8<=Y-PH|B4*+k\xa1I0G\xa0\x03\x02\x01\x12\xa1@\x04> \x00_\x1b\x16\x9f\xb4\x8c\xeb\x8b\x8c5uA\xcdK\x02\xa4\xddId\xe3\x9b!\xcf\xe1\xfa\xdb~\xfe\xf9F\xa9j\xdf\x14\xc7\x05\xd9\xe9\xf8\xbe\x03\xc9&\x8f\xea\xb4\xact\xfb\xcf:j\xb8W>GO\x02\xfe\x1b0X\xa0\x1b0\x19\xa0\x03\x02\x01\x04\xa1\x12\x04\x1050QY-;1sSPVip&U$\xa1907\xa0\x03\x02\x01\x11\xa10\x04.\x10\x00Y\xcd\xc4\xb7`2W&\xea\xbal0\x8a\xa0\x87\xa0\x8d\xd8\x85\x9b\xfd\xc4\xe4\xe8\x98\xff\xb0\xa4\x18\x19\x99\x14\xf0\xa9d${\x9e\x95Es\xd1\xb4\xa4'
- Attribute 'uidnumber' is different:
Supplier:
- Origin value: b'1213200010'
Replica:
- Origin value: b'1213300500'
- Attribute 'gidnumber' is different:
Supplier:
- Origin value: b'1213200010'
Replica:
- Origin value: b'1213300500'
cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
-------------------------------------------------------
- Attribute 'gidnumber' is different:
Supplier:
- Value: 1213200010
- State Info: gidNumber;vucsn-6891e316000400040000: 1213200010
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: 1213300500
- State Info: gidNumber;vucsn-6891e339000600030000: 1213300500
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'ipauniqueid' is different:
Supplier:
- Value: accda578-71ea-11f0-8dec-02000a452902
- State Info: ipaUniqueID;vucsn-6891e316000400040000: accda578-71ea-11f0-8dec-02000a452902
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: c1a7f6d8-71ea-11f0-a685-02000a452904
- State Info: ipaUniqueID;vucsn-6891e339000600030000: c1a7f6d8-71ea-11f0-a685-02000a452904
- Date: Tue Aug 5 13:55:53 2025
Result
=====================================================
There are replication differences between Supplier and Replica |
The report shows discrepancies between the servers dc01.ald250.pro (Supplier) and dc02.ald250.pro (Replica). The key problems identified:
1. Replication state (Database RUV's)
Replica is behind Supplier by: 95456 seconds (~26.5 hours): the replica lags far behind in time.
Discrepancies in the RUVs (Replica Update Vectors):
For replica 4 (dc01): 687a55c1000100040000 68934c91000000040000 (Supplier) vs 687a55c1000100040000 6891d7b1000000040000 (Replica)
2. Count discrepancies
Entries: 3703 (Supplier) vs 3813 (Replica): the replica has more entries.
3. Conflicting entries
4. Missing entries
3 entries in users_history (a1_9tpl..., a2_dyj..., ansible)
2 deleted users (uid=a1, uid=a2) (created and deleted separately, outside the reproduction)
Role test_role (created separately, outside the reproduction)
Journal entry journal.ald250.pro
Audit entry login
compat structure (users, groups)
sudoers entries
5. Attribute mismatches
SID: S-1-5-21-...-1010 (Supplier) vs S-1-5-21-...-101500 (Replica)
Passwords: different PBKDF2-SHA512 hashes
UID/GID: 1213200010 vs 1213300500
Kerberos data: krbLastPwdChange and krbExtraData differ
Names: "conflict User" vs "conflicted User"
The rbtaSubsystem* attributes are missing on the replica
Differences in objectClass (the Supplier has more classes)
Timestamps: 20250806123737Z (Supplier) vs 20250805093737Z (Replica)
dnaRemainingValues: 100489 (Supplier) vs 199992 (Replica)
Attribute 'telephonenumber': +111111111 (Supplier) vs +33333333 (Replica)
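The State Info lines in the report carry CSNs (change sequence numbers), and decoding them shows which side holds the newer state of each differing attribute and which server originated that change. The following is an added example, not part of the original page or of ds-replcheck; it assumes the 389 Directory Server CSN layout of 8 hex digits of Unix timestamp, 4 of sequence number, 4 of replica ID and 4 of sub-sequence number, and the names `parse_csn`, `parse_report`, `last_writer`, `summarize` and `REPLICA_HOSTS` are its own.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Replica IDs as listed in the report's "Database RUV's" section.
REPLICA_HOSTS = {3: "dc02.ald250.pro", 4: "dc01.ald250.pro"}

# Constructed excerpt in the report's layout; the values are those shown in the report.
SAMPLE_REPORT = """\
uid=testuser,cn=users,cn=accounts,dc=ald250,dc=pro
--------------------------------------------------
- Attribute 'telephonenumber' is different:
Supplier:
- Value: +111111111
- State Info: telephoneNumber;adcsn-6891f9fa000000040000;vucsn-6891f9fa000000040000: +111111111
- Date: Tue Aug 5 15:32:58 2025
Replica:
- Value: +33333333
- State Info: telephoneNumber;adcsn-6891f9de000000030000;vucsn-6891f9de000000030000: +33333333
- Date: Tue Aug 5 15:32:30 2025
uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
-------------------------------------------------------
- Attribute 'krblastpwdchange' is different:
Supplier:
- Value: 20250805105517Z
- State Info: krbLastPwdChange;vucsn-6891e316000200040001: 20250805105517Z
- Date: Tue Aug 5 13:55:18 2025
Replica:
- Value: 20250805105552Z
- State Info: krbLastPwdChange;vucsn-6891e339000400030001: 20250805105552Z
- Date: Tue Aug 5 13:55:53 2025
- Attribute 'uidnumber' is different:
Supplier:
- Origin value: b'1213200010'
Replica:
- Origin value: b'1213300500'
"""

CSN_TAG = re.compile(r";[a-z]+csn-([0-9a-fA-F]{20})(?=[;:])")
ATTR_HDR = re.compile(r"^- Attribute '([^']+)' is different:")


class Csn(NamedTuple):
    raw: str
    time: datetime      # when the change was made, UTC
    seq: int            # orders changes made within the same second
    replica_id: int     # server that originated the change
    subseq: int


def parse_csn(raw):
    """Decode a 20-hex-digit CSN (assumed layout: 8 time, 4 seq, 4 replica ID, 4 sub-seq)."""
    raw = raw.lower()
    if not re.fullmatch(r"[0-9a-f]{20}", raw):
        raise ValueError(f"not a CSN: {raw!r}")
    when = datetime.fromtimestamp(int(raw[:8], 16), tz=timezone.utc)
    return Csn(raw, when, int(raw[8:12], 16), int(raw[12:16], 16), int(raw[16:], 16))


def parse_report(text):
    """Return one dict per "- Attribute ... is different" block."""
    diffs, dn, prev, cur, side = [], None, "", None, None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"-{3,}", line):
            dn = prev  # the DN is the line above its dashed underline
        elif m := ATTR_HDR.match(line):
            cur = {"dn": dn, "attr": m.group(1), "Supplier": None, "Replica": None}
            diffs.append(cur)
            side = None
        elif line in ("Supplier:", "Replica:"):
            side = line[:-1]
        elif line.startswith("- State Info:") and cur and side:
            csns = CSN_TAG.findall(line)
            new = parse_csn(max(c.lower() for c in csns)) if csns else None
            if new and (cur[side] is None or new.raw > cur[side].raw):
                cur[side] = new  # keep the newest CSN seen for this side
        prev = line
    return diffs


def last_writer(diff):
    """Side holding the newer state and its CSN, or None if a CSN is missing."""
    sup, rep = diff["Supplier"], diff["Replica"]
    if sup is None or rep is None:
        return None  # e.g. blocks that carry only "Origin value" lines
    # Fixed-width hex strings compare as (time, seq, replica ID, sub-seq).
    return ("Supplier", sup) if sup.raw >= rep.raw else ("Replica", rep)


def summarize(text, hosts=REPLICA_HOSTS):
    """Rows of (dn, attribute, newer side, originating host, UTC time)."""
    rows = []
    for diff in parse_report(text):
        side, csn = last_writer(diff) or (None, None)
        host = hosts.get(csn.replica_id, f"replica {csn.replica_id}") if csn else None
        when = csn.time.strftime("%Y-%m-%d %H:%M:%SZ") if csn else None
        rows.append((diff["dn"], diff["attr"], side, host, when))
    return rows
```

The decoded times are UTC, while the report's Date lines are printed in the server's local time, three hours ahead in this report.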
Let's start by listing and resolving the conflicts that dsconf reports:
dn: nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
cn: conflicted User
displayName: conflicted User
gecos: conflicted User
gidNumber: 1213300500
givenName: conflicted
homeDirectory: /home/conflict_user
initials: cU
ipaNTSecurityIdentifier: S-1-5-21-196329585-3226835358-3389735258-101500
ipaUniqueID: c173c7be-71ea-11f0-a685-02000a452904
krbCanonicalName: conflict_user@ALD250.PRO
krbExtraData:: AAI445Focm9vdC9hZG1pbkBBTEQyNTAuUFJPAA==
krbLastPwdChange: 20250805105552Z
krbPasswordExpiration: 20250805105552Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBBjQjo4PD1ZLVBIfEI0KitroUkwR6ADAgESoUAEPiAAXxsWn7SM64uMNXVBzUsCpN1JZOObIc/h+tt+/vlGqWrfFMcF2en4vgPJJo/qtKx0+886arhXPkdPAv4bMFigGzAZoAMCAQShEgQQNTBRWS07MXNTUFZpcCZVJKE5MDegAwIBEaEwBC4QAFnNxLdgMlcm6rpsMIqgh6CN2IWb/cTk6Jj/sKQYGZkU8KlkJHuelUVz0bSk
krbPrincipalName: conflict_user@ALD250.PRO
loginShell: /bin/bash
mail: conflict_user@ald250.pro
mepManagedEntry: cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
nsds5replconflict: namingConflict (ADD) uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: x-ald-user
objectClass: x-ald-user-parsec14
objectClass: x-ald-audit-policy
objectClass: rbta-unit
objectClass: rbta-address
objectClass: rbtaCustomUserAttrs
objectClass: rbta-inetorgperson-ext
objectClass: ruPostMailAccount
objectClass: rbtaUserMeta
objectClass: ipaSshGroupOfPubKeys
objectClass: ldapsubentry
objectClass: mepOriginEntry
objectClass: ipantuserattrs
proxyAddresses: SMTP:CONFLICT_USER@ALD250.PRO
rbtadp: ou=ald250.pro,cn=orgunits,cn=accounts,dc=ald250,dc=pro
rbtaou: ald250.pro
sn: User
uid: conflict_user
uidNumber: 1213300500
userPassword: {PBKDF2-SHA512}10000$uPEJ8l/mnTsjJkckyxqqJRIQx/X2OrOI$Wzm9wddHKCb9JOLl4UVQLUk/czorLTUqEOYE6QBT/l4t+B+pXgJ8xXrVmkdnKYyREYmXrpf2XyNPsOoEbzbz8A==
x-ald-user-mac: 0:0x0:0:0x0
xaldusermacmax: 0
xaldusermacmin: 0
dn: cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro
cn: conflict_user
description: User private group for conflict_user
gidNumber: 1213300500
ipaUniqueID: c1a7f6d8-71ea-11f0-a685-02000a452904
mepManagedBy: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
nsds5replconflict: namingConflict (ADD) cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: ldapsubentry |
| dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict compare cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro |
Conflict Entry:
dn: cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro
cn: conflict_user
description: User private group for conflict_user
gidNumber: 1213300500
ipaUniqueID: c1a7f6d8-71ea-11f0-a685-02000a452904
mepManagedBy: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
nsds5replconflict: namingConflict (ADD) cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: ldapsubentry
Valid Entry:
dn: cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
cn: conflict_user
description: User private group for conflict_user
gidNumber: 1213200010
ipaUniqueID: accda578-71ea-11f0-8dec-02000a452902
mepManagedBy: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top |
| dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict delete cn=conflict_user+nsuniqueid=adc2dc05-71ea11f0-816fe86f-aa36b0da,cn=groups,cn=accounts,dc=ald250,dc=pro |
root@dc01:~# dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict compare nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
Enter password for cn=Directory Manager on ldap://dc01.ald250.pro:
Conflict Entry:
dn: nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
cn: conflicted User
displayName: conflicted User
gecos: conflicted User
gidNumber: 1213300500
givenName: conflicted
homeDirectory: /home/conflict_user
initials: cU
ipaNTSecurityIdentifier: S-1-5-21-196329585-3226835358-3389735258-101500
ipaUniqueID: c173c7be-71ea-11f0-a685-02000a452904
krbCanonicalName: conflict_user@ALD250.PRO
krbExtraData:: AAI445Focm9vdC9hZG1pbkBBTEQyNTAuUFJPAA==
krbLastPwdChange: 20250805105552Z
krbPasswordExpiration: 20250805105552Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBBjQjo4PD1ZLVBIfEI0KitroUkwR6ADAgESoUAEPiAAXxsWn7SM64uMNXVBzUsCpN1JZOObIc/h+tt+/vlGqWrfFMcF2en4vgPJJo/qtKx0+886arhXPkdPAv4bMFigGzAZoAMCAQShEgQQNTBRWS07MXNTUFZpcCZVJKE5MDegAwIBEaEwBC4QAFnNxLdgMlcm6rpsMIqgh6CN2IWb/cTk6Jj/sKQYGZkU8KlkJHuelUVz0bSk
krbPrincipalName: conflict_user@ALD250.PRO
loginShell: /bin/bash
mail: conflict_user@ald250.pro
mepManagedEntry: cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
nsds5replconflict: namingConflict (ADD) uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: x-ald-user
objectClass: x-ald-user-parsec14
objectClass: x-ald-audit-policy
objectClass: rbta-unit
objectClass: rbta-address
objectClass: rbtaCustomUserAttrs
objectClass: rbta-inetorgperson-ext
objectClass: ruPostMailAccount
objectClass: rbtaUserMeta
objectClass: ipaSshGroupOfPubKeys
objectClass: ldapsubentry
objectClass: mepOriginEntry
objectClass: ipantuserattrs
proxyAddresses: SMTP:CONFLICT_USER@ALD250.PRO
rbtadp: ou=ald250.pro,cn=orgunits,cn=accounts,dc=ald250,dc=pro
rbtaou: ald250.pro
sn: User
uid: conflict_user
uidNumber: 1213300500
userPassword: {PBKDF2-SHA512}10000$uPEJ8l/mnTsjJkckyxqqJRIQx/X2OrOI$Wzm9wddHKCb9JOLl4UVQLUk/czorLTUqEOYE6QBT/l4t+B+pXgJ8xXrVmkdnKYyREYmXrpf2XyNPsOoEbzbz8A==
x-ald-user-mac: 0:0x0:0:0x0
xaldusermacmax: 0
xaldusermacmin: 0
Valid Entry:
dn: uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro
cn: conflict User
displayName: conflict User
gecos: conflict User
gidNumber: 1213200010
givenName: conflict
homeDirectory: /home/conflict_user
initials: cU
ipaNTSecurityIdentifier: S-1-5-21-196329585-3226835358-3389735258-1010
ipaUniqueID: acbf75f2-71ea-11f0-8dec-02000a452902
krbCanonicalName: conflict_user@ALD250.PRO
krbExtraData:: AAIV45Focm9vdC9hZG1pbkBBTEQyNTAuUFJPAA==
krbLastPwdChange: 20250805105517Z
krbPasswordExpiration: 20250805105517Z
krbPrincipalKey:: MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBBlWVFiX0VGQy0pWD5lSEQ3oUkwR6ADAgESoUAEPiAAzbHqRTVBdHb5wmDrl77TO8VUARRi0rHmJ/98XoVsTBAvYLNRjJVPh9G0b3ghLu0PONdXZiIpu2ErHi8xMFigGzAZoAMCAQShEgQQTUZ7PTopVktRfGZFaW8+LaE5MDegAwIBEaEwBC4QAM3dD4hlnDrfq/XuK10ieoM4yAPEMA+MM+R9CW4OdIsThk9Sx36VOtIOIhSh
krbPrincipalName: conflict_user@ALD250.PRO
loginShell: /bin/bash
mail: conflict_user@ald250.pro
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ald250,dc=pro
memberOf: cn=ALDPRO - Organization units,cn=roles,cn=accounts,dc=ald250,dc=pro
memberOf: cn=Organization units,cn=privileges,cn=pbac,dc=ald250,dc=pro
memberOf: cn=Organization units - Read - Relations,cn=permissions,cn=pbac,dc=ald250,dc=pro
memberOf: cn=Organization units - Read - OU,cn=permissions,cn=pbac,dc=ald250,dc=pro
memberOf: cn=conflict_user_3m98nnfmo7u7d2rsx,cn=users_history,cn=accounts,dc=ald250,dc=pro
memberOf: cn=conflict_user_fow3ooa2q7q3vkvui,cn=users_history,cn=accounts,dc=ald250,dc=pro
memberOf: cn=test_role,cn=roles,cn=accounts,dc=ald250,dc=pro
memberOf: cn=ALDPRO ROCO Attributes Mapping - Read,cn=privileges,cn=pbac,dc=ald250,dc=pro
memberOf: cn=ALDPRO ROCO Attributes Mapping - Read,cn=permissions,cn=pbac,dc=ald250,dc=pro
memberOf: cn=ALDPRO ROCO Attributes Mapping - Manage,cn=privileges,cn=pbac,dc=ald250,dc=pro
memberOf: cn=ALDPRO ROCO Attributes Mapping - Manage,cn=permissions,cn=pbac,dc=ald250,dc=pro
mepManagedEntry: cn=conflict_user,cn=groups,cn=accounts,dc=ald250,dc=pro
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: x-ald-user
objectClass: x-ald-user-parsec14
objectClass: x-ald-audit-policy
objectClass: rbta-unit
objectClass: rbta-address
objectClass: rbtaCustomUserAttrs
objectClass: rbta-inetorgperson-ext
objectClass: ruPostMailAccount
objectClass: rbtaUserMeta
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
proxyAddresses: SMTP:CONFLICT_USER@ALD250.PRO
rbtadp: ou=ald250.pro,cn=orgunits,cn=accounts,dc=ald250,dc=pro
rbtaou: ald250.pro
sn: User
uid: conflict_user
uidNumber: 1213200010
userPassword: {PBKDF2-SHA512}10000$+mn7IoPU4om7kLc9I3PS1opkiHJteGzy$uEHe5EuvMJ4c4KOukivH8+46Ohqvx8PuvSamj18k3uQnzgZ1KBl7brBq4yEGzxJc5Y6Ssl0hkxDZ2D0cMPCOLA==
x-ald-user-mac: 0:0x0:0:0x0
xaldusermacmax: 0
xaldusermacmin: 0
|
root@dc01:~# dsconf ldap://dc01.ald250.pro -D "cn=Directory Manager" repl-conflict delete nsuniqueid=adc2dc01-71ea11f0-816fe86f-aa36b0da+uid=conflict_user,cn=users,cn=accounts,dc=ald250,dc=pro |
| systemctl restart dirsrv@* |
| root@dc01:~# ds-replcheck online -D "cn=Directory Manager" -W -m ldap://dc01:389 -r ldap://dc02:389 -b "dc=ald250,dc=pro" -i memberof,idnssoaserial,entryusn,krblastsuccessfulauth,krblastfailedauth,krbloginfailedcount |
Enter password:
================================================================================
Replication Synchronization Report (Thu Aug 7 10:15:54 2025)
================================================================================
Database RUV's
=====================================================
Supplier RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 6894526b000500030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 6894527e000300040000
{replicageneration} 687a55c1000000040000
Replica RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 6894526b000500030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 6894527e000300040000
{replicageneration} 687a55c1000000040000
Replication State: Supplier and Replica are in perfect synchronization
Entry Counts
=====================================================
Supplier: 3704
Replica: 3824
Tombstones
=====================================================
Supplier: 21
Replica: 21
Missing Entries
=====================================================
Entries missing on Supplier:
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:53 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:52 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:51 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:51 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:51 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:51 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:51 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:51 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:50 2025)
- cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:49 2025)
- cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:49 2025)
- uid=conflict_user,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:14:42 2025)
- uid=testuser,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- uid=admin,cn=users,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ng,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:49 2025)
- cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:49 2025)
- cn=testuser,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Tue Aug 5 10:06:38 2025)
- cn=print_admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=Default\20SMB\20Group,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=ald\20trust\20admin,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=editors,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=admins,cn=groups,cn=compat,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
- cn=computers,cn=compat,dc=ald250,dc=pro (Created on Replica at: Thu Aug 7 07:15:49 2025)
- ou=sudoers,dc=ald250,dc=pro (Created on Replica at: Fri Jul 18 14:19:28 2025)
Result
=====================================================
There are replication differences between Supplier and Replica |
sudo ipa-compat-manage disable |
| ds-replcheck online -D "cn=Directory Manager" -W -m ldap://dc01:389 -r ldap://dc02:389 -b "dc=ald250,dc=pro" -i memberof,idnssoaserial,entryusn,krblastsuccessfulauth,krblastfailedauth,krbloginfailedcount |
Enter password:
================================================================================
Replication Synchronization Report (Thu Aug 7 12:11:57 2025)
================================================================================
Database RUV's
=====================================================
Supplier RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68946d16000200030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 68946cc6000100040000
{replicageneration} 687a55c1000000040000
Replica RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68946d16000200030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 68946cc6000100040000
{replicageneration} 687a55c1000000040000
Replication State: Supplier and Replica are in perfect synchronization
Entry Counts
=====================================================
Supplier: 3724
Replica: 3724
Tombstones
=====================================================
Supplier: 41
Replica: 41
Result
=====================================================
No replication differences between Supplier and Replica |
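The RUV comparison summarized in the reports above can be reproduced from a saved report. The following is an added example, not part of the original page and not ds-replcheck's own code: the function names `ruv_lag` and `sample_report` are hypothetical, the sample input is constructed from the page's RUV values, and the CSN layout (8 hex digits of Unix time, then sequence number, replica ID and subsequence number) is the one used by 389 Directory Server.

```shell
# ruv_lag: read a ds-replcheck report on stdin and compare, per replica ID, the
# max CSN of the two RUVs. Prints "<rid> <state> <lag_s>"; returns 1 on any gap.
ruv_lag() {
    rc=0
    out=$(LC_ALL=C awk '
    function hex(s,   i, n) {            # portable hex -> number (no strtonum)
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return n
    }
    /^[ \t]*Supplier RUV:/ { side = "S"; next }
    /^[ \t]*Replica RUV:/  { side = "R"; next }
    # RUV element: {replica <rid> ldap://host:port} <min CSN> <max CSN>
    side != "" && $1 == "{replica" {
        seen[$2] = 1; if (NF >= 5) max[side, $2] = tolower($NF); next
    }
    side != "" && $1 == "{replicageneration}" { next }
    { side = "" }                        # any other line closes the section
    END {
        for (rid in seen) {
            s = max["S", rid]; r = max["R", rid]; lag = 0
            if (s == r) state = "IN_SYNC"
            else if (s == "" || r == "") { state = "MISSING"; lag = "-" }
            else {
                # CSN: 8 hex digits of Unix time, then seq, replica ID, subseq
                lag = hex(substr(s, 1, 8)) - hex(substr(r, 1, 8))
                state = (s > r) ? "REPLICA_BEHIND" : "SUPPLIER_BEHIND"
            }
            if (state != "IN_SYNC") rc = 1
            print rid, state, lag
        }
        exit rc + 0
    }') || rc=$?
    printf '%s\n' "$out" | sort -n
    return "$rc"
}

# Constructed sample: page's RUVs, replica's max CSN for rid 3 moved 60 s back.
sample_report() {
    cat <<'EOF'
Supplier RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68946d16000200030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 68946cc6000100040000
Replica RUV:
{replica 3 ldap://dc02.ald250.pro:389} 687a55d0000100030000 68946cda000100030000
{replica 4 ldap://dc01.ald250.pro:389} 687a55c1000100040000 68946cc6000100040000
EOF
}
sample_report | ruv_lag || echo "RUVs differ: check replication agreements"
```

The lag column is the difference between the timestamps of the two max CSNs, so a `REPLICA_BEHIND` line with lag 0 means both changes carry the same second and differ only in sequence number.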
In complex cases a full reinitialization of the replica may be required. Reinitialization is a last resort and is undesirable for the following reasons:
Performance: it requires a full transfer of all data (hours of downtime for large directories).
Risks: it can lead to the loss of local changes if performed incorrectly.
Masking of problems: it does not eliminate the root causes of conflicts (for example, an incorrect replication topology).
Reinitialization is recommended in the following cases:
after a hardware failure (for example, a hard disk failure) on the replica;
when more than 5-10% of entries differ;
after a change to the data schema.
To perform reinitialization:
ds-replcheck should be:
memberof - group membership must match;
idnssoaserial - identity of DNS zones;
krblastfailedauth - so that legitimate users are not locked out
| base_dn=$(ldapsearch -Q -LLL -s base | awk '/^dn:/{print $2}')
password="<PASSWORD>"
# For users
ipa-replica-manage list 2>/dev/null | grep -E '^[a-zA-Z0-9.-]+:' | awk -F: '{print $1}' | xargs -I{} bash -c 'echo "=== Проверка пользователей на реплике: {} ==="; ldapsearch -x -h {} -b "cn=users,cn=accounts,'"$base_dn"'" -s onelevel -D "cn=Directory Manager" -w "'"$password"'" "(uid=*)" dn 2>/dev/null | grep -c "^dn:" || echo "Ошибка подключения к {}"'
# For computers
ipa-replica-manage list 2>/dev/null | grep -E '^[a-zA-Z0-9.-]+:' | awk -F: '{print $1}' | xargs -I{} bash -c 'echo "=== Проверка компьютеров на реплике: {} ==="; ldapsearch -x -h {} -b "cn=computers,cn=accounts,'"$base_dn"'" -s onelevel -D "cn=Directory Manager" -w "'"$password"'" "(fqdn=*)" dn 2>/dev/null | grep -c "^dn:" || echo "Ошибка подключения к {}"'
# For organizational units
ipa-replica-manage list 2>/dev/null | grep -E '^[a-zA-Z0-9.-]+:' | awk -F: '{print $1}' | xargs -I{} bash -c 'echo "=== Проверка подразделений на реплике: {} ==="; ldapsearch -x -h {} -b "cn=orgunits,cn=accounts,'"$base_dn"'" -s onelevel -D "cn=Directory Manager" -w "'"$password"'" "(ou=*)" dn 2>/dev/null | grep -c "^dn:" || echo "Ошибка подключения к {}"' |
Where <PASSWORD> is the password of the Directory Manager account.
Retrieve the Replica Update Vectors (RUV), which describe the replication state between FreeIPA servers:
ipa-replica-manage list-ruv |
Check the replication status between all servers:
dsconf $(ldapsearch -Q -LLL -s base | awk '/nisDomain:/{gsub(/\./,"-",$2); print toupper($2)}') replication monitor |
When prompted with `Enter a bind DN for <server>:389`, answer cn="Directory Manager".
Display information about the ipaservers host group:
ipa hostgroup-show ipaservers |
Delete all conflicts:
This command will delete all conflicts; data may be corrupted! |
domain=$(ldapsearch -Q -LLL -s base | awk '/nisDomain:/{gsub(/\./,"-",$2); print toupper($2)}'); dsconf $domain repl-conflict list $(ldapsearch -Q -LLL -s base | awk '/^dn:/{print $2}') | awk '/^dn: /{print substr($0,5)}' | xargs -I [] dsconf $domain repl-conflict delete [] |
Regular monitoring and adherence to the recommendations for resolving conflicts will help avoid data consistency problems.