You'll have to forgive my ignorance here since I'm still fairly new to IPA and 
fortunately haven't run into many issues as of yet. 

The three IPA 3.0 servers all have what look to be the following conflicts:

$ ldapsearch -D "cn=directory manager" -w secret -b "dc=domain,dc=tld" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
nsds5ReplConflict: namingConflict cn=ipa4-4.domain.tld,cn=masters,cn=ipa,cn
nsds5ReplConflict: namingConflict dnahostname=ipa4-4.domain.tld+dnaportnum=
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=z
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=domain,dc=tld
nsds5ReplConflict: namingConflict cn=dns administrators,cn=privileges,cn=pbac,
nsds5ReplConflict: namingConflict cn=dns servers,cn=privileges,cn=pbac,dc=domain
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=domain,dc=tld
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=domain,
nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=domain,dc=u
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
nsds5ReplConflict: namingConflict dnahostname=ipa4-4.domain.tld+dnaportnum=

While the IPA 4.4 server shows no conflicts:
$ ldapsearch -D "cn=directory manager" -w secret -b "dc=domain,dc=tld" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict

So I would need to delete/modify the conflicts on the IPA 3.0 servers but the 
IPA 4.4 server should be okay, correct?  Is there any impact to running the 
ldapmodify command to remove these conflicts while services are running?  Would 
I need to do this on each of the IPA 3.x servers?

Looking at one of the conflicts on one of the IPA 3.0:
$ ldapsearch -D "cn=directory manager" -w secret -b "dc=domain,dc=tld" "cn=domain"
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=tld> with scope subtree
# filter: cn=domain
# requesting: ALL
#

# domain, topology, ipa, etc, domain.us
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
cn: domain
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=domain,dc=tld
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp

# domain + e8d2f70e-512111e7-9205b5bf-43202000, topology, ipa, etc, domain.us
dn: cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000,cn=topology,cn=ip
 a,cn=etc,dc=domain,dc=tld
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
ipaReplTopoConfRoot: dc=domain,dc=tld
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Would I need to remove the "dn: 
cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000" entry in this case?  
And do that removal on each server?

Thank you and any help is appreciated!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
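
Added example, not part of the original post: the grep in the message keeps only the first physical line of each folded LDIF value, which is why every conflict DN above is cut off. The sketch below unfolds the continuation lines and pairs each conflict entry with the DN it collided with; the sample input is constructed from the output in the post, and the function names are hypothetical.

```python
import base64

# Constructed sample modelled on the folded ldapsearch output in the post.
SAMPLE_LDIF = """\
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
cn: domain

dn: cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000,cn=topology,cn=ip
 a,cn=etc,dc=domain,dc=tld
cn: domain
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,
 dc=tld
"""

def unfold(text):
    """Join LDIF continuation lines: one leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # drop only the fold marker, keep any real space
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    entries, current = [], {}
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def conflict_entries(text):
    """List (conflict entry DN, conflict type, DN it collided with)."""
    found = []
    for entry in parse_entries(text):
        for value in entry.get("nsds5replconflict", []):
            kind, _, original = value.partition(" ")
            found.append((entry.get("dn", [""])[0], kind, original))
    return found
```

Feeding it the full, ungrepped ldapsearch output gives one tuple per conflict entry with complete DNs, which makes it easy to compare the list across replicas.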
