On Thu, Jun 15, 2017 at 01:07:27PM -0000, john.bowman--- via FreeIPA-users 
wrote:
> You'll have to forgive my ignorance here since I'm still fairly new to IPA 
> and fortunately haven't run into many issues as of yet. 
> 
> The three IPA 3.0 servers all have what look to be the following conflicts:
> 
> $ ldapsearch -D "cn=directory manager" -w secret -b "dc=domain,dc=tld" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict
> # filter: nsds5ReplConflict=*
> # requesting: * nsds5ReplConflict
> nsds5ReplConflict: namingConflict cn=ipa4-4.domain.tld,cn=masters,cn=ipa,cn
> nsds5ReplConflict: namingConflict dnahostname=ipa4-4.domain.tld+dnaportnum=
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=z
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
> nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,
> nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=domain,dc=tld
> nsds5ReplConflict: namingConflict cn=dns administrators,cn=privileges,cn=pbac,
> nsds5ReplConflict: namingConflict cn=dns servers,cn=privileges,cn=pbac,dc=domain
> nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=domain,dc=tld
> nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=domain,
> nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=domain,dc=u
> nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
> nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
> nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
> nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
> nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
> nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
> nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
> nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
> nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
> nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
> nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
> nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
> nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
> nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
> nsds5ReplConflict: namingConflict dnahostname=ipa4-4.domain.tld+dnaportnum=
> 
> While the IPA 4.4 server shows no conflicts:
> $ ldapsearch -D "cn=directory manager" -w secret -b "dc=domain,dc=tld" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict
> # filter: nsds5ReplConflict=*
> # requesting: * nsds5ReplConflict

Depends on whether you need to keep the data on the v3 machine and
whether the data on the v4 machine is correct...

But the general guide to managing replication conflicts is:
    
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html

> 
> So I would need to delete/modify the conflicts on the IPA 3.0 servers but the 
> IPA 4.4 server should be okay, correct?  Is there any impact to running the 
> ldapmodify command to remove these conflicts while services are running?  
> Would I need to do this on each of the IPA 3.x servers?
> 
> Looking at one of the conflicts on one of the IPA 3.0:
> $ ldapsearch -D "cn=directory manager" -w secret -b "dc=domain,dc=tld" "cn=domain"
> # extended LDIF
> #
> # LDAPv3
> # base <dc=domain,dc=tld> with scope subtree
> # filter: cn=domain
> # requesting: ALL
> #
> 
> # domain, topology, ipa, etc, domain.us
> dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
> cn: domain
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
>   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
>  uccessfulauth krblastfailedauth krbloginfailedcount
> objectClass: top
> objectClass: iparepltopoconf
> ipaReplTopoConfRoot: dc=domain,dc=tld
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
>  ternalModifyTimestamp
> 
> # domain + e8d2f70e-512111e7-9205b5bf-43202000, topology, ipa, etc, domain.us
> dn: cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000,cn=topology,cn=ip
>  a,cn=etc,dc=domain,dc=tld
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
>  ternalModifyTimestamp
> ipaReplTopoConfRoot: dc=domain,dc=tld
> objectClass: top
> objectClass: iparepltopoconf
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
>  uccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
>   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> cn: domain
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 3
> # numEntries: 2
> 
> Would I need to remove the "dn: cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000" entry in this case?
> And do that removal on each server?
> 
> Thank you and any help is appreciated!
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
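
An added example, not part of the original thread or of FreeIPA's own tooling: a small Python parser for the kind of ldapsearch output quoted above. It unfolds wrapped LDIF lines and pairs each entry carrying nsds5ReplConflict with the DN it collided on, so the pairs can be reviewed before any change is made. The sample LDIF is constructed and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the output quoted in the thread; the second
# nsuniqueid is a placeholder. Assumes nsds5ReplConflict was requested
# explicitly, as in the poster's first search.
SAMPLE_LDIF = """\
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
cn: domain

dn: cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000,cn=topology,cn=ip
 a,cn=etc,dc=domain,dc=tld
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=domai
 n,dc=tld

dn: cn=locations+nsuniqueid=00000000-00000000-00000000-00000000,cn=etc,dc=domain,dc=tld
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=domain,dc=tld
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] after unfolding wrapped lines."""
    unfolded = re.sub(r"\r?\n ", "", text)  # newline + one space = continuation
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and blank lines
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:  # blocks such as "search: 2" carry no dn
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def norm(dn):
    """Lower-case a DN and drop spaces around commas, for comparison only."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def find_conflicts(entries):
    """Pair each conflict entry with the DN named in nsds5ReplConflict."""
    known = {norm(dn) for dn, _ in entries}
    rows = []
    for dn, attrs in entries:
        for value in attrs.get("nsds5replconflict", []):
            kind, _, original = value.partition(" ")
            uid = re.search(r"\+nsuniqueid=([0-9a-f-]+)", dn, re.I)
            rows.append({"conflict_dn": dn, "kind": kind, "original_dn": original,
                         "nsuniqueid": uid and uid.group(1),
                         "original_present": norm(original) in known})
    return rows

if __name__ == "__main__":
    print(*find_conflicts(parse_ldif(SAMPLE_LDIF)), sep="\n")
```

`original_present` is false whenever the parsed output does not contain an entry with the original DN, which also happens when the search base or filter excluded it.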