[Freeipa-users] Re: ipahealthcheck: ldapsearch finds no replconflict but nsconf does

Fri, 09 Jul 2021 12:33:23 -0700 

Kees Bakker via FreeIPA-users wrote:
> Hi,
> 
> ipahealthcheck gives me this warning
> 
> [
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "WARNING",
>     "uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
>     "when": "20210709182051Z",
>     "duration": "45.967890",
>     "kw": {
>       "key": "DSREPLLE0002",
>       "items": [
>         "Replication",
>         "Conflict Entries"
>       ],
>       "msg": "There were 1 conflict entries found under the replication
> suffix \"o=ipaca\"."
>     }
>   }
> ]
> 
> 
> ldapsearch does not reveal any hit, however nsconf does.
> 
> 
> [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D
> 'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <o=ipaca> with scope subtree
> # filter: (nsds5ReplConflict=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> 
> 
> [root@linge ~]# dsconf slapd-EXAMPLE-COM  repl-conflict list o=ipaca
> dn:
> cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security
> Domain,o=ipaca
> Clone: TRUE
> DomainManager: TRUE
> SecureAdminPort: 443
> SecureAgentPort: 443
> SecureEEClientAuthPort: 443
> SecurePort: 443
> SubsystemName: CA iparep4.example.com 8443
> UnSecurePort: 80
> cn: iparep4.example.com:443
> host: iparep4.example.com
> nsds5replconflict: namingConflict (ADD)
> cn=iparep4.example.com:443,cn=calist,ou=security domain,o=ipaca
> objectClass: top
> objectClass: pkiSubsystem
> objectClass: ldapsubentry
> 
> 
> How is that possible?

389 filters out conflict entries now. Add this filter and you should see
it with ldapsearch:

(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to