The correct search filter must include (objectClass=ldapSubEntry): ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
HTH, flo On Sat, Jul 10, 2021 at 3:20 PM Kees Bakker via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On 09-07-2021 21:33, Rob Crittenden wrote: > > Kees Bakker via FreeIPA-users wrote: > >> Hi, > >> > >> ipahealthcheck gives me this warning > >> > >> [ > >> { > >> "source": "ipahealthcheck.ds.replication", > >> "check": "ReplicationCheck", > >> "result": "WARNING", > >> "uuid": "237f4271-6e93-4d42-a15d-accdb936e51b", > >> "when": "20210709182051Z", > >> "duration": "45.967890", > >> "kw": { > >> "key": "DSREPLLE0002", > >> "items": [ > >> "Replication", > >> "Conflict Entries" > >> ], > >> "msg": "There were 1 conflict entries found under the replication > >> suffix \"o=ipaca\"." > >> } > >> } > >> ] > >> > >> > >> ldapsearch does not reveal any hit, however nsconf does. > >> > >> > >> [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D > >> 'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)' > >> Enter LDAP Password: > >> # extended LDIF > >> # > >> # LDAPv3 > >> # base <o=ipaca> with scope subtree > >> # filter: (nsds5ReplConflict=*) > >> # requesting: ALL > >> # > >> > >> # search result > >> search: 2 > >> result: 0 Success > >> > >> # numResponses: 1 > >> > >> > >> [root@linge ~]# dsconf slapd-EXAMPLE-COM repl-conflict list o=ipaca > >> dn: > >> cn=iparep4.example.com:443 > +nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security > >> Domain,o=ipaca > >> Clone: TRUE > >> DomainManager: TRUE > >> SecureAdminPort: 443 > >> SecureAgentPort: 443 > >> SecureEEClientAuthPort: 443 > >> SecurePort: 443 > >> SubsystemName: CA iparep4.example.com 8443 > >> UnSecurePort: 80 > >> cn: iparep4.example.com:443 > >> host: iparep4.example.com > >> nsds5replconflict: namingConflict (ADD) > >> cn=iparep4.example.com:443,cn=calist,ou=security domain,o=ipaca > >> objectClass: top > >> objectClass: pkiSubsystem > >> objectClass: ldapsubentry > >> > >> > >> How is that possible? > > 389 filters out conflict entries now. Add this filter and you should see > > it with ldapsearch: > > > > (&(!(objectclass=nstombstone))(nsds5ReplConflict=*)) > > > > That makes no difference. Both BASEDN and o=ipaca result in no hits. > (( Can ldapsearch really filter out more if the filter expression is less > restrictive? )) > > [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D > 'cn=Directory Manager' -b 'o=ipaca' > '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))' > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base <o=ipaca> with scope subtree > # filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*)) > # requesting: ALL > # > > # search result > search: 2 > result: 0 Success > > # numResponses: 1 > > [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D > 'cn=Directory Manager' -b $BASEDN > '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))' > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base <dc=example,dc=com> with scope subtree > # filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*)) > # requesting: ALL > # > > # search result > search: 2 > result: 0 Success > > # numResponses: 1 > > -- > Kees > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure