The correct search filter must include (objectClass=ldapSubEntry):

ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' \
    -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' \
    nsds5ReplConflict

HTH,
flo

On Sat, Jul 10, 2021 at 3:20 PM Kees Bakker via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On 09-07-2021 21:33, Rob Crittenden wrote:
> > Kees Bakker via FreeIPA-users wrote:
> >> Hi,
> >>
> >> ipahealthcheck gives me this warning
> >>
> >> [
> >>    {
> >>      "source": "ipahealthcheck.ds.replication",
> >>      "check": "ReplicationCheck",
> >>      "result": "WARNING",
> >>      "uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
> >>      "when": "20210709182051Z",
> >>      "duration": "45.967890",
> >>      "kw": {
> >>        "key": "DSREPLLE0002",
> >>        "items": [
> >>          "Replication",
> >>          "Conflict Entries"
> >>        ],
> >>        "msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"."
> >>      }
> >>    }
> >> ]
> >>
> >>
> >> ldapsearch does not reveal any hit, however nsconf does.
> >>
> >>
> >> [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D
> >> 'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)'
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base <o=ipaca> with scope subtree
> >> # filter: (nsds5ReplConflict=*)
> >> # requesting: ALL
> >> #
> >>
> >> # search result
> >> search: 2
> >> result: 0 Success
> >>
> >> # numResponses: 1
> >>
> >>
> >> [root@linge ~]# dsconf slapd-EXAMPLE-COM  repl-conflict list o=ipaca
> >> dn: cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security Domain,o=ipaca
> >> Clone: TRUE
> >> DomainManager: TRUE
> >> SecureAdminPort: 443
> >> SecureAgentPort: 443
> >> SecureEEClientAuthPort: 443
> >> SecurePort: 443
> >> SubsystemName: CA iparep4.example.com 8443
> >> UnSecurePort: 80
> >> cn: iparep4.example.com:443
> >> host: iparep4.example.com
> >> nsds5replconflict: namingConflict (ADD) cn=iparep4.example.com:443,cn=calist,ou=security domain,o=ipaca
> >> objectClass: top
> >> objectClass: pkiSubsystem
> >> objectClass: ldapsubentry
> >>
> >>
> >> How is that possible?
> > 389 filters out conflict entries now. Add this filter and you should see
> > it with ldapsearch:
> >
> > (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
> >
>
> That makes no difference. Both BASEDN and o=ipaca result in no hits.
> (( Can ldapsearch really filter out more if the filter expression is less
> restrictive? ))
>
> [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D
> 'cn=Directory Manager' -b 'o=ipaca'
> '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <o=ipaca> with scope subtree
> # filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D
> 'cn=Directory Manager' -b $BASEDN
> '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope subtree
> # filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> --
> Kees
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
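
Added example, not part of the original messages and not FreeIPA or 389-ds code: it reads an ipahealthcheck JSON report like the one quoted above, picks out the suffixes flagged with DSREPLLE0002, and builds the ldapsearch call from the reply with the ldapSubEntry filter for each one. The function names and the sample report are constructed for illustration; the host and bind DN are the ones used in the thread.

```python
import json
import re
import shlex

# Filter from the reply above: the conflict entry carries objectClass
# ldapsubentry, and the search only returns it when the filter names that class.
CONFLICT_FILTER = "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))"

# Key used by the report quoted in this thread for "conflict entries found".
CONFLICT_KEY = "DSREPLLE0002"

_SUFFIX_RE = re.compile(r'replication suffix "([^"]+)"')


def conflict_suffixes(report_json):
    """Return suffixes named in conflict findings, in order, without duplicates."""
    suffixes = []
    for finding in json.loads(report_json):
        kw = finding.get("kw", {})
        if kw.get("key") != CONFLICT_KEY:
            continue
        match = _SUFFIX_RE.search(kw.get("msg", ""))
        if match and match.group(1) not in suffixes:
            suffixes.append(match.group(1))
    return suffixes


def ldapsearch_argv(uri, bind_dn, suffix):
    """Build the ldapsearch call from the reply; only nsds5ReplConflict is requested."""
    return ["ldapsearch", "-H", uri, "-W", "-D", bind_dn, "-b", suffix,
            CONFLICT_FILTER, "nsds5ReplConflict"]


# Constructed sample, modelled on the ipahealthcheck output quoted in the thread.
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "WARNING",
     "kw": {"key": "DSREPLLE0002", "items": ["Replication", "Conflict Entries"],
            "msg": 'There were 1 conflict entries found under the '
                   'replication suffix "o=ipaca".'}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "SUCCESS", "kw": {}},
])

if __name__ == "__main__":
    for suffix in conflict_suffixes(SAMPLE_REPORT):
        print(shlex.join(ldapsearch_argv("ldaps://linge.example.com",
                                         "cn=Directory Manager", suffix)))
```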