After performing the usual Yum updates on multiple IPA servers (not at the same time; one server reportedly started hanging), we started observing "LDAP Conflicts" on multiple IPA replication servers:
az2-replica.noc.net    | LDAP Conflicts | 9  | FAIL |
mi2-replica.noc.net:   | LDAP Conflicts | 9  | FAIL |
mi1-replica.noc.net:   | LDAP Conflicts | 9  | FAIL |
az1-replica.noc.net:   | LDAP Conflicts | 10 | FAIL |
sg1-replicate.noc.net: | LDAP Conflicts | 3  | FAIL |
sg2-replica.noc.net    | LDAP Conflicts | 3  | FAIL |

While the "Replication status" reports OK, we also observe it flapping at times between OK and FAIL.

On one of the replication servers we have tried to follow
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
by removing the orphan entry; however, replication broke completely on it (the ipa service couldn't start back up), requiring a full re-install of that specific replica.

]$ sudo -u admin /home/admin/.local/bin/cipa -H localhost |grep "LDAP Conflicts"
| LDAP Conflicts | 0 | OK |

$ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net"
Enter password for cn=Directory Manager on ldap://az1-replica.noc.net:
dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
cn: sg1-replica.noc.net
ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
ipaMaxDomainLevel: 1
ipaMinDomainLevel: 1
ipaReplTopoManagedSuffix: dc=noc,dc=net
nsds5replconflict: deletedEntryHasChildren
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
objectClass: ipalocationmember
objectClass: extensibleobject
objectClass: glue

$ ldapsearch -H ldaps://$(hostname) -W -D 'cn=Directory Manager' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=noc,dc=net> (default) with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: nsds5ReplConflict
#

# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net

# HTTP/[email protected] + 0264df8b-fca611ee-a3cba8b9-8a6b8039,services, accounts, noc.net
dn: krbprincipalname=HTTP/[email protected]+nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
nsds5ReplConflict: namingConflict (ADD) krbprincipalname=http/[email protected],cn=services,cn=accounts,dc=noc,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

OR:

az1-replica.noc.net:/$ ldapsearch -H ldap://$(hostname) -D "cn=Directory Manager" -W -b "dc=noc,dc=net" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=noc,dc=net> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100
 ,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
objectClass: ldapsubentry
objectClass: ipalocationmember
cn: sg1-replica.noc.net
ipaReplTopoManagedSuffix: dc=noc,dc=net
ipaMinDomainLevel: 1
ipaMaxDomainLevel: 1
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters
 ,cn=ipa,cn=etc,dc=noc,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

We expect:
| LDAP Conflicts | 0 | OK |

Running versions:
ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
ipa-client-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
389-ds-base-1.4.3.37-2.module_el8.9.0+3710+3183c30a.alma.1.x86_64
krb5-server-1.18.2-26.el8_9.x86_64

The yum update happened from:
ipa-server-4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1.x86_64
to:
ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64

Please advise how it is best to resolve these "LDAP Conflicts". Should we remove them, or retain them if that is the case?

Thanks,
Lee
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
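As an added example (not code from the post, FreeIPA or 389-ds), a small Python triage script for the LDIF that the `ldapsearch` conflict query and `dsconf repl-conflict list-glue` print: it unfolds RFC 2849 continuation lines (the ` ,cn=masters` wrapping seen in the post), extracts the `nsuniqueid` from each conflict RDN and the conflict type, and checks whether the DN a `namingConflict` entry collides with is itself a glue entry, as it is for `sg1-replica` above. The sample input is constructed from the post's own entries.

```python
"""Triage 389-ds replication-conflict LDIF (added example, not from the post):
unfold folded lines, split entries, pair each conflict with the DN it collides
with and flag when that DN is itself a glue entry."""
import re
# Constructed sample built from the conflict and glue entries shown in the post.
SAMPLE_LDIF = """\
# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100
 ,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters
 ,cn=ipa,cn=etc,dc=noc,dc=net

dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
nsds5replconflict: deletedEntryHasChildren
objectClass: glue

search: 2
result: 0 Success
"""
CONFLICT_RE = re.compile(r"^(?P<kind>\w+)(?: \((?P<op>\w+)\))?(?: (?P<dn>.+))?$")
UID_RE = re.compile(r"\+nsuniqueid=([0-9a-f-]+),", re.I)

def parse_entries(text: str) -> list[dict[str, list[str]]]:
    """LDIF -> [{lower-cased attr: [values]}]; comment lines and the trailing
    search:/result: block (which has no dn) are dropped."""
    entries = []
    # RFC 2849: a newline followed by one space folds a long line.
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text)):
        cur: dict[str, list[str]] = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                cur.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in cur:
            entries.append(cur)
    return entries

def triage(text: str) -> list[dict[str, object]]:
    """One record per entry carrying nsds5ReplConflict (conflict or glue)."""
    entries = parse_entries(text)
    glue = {e["dn"][0] for e in entries if "glue" in map(str.lower, e.get("objectclass", []))}
    out = []
    for e in (e for e in entries if "nsds5replconflict" in e):
        dn, m = e["dn"][0], CONFLICT_RE.match(e["nsds5replconflict"][0])
        uid, target = UID_RE.search(dn), m["dn"] or ""
        out.append({"dn": dn, "kind": m["kind"], "op": m["op"] or "",
                    "collides_with": target, "nsuniqueid": uid[1] if uid else "",
                    "is_glue": dn in glue, "collides_with_glue": target in glue})
    return out
```

Running `triage` over a real dump (e.g. the output of the `ldapsearch` with `\*` above) gives one record per conflict, so the `nsuniqueid` values and the glue relationship can be reviewed before anything is touched.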
