So in my case I would need to do the "Renaming an Entry with a Multi-Valued Naming Attribute" procedure on both IPA01 and IPA02?
Would another way of doing this be to remove IPA01 (and later IPA02) as a replication-master and then re-add it? I ask this because I have about 70 of these entries. I think they are there because I was using a perl script (which used the perl ldap->add function) to create new user entries and for a while the script called this (ldap->add) on IPA then IPA02 immediately after.

-Ron

On 09/03/2014 02:24 PM, Rich Megginson wrote:
> On 09/03/2014 02:44 PM, Ron wrote:
>> By the way, all three replica servers show the same:
>>
>> [root@ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>> dn:
>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>
>>
>> [root@ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>> dn:
>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>
>>
>> [root@ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>> dn:
>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>
>
> These appear to be replication conflict entries. Not sure what
> happened. See
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
>>
>> On 09/03/2014 12:26 PM, Rob Crittenden wrote:
>>> Ron wrote:
>>>> And here is the result of the user-show command:
>>>> [root@ipa slapd-pxxx-abc-CA]# ipa user-show --all --raw phys210e
>>>> ipa: ERROR: phys210e: user not found
>>> Sorry, thinko on my part. Do ipa user-find --all --raw --login phys210e
>>>
>>> user-show is going to have the same issue as user-delete.
>>>
>>> rob
>>>
>>>>
>>>> On 09/03/2014 10:43 AM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for
>>>>>> the DEL operation and see what was the error code that DS gave
>>>>>> when it refused to delete the user?
>>>>> Were I to guess the issue is that this is a replication conflict
>>>>> entry. If you do:
>>>>>
>>>>> # ipa user-show --all --raw phys210e |grep dn:
>>>>>
>>>>> It will likely begin with nsuniqueid=<hex>, ...
>>>>>
>>>>> The reason it can be found and not deleted is we create the dn to be
>>>>> removed, we don't search for it. So the user uid=phys210e,cn=users,...
>>>>> etc doesn't exist but the user nsuniqueid=<hex> ... does.
>>>>>
>>>>> You'll need to use ldapmodify or ldapdelete to remove the entry
>>>>> though I'd check your other masters to see what the state of the
>>>>> user is there.
>>>>>
>>>>> rob
>>>>>
>>>>>> Martin
>>>>>>
>>>>>> On 09/03/2014 06:18 PM, Ron wrote:
>>>>>>> user-find sees a user but user-del cannot remove it. What can I
>>>>>>> do?
>>>>>>> Thanks.
>>>>>>> Regards,
>>>>>>> Ron
>>>>>>>
>>>>>>> [root@ipa]# ipa user-find --login phys210e
>>>>>>> --------------
>>>>>>> 1 user matched
>>>>>>> --------------
>>>>>>> User login: phys210e
>>>>>>> First name: Testing
>>>>>>> Last name: Phys210
>>>>>>> Home directory: /home2/phys210e
>>>>>>> Login shell: /bin/bash
>>>>>>> Email address: phys2...@pxxx.abc.ca
>>>>>>> UID: 15010
>>>>>>> GID: 15010
>>>>>>> Account disabled: False
>>>>>>> Password: True
>>>>>>> Kerberos keys available: False
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 1
>>>>>>> ----------------------------
>>>>>>> [root@ipa]# ipa user-del phys210e --continue
>>>>>>> ---------------
>>>>>>> Deleted user ""
>>>>>>> ---------------
>>>>>>> Failed to remove: phys210e
>>>>>>>
>>>>>>>
>>>>>>> [root@ipa]# cat /etc/redhat-release
>>>>>>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>>>>>>>
>>>>>>> [root@ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>> ipa-admintools-3.0.0-37.el6.i686
>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>> libipa_hbac-1.9.2-129.el6_5.4.i686
>>>>>>> ipa-server-selinux-3.0.0-37.el6.i686
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> libipa_hbac-python-1.9.2-129.el6_5.4.i686
>>>>>>> ipa-server-3.0.0-37.el6.i686
>>>>>>> ipa-python-3.0.0-37.el6.i686
>>>>>>> ipa-client-3.0.0-37.el6.i686
>>>>>>> 389-ds-base-libs-1.2.11.15-33.el6_5.i686
>>>>>>> 389-ds-base-1.2.11.15-33.el6_5.i686
>>>> --
>>>> Ron Parachoniak
>>>> Systems Manager, Department of Physics & Astronomy
>>>> University of British Columbia, Vancouver, B.C. V6T 1Z1
>>>> Phone: (604) 838-6437
>>>>
>>
>
--
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C. V6T 1Z1
Phone: (604) 838-6437
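
The point made in the thread, that user-del builds the DN `uid=<login>,cn=users,...` instead of searching for it, can be checked across many entries at once. The following is an added example, not part of the original thread or of FreeIPA: it takes a list of DNs (constructed sample data; the `dc=example,dc=test` suffix, the function names and the "orphan"/"duplicate" labels are assumptions), finds those whose first RDN carries `nsuniqueid=`, and reports whether the plain DN also exists.

```python
# Constructed sample DNs, shaped like the output quoted in the thread (not real data).
SAMPLE_DNS = [
    "nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=example,dc=test",
    "nsuniqueid=0a1b2c3d-11111111-22222222-33333333+uid=bob,cn=users,cn=accounts,dc=example,dc=test",
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
]

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped separators inside a value."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def conflict_info(dn):
    """Return (nsuniqueid, plain_dn) when the first RDN is nsuniqueid=...+attr=..., else None."""
    rdns = split_unescaped(dn, ",")
    avas = split_unescaped(rdns[0], "+")
    uniq = [a for a in avas if a.lower().startswith("nsuniqueid=")]
    rest = [a for a in avas if not a.lower().startswith("nsuniqueid=")]
    if not uniq or not rest:
        return None
    plain = ",".join(["+".join(rest)] + rdns[1:])  # the DN a tool would build from the login
    return uniq[0].split("=", 1)[1], plain

def report(dns):
    """List conflict-style DNs; 'orphan' means the plain DN is absent, 'duplicate' means both exist."""
    present = {d.lower() for d in dns}
    out = []
    for dn in dns:
        info = conflict_info(dn)
        if info:
            state = "duplicate" if info[1].lower() in present else "orphan"
            out.append((dn, info[1], state))
    return out

if __name__ == "__main__":
    for dn, plain, state in report(SAMPLE_DNS):
        print(state, dn, "->", plain)
```

An "orphan" row matches the situation in this thread: the entry is found by search, but a delete addressed to the plain DN has nothing to act on.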