Ah, ok. As Rob advised, you will need to delete it via the ldapdelete CLI or via
any LDAP GUI application of choice.

BTW, this is the upstream ticket tracking better means to resolve replication
conflicts:
https://fedorahosted.org/freeipa/ticket/1025

Martin

On 09/03/2014 10:44 PM, Ron wrote:
> By the way, all three replica servers show the same:
> 
> [root@ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>   dn:
> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
> 
> [root@ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>   dn:
> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
> 
> [root@ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>   dn:
> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
> 
> On 09/03/2014 12:26 PM, Rob Crittenden wrote:
>> Ron wrote:
>>> And here is the result of the user-show command:
>>> [root@ipa slapd-pxxx-abc-CA]# ipa user-show --all --raw phys210e
>>> ipa: ERROR: phys210e: user not found
>> Sorry, thinko on my part. Do ipa user-find --all --raw --login phys210e
>>
>> user-show is going to have the same issue as user-delete.
>>
>> rob
>>
>>>
>>>
>>> On 09/03/2014 10:43 AM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for the DEL
>>>>> operation and see what was the error code that DS gave when it refused to
>>>>> delete the user?
>>>> Were I to guess, the issue is that this is a replication conflict entry.
>>>> If you do:
>>>>
>>>> # ipa user-show --all --raw phys210e |grep dn:
>>>>
>>>> It will likely begin with nsuniqueid=<hex>, ...
>>>>
>>>> The reason it can be found and not deleted is we create the dn to be
>>>> removed, we don't search for it. So the user uid=phys210e,cn=users,...
>>>> etc doesn't exist but the user nsuniqueid=<hex> ... does.
>>>>
>>>> You'll need to use ldapmodify or ldapdelete to remove the entry though
>>>> I'd check your other masters to see what the state of the user is there.
>>>>
>>>> rob
>>>>
>>>>> Martin
>>>>>
>>>>> On 09/03/2014 06:18 PM, Ron wrote:
>>>>>> user-find sees a user but user-del cannot remove it.  What can I do?
>>>>>> Thanks.
>>>>>> Regards,
>>>>>> Ron
>>>>>>
>>>>>> [root@ipa]# ipa user-find --login phys210e
>>>>>> --------------
>>>>>> 1 user matched
>>>>>> --------------
>>>>>>   User login: phys210e
>>>>>>   First name: Testing
>>>>>>   Last name: Phys210
>>>>>>   Home directory: /home2/phys210e
>>>>>>   Login shell: /bin/bash
>>>>>>   Email address: phys2...@pxxx.abc.ca
>>>>>>   UID: 15010
>>>>>>   GID: 15010
>>>>>>   Account disabled: False
>>>>>>   Password: True
>>>>>>   Kerberos keys available: False
>>>>>> ----------------------------
>>>>>> Number of entries returned 1
>>>>>> ----------------------------
>>>>>> [root@ipa]# ipa user-del phys210e --continue
>>>>>> ---------------
>>>>>> Deleted user ""
>>>>>> ---------------
>>>>>>   Failed to remove: phys210e
>>>>>>
>>>>>>
>>>>>> [root@ipa]# cat /etc/redhat-release
>>>>>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>>>>>>
>>>>>> [root@ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> ipa-admintools-3.0.0-37.el6.i686
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>> libipa_hbac-1.9.2-129.el6_5.4.i686
>>>>>> ipa-server-selinux-3.0.0-37.el6.i686
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> libipa_hbac-python-1.9.2-129.el6_5.4.i686
>>>>>> ipa-server-3.0.0-37.el6.i686
>>>>>> ipa-python-3.0.0-37.el6.i686
>>>>>> ipa-client-3.0.0-37.el6.i686
>>>>>> 389-ds-base-libs-1.2.11.15-33.el6_5.i686
>>>>>> 389-ds-base-1.2.11.15-33.el6_5.i686
>>>
>>> -- 
>>> Ron Parachoniak
>>> Systems Manager, Department of Physics & Astronomy
>>> University of British Columbia, Vancouver, B.C.  V6T 1Z1
>>> Phone: (604) 838-6437
>>>
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
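
Added example (not part of the thread and not FreeIPA's own tooling): a bash filter that picks replication conflict entries, the nsuniqueid=<hex>+uid=... DNs Rob describes, out of ldapsearch LDIF so they can be reviewed before being handed to ldapdelete. The function names, the sample LDIF and the dc=example,dc=com base are constructed for illustration.

```bash
#!/bin/bash
# Added example: helper names and sample data below are constructed.

# Read LDIF on stdin, unfold wrapped lines (a continuation line starts with
# one space) and print the DN of every entry whose leading RDN has the form
# nsuniqueid=<id>+..., which is how 389 DS names a replication conflict entry.
conflict_dns() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # folded continuation line
              { emit(); buf = $0 }                # new logical line starts
        END   { emit() }
        function emit() {
            if (tolower(buf) ~ /^dn: nsuniqueid=[0-9a-f-]+\+/)
                print substr(buf, 5)              # strip the "dn: " prefix
        }
    '
}

# Constructed sample: one normal user and one conflict entry whose DN is
# folded across two lines, as ldapsearch prints long values by default.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: nsuniqueid=0a1b2c3d-11112222-33334444-55556666+uid=bob,cn=users,cn=accou
 nts,dc=example,dc=com
nsds5ReplConflict: namingConflict uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
EOF
}

# Offline demonstration: prints only the conflict entry's full DN.
sample_ldif | conflict_dns

# Against a live server (run on each master, compare, review the file first):
#   ldapsearch -x -D "cn=Directory Manager" -W -b "dc=example,dc=com" \
#       "(nsds5ReplConflict=*)" dn | conflict_dns > conflicts.txt
#   ldapdelete -x -D "cn=Directory Manager" -W -f conflicts.txt
```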
