On 09/05/2014 12:44 AM, Martin Kosek wrote:
On 09/04/2014 10:31 PM, Ron wrote:
So I tried to delete an entry on IPA01 without success:

[root@ipa01 ~]# ldapdelete -D
"uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x
"cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
Enter LDAP Password:
ldap_delete: Server is unwilling to perform (53)
     additional info: Deleting a managed entry is not allowed. It needs
to be manually unlinked first

Same problem if I try to use ldapmodify:

[root@ipa01 ~]# ldapmodify -D
"uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x
Enter LDAP Password:
dn:
cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca
changetype: modrdn
newrdn: uid=19000
deleteoldrdn: 0

modifying rdn of entry
"cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
ldap_rename: Server is unwilling to perform (53)
     additional info: Renaming a managed entry is not allowed. It needs
to be manually unlinked first.

(19000 is just an unused uid)

Would this be because of the private group associated with the user?
Exactly.

How do I unlink the entry?  Would I use the following?
ipa group-detach userxyz
You would normally use it, but I am not sure it would work given that group DN
is changed with the nsuniqueid RDN.

However, you can manually detach the group with ldapmodify:

$ kinit admin
$ ipa group-show fbar --all --raw
   dn: cn=fbar,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
   cn: fbar
   description: User private group for fbar
   gidnumber: 82600004
   ipaUniqueID: 2fbdbdd2-34c7-11e4-a98a-001a4a2221bf
   mepManagedBy: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
   objectClass: posixgroup
   objectClass: ipaobject
   objectClass: mepManagedEntry
   objectClass: top

$ ldapmodify -Y GSSAPI -h `hostname`
SASL/GSSAPI authentication started
SASL username: ad...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
dn: cn=fbar,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
changetype: modify
delete: objectClass
objectClass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test

modifying entry "cn=fbar,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test"


Now the ldapdelete on group should work.

Is this procedure documented somewhere?


Thanks again for all your help!
-Ron

On 09/04/2014 02:48 AM, Martin Kosek wrote:
Ah, ok. As Rob advised, you will need to delete it via ldapdelete CLI or via
any LDAP GUI application of choice.

BTW, this is upstream ticket tracking better means to resolve replication
conflicts:
https://fedorahosted.org/freeipa/ticket/1025

Martin

On 09/03/2014 10:44 PM, Ron wrote:
By the way, all three replica servers show the same:

[root@ipa]# ipa user-find --all --raw --login phys210e | grep dn:
   dn:
nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca

[root@ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
   dn:
nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca

[root@ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
   dn:
nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to