Gronde, Christopher (Contractor) wrote:
> Is it possible to delete the mapping and try it and if it doesn't work or 
> breaks something else add it back?  How would I go about deleting this 
> mapping?  Or adding the mapping for principal name in the right order?

So what I'd do is this:

Do the same cn=mappping ldapsearch on the working master to see what the
differences are. Determine if this is an ordering problem or if there is
just extra gunk on this non-working master.

And compare the versions of 389-ds: rpm -q 389-ds-base. They should be
the same. If not then maybe one supports the new ordering and one doesn't.


1. Stop dirsrv
2. cp dse.ldif dse.ldif.mappings
3. edit dse.ldif to match your findings. Either re-order the entries or
remove ones you don't need (or both).
4. Start dirsrv
5. Start krb5kdc

Step 1 is super important because 389-ds writes dse.ldif on shutdown so
all changes made while the service is running will be lost.

You can also do this via ldapmodify but it is far easier and less error
prone to use your favorite editor in this case.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to