On Tue, 23 Aug 2016, Zak Wolfinger wrote:
We were in the final stages of migrating FreeIPA from 3.0 to 4.2.
During the migration, both the 3.0 replicas and the 4.2 replicas were
in the replica pool.  User account changes made to 3.0 would replicate
to 4.2 just fine, but changes wouldn’t replicate from 4.2 to 3.0.

Admins should have been aware of this and performing all changes to the
3.0 replicas.  However 2 accounts were created on the 4.2 replicas and
then also added to the 3.0 replicas.  This resulted in a replication
conflict and each user account has a duplicate with the same username
but different UIDs.

I want to delete the duplicates.  “ipa user-del” will not take the UID
as an identifier, only the username.  Using just the username fails
with an error due to the duplicate accounts.

The old 3.0 replicas have all been removed from the pool and
decommissioned.  It would be tons of work to bring them back into
production.

Any thoughts on how to fix this issue?

You can delete the wrong entry using ldapdelete.

Search for the records with 'ipa user-find' first:

[root ipa]# ipa user-find --all --raw --login myuser | grep dn:
 dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=myuser,cn=users,cn=accounts,dc=xxxx,dc=exampe,dc=com

This gives you a DN of the conflict entry. Now you can delete it with
ldapdelete:

[root ipa]# ldapdelete -Y GSSAPI nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=myuser,cn=users,cn=accounts,dc=xxxx,dc=exampe,dc=com

--
/ Alexander Bokovoy
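
Added example, not part of the original message or of FreeIPA: a dry-run helper that separates conflict DNs (first RDN of the form nsuniqueid=...+uid=..., as in the reply above) from normal user DNs and refuses to plan a delete unless exactly one normal entry remains. The function names, the healthy uid=myuser entry and the uidNumber values are constructed for illustration.

```shell
#!/bin/sh
# Dry run: list ldapdelete commands for replication-conflict user entries
# without touching the directory.

# Constructed sample of `ipa user-find --all --raw --login myuser` output.
sample_output() {
cat <<'EOF'
  dn: uid=myuser,cn=users,cn=accounts,dc=xxxx,dc=exampe,dc=com
  uid: myuser
  uidNumber: 1001
  dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=myuser,cn=users,cn=accounts,dc=xxxx,dc=exampe,dc=com
  uid: myuser
  uidNumber: 1002
EOF
}

# Print every DN found on stdin, one per line.
all_dns() {
    sed -n 's/^[[:space:]]*dn:[[:space:]]*//p'
}

# Print only DNs whose first RDN is the multi-valued nsuniqueid=...+uid=... form.
conflict_dns() {
    all_dns | grep -E '^nsuniqueid=[0-9a-fA-F-]+\+uid=[^,]+,' || true
}

# Emit one ldapdelete command per conflict DN. Refuse unless exactly one
# normal (uid=...) entry would survive, so the only copy is never removed.
plan_deletes() {
    input=$(cat)
    normal=$(printf '%s\n' "$input" | all_dns | grep -c '^uid=' || true)
    if [ "$normal" -ne 1 ]; then
        echo "refusing: expected 1 normal entry, found $normal" >&2
        return 1
    fi
    printf '%s\n' "$input" | conflict_dns | while IFS= read -r dn; do
        printf "ldapdelete -Y GSSAPI '%s'\n" "$dn"
    done
}

sample_output | plan_deletes
```

On a real server, pipe the `ipa user-find --all --raw --login <user>` output into `plan_deletes` and review the printed commands before running them.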
