On 21.12.2016 12:08, Ludwig Krispenz wrote:
On 12/21/2016 05:11 AM, Ian Chen wrote:
hello list,
I tried to search for an answer, but no solution has come up yet. Please help.
The setup with multiple nodes has IPA version:
ipa-server-4.1.0-18.el7.centos.4.x86_64
After adding a replication with an old node, a replication conflict
occurred.
---- node104
dn: nsuniqueid=5820a804-af9211e6-bbce8d9c-0794b841+uid=test2,cn=users,cn=accounts,dc=...
uid: test2
nsds5ReplConflict: namingConflict uid=test2,cn=users,cn=accounts,dc=...
krbPrincipalName: test2@...
krbLastPwdChange: 20161220054653Z
krbPasswordExpiration: 20170320054653Z
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d
---- node203
dn: uid=test2,cn=users,cn=accounts,dc=...
uid: test2
krbPrincipalName: test2@...
krbLastPwdChange: 20161220054653Z
krbPasswordExpiration: 20170320054653Z
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d
I tried to rename the RDN following this
https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.4/html/FreeIPA_Guide/ipa-replica-manage.html
hello,
guide ^ is deprecated, please use the
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
For replication conflicts, this guide is useful:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
Martin
but when trying to delete uid, then change RDN back to uid, there is
this error
modifying entry "cn=TempValue,cn=users,cn=accounts,dc=..."
ldap_modify: Object class violation (65)
additional info: missing attribute "uid" required by object class
"posixAccount"
I cannot delete object class posixAccount then add it back
I cannot see which commands you really tried to execute and failed, so
could you provide the full log of what you did if you want to follow
the steps in the IPA doc.
But I do not think that you need to go thru the MOD/MODRDN/...
sequence if you do not want to keep both entries. If a conflict
arises, one entry keeps the original dn, the other gets a dn with
"nsuniqueid=....+..." and the nsds5ReplConflict attribute. You can
check the entries and in most cases you just want to keep the
"original" and just delete the conflict entry.
--
Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric
Shander
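
The check Ludwig describes above, as an added example that is not part of the original thread: it reads LDIF search output, finds entries carrying nsds5ReplConflict, and compares each one with the entry that kept the original DN before anyone deletes the conflict copy. The suffix dc=example,dc=test, the sample LDIF and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the two entries quoted in the thread; the
# suffix dc=example,dc=test is a placeholder. The first dn is folded the way
# LDIF folds long lines (continuation lines start with one space).
SAMPLE_LDIF = """\
dn: nsuniqueid=5820a804-af9211e6-bbce8d9c-0794b841+uid=test2,cn=users,cn=acco
 unts,dc=example,dc=test
uid: test2
nsds5ReplConflict: namingConflict uid=test2,cn=users,cn=accounts,dc=example,dc=test
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d

dn: uid=test2,cn=users,cn=accounts,dc=example,dc=test
uid: test2
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d
"""

def parse_ldif(text):
    """Return {lowercased dn: {attr: [values]}}. Base64 values are kept encoded."""
    unfolded = re.sub(r"\n ", "", text)  # undo LDIF line folding
    entries = {}
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, value = line.split(":", 1)
            attrs.setdefault(name.lower(), []).append(value.lstrip(": ").strip())
        if "dn" in attrs:
            # Lowercasing is a simplification of real DN normalization.
            entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def find_conflicts(entries):
    """List each conflict entry, the DN it collided with, and differing attributes."""
    report = []
    for dn, attrs in entries.items():
        for marker in attrs.get("nsds5replconflict", []):
            kind, _, orig_dn = marker.partition(" ")
            original = entries.get(orig_dn.lower())
            diff = None  # None means the original entry was not in the input
            if original is not None:
                keys = (set(attrs) | set(original)) - {"nsds5replconflict"}
                diff = sorted(k for k in keys
                              if sorted(attrs.get(k, [])) != sorted(original.get(k, [])))
            report.append({"conflict_dn": dn, "kind": kind, "original_dn": orig_dn,
                           "original_found": original is not None, "differs_in": diff})
    return report

if __name__ == "__main__":
    for item in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print(item)
```

An empty differs_in list means the conflict copy carries nothing the original lacks; a non-empty list names the attributes to review before removing it.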