On 01/18/17 16:22, Ludwig Krispenz wrote:
> I think the procedure in the link about renaming is only needed if you want
> to keep both entries with a "normal" dn. But you want to get rid of the
> conflict entries. Since you have to cleanup each of them individually I
> would suggest to start with one of them.
>
> First get both the conflict entry and the normal entry and compare them:
> ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host
> Principals,cn=permissions,cn=pbac,dc=example,dc=de" -s base
> ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host
> Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de"
> -s base
>
> They should be identical.
> Next check if the conflict entry has child entries:
> ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host
> Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de"
> dn
>
> If there are no entries below the conflict entry you can remove it:
> ldapmodify - D "cn=directory manager" ......
> dn: cn=System: Manage Host
> Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
> changetype: delete
>
Of course they are not identical :-(. Worst case seems to be this
one:
% ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=DNS
Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de"
-s base
# extended LDIF
#
# LDAPv3
# base <cn=DNS
Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de>
with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# DNS Servers + 109be317-ccd911e6-a5b3d0c8-d8da17db, privileges, pbac,
example.de
dn: cn=DNS
Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS
Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Write DNS
Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Manage DNSSEC
metadata,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers
Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
% ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=DNS
Servers,cn=privileges,cn=pbac,dc=example,dc=de" -s base
# extended LDIF
#
# LDAPv3
# base <cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de> with scope
baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# DNS Servers, privileges, pbac, example.de
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers
Configuration,cn=permissions,cn=pbac,dc=example,dc=de
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Looks like the wrong record has been marked as a duplicate. Can I just copy
the missing "memberOf" attributes to the good record, delete the bad record,
and all is fine?
Next ldapmodify returned these error messages:
deleting entry
"cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
ldap_delete: Server is unwilling to perform (53)
additional info: Deleting a managed entry is not allowed. It
needs to be manually unlinked first.
deleting entry
"cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
ldap_delete: Operations error (1)
I am highly concerned especially about the "Operations error". Sounds
like something internal.
Every helpful comment is highly appreciated.
Harri
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
