On 01/18/17 16:22, Ludwig Krispenz wrote:
> I think the procedure in the link about renaming is only needed if you want 
> to keep both entries with a "normal" dn. But you want to get rid of the 
> conflict entries.  Since you have to clean up each of them individually I 
> would suggest to start with one of them.
> 
> First get both the conflict entry and the normal entry and compare them:
> ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de" -s base
> ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" -s base
> 
> They should be identical.
> Next check if the conflict entry has child entries:
> ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" dn
> 
> If there are no entries below the conflict entry you can remove it:
> ldapmodify -D "cn=directory manager" ......
> dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
> changetype: delete
> 

Of course they are not identical :-(. Worst case seems to be this
one:

% ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de" -s base
# extended LDIF
#
# LDAPv3
# base <cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# DNS Servers + 109be317-ccd911e6-a5b3d0c8-d8da17db, privileges, pbac, example.de
dn: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



% ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de" -s base
# extended LDIF
#
# LDAPv3
# base <cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# DNS Servers, privileges, pbac, example.de
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Looks like the wrong record has been marked as a duplicate. Can I just copy
the missing "memberOf" attributes to the good record, delete the bad record,
and all is fine?


Next ldapmodify returned these error messages:

        deleting entry "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
        ldap_delete: Server is unwilling to perform (53)
                additional info: Deleting a managed entry is not allowed. It needs to be manually unlinked first.


        deleting entry "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
        ldap_delete: Operations error (1)


I am highly concerned especially about the "Operations error". Sounds
like something internal.


Every helpful comment is highly appreciated.
Harri

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
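The "compare the conflict entry with the normal entry" step from Ludwig's reply, as an added example that is not part of the thread: it parses two constructed, trimmed copies of the ldapsearch outputs quoted above and lists every attribute value that one entry carries and the other lacks, so "they should be identical" becomes a check rather than an eyeball comparison. The nsuniqueid values are the ones shown in the thread; the parser assumes unwrapped output (-o ldif-wrap=no, as used above).

```python
# Constructed, trimmed copies of the two ldapsearch outputs quoted in the thread
# (taken with -o ldif-wrap=no, so there are no folded continuation lines).
CONFLICT_LDIF = """\
dn: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
objectClass: top
objectClass: groupofnames
cn: DNS Servers

# search result
result: 0 Success
"""
LIVE_LDIF = """\
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
objectClass: top
objectClass: groupofnames
cn: DNS Servers
"""


def parse_entry(text):
    """Parse the first entry of unwrapped ldapsearch output into {attribute: set(values)};
    attribute names are lowercased, '#' comments skipped, and parsing stops at the
    blank line ending the entry so the 'search:'/'result:' trailer is ignored."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() and entry:
            break
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):  # base64 (::) values are not needed here
            raise ValueError(f"unsupported LDIF line: {line!r}")
        entry.setdefault(attr.strip().lower(), set()).add(value.strip())
    return entry


def compare_entries(conflict, live):
    """attribute -> (values only on the conflict entry, values only on the live entry)
    for every attribute whose values differ; dn is skipped since the conflict RDN
    carries +nsuniqueid=... by construction. An empty result means 'identical'."""
    diff = {}
    for attr in sorted((set(conflict) | set(live)) - {"dn"}):
        a, b = conflict.get(attr, set()), live.get(attr, set())
        if a != b:
            diff[attr] = (sorted(a - b), sorted(b - a))
    return diff
```

On the samples the only differing attribute is memberOf, and one of the conflict-only values itself points at another conflict entry (the permission with +nsuniqueid=109be363-...), which is worth resolving first. In 389-ds memberOf is maintained by the MemberOf plugin from the member attribute of the referring groups, so a mismatch there points at those group entries rather than at a value to copy across by hand.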