Hi Thierry, On 01/24/17 15:01, thierry bordaz wrote: >> Hopefully yes, but there were 2 conflicts that already made some >> problems: >> >> deleting entry >> "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de" >> ldap_delete: Server is unwilling to perform (53) >> additional info: Deleting a managed entry is not allowed. It >> needs to be manually unlinked first. >> >> >> deleting entry >> "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de" >> ldap_delete: Operations error (1) >> >> I got these problems before I became more careful with this. > > This will be a difficulty to setup that script. > You may be unable to delete some entries (managed entry, tombstones..). > > I think one target of the script is to get the 'valid' entries at the > expected level: having the expected set of attribute/values. A kind of merge > of valid/conflict entries. > Then you may have to moddn some conflict children under the valid entry. > At the end, remove the conflict entries.
I agree. But I still need to work on a snapshot first, without the risk of making things worse. Would you suggest to disconnect ipabak from the network and ipa1, cleanup the mess as far as possible, and then connect ipabak to the network again to rely upon the regular replica synchroni- zation? > > As I said, setting up such script could take you more time than fixing > manually the 43 conflicts. > Maybe there is a misunderstanding about "script" here: Its not a high-end shell script with man page and command line flags and so on. It is just a sequence of variable assignments and commands to run. Goal is to avoid having to type the same stuff twice, and to make use of copy and paste in an editor. One key feature is to get something reproducible. Every helpful advice is highly welcome Harri -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
