On 01/24/2017 04:18 PM, Harald Dunkel wrote:
Hi Thierry,

On 01/24/17 15:01, thierry bordaz wrote:
Hopefully yes, but there were 2 conflicts that already made some

     deleting entry 
     ldap_delete: Server is unwilling to perform (53)
             additional info: Deleting a managed entry is not allowed. It needs 
to be manually unlinked first.

     deleting entry 
     ldap_delete: Operations error (1)

I got these problems before I became more careful with this.
This will be a difficulty to setup that script.
You may be unable to delete some entries (managed entry, tombstones..).

I think one target of the script is to get the 'valid' entries at the expected 
level: having the expected set of attribute/values. A kind of merge of 
valid/conflict entries.
Then you may have to moddn some conflict children under the valid entry.
At the end, remove the conflict entries.
I agree. But I still need to work on a snapshot first, without
the risk of making things worse.

Would you suggest to disconnect ipabak from the network and ipa1,
cleanup the mess as far as possible, and then connect ipabak
to the network again to rely upon the regular replica synchroni-

Yes, as soon as ipaback is in sync with ipa1 and you took a snapshot of ipaback, I think you can disconnect ipaback and run your script on it (iterating with the snapshot).

As I said, setting up such script could take you more time than fixing manually 
the 43 conflicts.

Maybe there is a misunderstanding about "script" here: Its not
a high-end shell script with man page and command line flags and
so on. It is just a sequence of variable assignments and commands
to run. Goal is to avoid having to type the same stuff twice, and
to make use of copy and paste in an editor. One key feature is to
get something reproducible.

Every helpful advice is highly welcome

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to