Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

Thu, 26 Jan 2017 07:59:02 -0800 


On 01/26/2017 10:55 AM, Harald Dunkel wrote:

Hi Thierry,

good new: I got rid of most of the conflicting entries. There
are only 2 left (see below). They look circular somehow.


That is excellent news. Great !


Please note that the unwanted list of ipa servers is empty. The
official list looks OK. The record for cn=ipaservers,cn=ng,cn=alt\
,dc=example,dc=de looks fine, too. It points to the official list.
So hopefully the duplicates are not a big deal.

It would be nice to get rid of both, though.


Any helpful hint is highly appreciated
Harri
------------------------------------------------------------------

% cat <<EOF | ldapmodify -D "cn=directory manager" -w secret -x

dn: 
cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
changetype: delete
EOF

deleting entry 
"cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
ldap_delete: Server is unwilling to perform (53)
         additional info: Deleting a managed entry is not allowed. It needs to 
be manually unlinked first.


% cat <<EOF | ldapmodify -D "cn=directory manager" -w secret -x

dn: 
cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
changetype: delete
EOF

deleting entry 
"cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
ldap_delete: Operations error (1)



Those entries are managed entries and it is not possible to delete them 
from direct ldap command.

A solution proposed by Ludwig is not first make them unmanaged:

cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
changetype: modify
modify: objectclass
delete: mepManagedEntry

cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
changetype: modify
modify: objectclass
delete: mepManagedEntry

Then retry to delete them.
It should work for the first one but unsure it will succeed for the second one.


% ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b 
"cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
 -s base
# extended LDIF
#
# LDAPv3
# base 
<cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de>
 with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# ipaservers + 109be304-ccd911e6-a5b3d0c8-d8da17db, ng, alt, example.de
dn: 
cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
ipaUniqueID: 15699da0-ccd9-11e6-b194-fe4936c476ff
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
description: ipaNetgroup ipaservers
cn: ipaservers
nisDomainName: example.de
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
memberHost: 
cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


% ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b 
"cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
 -s base
# extended LDIF
#
# LDAPv3
# base 
<cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de>
 with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# ipaservers + 109be302-ccd911e6-a5b3d0c8-d8da17db, hostgroups, accounts, 
example.de
dn: 
cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
ipaUniqueID: 14a4041e-ccd9-11e6-b194-fe4936c476ff
cn: ipaservers
description: IPA server hosts
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
memberOf: 
cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
























					Reply via email to