On 01/31/2017 03:37 PM, Harald Dunkel wrote:
Hi Thierry,
On 01/30/17 09:10, thierry bordaz wrote:
I understand your concern and in fact it is difficult to anticipate a
potential bad impact of this cleanup. However, I think it is safe to get rid of
the following entry.
Before doing so you may check that there exists
cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the
ipaservers_hostgroups.
dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepManagedEntry
If you are willing to remove that entry you need to remove the mepmanagedEntry
oc. So you need to remove the mepManagedBy and oc in the same operation.
Regarding the following entry
dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
You may want to check whether there exists an entry it manages, looking for
"(mepManagedBy=cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de)".
If none exists, you should be able to remove it.
Also I think working on ipabak, you should be able to do some tests on the
cleanup instance to validate everything is working fine.
This looks like a pretty high risk, even if ipabak says everything
is fine.
The major problem was the failure on Debian Wheezy using the very old
sssd. This seems to be gone now by resolving the "easy" cases.
About the "hard" cases: AFAICS
ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
doesn't list any hosts (the official entry does), and
cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
points to the duplicate entry only. They are not referenced anywhere
else in the ldap database. So I would suggest to wait and see if
I run into any problem here. Would you agree to this, or do you expect
problems later?
Hello,
I fully agree. Wait for a problem to occur, if it occurs.
In case this entry would create a problem and you are afraid of deleting
it, I think we may decide to hide it from the application (ipa).
You can do this by adding the 'objectclass: ldapsubentry'. It may be
sufficient to work around the problem, if the problem occurs.
With this option, you would keep the conflict entry and keep the
possibility to "resurrect" it later.
I highly appreciate your help
You are very welcome
thierry
Regards
Harri
regards
thierry
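
The reference check discussed in this thread, as an added example that is not part of the original messages: it scans an LDIF export for replication conflict entries (RDN containing `nsuniqueid`) and lists which other entries still point at them through `mepManagedBy` or `mepManagedEntry`. The sample LDIF is constructed from the entries quoted above, the function names are hypothetical, DN normalisation is simplified, and base64-encoded (`attr::`) values are not decoded.

```python
import re

# Constructed LDIF export, modelled on the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de

dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroup
 s,cn=accounts,dc=example,dc=de
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de

dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt
 ,dc=example,dc=de
objectClass: mepManagedEntry
mepManagedBy: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn
 =hostgroups,cn=accounts,dc=example,dc=de
"""

REF_ATTRS = {"mepmanagedby", "mepmanagedentry"}

def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around separators."""
    return re.sub(r"\s*([,+=])\s*", r"\1", dn.strip().lower())

def parse_ldif(text):
    """Return {normalised dn: [(attr, value), ...]}; unfolds wrapped lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        pairs = [tuple(s.strip() for s in l.split(":", 1)) for l in block.splitlines() if ":" in l]
        dn = next((v for a, v in pairs if a.lower() == "dn"), None)
        if dn:
            entries[norm(dn)] = [(a.lower(), v) for a, v in pairs if a.lower() != "dn"]
    return entries

def conflict_references(text):
    """Map each conflict entry (nsuniqueid in its RDN) to the DNs that point at it."""
    entries = parse_ldif(text)
    conflicts = {dn: [] for dn in entries if "+nsuniqueid=" in dn.split(",", 1)[0]}
    for dn, attrs in entries.items():
        for attr, value in attrs:
            if attr in REF_ATTRS and norm(value) in conflicts:
                conflicts[norm(value)].append(dn)
    return conflicts

if __name__ == "__main__":
    for dn, refs in conflict_references(SAMPLE_LDIF).items():
        print(dn, "<-", refs or "no references")
```

An empty reference list only covers the two managed-entry attributes checked here; other attributes (for example group membership) would need to be added to `REF_ATTRS`.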