On 01/31/2017 03:37 PM, Harald Dunkel wrote:
Hi Thierry,

On 01/30/17 09:10, thierry bordaz wrote:
I understand your concern and in fact it is difficult to anticipate a  
potential bad impact of this cleanup. However,I think it is safe to get rid of 
the following entry.
Before doing so you may check it exists

cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the 
ipaservers_hostgoups.

dn: 
cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepManagedEntry


If you are willing to remove that entry you need to remove the mepmanagedEntry 
oc. So you need to remove the mepManagedBy and oc in the same operation


Regarding the following entry
  dn: 
cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de

You may want to check if it exists an entry it manages, looking for 
"(mepManagedBy=
cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
)". If it exists none, you should be able to remove it.

Also I think working on ipabak, you should be able to do some tests on the 
cleanup instance to validate everything is working fine.

This looks like a pretty high risk, even if ipabak says everything
is fine.

The major problem was the failure on Debian Wheezy using the very old
sssd. This seems to be gone now by resolving the "easy" cases.

About the "hard" cases: AFAICS

ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de

doesn't list any hosts (the official entry does), and

cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de

points to the duplicate entry only. They are not referenced anywhere
else in the ldap database. So I would suggest to wait and see if
I run in any problem here. Would you agree to this, or do you expect
problems later?
Hello,

I fully agree. Wait for a problem to occur, if it occurs.
In case this entry would create a problem and you are afraid of deleting it, I think we may decide to hide it to the application (ipa). You can do this by adding the 'objectclass: ldapsubentry'. It may be suffisant to workaround the problem, if the problem occurs. With this option, you would keep the conflict entry and keep the possibility to "resurrect" it later.


I highly appreciate your help
You are very welcome
thierry

Regards
Harri





regards
thierry


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to