On 01/31/2017 03:37 PM, Harald Dunkel wrote:
Hi Thierry,

On 01/30/17 09:10, thierry bordaz wrote:
I understand your concern and in fact it is difficult to anticipate a  
potential bad impact of this cleanup. However,I think it is safe to get rid of 
the following entry.
Before doing so you may check it exists

cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the 

mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepManagedEntry

If you are willing to remove that entry you need to remove the mepmanagedEntry 
oc. So you need to remove the mepManagedBy and oc in the same operation

Regarding the following entry
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de

You may want to check if it exists an entry it manages, looking for 
)". If it exists none, you should be able to remove it.

Also I think working on ipabak, you should be able to do some tests on the 
cleanup instance to validate everything is working fine.

This looks like a pretty high risk, even if ipabak says everything
is fine.

The major problem was the failure on Debian Wheezy using the very old
sssd. This seems to be gone now by resolving the "easy" cases.

About the "hard" cases: AFAICS


doesn't list any hosts (the official entry does), and


points to the duplicate entry only. They are not referenced anywhere
else in the ldap database. So I would suggest to wait and see if
I run in any problem here. Would you agree to this, or do you expect
problems later?

I fully agree. Wait for a problem to occur, if it occurs.
In case this entry would create a problem and you are afraid of deleting it, I think we may decide to hide it to the application (ipa). You can do this by adding the 'objectclass: ldapsubentry'. It may be suffisant to workaround the problem, if the problem occurs. With this option, you would keep the conflict entry and keep the possibility to "resurrect" it later.

I highly appreciate your help
You are very welcome



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to