On 02/16/2017 01:32 PM, Tiemen Ruiten wrote:
Hello,

I have a FreeIPA setup in which some masters suffered a few uncontrolled shutdowns, and now there are replication conflicts (which prevent setting the Domain Level to 1).

I was trying to follow the instructions here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html

But unfortunately I'm not getting anywhere. This is the result of an ldapsearch for replication conflicts:


    [root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b
    "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=ipa,dc=rdmedia,dc=com> with scope subtree
    # filter: nsds5ReplConflict=*
    # requesting: * nsds5ReplConflict
    #
    # servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns,
    ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn:
    cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc
     =rdmedia,dc=com
    objectClass: nsContainer
    objectClass: top
    cn: servers
    nsds5ReplConflict: namingConflict
    cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com
    # System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae,
    permissions, pbac, ipa.
    rdmedia.com <http://rdmedia.com>
    dn: cn=System: Add
    CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis
     sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaca)
    ipaPermRight: add
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Add CA
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=CA
    Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: add
    ca,cn=permissions,cn=pbac,dc=
ipa,dc=rdmedia,dc=com
    # System: Delete CA + 334bfbe9-cdae11e6-8a85a70a-bda98fae,
    permissions, pbac, i
    pa.rdmedia.com <http://pa.rdmedia.com>
    dn: cn=System: Delete
    CA+nsuniqueid=334bfbe9-cdae11e6-8a85a70a-bda98fae,cn=per
     missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaca)
    ipaPermRight: delete
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Delete CA
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=CA
    Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: delete
    ca,cn=permissions,cn=pbac,
     dc=ipa,dc=rdmedia,dc=com
    # System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae,
    permissions, pbac, i
    pa.rdmedia.com <http://pa.rdmedia.com>
    dn: cn=System: Modify
    CA+nsuniqueid=334bfbed-cdae11e6-8a85a70a-bda98fae,cn=per
     missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaca)
    ipaPermRight: write
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Modify CA
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=CA
    Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: description
    ipaPermDefaultAttr: cn
    ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: modify
    ca,cn=permissions,cn=pbac,
     dc=ipa,dc=rdmedia,dc=com
    # System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae,
    permissions, pbac, ip
    a.rdmedia.com <http://a.rdmedia.com>
    dn: cn=System: Read
    CAs+nsuniqueid=334bfbf1-cdae11e6-8a85a70a-bda98fae,cn=perm
     issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaca)
    ipaPermRight: read
    ipaPermRight: compare
    ipaPermRight: search
    ipaPermBindRuleType: all
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Read CAs
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    ipaPermDefaultAttr: description
    ipaPermDefaultAttr: ipacaissuerdn
    ipaPermDefaultAttr: objectclass
    ipaPermDefaultAttr: ipacasubjectdn
    ipaPermDefaultAttr: ipacaid
    ipaPermDefaultAttr: cn
    ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: read
    cas,cn=permissions,cn=pbac,d
     c=ipa,dc=rdmedia,dc=com
    # System: Modify DNS Servers Configuration +
    334bfbf6-cdae11e6-8a85a70a-bda98fa
     e, permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Modify DNS Servers
    Configuration+nsuniqueid=334bfbf6-cdae11e6-8
     a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
    ipaPermRight: write
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Modify DNS Servers Configuration
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: idnssoamname
    ipaPermDefaultAttr: idnssubstitutionvariable
    ipaPermDefaultAttr: idnsforwardpolicy
    ipaPermDefaultAttr: idnsforwarders
    ipaPermLocation: dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: modify dns servers
    configuration,
     cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Read DNS Servers Configuration +
    334bfbfa-cdae11e6-8a85a70a-bda98fae,
      permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Read DNS Servers
    Configuration+nsuniqueid=334bfbfa-cdae11e6-8a8
     5a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
    ipaPermRight: read
    ipaPermRight: compare
    ipaPermRight: search
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Read DNS Servers Configuration
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    member: cn=DNS Servers,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: idnsforwardpolicy
    ipaPermDefaultAttr: objectclass
    ipaPermDefaultAttr: idnsforwarders
    ipaPermDefaultAttr: idnsserverid
    ipaPermDefaultAttr: idnssubstitutionvariable
    ipaPermDefaultAttr: idnssoamname
    ipaPermLocation: dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: read dns servers
    configuration,cn
     =permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Manage Host Principals +
    334bfc0b-cdae11e6-8a85a70a-bda98fae, permiss
     ions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Manage Host
    Principals+nsuniqueid=334bfc0b-cdae11e6-8a85a70a-bd
     a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipahost)
    ipaPermRight: write
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Manage Host Principals
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=Host
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    member: cn=Host
    Enrollment,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: krbprincipalname
    ipaPermDefaultAttr: krbcanonicalname
    ipaPermLocation: cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: manage host
    principals,cn=permiss
     ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Add IPA Locations + 334bfc20-cdae11e6-8a85a70a-bda98fae,
    permissions,
      pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Add IPA
    Locations+nsuniqueid=334bfc20-cdae11e6-8a85a70a-bda98fa
     e,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaLocationObject)
    ipaPermRight: add
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Add IPA Locations
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: add ipa
    locations,cn=permissions,
     cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Modify IPA Locations +
    334bfc24-cdae11e6-8a85a70a-bda98fae, permissio
     ns, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Modify IPA
    Locations+nsuniqueid=334bfc24-cdae11e6-8a85a70a-bda9
     8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaLocationObject)
    ipaPermRight: write
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Modify IPA Locations
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: description
    ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: modify ipa
    locations,cn=permissio
     ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Read IPA Locations +
    334bfc28-cdae11e6-8a85a70a-bda98fae, permissions
     , pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Read IPA
    Locations+nsuniqueid=334bfc28-cdae11e6-8a85a70a-bda98f
     ae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaLocationObject)
    ipaPermRight: read
    ipaPermRight: compare
    ipaPermRight: search
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Read IPA Locations
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: objectclass
    ipaPermDefaultAttr: description
    ipaPermDefaultAttr: idnsname
    ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: read ipa
    locations,cn=permissions
     ,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Remove IPA Locations +
    334bfc2c-cdae11e6-8a85a70a-bda98fae, permissio
     ns, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Remove IPA
    Locations+nsuniqueid=334bfc2c-cdae11e6-8a85a70a-bda9
     8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaLocationObject)
    ipaPermRight: delete
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Remove IPA Locations
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: remove ipa
    locations,cn=permissio
     ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Read Locations of IPA Servers +
    334bfc30-cdae11e6-8a85a70a-bda98fae,
     permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Read Locations of IPA
    Servers+nsuniqueid=334bfc30-cdae11e6-8a85
     a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaConfigObject)
    ipaPermRight: read
    ipaPermRight: compare
    ipaPermRight: search
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Read Locations of IPA Servers
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: objectclass
    ipaPermDefaultAttr: ipaserviceweight
    ipaPermDefaultAttr: ipalocation
    ipaPermDefaultAttr: cn
    ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: read locations of ipa
    servers,cn=
     permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Read Status of Services on IPA Servers +
    334bfc34-cdae11e6-8a85a70a-b
     da98fae, permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Read Status of Services on IPA
    Servers+nsuniqueid=334bfc34-cdae
     11e6-8a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaConfigObject)
    ipaPermRight: read
    ipaPermRight: compare
    ipaPermRight: search
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Read Status of Services on IPA Servers
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=DNS
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermDefaultAttr: objectclass
    ipaPermDefaultAttr: ipaconfigstring
    ipaPermDefaultAttr: cn
    ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: read status of
    services on ipa se
     rvers,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Manage Service Principals +
    334bfc38-cdae11e6-8a85a70a-bda98fae, perm
     issions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Manage Service
    Principals+nsuniqueid=334bfc38-cdae11e6-8a85a70a
     -bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=ipaservice)
    ipaPermRight: write
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Manage Service Principals
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=Service
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=c
     om
    ipaPermDefaultAttr: krbprincipalname
    ipaPermDefaultAttr: krbcanonicalname
    ipaPermLocation: cn=services,cn=accounts,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: manage service
    principals,cn=perm
     issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # System: Manage User Principals +
    334bfc45-cdae11e6-8a85a70a-bda98fae, permiss
     ions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: cn=System: Manage User
    Principals+nsuniqueid=334bfc45-cdae11e6-8a85a70a-bd
     a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    ipaPermTargetFilter: (objectclass=posixaccount)
    ipaPermRight: write
    ipaPermBindRuleType: permission
    ipaPermissionType: V2
    ipaPermissionType: MANAGED
    ipaPermissionType: SYSTEM
    cn: System: Manage User Principals
    objectClass: ipapermission
    objectClass: top
    objectClass: groupofnames
    objectClass: ipapermissionv2
    member: cn=User
    Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    member: cn=Modify Users and Reset
    passwords,cn=privileges,cn=pbac,dc=ipa,dc=rd
     media,dc=com
    ipaPermDefaultAttr: krbprincipalname
    ipaPermDefaultAttr: krbcanonicalname
    ipaPermLocation: cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict cn=system: manage user
    principals,cn=permiss
     ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
    # locations + 334bfba2-cdae11e6-8a85a70a-bda98fae, etc,
    ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn:
    cn=locations+nsuniqueid=334bfba2-cdae11e6-8a85a70a-bda98fae,cn=etc,dc=ipa,
     dc=rdmedia,dc=com
    objectClass: nsContainer
    objectClass: top
    cn: locations
    nsds5ReplConflict: namingConflict
    cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
    aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
    3.0;acl "permi
     ssion:System: Add IPA Locations";allow (add) groupdn =
    "ldap:///cn=System: Ad
     d IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
    aci: (targetattr = "description")(targetfilter =
    "(objectclass=ipaLocationObje
     ct)")(version 3.0;acl "permission:System: Modify IPA
    Locations";allow (write)
      groupdn = "ldap:///cn=System: Modify IPA
    Locations,cn=permissions,cn=pbac,dc
     =ipa,dc=rdmedia,dc=com";)
    aci: (targetattr = "createtimestamp || description || entryusn ||
    idnsname ||
     modifytimestamp || objectclass")(targetfilter =
    "(objectclass=ipaLocationObje
     ct)")(version 3.0;acl "permission:System: Read IPA
    Locations";allow (compare,
     read,search) groupdn = "ldap:///cn=System: Read IPA
    Locations,cn=permissions,
     cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
    aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
    3.0;acl "permi
     ssion:System: Remove IPA Locations";allow (delete) groupdn =
    "ldap:///cn=Syst
     em: Remove IPA
    Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
    # neon.ipa.rdmedia.com <http://neon.ipa.rdmedia.com> +
    1b780d06-017611e6-966aeb96-de53d9d8, computers, accoun
     ts, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn: fqdn=neon.ipa.rdmedia.com
    
<http://neon.ipa.rdmedia.com>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
     n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
    krbExtraData::
    AAJIQA5XaG9zdC9uZW9uLmlwYS5yZG1lZGlhLmNvbUBJUEEuUkRNRURJQS5DT00
     A
    enrolledBy: uid=admin,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com
    krbLastPwdChange: 20160413124912Z
    krbPrincipalKey::
    MIIBKKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBEDCCAQwwS6FJMEegAwIBEqFA
     
BD4gAPd2yVptQC/d3mk7xdb3skL+KkkUzewAxCF0FJgXXuBVt1y2GHtnhzILNe91amjovgXAFEujn
     
8x6YrwHXDA7oTkwN6ADAgERoTAELhAAPbI3gwakFyt9EnCqDLWst6FeXKO0Fwvx3+gZZOGmYQpr0Z
     
ujLLtmJuJVmS8wQ6FBMD+gAwIBEKE4BDYYABMJXEKVH2Yn4nGzJ5woqDjO2dVUx8nQ+1NSi6dREwy
     
8T+7VrbdVOpaQgkUx4czwkhxKvVcwO6E5MDegAwIBF6EwBC4QABWhTKkWc50oJlpSw/FK2yhl+ZUo
     MZt0XHA/xdPXDD3DxGV5cx2MgvJEhJzs
    cn: neon.ipa.rdmedia.com <http://neon.ipa.rdmedia.com>
    objectClass: ipaobject
    objectClass: ieee802device
    objectClass: nshost
    objectClass: ipaservice
    objectClass: pkiuser
    objectClass: ipahost
    objectClass: krbprincipal
    objectClass: krbprincipalaux
    objectClass: ipasshhost
    objectClass: top
    objectClass: ipaSshGroupOfPubKeys
    fqdn: neon.ipa.rdmedia.com <http://neon.ipa.rdmedia.com>
    managedBy: fqdn=neon.ipa.rdmedia.com
    <http://neon.ipa.rdmedia.com>,cn=computers,cn=accounts,dc=ipa,dc=rdmedi
     a,dc=com
    krbPrincipalName: host/neon.ipa.rdmedia....@ipa.rdmedia.com
    <mailto:neon.ipa.rdmedia....@ipa.rdmedia.com>
    serverHostName: neon
    ipaUniqueID: 1eaa355c-0176-11e6-8dd5-001a4aa7101c
    krbPwdPolicyReference: cn=Default Host Password
    Policy,cn=computers,cn=account
     s,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplConflict: namingConflict fqdn=neon.ipa.rdmedia.com
    <http://neon.ipa.rdmedia.com>,cn=computers,cn=ac
     counts,dc=ipa,dc=rdmedia,dc=com
    # cas + 334bfba8-cdae11e6-8a85a70a-bda98fae, ca, ipa.rdmedia.com
    <http://ipa.rdmedia.com>
    dn:
    cn=cas+nsuniqueid=334bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdme
     dia,dc=com
    objectClass: nsContainer
    objectClass: top
    cn: cas
    nsds5ReplConflict: namingConflict
    cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
    aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
    "permission:System
     : Add CA";allow (add) groupdn = "ldap:///cn=System: Add
    CA,cn=permissions,cn=
     pbac,dc=ipa,dc=rdmedia,dc=com";)
    aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
    "permission:System
     : Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete
    CA,cn=permis
     sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
    aci: (targetattr = "cn || description")(targetfilter =
    "(objectclass=ipaca)")(
     version 3.0;acl "permission:System: Modify CA";allow (write)
    groupdn = "ldap:
     ///cn=System: Modify
    CA,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
    aci: (targetattr = "cn || createtimestamp || description ||
    entryusn || ipacai
     d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
    objectclass")(targ
     etfilter = "(objectclass=ipaca)")(version 3.0;acl
    "permission:System: Read CA
     s";allow (compare,read,search) userdn = "ldap:///all";;)
    # custodia + 334bfbdb-cdae11e6-8a85a70a-bda98fae, ipa, etc,
    ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn:
    cn=custodia+nsuniqueid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,d
     c=ipa,dc=rdmedia,dc=com
    objectClass: nsContainer
    objectClass: top
    cn: custodia
    nsds5ReplConflict: namingConflict
    cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,
     dc=com
    # domain + 334bfb9e-cdae11e6-8a85a70a-bda98fae, topology, ipa,
    etc, ipa.rdmedia
     .com
    dn:
    cn=domain+nsuniqueid=334bfb9e-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ip
     a,cn=etc,dc=ipa,dc=rdmedia,dc=com
    nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
    internalModifiersName in
     ternalModifyTimestamp
    ipaReplTopoConfRoot: dc=ipa,dc=rdmedia,dc=com
    objectClass: top
    objectClass: iparepltopoconf
    nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE
    entryusn krblasts
     uccessfulauth krblastfailedauth krbloginfailedcount
    nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
    idnssoaserial
      entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
    cn: domain
    nsds5ReplConflict: namingConflict
    cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,d
     c=rdmedia,dc=com
    # ca + 334bfbe0-cdae11e6-8a85a70a-bda98fae, topology, ipa, etc,
    ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn:
    cn=ca+nsuniqueid=334bfbe0-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ipa,cn
     =etc,dc=ipa,dc=rdmedia,dc=com
    objectClass: top
    objectClass: iparepltopoconf
    cn: ca
    ipaReplTopoConfRoot: o=ipaca
    nsds5ReplConflict: namingConflict
    cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=rd
     media,dc=com
    # dogtag + 334bfbdd-cdae11e6-8a85a70a-bda98fae, custodia +
    334bfbdb-cdae11e6-8a
     85a70a-bda98fae, ipa, etc, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn:
    cn=dogtag+nsuniqueid=334bfbdd-cdae11e6-8a85a70a-bda98fae,cn=custodia+nsuni
     
queid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=
     com
    objectClass: nsContainer
    objectClass: top
    cn: dogtag
    nsds5ReplConflict: namingConflict
    cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=ipa,d
     c=rdmedia,dc=com
    # lawrencium + 6c7e3d83-c11711e6-8a85a70a-bda98fae,
    ipa.rdmedia.com <http://ipa.rdmedia.com>., dns, ipa.
    rdmedia.com <http://rdmedia.com>
    dn:
    idnsName=lawrencium+nsuniqueid=6c7e3d83-c11711e6-8a85a70a-bda98fae,idnsnam
     e=ipa.rdmedia.com
    <http://ipa.rdmedia.com>.,cn=dns,dc=ipa,dc=rdmedia,dc=com
    aRecord: 192.168.50.55
    dNSTTL: 1200
    objectClass: idnsRecord
    objectClass: top
    idnsName: lawrencium
    nsds5ReplConflict: namingConflict
    idnsname=lawrencium,idnsname=ipa.rdmedia.com <http://ipa.rdmedia.com>
     .,cn=dns,dc=ipa,dc=rdmedia,dc=com
    # mendelevium + e5710f85-c5c511e6-8a85a70a-bda98fae,
    ipa.rdmedia.com <http://ipa.rdmedia.com>., dns, ipa
     .rdmedia.com <http://rdmedia.com>
    dn:
    idnsName=mendelevium+nsuniqueid=e5710f85-c5c511e6-8a85a70a-bda98fae,idnsna
     me=ipa.rdmedia.com
    <http://ipa.rdmedia.com>.,cn=dns,dc=ipa,dc=rdmedia,dc=com
    aRecord: 192.168.50.52
    dNSTTL: 1200
    objectClass: idnsRecord
    objectClass: top
    idnsName: mendelevium
    nsds5ReplConflict: namingConflict
    idnsname=mendelevium,idnsname=ipa.rdmedia.co <http://ipa.rdmedia.co>
     m.,cn=dns,dc=ipa,dc=rdmedia,dc=com
    # 41 + e764de07-5e2f11e6-bd76eb96-de53d9d8,
    120.100.10.in-addr.arpa., dns, ipa.
    rdmedia.com <http://rdmedia.com>
    dn:
    idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10
     0.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
    objectClass: top
    objectClass: idnsrecord
    pTRRecord: arsenica.ipa.rdmedia.com <http://arsenica.ipa.rdmedia.com>.
    idnsName: 41
    nsds5ReplConflict: namingConflict
    idnsname=41,idnsname=120.100.10.in-addr.arpa
     .,cn=dns,dc=ipa,dc=rdmedia,dc=com
    # ipa + 58d90aec-cdae11e6-8a85a70a-bda98fae, cas +
    334bfba8-cdae11e6-8a85a70a-b
     da98fae, ca, ipa.rdmedia.com <http://ipa.rdmedia.com>
    dn:
    cn=ipa+nsuniqueid=58d90aec-cdae11e6-8a85a70a-bda98fae,cn=cas+nsuniqueid=33
     4bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdmedia,dc=com
    description: IPA CA
    ipaCaIssuerDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
    <http://IPA.RDMEDIA.COM>
    objectClass: top
    objectClass: ipaca
    ipaCaSubjectDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
    <http://IPA.RDMEDIA.COM>
    ipaCaId: 21547c03-13c3-4f4f-992b-b0257012d1c1
    cn: ipansds5ReplConflict
    nsds5ReplConflict: namingConflict
    cn=ipa,cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
    # search result
    search: 2
    result: 0 Success
    # numResponses: 28
    # numEntries: 27


So when I try eg. this...

    [root@moscovium ~]# ldapmodify -x -D "cn=directory manager" -W -h
    moscovium.ipa.rdmedia.com <http://moscovium.ipa.rdmedia.com> -p 389
    Enter LDAP Password:
    dn: fqdn=neon.ipa.rdmedia.com
    
<http://neon.ipa.rdmedia.com>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
     n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
    changetype: modrdn
    newrdn fqdn=neontemp.ipa.rdmedia.com <http://neontemp.ipa.rdmedia.com>
    deleteoldrdn: 0

The line has to be
newrdn: fqdn=neontemp.ipa.rdmedia.com
The ":" after "newrdn" was missing.
But you don't always have to do the modrdn steps; they are only needed if you want to keep the conflict entry under a different DN.

I would suggest you run the search for conflicts again, returning only the nsds5ReplConflict attribute; requesting only that attribute also keeps sensitive values such as krbPrincipalKey out of output that gets pasted into a public list. You then get something like:

dn: idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict idnsname=mendelevium,idnsname=ipa.rdmedia.com.,cn=dns,dc=ipa,dc=rdmedia,dc=com


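Next, do a search for both entries: the conflict entry and the one referenced in its nsds5ReplConflict attribute. Compare their attributes first (several conflict entries in the output above carry aci or member values), so that the copy you delete is not the only one holding them. If the original entry exists and you want to keep it, you can just delete the conflict entry: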

ldapmodify -x -D "cn=directory manager" ....
dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
 n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
changetype: delete

...I get:

    ldapmodify: invalid format (line 3) entry:
    "fqdn=neon.ipa.rdmedia.com
    
<http://neon.ipa.rdmedia.com>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com"

So my question: what can I do to resolve the conflicts?

--
Tiemen Ruiten
Systems Engineer
R&D Media



--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander
