Hello,
I have a FreeIPA setup in which some masters suffered a few
uncontrolled shutdowns, and now there are replication conflicts (which
prevent me from setting the Domain Level to 1).
I was trying to follow the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
But unfortunately I'm not getting anywhere. This is the result of an
ldapsearch for replication conflicts:
[root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b
"dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=rdmedia,dc=com> with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns,
ipa.rdmedia.com <http://ipa.rdmedia.com>
dn:
cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc
=rdmedia,dc=com
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict
cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com
# System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ipa.
rdmedia.com <http://rdmedia.com>
dn: cn=System: Add
CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis
sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: add
ca,cn=permissions,cn=pbac,dc=
ipa,dc=rdmedia,dc=com
# System: Delete CA + 334bfbe9-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, i
pa.rdmedia.com <http://pa.rdmedia.com>
dn: cn=System: Delete
CA+nsuniqueid=334bfbe9-cdae11e6-8a85a70a-bda98fae,cn=per
missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: delete
ca,cn=permissions,cn=pbac,
dc=ipa,dc=rdmedia,dc=com
# System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, i
pa.rdmedia.com <http://pa.rdmedia.com>
dn: cn=System: Modify
CA+nsuniqueid=334bfbed-cdae11e6-8a85a70a-bda98fae,cn=per
missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: modify
ca,cn=permissions,cn=pbac,
dc=ipa,dc=rdmedia,dc=com
# System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ip
a.rdmedia.com <http://a.rdmedia.com>
dn: cn=System: Read
CAs+nsuniqueid=334bfbf1-cdae11e6-8a85a70a-bda98fae,cn=perm
issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: read
cas,cn=permissions,cn=pbac,d
c=ipa,dc=rdmedia,dc=com
# System: Modify DNS Servers Configuration +
334bfbf6-cdae11e6-8a85a70a-bda98fa
e, permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Modify DNS Servers
Configuration+nsuniqueid=334bfbf6-cdae11e6-8
a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: idnssoamname
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: idnsforwarders
ipaPermLocation: dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: modify dns servers
configuration,
cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Read DNS Servers Configuration +
334bfbfa-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Read DNS Servers
Configuration+nsuniqueid=334bfbfa-cdae11e6-8a8
5a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: read dns servers
configuration,cn
=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Manage Host Principals +
334bfc0b-cdae11e6-8a85a70a-bda98fae, permiss
ions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Manage Host
Principals+nsuniqueid=334bfc0b-cdae11e6-8a85a70a-bd
a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
member: cn=Host
Enrollment,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: manage host
principals,cn=permiss
ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Add IPA Locations + 334bfc20-cdae11e6-8a85a70a-bda98fae,
permissions,
pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Add IPA
Locations+nsuniqueid=334bfc20-cdae11e6-8a85a70a-bda98fa
e,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: add ipa
locations,cn=permissions,
cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Modify IPA Locations +
334bfc24-cdae11e6-8a85a70a-bda98fae, permissio
ns, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Modify IPA
Locations+nsuniqueid=334bfc24-cdae11e6-8a85a70a-bda9
8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: description
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: modify ipa
locations,cn=permissio
ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Read IPA Locations +
334bfc28-cdae11e6-8a85a70a-bda98fae, permissions
, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Read IPA
Locations+nsuniqueid=334bfc28-cdae11e6-8a85a70a-bda98f
ae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: description
ipaPermDefaultAttr: idnsname
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: read ipa
locations,cn=permissions
,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Remove IPA Locations +
334bfc2c-cdae11e6-8a85a70a-bda98fae, permissio
ns, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Remove IPA
Locations+nsuniqueid=334bfc2c-cdae11e6-8a85a70a-bda9
8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Remove IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: remove ipa
locations,cn=permissio
ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Read Locations of IPA Servers +
334bfc30-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Read Locations of IPA
Servers+nsuniqueid=334bfc30-cdae11e6-8a85
a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Locations of IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaserviceweight
ipaPermDefaultAttr: ipalocation
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: read locations of ipa
servers,cn=
permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Read Status of Services on IPA Servers +
334bfc34-cdae11e6-8a85a70a-b
da98fae, permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Read Status of Services on IPA
Servers+nsuniqueid=334bfc34-cdae
11e6-8a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Status of Services on IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaconfigstring
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: read status of
services on ipa se
rvers,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Manage Service Principals +
334bfc38-cdae11e6-8a85a70a-bda98fae, perm
issions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Manage Service
Principals+nsuniqueid=334bfc38-cdae11e6-8a85a70a
-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Service Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Service
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=c
om
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=services,cn=accounts,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: manage service
principals,cn=perm
issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# System: Manage User Principals +
334bfc45-cdae11e6-8a85a70a-bda98fae, permiss
ions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: cn=System: Manage User
Principals+nsuniqueid=334bfc45-cdae11e6-8a85a70a-bd
a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage User Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
member: cn=Modify Users and Reset
passwords,cn=privileges,cn=pbac,dc=ipa,dc=rd
media,dc=com
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: manage user
principals,cn=permiss
ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
# locations + 334bfba2-cdae11e6-8a85a70a-bda98fae, etc,
ipa.rdmedia.com <http://ipa.rdmedia.com>
dn:
cn=locations+nsuniqueid=334bfba2-cdae11e6-8a85a70a-bda98fae,cn=etc,dc=ipa,
dc=rdmedia,dc=com
objectClass: nsContainer
objectClass: top
cn: locations
nsds5ReplConflict: namingConflict
cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
3.0;acl "permi
ssion:System: Add IPA Locations";allow (add) groupdn =
"ldap:///cn=System: Ad
d IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
aci: (targetattr = "description")(targetfilter =
"(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Modify IPA
Locations";allow (write)
groupdn = "ldap:///cn=System: Modify IPA
Locations,cn=permissions,cn=pbac,dc
=ipa,dc=rdmedia,dc=com";)
aci: (targetattr = "createtimestamp || description || entryusn ||
idnsname ||
modifytimestamp || objectclass")(targetfilter =
"(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Read IPA
Locations";allow (compare,
read,search) groupdn = "ldap:///cn=System: Read IPA
Locations,cn=permissions,
cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
3.0;acl "permi
ssion:System: Remove IPA Locations";allow (delete) groupdn =
"ldap:///cn=Syst
em: Remove IPA
Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
# neon.ipa.rdmedia.com <http://neon.ipa.rdmedia.com> +
1b780d06-017611e6-966aeb96-de53d9d8, computers, accoun
ts, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn: fqdn=neon.ipa.rdmedia.com
<http://neon.ipa.rdmedia.com>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
krbExtraData::
AAJIQA5XaG9zdC9uZW9uLmlwYS5yZG1lZGlhLmNvbUBJUEEuUkRNRURJQS5DT00
A
enrolledBy: uid=admin,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com
krbLastPwdChange: 20160413124912Z
krbPrincipalKey::
MIIBKKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBEDCCAQwwS6FJMEegAwIBEqFA
BD4gAPd2yVptQC/d3mk7xdb3skL+KkkUzewAxCF0FJgXXuBVt1y2GHtnhzILNe91amjovgXAFEujn
8x6YrwHXDA7oTkwN6ADAgERoTAELhAAPbI3gwakFyt9EnCqDLWst6FeXKO0Fwvx3+gZZOGmYQpr0Z
ujLLtmJuJVmS8wQ6FBMD+gAwIBEKE4BDYYABMJXEKVH2Yn4nGzJ5woqDjO2dVUx8nQ+1NSi6dREwy
8T+7VrbdVOpaQgkUx4czwkhxKvVcwO6E5MDegAwIBF6EwBC4QABWhTKkWc50oJlpSw/FK2yhl+ZUo
MZt0XHA/xdPXDD3DxGV5cx2MgvJEhJzs
cn: neon.ipa.rdmedia.com <http://neon.ipa.rdmedia.com>
objectClass: ipaobject
objectClass: ieee802device
objectClass: nshost
objectClass: ipaservice
objectClass: pkiuser
objectClass: ipahost
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
fqdn: neon.ipa.rdmedia.com <http://neon.ipa.rdmedia.com>
managedBy: fqdn=neon.ipa.rdmedia.com
<http://neon.ipa.rdmedia.com>,cn=computers,cn=accounts,dc=ipa,dc=rdmedi
a,dc=com
krbPrincipalName: host/[email protected]
<mailto:[email protected]>
serverHostName: neon
ipaUniqueID: 1eaa355c-0176-11e6-8dd5-001a4aa7101c
krbPwdPolicyReference: cn=Default Host Password
Policy,cn=computers,cn=account
s,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict fqdn=neon.ipa.rdmedia.com
<http://neon.ipa.rdmedia.com>,cn=computers,cn=ac
counts,dc=ipa,dc=rdmedia,dc=com
# cas + 334bfba8-cdae11e6-8a85a70a-bda98fae, ca, ipa.rdmedia.com
<http://ipa.rdmedia.com>
dn:
cn=cas+nsuniqueid=334bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdme
dia,dc=com
objectClass: nsContainer
objectClass: top
cn: cas
nsds5ReplConflict: namingConflict
cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add
CA,cn=permissions,cn=
pbac,dc=ipa,dc=rdmedia,dc=com";)
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System
: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete
CA,cn=permis
sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
aci: (targetattr = "cn || description")(targetfilter =
"(objectclass=ipaca)")(
version 3.0;acl "permission:System: Modify CA";allow (write)
groupdn = "ldap:
///cn=System: Modify
CA,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
aci: (targetattr = "cn || createtimestamp || description ||
entryusn || ipacai
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
objectclass")(targ
etfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System: Read CA
s";allow (compare,read,search) userdn = "ldap:///all";)
# custodia + 334bfbdb-cdae11e6-8a85a70a-bda98fae, ipa, etc,
ipa.rdmedia.com <http://ipa.rdmedia.com>
dn:
cn=custodia+nsuniqueid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,d
c=ipa,dc=rdmedia,dc=com
objectClass: nsContainer
objectClass: top
cn: custodia
nsds5ReplConflict: namingConflict
cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,
dc=com
# domain + 334bfb9e-cdae11e6-8a85a70a-bda98fae, topology, ipa,
etc, ipa.rdmedia
.com
dn:
cn=domain+nsuniqueid=334bfb9e-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ip
a,cn=etc,dc=ipa,dc=rdmedia,dc=com
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in
ternalModifyTimestamp
ipaReplTopoConfRoot: dc=ipa,dc=rdmedia,dc=com
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE
entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain
nsds5ReplConflict: namingConflict
cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,d
c=rdmedia,dc=com
# ca + 334bfbe0-cdae11e6-8a85a70a-bda98fae, topology, ipa, etc,
ipa.rdmedia.com <http://ipa.rdmedia.com>
dn:
cn=ca+nsuniqueid=334bfbe0-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ipa,cn
=etc,dc=ipa,dc=rdmedia,dc=com
objectClass: top
objectClass: iparepltopoconf
cn: ca
ipaReplTopoConfRoot: o=ipaca
nsds5ReplConflict: namingConflict
cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=rd
media,dc=com
# dogtag + 334bfbdd-cdae11e6-8a85a70a-bda98fae, custodia +
334bfbdb-cdae11e6-8a
85a70a-bda98fae, ipa, etc, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn:
cn=dogtag+nsuniqueid=334bfbdd-cdae11e6-8a85a70a-bda98fae,cn=custodia+nsuni
queid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=
com
objectClass: nsContainer
objectClass: top
cn: dogtag
nsds5ReplConflict: namingConflict
cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=ipa,d
c=rdmedia,dc=com
# lawrencium + 6c7e3d83-c11711e6-8a85a70a-bda98fae,
ipa.rdmedia.com <http://ipa.rdmedia.com>., dns, ipa.
rdmedia.com <http://rdmedia.com>
dn:
idnsName=lawrencium+nsuniqueid=6c7e3d83-c11711e6-8a85a70a-bda98fae,idnsnam
e=ipa.rdmedia.com
<http://ipa.rdmedia.com>.,cn=dns,dc=ipa,dc=rdmedia,dc=com
aRecord: 192.168.50.55
dNSTTL: 1200
objectClass: idnsRecord
objectClass: top
idnsName: lawrencium
nsds5ReplConflict: namingConflict
idnsname=lawrencium,idnsname=ipa.rdmedia.com <http://ipa.rdmedia.com>
.,cn=dns,dc=ipa,dc=rdmedia,dc=com
# mendelevium + e5710f85-c5c511e6-8a85a70a-bda98fae,
ipa.rdmedia.com <http://ipa.rdmedia.com>., dns, ipa
.rdmedia.com <http://rdmedia.com>
dn:
idnsName=mendelevium+nsuniqueid=e5710f85-c5c511e6-8a85a70a-bda98fae,idnsna
me=ipa.rdmedia.com
<http://ipa.rdmedia.com>.,cn=dns,dc=ipa,dc=rdmedia,dc=com
aRecord: 192.168.50.52
dNSTTL: 1200
objectClass: idnsRecord
objectClass: top
idnsName: mendelevium
nsds5ReplConflict: namingConflict
idnsname=mendelevium,idnsname=ipa.rdmedia.co <http://ipa.rdmedia.co>
m.,cn=dns,dc=ipa,dc=rdmedia,dc=com
# 41 + e764de07-5e2f11e6-bd76eb96-de53d9d8,
120.100.10.in-addr.arpa., dns, ipa.
rdmedia.com <http://rdmedia.com>
dn:
idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10
0.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
objectClass: top
objectClass: idnsrecord
pTRRecord: arsenica.ipa.rdmedia.com <http://arsenica.ipa.rdmedia.com>.
idnsName: 41
nsds5ReplConflict: namingConflict
idnsname=41,idnsname=120.100.10.in-addr.arpa
.,cn=dns,dc=ipa,dc=rdmedia,dc=com
# ipa + 58d90aec-cdae11e6-8a85a70a-bda98fae, cas +
334bfba8-cdae11e6-8a85a70a-b
da98fae, ca, ipa.rdmedia.com <http://ipa.rdmedia.com>
dn:
cn=ipa+nsuniqueid=58d90aec-cdae11e6-8a85a70a-bda98fae,cn=cas+nsuniqueid=33
4bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdmedia,dc=com
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
<http://IPA.RDMEDIA.COM>
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
<http://IPA.RDMEDIA.COM>
ipaCaId: 21547c03-13c3-4f4f-992b-b0257012d1c1
cn: ipansds5ReplConflict
nsds5ReplConflict: namingConflict
cn=ipa,cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 28
# numEntries: 27
So when I try, e.g., this...
[root@moscovium ~]# ldapmodify -x -D "cn=directory manager" -W -h
moscovium.ipa.rdmedia.com <http://moscovium.ipa.rdmedia.com> -p 389
Enter LDAP Password:
dn: fqdn=neon.ipa.rdmedia.com
<http://neon.ipa.rdmedia.com>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
changetype: modrdn
newrdn fqdn=neontemp.ipa.rdmedia.com <http://neontemp.ipa.rdmedia.com>
deleteoldrdn: 0