Thank you very much Ludwig, that worked. I had to do a ldapdelete -r (recursive) to remove a few containers which apparently had some tombstone entries in them. Domain is now running at level 1!
On 16 February 2017 at 13:58, Ludwig Krispenz <lkris...@redhat.com> wrote:
>
> On 02/16/2017 01:32 PM, Tiemen Ruiten wrote:
>
> Hello,
>
> I have a FreeIPA setup in which some masters suffered from a few
> uncontrolled shutdowns and now there are replication conflicts (which
> prevent from setting the Domain Level to 1).
>
> I was trying to follow the instructions here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
>
> But unfortunately I'm not getting anywhere. This is the result of an
> ldapsearch for replication conflicts:
>
>> [root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=ipa,dc=rdmedia,dc=com> with scope subtree
>> # filter: nsds5ReplConflict=*
>> # requesting: * nsds5ReplConflict
>> #
>> # servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns, ipa.rdmedia.com
>> dn: cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc=rdmedia,dc=com
>> objectClass: nsContainer
>> objectClass: top
>> cn: servers
>> nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com
>> # System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae, permissions, pbac, ipa.
>> 10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
>> # ipa + 58d90aec-cdae11e6-8a85a70a-bda98fae, cas + 334bfba8-cdae11e6-8a85a70a-bda98fae, ca, ipa.rdmedia.com
>> dn: cn=ipa+nsuniqueid=58d90aec-cdae11e6-8a85a70a-bda98fae,cn=cas+nsuniqueid=334bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdmedia,dc=com
>> description: IPA CA
>> ipaCaIssuerDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
>> objectClass: top
>> objectClass: ipaca
>> ipaCaSubjectDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
>> ipaCaId: 21547c03-13c3-4f4f-992b-b0257012d1c1
>> cn: ipansds5ReplConflict
>> nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>> # search result
>> search: 2
>> result: 0 Success
>> # numResponses: 28
>> # numEntries: 27
>
>
> So when I try eg. this...
>
>> [root@moscovium ~]# ldapmodify -x -D "cn=directory manager" -W -h moscovium.ipa.rdmedia.com -p 389
>> Enter LDAP Password:
>> dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>> changetype: modrdn
>> newrdn fqdn=neontemp.ipa.rdmedia.com
>> deleteoldrdn: 0
>
> It has to be
> newrdn: fqdn=neontemp.ipa.rdmedia.com
> the ":" was missing.
> But you don't always have to do the modrdn steps, only if you want to keep
> the conflict entry under a different dn.
>
> I would suggest you do the search for conflicts again, and just returning
> the nsds5ReplConflict attribute, you get then something like:
> dn: idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
> nsds5ReplConflict: namingConflict idnsname=mendelevium,idnsname=ipa.rdmedia.com.,cn=dns,dc=ipa,dc=rdmedia,dc=com
>
>
> next do a search for both entries, the conflict entry and the one
> referenced in the nsds5ReplConflict attribute, if the original entry
> exists and you want to keep this, you can just delete the conflict entry
>
> ldapmodify -x -D "cn=directory manager" ....
> dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
> changetype: delete
>
>
> ...I get:
>
>> ldapmodify: invalid format (line 3) entry: "fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com"
>
>
> So my question: what can I do to resolve the conflicts?
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill,
> Eric Shander
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

--
Tiemen Ruiten
Systems Engineer
R&D Media
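Added example, not part of the original thread and not FreeIPA or 389-DS code: a small Python helper for the workflow described above. It pairs each conflict entry with the original DN named in its `nsds5ReplConflict` value, writes `changetype: delete` records with child entries ahead of their containers, and checks a change record for a line missing its `:`. The function names and the trimmed sample, built from entries quoted in the thread, are assumptions of this example.

```python
import re

# Constructed sample: output of a conflict search that requests only
# nsds5ReplConflict, using three entries quoted in the thread (folded as LDIF).
SAMPLE_LDIF = """\
dn: cn=custodia+nsuniqueid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,d
 c=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,
 dc=com

dn: cn=dogtag+nsuniqueid=334bfbdd-cdae11e6-8a85a70a-bda98fae,cn=custodia+nsuni
 queid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=
 com
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=ipa,d
 c=rdmedia,dc=com

dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
 n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict fqdn=neon.ipa.rdmedia.com,cn=computers,cn=ac
 counts,dc=ipa,dc=rdmedia,dc=com
"""

# The change record from the thread, with the DN on one logical line.
BROKEN_RECORD = (
    "dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-"
    "de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com\n"
    "changetype: modrdn\n"
    "newrdn fqdn=neontemp.ipa.rdmedia.com\n"
    "deleteoldrdn: 0\n"
)

PREFIX = "namingConflict "
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*:")


def unfold(text):
    """Join LDIF continuation lines (a line starting with a space)."""
    return re.sub(r"\r?\n ", "", text)


def parse_conflicts(ldif):
    """Return [(conflict_dn, original_dn)] for entries with nsds5ReplConflict."""
    pairs = []
    for block in re.split(r"\n\s*\n", unfold(ldif).strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), value.strip())
        marker = attrs.get("nsds5replconflict", "")
        if "dn" in attrs and marker.startswith(PREFIX):
            pairs.append((attrs["dn"], marker[len(PREFIX):]))
    return pairs


def depth(dn):
    """Number of RDNs in a DN, splitting only on unescaped commas."""
    return len(re.split(r"(?<!\\),", dn))


def delete_ldif(pairs):
    """Delete records for the conflict entries, deepest DN first, so a
    conflict container is removed only after the conflict entries below it."""
    ordered = sorted(pairs, key=lambda p: depth(p[0]), reverse=True)
    return "\n".join(f"dn: {dn}\nchangetype: delete\n" for dn, _ in ordered)


def first_bad_line(record):
    """1-based number of the first logical line that is not 'attr: value',
    a comment, a '-' separator or blank; None if every line is well formed."""
    for number, line in enumerate(unfold(record).splitlines(), start=1):
        if line and line != "-" and not line.startswith("#") \
                and not ATTR_LINE.match(line):
            return number
    return None


if __name__ == "__main__":
    for conflict_dn, original_dn in parse_conflicts(SAMPLE_LDIF):
        print("conflict:", conflict_dn)
        print("original:", original_dn, "(search for it before deleting)")
    print(delete_ldif(parse_conflicts(SAMPLE_LDIF)))
    print("first malformed line:", first_bad_line(BROKEN_RECORD))
```

Requesting only `nsds5ReplConflict` in the search, as suggested in the reply, also keeps attributes such as `krbPrincipalKey` out of output that ends up pasted to a public list.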