On Thu, Mar 9, 2017 at 4:06 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On to, 09 maalis 2017, Robert Johnson wrote: > >> Hello, >> >> I am running into an odd issue haven't been able to find any information >> through searching on this issue online. >> >> Environment: We are currently have a IPA master running >> ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server. We have a mix >> of >> RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one way trust to >> a windows domain. Compatibility mode is enabled. >> >> The issue I'm seeing is that when I delete an IPA domain user through the >> web gui, the user account doesn't appear to be removed completely from the >> system. I verified via "ipa user-find" that the user is no longer in the >> system. I also checked via "ldapsearch" that the user account doesn't >> exist in the "accounts" container. However, when I look in the "users, >> compat" container, that user still exists. >> >> This is causing problems with my Solaris clients since they are pointing >> to >> the compat tree so that we can login with the windows accounts on those >> servers. The Solaris client is still seeing the account as being valid >> and >> is asking the user for a password on login which fails because the account >> doesn't exist in the IPA domain anymore. >> >> Do I need to remove the account from the ldap compat container manually or >> is the IPA user delete command (through the gui and/or command line) >> suppose to take care of this ? Or is there is some sort of clean up >> process that I have to wait for to occur before this account gets removed >> from that container ? If so, what is the time frame ? >> > Compat tree is automatically generated. It also tracks existing objects, > so any time the object is removed from the primary tree, it should be > cleared from the compat tree as well. > > If you can reliably demonstrate the problem using > http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel > free to open a bug. > > -- > / Alexander Bokovoy > So after doing some more digging using ldapsearch, I discovered some "odd" entries. It appears that all my IPA users appear to have duplicate entries under the compat tree. So on a hunch I deleted another IPA user and one of the two entries disappeared from the container. I tried to use ldapdelete (and ldapmodify) to remove the "ghost" entry using the DN I found from the search and I get a "object not found" and then it says that it matched the base tree. If I dump the whole compat tree out to a file, the ghost objects look to be exact duplicates of the original entries (minus the guid which is different). I can't seem to find a way to remove them. Any ideas ?
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project