On Thu, Mar 9, 2017 at 4:06 PM, Alexander Bokovoy <aboko...@redhat.com>

> On to, 09 maalis 2017, Robert Johnson wrote:
>> Hello,
>> I am running into an odd issue haven't been able to find any information
>> through searching on this issue online.
>> Environment: We are currently have a IPA master running
>> ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server.  We have a mix
>> of
>> RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one way trust to
>> a windows domain.  Compatibility mode is enabled.
>> The issue I'm seeing is that when I delete an IPA domain user through the
>> web gui, the user account doesn't appear to be removed completely from the
>> system.  I verified via "ipa user-find" that the user is no longer in the
>> system.  I also checked via "ldapsearch" that the user account doesn't
>> exist in the "accounts" container.  However, when I look in the "users,
>> compat" container, that user still exists.
>> This is causing problems with my Solaris clients since they are pointing
>> to
>> the compat tree so that we can login with the windows accounts on those
>> servers.  The Solaris client is still seeing the account as being valid
>> and
>> is asking the user for a password on login which fails because the account
>> doesn't exist in the IPA domain anymore.
>> Do I need to remove the account from the ldap compat container manually or
>> is the IPA user delete command (through the gui and/or command line)
>> suppose to take care of this ?  Or is there is some sort of clean up
>> process that I have to wait for to occur before this account gets removed
>> from that container ?  If so, what is the time frame ?
> Compat tree is automatically generated. It also tracks existing objects,
> so any time the object is removed from the primary tree, it should be
> cleared from the compat tree as well.
> If you can reliably demonstrate the problem using
> http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel
> free to open a bug.
> --
> / Alexander Bokovoy

So after doing some more digging using ldapsearch, I discovered some "odd"
entries.  It appears that all my IPA users appear to have duplicate entries
under the compat tree. So on a hunch I deleted another IPA user and one of
the two entries disappeared from the container.  I tried to use ldapdelete
(and ldapmodify) to remove the "ghost" entry using the DN I found from the
search and I get a "object not found" and then it says that it matched the
base tree.  If I dump the whole compat tree out to a file, the ghost
objects look to be exact duplicates of the original entries (minus the guid
which is different).  I can't seem to find a way to remove them.

Any ideas ?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to