On Thu, 09 Mar 2017, Robert Johnson wrote:
On Thu, Mar 9, 2017 at 4:06 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Thu, 09 Mar 2017, Robert Johnson wrote:


I am running into an odd issue and haven't been able to find any information
on it by searching online.

Environment: We currently have an IPA master running
ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server.  We have a mix of
RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one-way trust to
a Windows domain.  Compatibility mode is enabled.

The issue I'm seeing is that when I delete an IPA domain user through the
web gui, the user account doesn't appear to be removed completely from the
system.  I verified via "ipa user-find" that the user is no longer in the
system.  I also checked via "ldapsearch" that the user account doesn't
exist in the "accounts" container.  However, when I look in the "users,
compat" container, that user still exists.

This is causing problems with my Solaris clients, since they are pointed at
the compat tree so that we can log in with the Windows accounts on those
servers.  The Solaris client still sees the account as valid and asks the
user for a password on login, which fails because the account doesn't exist
in the IPA domain anymore.

Do I need to remove the account from the LDAP compat container manually, or
is the IPA user delete command (through the GUI and/or command line)
supposed to take care of this?  Or is there some sort of clean-up
process that I have to wait for before this account gets removed
from that container?  If so, what is the time frame?

Compat tree is automatically generated. It also tracks existing objects,
so any time the object is removed from the primary tree, it should be
cleared from the compat tree as well.

If you can reliably demonstrate the problem using
http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel
free to open a bug.

/ Alexander Bokovoy

So after doing some more digging using ldapsearch, I discovered some "odd"
entries.  It appears that all my IPA users have duplicate entries
under the compat tree. So on a hunch I deleted another IPA user, and one of
the two entries disappeared from the container.  I tried to use ldapdelete
(and ldapmodify) to remove the "ghost" entry using the DN I found from the
search, and I get an "object not found" and then it says that it matched the
base tree.  If I dump the whole compat tree out to a file, the ghost
objects look to be exact duplicates of the original entries (minus the GUID,
which is different).  I can't seem to find a way to remove them.

Any ideas ?
Demonstrate your problem using the FreeIPA demo instance, please.

Compat tree is not writable, thus you cannot delete anything from it
directly. You only can delete the original entry to cause removal of a
compat entry.

Show how it is not removed with step by step ldapsearch/ipa CLI
operations against our demo instance, please.

/ Alexander Bokovoy
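A way to turn the "dump the whole compat tree to a file" step above into something reproducible, as an added example that is not code from FreeIPA or from either poster: the script below parses an LDIF export of the compat subtree, groups entries by uid, and reports every uid that appears in more than one entry together with the attributes that differ between the copies. The embedded sample LDIF, the suffix dc=example,dc=test, the user names and the ipaUniqueID values are constructed for this example; the attribute name the compat tree really uses for its "GUID" and the exact attribute set of a real compat entry are assumptions here, not taken from the thread.

```python
"""Diagnose duplicated entries in an LDIF dump of the IPA compat tree.

Added example, not code from FreeIPA or from either poster. It reads the
output of something like
    ldapsearch -x -LLL -b cn=users,cn=compat,dc=example,dc=test > compat.ldif
groups entries by uid and reports uids that occur more than once, plus the
attributes that differ between the copies. Suffix, names, sample LDIF and
the ipaUniqueID attribute are constructed/assumed for this example.
"""
import base64
import sys
from collections import defaultdict


def parse_ldif(text):
    """Parse LDIF text into a list of {"dn": str, "attrs": {name: [values]}}.

    Handles folded continuation lines (leading space), base64 values ("::"),
    comments, a version line and blank-line entry separators. Attribute names
    are lowercased because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                                  # "attr: <value>"
            value = rest.strip()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    return entries


def find_duplicates(entries, key="uid"):
    """Return {key_value: [entries]} for key values present in more than one entry."""
    by_key = defaultdict(list)
    for entry in entries:
        for value in entry["attrs"].get(key, []):
            by_key[value].append(entry)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def differing_attributes(entries):
    """Return the set of attribute names (incl. 'dn') whose values differ across entries."""
    names = {"dn"}
    for entry in entries:
        names.update(entry["attrs"])
    diffs = set()
    for name in names:
        seen = set()
        for entry in entries:
            if name == "dn":
                seen.add((entry["dn"],))
            else:
                seen.add(tuple(sorted(entry["attrs"].get(name, []))))
        if len(seen) > 1:
            diffs.add(name)
    return diffs


# Constructed sample: two copies of uid=jdoe under the same DN that differ only
# in an (assumed) ipaUniqueID, plus one normal entry. The gecos of the first
# copy is base64-encoded to exercise "::" decoding; the description is folded.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: top
cn: John Doe
gecos:: Sm9obiBEb2U=
uid: jdoe
uidNumber: 1234500001
gidNumber: 1234500001
homeDirectory: /home/jdoe
loginShell: /bin/sh
description: constructed sample entry, not a real
  compat attribute
ipaUniqueID: 00000000-0000-0000-0000-000000000001

dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: top
cn: John Doe
gecos: John Doe
uid: jdoe
uidNumber: 1234500001
gidNumber: 1234500001
homeDirectory: /home/jdoe
loginShell: /bin/sh
description: constructed sample entry, not a real
  compat attribute
ipaUniqueID: 00000000-0000-0000-0000-000000000002

dn: uid=asmith,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
objectClass: top
cn: Alice Smith
uid: asmith
uidNumber: 1234500002
gidNumber: 1234500002
homeDirectory: /home/asmith
loginShell: /bin/sh
ipaUniqueID: 00000000-0000-0000-0000-000000000003
"""


def report(text, out=sys.stdout):
    """Print one line per duplicated uid with its DNs; return the duplicate map."""
    dups = find_duplicates(parse_ldif(text))
    for uid, copies in sorted(dups.items()):
        diffs = ", ".join(sorted(differing_attributes(copies))) or "none"
        print(f"uid={uid}: {len(copies)} copies, differing attributes: {diffs}", file=out)
        for copy in copies:
            print(f"  dn: {copy['dn']}", file=out)
    return dups


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    report(source)
```

Run it against a real dump with `python3 compat_dups.py compat.ldif` (file name assumed). The per-uid output, taken once before and once after `ipa user-del`, is the kind of step-by-step evidence the request above asks for: it shows which copy disappears and which attribute distinguishes the one that stays.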

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
