[Freeipa-users] attrlist_replace - attr_replace failed
Hello,

we have a 4-way master-master replication, which is finally working, but we still see one error:

[09/May/2018:14:21:27.882261986 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa34.bph.cxn:389/o%3Dipaca) failed.
[09/May/2018:14:21:31.827746424 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa35.bph.cxn:389/o%3Dipaca) failed.

How can we fix these?

--
Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] upgrade from 4.4 to 4.5
Hello,

we have upgraded from 4.4 to 4.5. The upgrade seems successful, but there is a small issue. Replication is in sync in the 4-way master cluster. Everything replicates: users, groups, properties. The list gives the last successful update time.

If we run

ipa-replica-manage force-sync --from

it gives back:

No status yet

a lot of times and never returns. Is this normal? Is this a bug?

CentOS Linux release 7.5.1804 (Core)
ipa-client-4.5.4-10.el7.centos.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64

--
Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
[Freeipa-users] ipa replication issues
Hello,

we are using FreeIPA in a 4-way multi-master replication setup: servers ipa14, ipa15 and ipa34, ipa35 on CentOS Linux release 7.3.1611 (Core) with version ipa-server-common-4.4.0-14.el7.centos.7.noarch.

We have an issue where one of the servers logs a missing CSN. It happens even after IPA replication is reinitialized. We are guessing that CSN 5a0a27d90006 only exists on ipa35, but we see it in those files listed on ipa15 and the error is reported there. Please see the attached file with logs.

How can we fix this?

--
Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

[root@ipa15 slapd-CXN]# tail /var/log/dirsrv/slapd-CXN/errors
[12/Apr/2018:13:26:05.231364497 +0200] NSMMReplicationPlugin - agmt="cn=ipa15.bpo.cxn-to-ipa35.bph.cxn" (ipa35:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
[12/Apr/2018:13:26:05.232377892 +0200] agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389) - Can't locate CSN 5a0a27d90006 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[12/Apr/2018:13:26:05.233482709 +0200] NSMMReplicationPlugin - changelog program - agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389): CSN 5a0a27d90006 not found, we aren't as up to date, or we purged
[12/Apr/2018:13:26:05.234574121 +0200] NSMMReplicationPlugin - agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
[12/Apr/2018:13:26:09.365978165 +0200] agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389) - Can't locate CSN 5a0a27d90006 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[12/Apr/2018:13:26:09.367651068 +0200] NSMMReplicationPlugin - changelog program - agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389): CSN 5a0a27d90006 not found, we aren't as up to date, or we purged
[12/Apr/2018:13:26:09.368795838 +0200] NSMMReplicationPlugin - agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
[12/Apr/2018:13:26:09.370046314 +0200] agmt="cn=ipa15.bpo.cxn-to-ipa35.bph.cxn" (ipa35:389) - Can't locate CSN 5a0a27d90006 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[12/Apr/2018:13:26:09.371076721 +0200] NSMMReplicationPlugin - changelog program - agmt="cn=ipa15.bpo.cxn-to-ipa35.bph.cxn" (ipa35:389): CSN 5a0a27d90006 not found, we aren't as up to date, or we purged
[12/Apr/2018:13:26:09.372024624 +0200] NSMMReplicationPlugin - agmt="cn=ipa15.bpo.cxn-to-ipa35.bph.cxn" (ipa35:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.

[root@ipa15 slapd-CXN]# ls -la /var/lib/dirsrv/slapd-CXN/cldb/
total 560
drwxr-xr-x 2 dirsrv dirsrv       7 Apr 12 10:59 .
drwxrwx--- 6 dirsrv dirsrv       6 Nov 15 15:27 ..
-rw------- 1 dirsrv dirsrv  188416 Apr 12 13:24 1265b714-cae7-8b4be16c-d336c0e2_58987d9e0004.db
-rw-r--r-- 1 dirsrv dirsrv       0 Apr 12 10:59 1265b714-cae7-8b4be16c-d336c0e2.sema
-rw------- 1 dirsrv dirsrv 3923968 Apr 12 13:13 5b1d7070-cae7-8b4be16c-d336c0e2_58987e190006.db
-rw-r--r-- 1 dirsrv dirsrv       0 Feb 23 08:01 5b1d7070-cae7-8b4be16c-d336c0e2.sema
-rw------- 1 dirsrv dirsrv      30 Nov 15 15:27 DBVERSION

[root@ipa15 slapd-CXN]# dbscan -f /var/lib/dirsrv/slapd-CXN/cldb/5b1d7070-cae7-8b4be16c-d336c0e2_58987e190006.db | grep 5a0a27d90006
[root@ipa15 slapd-CXN]# dbscan -f /var/lib/dirsrv/slapd-CXN/cldb/1265b714-cae7-8b4be16c-d336c0e2_58987d9e0004.db | grep 5a0a27d90006
[root@ipa15 slapd-CXN]#

[root@ipa35 cldb]# tail /var/log/dirsrv/slapd-CXN/errors
[10/Apr/2018:10:04:32.885553831 +0200] NSMMReplicationPlugin - agmt="cn=ipa35.bph.cxn-to-ipa34.bph.cxn" (ipa34:389): Warning: Unable to parse the response to the endReplication extended operation.
[10/Apr/2018:10:39:59.910735350 +0200] NSMMReplicationPlugin - agmt="cn=ipa35.bph.cxn-to-ipa34.bph.cxn" (ipa34:389): Warning: Unable to parse the response to the endReplication extended operation.
[11/Apr/2018:13:43:48.793517144 +0200] NSMMReplicationPlugin - agmt="cn=ipa35.bph.cxn-to-ipa34.bph.cxn" (ipa34:389): Warning: Unable to parse the response to the endReplication extended operation.
[11/Apr/2018:15:28:09.367467787 +0200] NSMMReplicationPlugin - agmt="cn=ipa35.bph.cxn-to-ipa34.bph.cxn" (ipa34:389): Warning: Unable to parse the response to the endReplication extended operation.
[11/Apr/2018:16:32:22.833697506 +0200] NSMMReplicationPlugin - agmt="cn=ipa35.bph.cxn-to-ipa34.bph.cxn" (ipa34:389): Warning: Unable to parse the response to the endReplication extended operation.
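When a multi-master topology logs "Can't locate CSN" and "must be reinitialized" messages like the ones in the post above, the first thing an operator wants is a per-agreement summary: which agreements are actually marked for reinitialisation, which CSN they are waiting for, and roughly when that CSN was generated (the leading 8 hex digits of a 389-ds CSN are a Unix timestamp). The following is an added example written for this thread; it is not code from the post, from 389-ds or from FreeIPA. It parses the plain-text errors log format shown above; the sample lines are copied from the post, plus one constructed non-agreement line to show that it is ignored.

```python
"""Summarise replication-agreement messages from a 389-ds errors log.

Added example for this thread (not code from the post, 389-ds or FreeIPA).
Reads lines in the format of /var/log/dirsrv/slapd-*/errors and groups the
agreement-scoped messages by (agreement name, consumer host).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Agreement-scoped lines, with or without the "NSMMReplicationPlugin - " and
# "changelog program - " prefixes that 389-ds puts in front of agmt="...".
AGMT_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'(?:NSMMReplicationPlugin - )?(?:changelog program - )?'
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)'
    r'(?::| -) (?P<msg>.*)$'
)
# A CSN as it appears in these messages ("Can't locate CSN 5a0a27d90006 ...").
CSN_REF = re.compile(r"\bCSN (?P<csn>[0-9a-f]{12,20})\b")

# Sample input: lines quoted in the post above, plus one constructed line that
# is not agreement-scoped and must be skipped.
SAMPLE_LINES = [
    '[12/Apr/2018:13:26:05.231364497 +0200] NSMMReplicationPlugin - agmt="cn=ipa15.bpo.cxn-to-ipa35.bph.cxn" (ipa35:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.',
    '[12/Apr/2018:13:26:05.232377892 +0200] agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389) - Can\'t locate CSN 5a0a27d90006 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.',
    '[12/Apr/2018:13:26:05.233482709 +0200] NSMMReplicationPlugin - changelog program - agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389): CSN 5a0a27d90006 not found, we aren\'t as up to date, or we purged',
    '[12/Apr/2018:13:26:05.234574121 +0200] NSMMReplicationPlugin - agmt="cn=ipa15.bpo.cxn-to-ipa34.bph.cxn" (ipa34:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.',
    '[12/Apr/2018:13:26:09.370046314 +0200] agmt="cn=ipa15.bpo.cxn-to-ipa35.bph.cxn" (ipa35:389) - Can\'t locate CSN 5a0a27d90006 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.',
    '[10/Apr/2018:10:04:32.885553831 +0200] NSMMReplicationPlugin - agmt="cn=ipa35.bph.cxn-to-ipa34.bph.cxn" (ipa34:389): Warning: Unable to parse the response to the endReplication extended operation.',
    '[10/Apr/2018:10:39:59.910735350 +0200] NSMMReplicationPlugin - agmt="cn=ipa35.bph.cxn-to-ipa34.bph.cxn" (ipa34:389): Warning: Unable to parse the response to the endReplication extended operation.',
    '[12/Apr/2018:13:26:10.000000000 +0200] constructed line - not an agreement message, ignored',
]


def csn_timestamp(csn):
    """Unix time from the leading 8 hex digits of a 389-ds CSN.

    The remaining digits carry sequence/replica information and are not
    decoded here.
    """
    return int(csn[:8], 16)


def csn_utc(csn):
    """ISO-8601 UTC rendering of the CSN's timestamp part."""
    return datetime.fromtimestamp(csn_timestamp(csn), tz=timezone.utc).isoformat()


def summarize(lines):
    """Group agreement messages by (agreement, consumer host).

    'reinit_required' is set only by the hard "must be reinitialized" message;
    the "may need to be reinitialized" wording on the CSN lookup failure is
    recorded through 'missing_csns' instead.
    """
    summary = defaultdict(lambda: {
        "reinit_required": False, "missing_csns": set(), "warnings": 0, "last_seen": None,
    })
    for line in lines:
        m = AGMT_LINE.match(line.strip())
        if not m:
            continue
        entry = summary[(m["agmt"], m["host"])]
        entry["last_seen"] = m["ts"]
        msg = m["msg"]
        if "must be reinitialized" in msg:
            entry["reinit_required"] = True
        csn = CSN_REF.search(msg)
        if csn:
            entry["missing_csns"].add(csn["csn"])
        if msg.startswith("Warning:"):
            entry["warnings"] += 1
    return dict(summary)


def agreements_needing_reinit(lines):
    """Sorted agreement names whose consumer the log says must be reinitialised."""
    return sorted(agmt for (agmt, _host), e in summarize(lines).items() if e["reinit_required"])


if __name__ == "__main__":
    for (agmt, host), e in summarize(SAMPLE_LINES).items():
        csns = ", ".join(f"{c} (~{csn_utc(c)})" for c in sorted(e["missing_csns"]))
        print(f"{agmt} -> {host}: reinit={e['reinit_required']} "
              f"warnings={e['warnings']} missing_csns=[{csns}] last={e['last_seen']}")
```

Run it against the real file with `summarize(open("/var/log/dirsrv/slapd-CXN/errors").read().splitlines())`; the decoded CSN time tells you how far back the purged change lies, which is what decides whether a simple re-initialisation of the listed consumers is enough.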
[Freeipa-users] Re: ipa replication issues
here are the results:

[root@ipa14 ~]# ldapsearch -H ldap://ipa14.bpo.cxn -o ldif-wrap=no -D "cn=directory manager" -x -W -b cn=config "objectclass=nsds5replica" nsds5replicaid nsds50ruv
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete
Was detached and deleted prior to the user's deletion.
First modified by

dn: cn=,cn=groups,cn=accounts,dc=cxn
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy

Then deleted.

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden wrote:
> Sandor Juhasz via FreeIPA-users wrote:
> > We have an entry, what after clicking delete on the UI got partially
> > deleted.
> > The compat tree entry is gone.
> > The accounts tree entry is there.
> > ldapsearch finds the entry by uid, but does fail by dn.
> > ipa user-show finds the user
> > ipa user-del says no such user
> > ldapdelete fails to delete the entry by dn with err=32
> > Web ui shows user
> > User content can be modified from ipa cli and web ui - like name, shell,
> > but cannot be deleted
> > Other entries can be created and deleted without issue.
> > We have 4way master-master replication. Tried cli on 3 and got same
> > result and issue.
> > The third is not touched and the entry is available there both accounts
> > and compat tree.
> >
> >
> > ipa-server-4.6.4-10.el7.centos.3.x86_64
> > CentOS Linux release 7.6.1810 (Core)
> >
> > On full broken master:
> > # , users, accounts, cxn
> > dn: uid=,cn=users,cn=accounts,dc=cxn
> > gecos: FOO BAR
> > displayName: FOO BAR
> > krbLastAdminUnlock: 20190807124134Z
> > krbLoginFailedCount: 0
> > memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
> > memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
> > memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
> > gidNumber:
> > uidNumber:
> > ipaUniqueID:
> > cn: BAZ
> > givenName: FOO
> > krbPrincipalName: @CXN
> > mail:
> > homeDirectory: /home/
> > sn: BAR
> > initials: cU
> > loginShell: /bin/false
> > objectClass: ipaobject
> > objectClass: person
> > objectClass: top
> > objectClass: ipasshuser
> > objectClass: inetorgperson
> > objectClass: organizationalperson
> > objectClass: krbticketpolicyaux
> > objectClass: krbprincipalaux
> > objectClass: inetuser
> > objectClass: posixaccount
> > objectClass: ipaSshGroupOfPubKeys
> > objectClass: mepOriginEntry
> > krbCanonicalName: @CXN
> > uid:
> > mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
> > krbPasswordExpiration: 20170615133527Z
> > krbLastPwdChange: 20170615133527Z
> > krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
>
> Can you check to see if the group entry exists,
> cn=,cn=groups,cn=accounts,dc=cxn via ldapsearch?
>
> rob
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete
In many cases for service users the matching group was created by either error or mistake. Those service users are mostly under some group collecting them, which is also assigned as their GID. So the leftovers were detached and deleted, so there is less confusion. So far there were no issues like this.

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Wed, Aug 7, 2019 at 4:10 PM Rob Crittenden wrote:
> Sandor Juhasz wrote:
> > Was detached and deleted prior to the user's deletion.
> > First modified by
> > dn: cn=,cn=groups,cn=accounts,dc=cxn
> > changetype: modify
> > delete: objectclass
> > objectclass: mepManagedEntry
> > -
> > delete: mepManagedBy
> >
> > Then deleted.
>
> I don't know if this is the issue or not but the user still shows:
>
> objectClass: mepOriginEntry
> mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
>
> What led you to manually disconnect the group?
>
> rob
>
> > --
> > Sándor Juhász
> > System Administrator
> > ChemAxon Kft.
> > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > Cell: +36704258964
> >
> >
> > On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden wrote:
> >
> > Sandor Juhasz via FreeIPA-users wrote:
> > > We have an entry, what after clicking delete on the UI got partially
> > > deleted.
> > > The compat tree entry is gone.
> > > The accounts tree entry is there.
> > > ldapsearch finds the entry by uid, but does fail by dn.
> > > ipa user-show finds the user
> > > ipa user-del says no such user
> > > ldapdelete fails to delete the entry by dn with err=32
> > > Web ui shows user
> > > User content can be modified from ipa cli and web ui - like name, shell,
> > > but cannot be deleted
> > > Other entries can be created and deleted without issue.
> > > We have 4way master-master replication. Tried cli on 3 and got same
> > > result and issue.
> > > The third is not touched and the entry is available there both accounts
> > > and compat tree.
> > >
> > >
> > > ipa-server-4.6.4-10.el7.centos.3.x86_64
> > > CentOS Linux release 7.6.1810 (Core)
> > >
> > > On full broken master:
> > > # , users, accounts, cxn
> > > dn: uid=,cn=users,cn=accounts,dc=cxn
> > > gecos: FOO BAR
> > > displayName: FOO BAR
> > > krbLastAdminUnlock: 20190807124134Z
> > > krbLoginFailedCount: 0
> > > memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
> > > memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
> > > memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
> > > gidNumber:
> > > uidNumber:
> > > ipaUniqueID:
> > > cn: BAZ
> > > givenName: FOO
> > > krbPrincipalName: @CXN
> > > mail:
> > > homeDirectory: /home/
> > > sn: BAR
> > > initials: cU
> > > loginShell: /bin/false
> > > objectClass: ipaobject
> > > objectClass: person
> > > objectClass: top
> > > objectClass: ipasshuser
> > > objectClass: inetorgperson
> > > objectClass: organizationalperson
> > > objectClass: krbticketpolicyaux
> > > objectClass: krbprincipalaux
> > > objectClass: inetuser
> > > objectClass: posixaccount
> > > objectClass: ipaSshGroupOfPubKeys
> > > objectClass: mepOriginEntry
> > > krbCanonicalName: @CXN
> > > uid:
> > > mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
> > > krbPasswordExpiration: 20170615133527Z
> > > krbLastPwdChange: 20170615133527Z
> > > krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
> >
> > Can you check to see if the group entry exists,
> > cn=,cn=groups,cn=accounts,dc=cxn via ldapsearch?
> >
> > rob
> >
[Freeipa-users] ipa user-del and UI fails, as well, ldapdelete
We have an entry which, after clicking delete on the UI, got partially deleted.
The compat tree entry is gone.
The accounts tree entry is there.
ldapsearch finds the entry by uid, but does fail by dn.
ipa user-show finds the user
ipa user-del says no such user
ldapdelete fails to delete the entry by dn with err=32
Web UI shows user
User content can be modified from ipa cli and web UI - like name, shell, but cannot be deleted
Other entries can be created and deleted without issue.
We have 4-way master-master replication. Tried cli on 3 and got the same result and issue.
The third is not touched and the entry is available there in both the accounts and compat tree.

ipa-server-4.6.4-10.el7.centos.3.x86_64
CentOS Linux release 7.6.1810 (Core)

On full broken master:
# , users, accounts, cxn
dn: uid=,cn=users,cn=accounts,dc=cxn
gecos: FOO BAR
displayName: FOO BAR
krbLastAdminUnlock: 20190807124134Z
krbLoginFailedCount: 0
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
gidNumber:
uidNumber:
ipaUniqueID:
cn: BAZ
givenName: FOO
krbPrincipalName: @CXN
mail:
homeDirectory: /home/
sn: BAR
initials: cU
loginShell: /bin/false
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
krbCanonicalName: @CXN
uid:
mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
krbPasswordExpiration: 20170615133527Z
krbLastPwdChange: 20170615133527Z
krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A

On untouched master:
# , users, compat, cxn
dn: uid=,cn=users,cn=compat,dc=cxn
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: BAZ
cn: BAZ
uidNumber:
gidNumber:
loginShell: /bin/false
homeDirectory: /home/
ipaAnchorUUID:: somerandomuuid
uid:

# , users, accounts, cxn
dn: uid=,cn=users,cn=accounts,dc=cxn
gecos: FOO BAR
displayName: FOO BAR
krbLastAdminUnlock: 20190807124134Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
memberOf: cn=group1,cn=groups,cn=accounts,dc=cxn
memberOf: cn=group2,cn=groups,cn=accounts,dc=cxn
gidNumber:
krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
krbLastPwdChange: 20170615133527Z
krbPasswordExpiration: 20170615133527Z
mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
uid:
krbCanonicalName: @CXN
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/false
initials: cU
sn: BAR
homeDirectory: /home/
mail:
krbPrincipalName: @CXN
givenName: FOO
cn: BAZ
ipaUniqueID: randomuniqueid
uidNumber:

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete
You have found the key, I guess: it is related to the mepManagedEntry. The issue can be reproduced. Detaching and deleting the managed group results in the non-deletable user. Now the question is, how do I get out of it?

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Wed, Aug 7, 2019 at 4:21 PM Sandor Juhasz wrote:
> Many cases for service users the matching group was created by either
> error or mistake.
> Where those service users are mostly under some group collecting them,
> also assigned
> as GID.
> So the leftovers were detached and deleted, so there is less confusion.
> So far there were no issues like this.
> --
> Sándor Juhász
> System Administrator
> ChemAxon Kft.
> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> Cell: +36704258964
>
>
> On Wed, Aug 7, 2019 at 4:10 PM Rob Crittenden wrote:
>
> > Sandor Juhasz wrote:
> > > Was detached and deleted prior to the user's deletion.
> > > First modified by
> > > dn: cn=,cn=groups,cn=accounts,dc=cxn
> > > changetype: modify
> > > delete: objectclass
> > > objectclass: mepManagedEntry
> > > -
> > > delete: mepManagedBy
> > >
> > > Then deleted.
> >
> > I don't know if this is the issue or not but the user still shows:
> >
> > objectClass: mepOriginEntry
> > mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
> >
> > What led you to manually disconnect the group?
> >
> > rob
> >
> > > --
> > > Sándor Juhász
> > > System Administrator
> > > ChemAxon Kft.
> > > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > > Cell: +36704258964
> > >
> > >
> > > On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden wrote:
> > >
> > > Sandor Juhasz via FreeIPA-users wrote:
> > > > We have an entry, what after clicking delete on the UI got partially
> > > > deleted.
> > > > The compat tree entry is gone.
> > > > The accounts tree entry is there.
> > > > ldapsearch finds the entry by uid, but does fail by dn.
> > > > ipa user-show finds the user
> > > > ipa user-del says no such user
> > > > ldapdelete fails to delete the entry by dn with err=32
> > > > Web ui shows user
> > > > User content can be modified from ipa cli and web ui - like name, shell,
> > > > but cannot be deleted
> > > > Other entries can be created and deleted without issue.
> > > > We have 4way master-master replication. Tried cli on 3 and got same
> > > > result and issue.
> > > > The third is not touched and the entry is available there both accounts
> > > > and compat tree.
> > > >
> > > >
> > > > ipa-server-4.6.4-10.el7.centos.3.x86_64
> > > > CentOS Linux release 7.6.1810 (Core)
> > > >
> > > > On full broken master:
> > > > # , users, accounts, cxn
> > > > dn: uid=,cn=users,cn=accounts,dc=cxn
> > > > gecos: FOO BAR
> > > > displayName: FOO BAR
> > > > krbLastAdminUnlock: 20190807124134Z
> > > > krbLoginFailedCount: 0
> > > > memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
> > > > memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
> > > > memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
> > > > gidNumber:
> > > > uidNumber:
> > > > ipaUniqueID:
> > > > cn: BAZ
> > > > givenName: FOO
> > > > krbPrincipalName: @CXN
> > > > mail:
> > > > homeDirectory: /home/
> > > > sn: BAR
> > > > initials: cU
> > > > loginShell: /bin/false
> > > > objectClass: ipaobject
> > > > objectClass: person
> > > > objectClass: top
> > > > objectClass: ipasshuser
> > > > objectClass: inetorgperson
> > > > objectClass: organizationalperson
> > > > objectClass: krbticketpolicyaux
> > > > objectClass: krbprincipalaux
> > > > objectClass: inetuser
> > > > objectClass: posixaccount
> > > > objectClass: ipaSshGroupOfPubKeys
> > > > objectClass: mepOriginEntry
> > > > krbCanonicalName: @CXN
> > > > uid:
> > > > mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
> > > > krbPasswordExpiration: 20170615133527Z
> > > > krbLastPwdChange: 20170615133527Z
> > > > krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
> > >
> > > Can you check to see if the group entry exists,
> > > cn=,cn=groups,cn=accounts,dc=cxn via ldapsearch?
> > >
> > > rob
> > >
> >
[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete
I was able to cheat it on the replica where the user was not partially deleted. I had to recreate and reattach the deleted group. Then detach it with

ipa group-detach

Then delete the user. Then the replication took care of the rest of the masters and purged the remainders.

Any idea how to do it more easily? I cannot refer to the user by dn: because when I try, even with a non-problematic user, I get "no such object". Any idea?

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Wed, Aug 7, 2019 at 4:32 PM Sandor Juhasz wrote:
> You have found the key i guess - related to the mepmanagedentry. The issue
> can be reproduced.
> Detaching and deleting the managed group results in the not deletable user.
> Now the question is, how do i get out of it?
> --
> Sándor Juhász
> System Administrator
> ChemAxon Kft.
> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> Cell: +36704258964
>
>
> On Wed, Aug 7, 2019 at 4:21 PM Sandor Juhasz wrote:
>
> > Many cases for service users the matching group was created by either
> > error or mistake.
> > Where those service users are mostly under some group collecting them,
> > also assigned
> > as GID.
> > So the leftovers were detached and deleted, so there is less confusion.
> > So far there were no issues like this.
> > --
> > Sándor Juhász
> > System Administrator
> > ChemAxon Kft.
> > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > Cell: +36704258964
> >
> >
> > On Wed, Aug 7, 2019 at 4:10 PM Rob Crittenden wrote:
> >
> > > Sandor Juhasz wrote:
> > > > Was detached and deleted prior to the user's deletion.
> > > > First modified by
> > > > dn: cn=,cn=groups,cn=accounts,dc=cxn
> > > > changetype: modify
> > > > delete: objectclass
> > > > objectclass: mepManagedEntry
> > > > -
> > > > delete: mepManagedBy
> > > >
> > > > Then deleted.
> > >
> > > I don't know if this is the issue or not but the user still shows:
> > >
> > > objectClass: mepOriginEntry
> > > mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
> > >
> > > What led you to manually disconnect the group?
> > >
> > > rob
> > >
> > > > --
> > > > Sándor Juhász
> > > > System Administrator
> > > > ChemAxon Kft.
> > > > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > > > Cell: +36704258964
> > > >
> > > >
> > > > On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden wrote:
> > > >
> > > > Sandor Juhasz via FreeIPA-users wrote:
> > > > > We have an entry, what after clicking delete on the UI got partially
> > > > > deleted.
> > > > > The compat tree entry is gone.
> > > > > The accounts tree entry is there.
> > > > > ldapsearch finds the entry by uid, but does fail by dn.
> > > > > ipa user-show finds the user
> > > > > ipa user-del says no such user
> > > > > ldapdelete fails to delete the entry by dn with err=32
> > > > > Web ui shows user
> > > > > User content can be modified from ipa cli and web ui - like name, shell,
> > > > > but cannot be deleted
> > > > > Other entries can be created and deleted without issue.
> > > > > We have 4way master-master replication. Tried cli on 3 and got same
> > > > > result and issue.
> > > > > The third is not touched and the entry is available there both accounts
> > > > > and compat tree.
> > > > >
> > > > >
> > > > > ipa-server-4.6.4-10.el7.centos.3.x86_64
> > > > > CentOS Linux release 7.6.1810 (Core)
> > > > >
> > > > > On full broken master:
> > > > > # , users, accounts, cxn
> > > > > dn: uid=,cn=users,cn=accounts,dc=cxn
> > > > > gecos: FOO BAR
> > > > > displayName: FOO BAR
> > > > > krbLastAdminUnlock: 20190807124134Z
> > > > > krbLoginFailedCount: 0
> > > > > memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
> > > > > memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
> > > > > memberOf: cn=somegroupt2,cn=groups,cn=accoun
[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete
The question was how to refer to the user entity, as it has two DNs, one in the accounts and one in the compat tree. Anyway, I have done the manual detach because I found that solution suggested by someone here on the list and I was stupid enough not to investigate further. I was able to fix all broken entities by re-adding and reattaching the groups and detaching them again with ipa group-detach. That fixed the users as well. Thanks for your help.

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Wed, Aug 7, 2019 at 7:15 PM Rob Crittenden wrote:
> Sandor Juhasz via FreeIPA-users wrote:
> > I was able to cheat it on the replica where the user was not partially
> > deleted.
> > I had to recreate and reattach the deleted group.
> > Then detach it with
> > ipa group-detach
> > Then delete the user.
> > Then the replication took care of the rest of the masters and purged the
> > remainders.
> >
> > Any idea how to do it easier? I cannot refer user by dn: because when i
> > try, even with a not
> > problematic user i get no such object? Any idea?
>
> I'm not sure what you mean about the dn or why you used the ldapmodify
> instead of group-detach in the first place.
>
> rob
>
> > --
> > Sándor Juhász
> > System Administrator
> > ChemAxon Kft.
> > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > Cell: +36704258964
> >
> >
> > On Wed, Aug 7, 2019 at 4:32 PM Sandor Juhasz wrote:
> >
> > You have found the key i guess - related to the mepmanagedentry. The
> > issue can be reproduced.
> > Detaching and deleting the managed group results in the not
> > deletable user.
> > Now the question is, how do i get out of it?
> > --
> > Sándor Juhász
> > System Administrator
> > ChemAxon Kft.
> > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > Cell: +36704258964
> >
> >
> > On Wed, Aug 7, 2019 at 4:21 PM Sandor Juhasz wrote:
> >
> > Many cases for service users the matching group was created by
> > either error or mistake.
> > Where those service users are mostly under some group collecting
> > them, also assigned
> > as GID.
> > So the leftovers were detached and deleted, so there is less
> > confusion.
> > So far there were no issues like this.
> > --
> > Sándor Juhász
> > System Administrator
> > ChemAxon Kft.
> > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > Cell: +36704258964
> >
> >
> > On Wed, Aug 7, 2019 at 4:10 PM Rob Crittenden wrote:
> >
> > Sandor Juhasz wrote:
> > > Was detached and deleted prior to the user's deletion.
> > > First modified by
> > > dn: cn=,cn=groups,cn=accounts,dc=cxn
> > > changetype: modify
> > > delete: objectclass
> > > objectclass: mepManagedEntry
> > > -
> > > delete: mepManagedBy
> > >
> > > Then deleted.
> >
> > I don't know if this is the issue or not but the user still
> > shows:
> >
> > objectClass: mepOriginEntry
> > mepManagedEntry: cn=,cn=groups,cn=accounts,dc=cxn
> >
> > What led you to manually disconnect the group?
> >
> > rob
> >
> > > --
> > > Sándor Juhász
> > > System Administrator
> > > ChemAxon Kft.
> > > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > > Cell: +36704258964
> > >
> > >
> > > On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden wrote:
> > >
> > > Sandor Juhasz via FreeIPA-users wrote:
> > > > We have an entry, what after clicking delete on the
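The thread above ends with the root cause: a user's mepManagedEntry link (and the group's mepManagedBy link back) must be removed through ipa group-detach, and a hand-deleted managed group leaves the user pointing at a DN that no longer exists. A periodic consistency check over an LDIF export catches such dangling links before anyone hits the "no such user" failure. The following is an added example written for this thread, not code from the posts, from FreeIPA or from 389-ds. It contains its own small LDIF reader (folded lines and base64 values, enough for ldapsearch output) rather than using python-ldap, and the entry names and the dc=example,dc=test suffix in the embedded sample export are constructed.

```python
"""Find dangling managed-entry links in an LDIF export of the accounts tree.

Added example for this thread; not code from the posts, from FreeIPA or from
389-ds. It reports users whose mepManagedEntry points at a group that is not in
the export, and groups whose mepManagedBy points at a user that is not in it.
"""
import base64


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attr_name_lowercased: [values]} including 'dn'."""
    entries, attrs = [], None
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line == "":
            if attrs:
                entries.append(attrs)
            attrs = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs = attrs if attrs is not None else {}
        attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators; enough for exact matches."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def managed_entry_problems(ldif_text):
    """Return (kind, entry_dn, target_dn) for every mep link whose target is absent."""
    by_dn = {}
    for entry in parse_ldif(ldif_text):
        if "dn" in entry:
            by_dn[normalize_dn(entry["dn"][0])] = entry
    problems = []
    for entry in by_dn.values():
        for attr, kind in (("mepmanagedentry", "dangling mepManagedEntry"),
                           ("mepmanagedby", "dangling mepManagedBy")):
            for target in entry.get(attr, []):
                if normalize_dn(target) not in by_dn:
                    problems.append((kind, entry["dn"][0], target))
    return problems


# Constructed sample export (names and suffix are placeholders). alice still has
# her private group; svc1's private group was deleted by hand, so the user's
# mepManagedEntry now points nowhere. One memberOf is folded across two lines.
SAMPLE_LDIF = """\
# constructed sample, not a real export
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: mepOriginEntry
uid: alice
mepManagedEntry: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
description:: Y29uc3RydWN0ZWQgc2FtcGxl

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: mepManagedEntry
cn: alice
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: uid=svc1,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: mepOriginEntry
uid: svc1
memberOf: cn=service-accounts,cn=groups,cn=accounts,dc=exam
 ple,dc=test
mepManagedEntry: cn=svc1,cn=groups,cn=accounts,dc=example,dc=test
"""

if __name__ == "__main__":
    for kind, dn, target in managed_entry_problems(SAMPLE_LDIF):
        print(f"{kind}: {dn} -> {target}")
```

To run it against a real directory, export only the linked entries with ldapsearch (the `-o ldif-wrap=no` option used earlier in this page avoids folded lines, though the reader handles them anyway), for example `ldapsearch ... -o ldif-wrap=no -b cn=accounts,<suffix> "(|(mepManagedEntry=*)(mepManagedBy=*))" dn mepManagedEntry mepManagedBy`, and pass the output to `managed_entry_problems`. Any hit is an entry to repair with ipa group-detach before it reaches the state described in the thread.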
[Freeipa-users] IPA ocsp responder cert
Hi,

we are running FreeIPA server 4.6.5. We are facing the issue where the OCSP responder in the Server-Cert is set to

Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ipa-ca.bpo.cxn/ca/ocsp"

where the host cert's subject is

Subject: "CN=ipa14.bpo.cxn,O=CXN"

I have added a DNS alias for the given machine, but httpd shows only the cert for the subject, and I cannot add the OCSP one. Tried with certutil and with ipa-getcert, but I was not able to add the alias to the given cert. Is there a way to fix this?

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
[Freeipa-users] Re: IPA ocsp responder cert
Disregard my question. I had to realize that the OCSP responder is on plain HTTP, so there is no need to hassle with additional certs there.

--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Mon, Oct 28, 2019 at 2:10 PM Rob Crittenden wrote:
> Sandor Juhasz via FreeIPA-users wrote:
> > Hi,
> >
> > we are running freeipa server 4.6.5.
> > Facing the issue, where the ocsp responder in the Server-Cert is set
> > to
> > Name: Authority Information Access
> > Method: PKIX Online Certificate Status Protocol
> > Location:
> > URI: "http://ipa-ca.bpo.cxn/ca/ocsp"
> >
> > Where the hosts cert's subject is
> > Subject: "CN=ipa14.bpo.cxn,O=CXN"
> >
> > I have added DNS alias for the given machine, but the httpd shows only
> > cert for the subject, but cannot add the ocsp. Tried with certutil, with
> > ipa-getcert, but i was not
> > able to add the alias to the given cert.
> > Is there a way to fix this?
>
> I'm unclear what you are trying to do. You want the OCSP AVA to point to
> a specific host? If so, for what reason?
>
> rob
>