<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/29/2015 05:58 PM, Andy Thompson
wrote:<br>
</div>
<blockquote
cite="mid:1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local"
type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">dn:
nsuniqueid=7e1a1f87-e82611e4-99f1b343-
</pre>
</blockquote>
<pre wrap="">f0abc1a8,cn=username,cn=groups,c
</pre>
<blockquote type="cite">
<pre wrap="">n=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn:
nsuniqueid=7e1a1f87-e82611e4-99f1b343-
</pre>
</blockquote>
<pre wrap="">f0abc1a8,cn=username,cn=groups,c
</pre>
<blockquote type="cite">
<pre wrap="">n=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000500040000:
</pre>
</blockquote>
<pre wrap="">mepManagedEntry
</pre>
<blockquote type="cite">
<pre wrap="">nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi:
cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
nscpentrywsi: description;vucsn-55364a42000500040000: User private
group for username
nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=
username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed
Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed
Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a42000500040000:
20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000:
20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000:
94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: nscpEntryDN:
cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327
thought I tried that before, apparently not.
</pre>
</blockquote>
<pre wrap="">ok, so we have the entry on one server, the csn of the objectclass:
tombstone is :
objectClass;vucsn-5540deb8000300030000: nsTombstone
, which matches the csn in the error log:
Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-
f0abc1a8, CSN 5540deb8000300030000): Operations error (1) so the state of
the entry is as expected.
Now we nend to find it on the other server. If the search for the & filter with
nstombstone does return nothing, could you try
</pre>
</blockquote>
<pre wrap="">
If I run ldapsearch -LLL -o ldif-wrap=no -H <a class="moz-txt-link-freetext" href="ldap://mdhixnpipa01">ldap://mdhixnpipa01</a> -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter it returns nothing on the primary server
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVhqTXQxUT09
krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A
0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD
+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20150421180532Z
krbLastFailedAuth: 20150421180457Z
mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
displayName: user name
cn: User Name
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: nsTombstone
loginShell: /bin/bash
initials: GF
gecos: User Name
homeDirectory: /home/username
uid: username
mail: <a class="moz-txt-link-abbreviated" href="mailto:username@mhbenp.lin">username@mhbenp.lin</a>
krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:username@MHBENP.LIN">username@MHBENP.LIN</a>
givenName: User
sn: name
ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
uidNumber: 1249000003
gidNumber: 1249000003
nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
</pre>
</blockquote>
<font face="Times New Roman, Times, serif">In fact, nsuniqueid does
not appear in this entry. It is a distinguished RDN but is
missing. Did you run the command with 'nscpentrywsi' requested
attribute. May be nsuniqueid was hidden for that reason but I
would be surprised.<br>
<br>
nsuniqueid is a key element of replication. I wonder how
replication can find the entry itself. nsuniqueid could be in the
index but then the entry is corrupted.<br>
<br>
<br>
<br>
</font>
</body>
</html>