<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 04/29/2015 05:58 PM, Andy Thompson wrote:<br> </div> <blockquote cite="mid:1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local" type="cite"> <blockquote type="cite"> <blockquote type="cite"> <pre wrap="">dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343- </pre> </blockquote> <pre wrap="">f0abc1a8,cn=username,cn=groups,c </pre> <blockquote type="cite"> <pre wrap="">n=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343- </pre> </blockquote> <pre wrap="">f0abc1a8,cn=username,cn=groups,c </pre> <blockquote type="cite"> <pre wrap="">n=accounts,dc=mhbenp,dc=lin nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject nscpentrywsi: objectClass;vucsn-55364a42000500040000: </pre> </blockquote> <pre wrap="">mepManagedEntry </pre> <blockquote type="cite"> <pre wrap="">nscpentrywsi: objectClass;vucsn-55364a42000500040000: top nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003 nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3 nscpentrywsi: parentid: 4 nscpentrywsi: entryid: 385 nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8 nscpentrywsi: nstombstonecsn: 5540deb8000300030000 nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: entryusn: 52327 thought I tried that before, apparently not. </pre> </blockquote> <pre wrap="">ok, so we have the entry on one server, the csn of the objectclass: tombstone is : objectClass;vucsn-5540deb8000300030000: nsTombstone , which matches the csn in the error log: Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343- f0abc1a8, CSN 5540deb8000300030000): Operations error (1) so the state of the entry is as expected. Now we nend to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try </pre> </blockquote> <pre wrap=""> If I run ldapsearch -LLL -o ldif-wrap=no -H <a class="moz-txt-link-freetext" href="ldap://mdhixnpipa01">ldap://mdhixnpipa01</a> -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter it returns nothing on the primary server dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003 krbLastSuccessfulAuth: 20150421180533Z krbPasswordExpiration: 20150720180532Z userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVhqTXQxUT09 krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA== krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A 0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE= krbLoginFailedCount: 0 krbTicketFlags: 128 krbLastPwdChange: 20150421180532Z krbLastFailedAuth: 20150421180457Z mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin displayName: user name cn: User Name objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry objectClass: ipantuserattrs objectClass: nsTombstone loginShell: /bin/bash initials: GF gecos: User Name homeDirectory: /home/username uid: username mail: <a class="moz-txt-link-abbreviated" href="mailto:username@mhbenp.lin">username@mhbenp.lin</a> krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:username@MHBENP.LIN">username@MHBENP.LIN</a> givenName: User sn: name ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3 uidNumber: 1249000003 gidNumber: 1249000003 nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8 </pre> </blockquote> <font face="Times New Roman, Times, serif">In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but is missing. Did you run the command with 'nscpentrywsi' requested attribute. May be nsuniqueid was hidden for that reason but I would be surprised.<br> <br> nsuniqueid is a key element of replication. I wonder how replication can find the entry itself. nsuniqueid could be in the index but then the entry is corrupted.<br> <br> <br> <br> </font> </body> </html>