<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 06.05.2016 21:29, Devin Acosta
      wrote:<br>
    </div>
    <blockquote cite="mid:572CF096.30802@pabstatencio.com" type="cite">
      <div style="font-size: 11pt;font-family: tt;"><span
          style="font-weight: bold;"></span>
        <blockquote class="__pbForwardBlockQuote" style="border: 0px
          none; font-weight: bold;"
          cite="mid:572CF03B.6000909@linuxguru.co" type="cite">
          <div class="__pbConvBody" __pbrmquotes="false"
            style="color:#888888;margin-left:24px;margin-right:24px;">I
            am running the latest FreeIPA on CentOS 7.2.
            <br>
            <br>
            I noticed I had a “nsds5ReplConflict” with an item. I tried
            to follow the webpage to rename and delete, but that failed.
            I then tried to have ipa1-i2x reload from the ipa01-aws
            instance; now it seems to have gone maybe worse?
            <br>
            Can you please advise how to get back to a healthy system? I
            initially added a system account as recommended so I could
            have, say, Jira/Confluence do user searches against IDM.
            <br>
            <br>
            [dacosta@ipa1-i2x ~]$ ldapsearch -x -D "cn=directory
            manager" -w 'password' -b "dc=rsinc,dc=local"
            "nsds5ReplConflict=*" \* nsds5ReplConflict
            <br>
            # extended LDIF
            <br>
            #
            <br>
            # LDAPv3
            <br>
            # base &lt;dc=rsinc,dc=local&gt; with scope subtree
            <br>
            # filter: nsds5ReplConflict=*
            <br>
            # requesting: * nsds5ReplConflict
            <br>
            #
            <br>
            <br>
            # 7ad08581-059911e6-b55c83a4-93228cdf + ldapsearch,
            sysaccounts, etc, rsinc.loc
            <br>
            al
            <br>
            dn:
nsuniqueid=7ad08581-059911e6-b55c83a4-93228cdf+uid=ldapsearch,cn=sysaccoun<br>
            ts,cn=etc,dc=rsinc,dc=local
            <br>
            userPassword:: e1NTSEF9M3krdTh5TkdYV=
            <br>
            =
            <br>
            uid: ldapsearch
            <br>
            objectClass: account
            <br>
            objectClass: simplesecurityobject
            <br>
            objectClass: top
            <br>
            nsds5ReplConflict: namingConflict
            uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsin
            <br>
            c,dc=local
            <br>
            <br>
            # search result
            <br>
            search: 2
            <br>
            result: 0 Success
            <br>
            <br>
            # numResponses: 2
            <br>
            # numEntries: 1
            <br>
            <br>
            [dacosta@ipa1-i2x ~]$ ./ipa_check_consistency -H
            "ipa1-i2x.local ipa01-aws.rsinc.local" -d RSINC.LOCAL
            <br>
            Directory Manager password:
            <br>
            FreeIPA servers: ipa1-i2x ipa01-aws STATE
            <br>
            ===================================================
            <br>
            Active Users ERROR 33 FAIL
            <br>
            Stage Users ERROR 0 FAIL
            <br>
            Preserved Users ERROR 0 FAIL
            <br>
            User Groups ERROR 7 FAIL
            <br>
            Hosts ERROR 82 FAIL
            <br>
            Host Groups ERROR 1 FAIL
            <br>
            HBAC Rules ERROR 2 FAIL
            <br>
            SUDO Rules ERROR 4 FAIL
            <br>
            DNS Zones ERROR 14 FAIL
            <br>
            LDAP Conflicts ERROR YES FAIL
            <br>
            Anonymous BIND ERROR on FAIL
            <br>
            Replication Status ipa02-aws 0
            <br>
            ipa1-i2x 0
            <br>
            ===================================================
            <br>
            <br>
            <br>
            [dacosta@ipa1-i2x ~]$ ipa-replica-manage list
            <br>
            ipa: WARNING: session memcached servers not running
            <br>
            ipa02-aws.rsinc.local: master
            <br>
            ipa01-aws.rsinc.local: master
            <br>
            ipa1-i2x.rsinc.local: master
            <br>
            <br>
            <br>
            Devin Acosta
            <br>
            Linux Certified Engineer
            <br>
            e: <a moz-do-not-send="true"
              class="moz-txt-link-abbreviated"
              href="mailto:devin@linuxguru.co">devin@linuxguru.co</a>
            <br>
            <br>
          </div>
        </blockquote>
        <br style="font-weight: bold;">
      </div>
      <br>
    </blockquote>
    Hello, it is not clear to me what is wrong; do you have conflicts
    there?<br>
    The output is from a command that is not a tool supported by
    FreeIPA; I have no idea what is wrong.<br>
    <br>
    To check replication status for each IPA server, run<br>
    ipa-replica-manage -v list &lt;hostname&gt;<br>
    <br>
    Can you kinit on all replicas?<br>
    Can you do ldapsearch as directory manager on each server?<br>
    <br>
    Martin<br>
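    <p>The ldapsearch output quoted above is folded LDIF: a long line
      wraps and continues on the next line after a single leading space,
      which is why the dn and nsds5ReplConflict value of the conflict
      entry appear split. The Python below is an added example, not part
      of the original messages or of FreeIPA; it unfolds such output and
      lists each conflict entry with the DN it collided with. The sample
      input and function names are constructed, and it assumes the value
      form shown in the thread (the keyword namingConflict followed by
      the original DN).</p>

```python
# Constructed sample shaped like the ldapsearch output in this thread; the
# suffix, nsuniqueid and second entry are placeholders, not values from it.
SAMPLE_LDIF = "\n".join([
    "# 11111111-22222222-33333333-44444444 + ldapsearch, sysaccounts, etc, exa",
    " mple.test",
    "dn: nsuniqueid=11111111-22222222-33333333-44444444+uid=ldapsearch,cn=sysacc",
    " ounts,cn=etc,dc=example,dc=test",
    "nsds5ReplConflict: namingConflict uid=ldapsearch,cn=sysaccounts,cn=etc,dc=e",
    " xample,dc=test",
    "",
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "",
    "search: 2",
])

def unfold(text):
    """Join folded LDIF lines: one leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    # Drop comments only after unfolding, so a folded comment stays whole.
    return [line for line in lines if not line.startswith("#")]

def parse_entries(text):
    """Return each record that has a dn as {attribute: [values]}."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if not line.strip():
            if "dn" in current:  # skips trailers such as "search: 2"
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        # Base64 values ("attr:: ...") are kept encoded, e.g. userPassword.
        current.setdefault(attr.lower(), []).append(value.lstrip(":").strip())
    return entries

def find_conflicts(text):
    """List (conflict entry DN, conflict kind, original DN) tuples."""
    found = []
    for entry in parse_entries(text):
        for marker in entry.get("nsds5replconflict", []):
            kind, _, original_dn = marker.partition(" ")
            found.append((entry["dn"][0], kind, original_dn.strip()))
    return found
```

    <p>Running find_conflicts over the saved output of the same
      nsds5ReplConflict search from each replica shows which servers
      still hold the conflict entry.</p>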
  </body>
</html>