<div dir="ltr">Thank you very much Ludwig, that worked. I had to do a ldapdelete -r (recursive) to remove a few containers which apparently had some tombstone entries in them. Domain is now running at level 1!</div><div class="gmail_extra"><br><div class="gmail_quote">On 16 February 2017 at 13:58, Ludwig Krispenz <span dir="ltr"><<a href="mailto:lkrispen@redhat.com" target="_blank">lkrispen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<br>
<div class="m_8208528144818540294moz-cite-prefix">On 02/16/2017 01:32 PM, Tiemen Ruiten
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I have a FreeIPA setup in which some masters suffered from
a few uncontrolled shutdowns and now there are replication
conflicts (which prevent from setting the Domain Level to 1). </div>
<div><br>
</div>
<div>I was trying to follow the instructions here: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html" target="_blank">https://access.redhat.<wbr>com/documentation/en-US/Red_<wbr>Hat_Enterprise_Linux/6/html/<wbr>Identity_Management_Guide/ipa-<wbr>replica-manage.html</a></div>
<div><br>
</div>
<div>But unfortunately I'm not getting anywhere. This the result
of an ldapsearch for replication conflicts:</div>
<div><br>
</div>
<blockquote class="gmail_quote"><br>
[root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W
-b "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \*
nsds5ReplConflict<br>
Enter LDAP Password: <br>
# extended LDIF<br>
#<br>
# LDAPv3<br>
# base <dc=ipa,dc=rdmedia,dc=com> with scope subtree<br>
# filter: nsds5ReplConflict=*<br>
# requesting: * nsds5ReplConflict <br>
#<br>
# servers + 334bfc53-cdae11e6-8a85a70a-<wbr>bda98fae, dns, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn:
cn=servers+nsuniqueid=<wbr>334bfc53-cdae11e6-8a85a70a-<wbr>bda98fae,cn=dns,dc=ipa,dc<br>
=rdmedia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: servers<br>
nsds5ReplConflict: namingConflict
cn=servers,cn=dns,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
# System: Add CA + 334bfbe5-cdae11e6-8a85a70a-<wbr>bda98fae,
permissions, pbac, ipa.<br>
<a href="http://rdmedia.com" target="_blank">rdmedia.com</a><br>
dn: cn=System: Add
CA+nsuniqueid=334bfbe5-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>permis<br>
sions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: add<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Add CA<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=CA
Administrator,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: add
ca,cn=permissions,cn=pbac,dc=<br>
ipa,dc=rdmedia,dc=com </blockquote>
<blockquote class="gmail_quote"># System: Delete CA +
334bfbe9-cdae11e6-8a85a70a-<wbr>bda98fae, permissions, pbac, i<br>
<a href="http://pa.rdmedia.com" target="_blank">pa.rdmedia.com</a><br>
dn: cn=System: Delete
CA+nsuniqueid=334bfbe9-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>per<br>
missions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: delete<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Delete CA<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=CA
Administrator,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: delete
ca,cn=permissions,cn=pbac,<br>
dc=ipa,dc=rdmedia,dc=com<br>
# System: Modify CA + 334bfbed-cdae11e6-8a85a70a-<wbr>bda98fae,
permissions, pbac, i<br>
<a href="http://pa.rdmedia.com" target="_blank">pa.rdmedia.com</a><br>
dn: cn=System: Modify
CA+nsuniqueid=334bfbed-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>per<br>
missions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Modify CA<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=CA
Administrator,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermDefaultAttr: description<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: modify
ca,cn=permissions,cn=pbac,<br>
dc=ipa,dc=rdmedia,dc=com<br>
# System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-<wbr>bda98fae,
permissions, pbac, ip<br>
<a href="http://a.rdmedia.com" target="_blank">a.rdmedia.com</a><br>
dn: cn=System: Read
CAs+nsuniqueid=334bfbf1-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>perm<br>
issions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: all<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read CAs<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
ipaPermDefaultAttr: description<br>
ipaPermDefaultAttr: ipacaissuerdn<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: ipacasubjectdn<br>
ipaPermDefaultAttr: ipacaid<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read
cas,cn=permissions,cn=pbac,d<br>
c=ipa,dc=rdmedia,dc=com<br>
# System: Modify DNS Servers Configuration +
334bfbf6-cdae11e6-8a85a70a-<wbr>bda98fa<br>
e, permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Modify DNS Servers
Configuration+nsuniqueid=<wbr>334bfbf6-cdae11e6-8<br>
a85a70a-bda98fae,cn=<wbr>permissions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=<wbr>idnsServerConfigObject)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Modify DNS Servers Configuration<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermDefaultAttr: idnssoamname<br>
ipaPermDefaultAttr: idnssubstitutionvariable<br>
ipaPermDefaultAttr: idnsforwardpolicy<br>
ipaPermDefaultAttr: idnsforwarders<br>
ipaPermLocation: dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: modify dns
servers configuration,<br>
cn=permissions,cn=pbac,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
# System: Read DNS Servers Configuration +
334bfbfa-cdae11e6-8a85a70a-<wbr>bda98fae,<br>
permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Read DNS Servers
Configuration+nsuniqueid=<wbr>334bfbfa-cdae11e6-8a8<br>
5a70a-bda98fae,cn=<wbr>permissions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=<wbr>idnsServerConfigObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read DNS Servers Configuration<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
member: cn=DNS
Servers,cn=privileges,cn=pbac,<wbr>dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: idnsforwardpolicy<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: idnsforwarders<br>
ipaPermDefaultAttr: idnsserverid<br>
ipaPermDefaultAttr: idnssubstitutionvariable<br>
ipaPermDefaultAttr: idnssoamname<br>
ipaPermLocation: dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read dns servers
configuration,cn<br>
=permissions,cn=pbac,dc=ipa,<wbr>dc=rdmedia,dc=com<br>
# System: Manage Host Principals +
334bfc0b-cdae11e6-8a85a70a-<wbr>bda98fae, permiss<br>
ions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Manage Host
Principals+nsuniqueid=<wbr>334bfc0b-cdae11e6-8a85a70a-bd<br>
a98fae,cn=permissions,cn=<wbr>pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipahost)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Manage Host Principals<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=Host
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
member: cn=Host
Enrollment,cn=privileges,cn=<wbr>pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: krbprincipalname<br>
ipaPermDefaultAttr: krbcanonicalname<br>
ipaPermLocation:
cn=computers,cn=accounts,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: manage host
principals,cn=permiss<br>
ions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
# System: Add IPA Locations +
334bfc20-cdae11e6-8a85a70a-<wbr>bda98fae, permissions,<br>
pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Add IPA
Locations+nsuniqueid=334bfc20-<wbr>cdae11e6-8a85a70a-bda98fa<br>
e,cn=permissions,cn=pbac,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=<wbr>ipaLocationObject)<br>
ipaPermRight: add<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Add IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: add ipa
locations,cn=permissions,<br>
cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
# System: Modify IPA Locations +
334bfc24-cdae11e6-8a85a70a-<wbr>bda98fae, permissio<br>
ns, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Modify IPA
Locations+nsuniqueid=334bfc24-<wbr>cdae11e6-8a85a70a-bda9<br>
8fae,cn=permissions,cn=pbac,<wbr>dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=<wbr>ipaLocationObject)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Modify IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermDefaultAttr: description<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: modify ipa
locations,cn=permissio<br>
ns,cn=pbac,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
# System: Read IPA Locations +
334bfc28-cdae11e6-8a85a70a-<wbr>bda98fae, permissions<br>
, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Read IPA
Locations+nsuniqueid=334bfc28-<wbr>cdae11e6-8a85a70a-bda98f<br>
ae,cn=permissions,cn=pbac,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=<wbr>ipaLocationObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: description<br>
ipaPermDefaultAttr: idnsname<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read ipa
locations,cn=permissions<br>
,cn=pbac,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
# System: Remove IPA Locations +
334bfc2c-cdae11e6-8a85a70a-<wbr>bda98fae, permissio<br>
ns, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Remove IPA
Locations+nsuniqueid=334bfc2c-<wbr>cdae11e6-8a85a70a-bda9<br>
8fae,cn=permissions,cn=pbac,<wbr>dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=<wbr>ipaLocationObject)<br>
ipaPermRight: delete<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Remove IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: remove ipa
locations,cn=permissio<br>
ns,cn=pbac,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
# System: Read Locations of IPA Servers +
334bfc30-cdae11e6-8a85a70a-<wbr>bda98fae, <br>
permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Read Locations of IPA
Servers+nsuniqueid=334bfc30-<wbr>cdae11e6-8a85<br>
a70a-bda98fae,cn=permissions,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermTargetFilter: (objectclass=ipaConfigObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read Locations of IPA Servers<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: ipaserviceweight<br>
ipaPermDefaultAttr: ipalocation<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation:
cn=masters,cn=ipa,cn=etc,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read locations of
ipa servers,cn=<br>
permissions,cn=pbac,dc=ipa,<wbr>dc=rdmedia,dc=com<br>
# System: Read Status of Services on IPA Servers +
334bfc34-cdae11e6-8a85a70a-b<br>
da98fae, permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Read Status of Services on IPA
Servers+nsuniqueid=334bfc34-<wbr>cdae<br>
11e6-8a85a70a-bda98fae,cn=<wbr>permissions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaConfigObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read Status of Services on IPA Servers<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: ipaconfigstring<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation:
cn=masters,cn=ipa,cn=etc,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read status of
services on ipa se<br>
rvers,cn=permissions,cn=pbac,<wbr>dc=ipa,dc=rdmedia,dc=com<br>
# System: Manage Service Principals +
334bfc38-cdae11e6-8a85a70a-<wbr>bda98fae, perm<br>
issions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Manage Service
Principals+nsuniqueid=<wbr>334bfc38-cdae11e6-8a85a70a<br>
-bda98fae,cn=permissions,cn=<wbr>pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaservice)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Manage Service Principals<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=Service
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=c<br>
om<br>
ipaPermDefaultAttr: krbprincipalname<br>
ipaPermDefaultAttr: krbcanonicalname<br>
ipaPermLocation:
cn=services,cn=accounts,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: manage service
principals,cn=perm<br>
issions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
# System: Manage User Principals +
334bfc45-cdae11e6-8a85a70a-<wbr>bda98fae, permiss<br>
ions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: cn=System: Manage User
Principals+nsuniqueid=<wbr>334bfc45-cdae11e6-8a85a70a-bd<br>
a98fae,cn=permissions,cn=<wbr>pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=posixaccount)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Manage User Principals<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=User
Administrators,cn=privileges,<wbr>cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
member: cn=Modify Users and Reset
passwords,cn=privileges,cn=<wbr>pbac,dc=ipa,dc=rd<br>
media,dc=com<br>
ipaPermDefaultAttr: krbprincipalname<br>
ipaPermDefaultAttr: krbcanonicalname<br>
ipaPermLocation: cn=users,cn=accounts,dc=ipa,<wbr>dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: manage user
principals,cn=permiss<br>
ions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
# locations + 334bfba2-cdae11e6-8a85a70a-<wbr>bda98fae, etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn:
cn=locations+nsuniqueid=<wbr>334bfba2-cdae11e6-8a85a70a-<wbr>bda98fae,cn=etc,dc=ipa,<br>
dc=rdmedia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: locations<br>
nsds5ReplConflict: namingConflict
cn=locations,cn=etc,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
aci: (targetfilter =
"(objectclass=<wbr>ipaLocationObject)")(version 3.0;acl "permi<br>
ssion:System: Add IPA Locations";allow (add) groupdn =
"<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Ad<br>
d IPA
Locations,cn=permissions,cn=<wbr>pbac,dc=ipa,dc=rdmedia,dc=com"<wbr>;)<br>
aci: (targetattr = "description")(targetfilter =
"(objectclass=ipaLocationObje<br>
ct)")(version 3.0;acl "permission:System: Modify IPA
Locations";allow (write)<br>
groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Modify IPA
Locations,cn=permissions,cn=<wbr>pbac,dc<br>
=ipa,dc=rdmedia,dc=com";)<br>
aci: (targetattr = "createtimestamp || description || entryusn
|| idnsname || <br>
modifytimestamp || objectclass")(targetfilter =
"(objectclass=ipaLocationObje<br>
ct)")(version 3.0;acl "permission:System: Read IPA
Locations";allow (compare,<br>
read,search) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Read IPA
Locations,cn=permissions,<br>
cn=pbac,dc=ipa,dc=rdmedia,dc=<wbr>com";)<br>
aci: (targetfilter =
"(objectclass=<wbr>ipaLocationObject)")(version 3.0;acl "permi<br>
ssion:System: Remove IPA Locations";allow (delete) groupdn =
"<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=Syst</a><br>
em: Remove IPA
Locations,cn=permissions,cn=<wbr>pbac,dc=ipa,dc=rdmedia,dc=com"<wbr>;)<br>
# <a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>
+ 1b780d06-017611e6-966aeb96-<wbr>de53d9d8, computers, accoun<br>
ts, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+<wbr>nsuniqueid=1b780d06-017611e6-<wbr>966aeb96-de53d9d8,c<br>
n=computers,cn=accounts,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
krbExtraData::
AAJIQA5XaG9zdC9uZW9uLmlwYS5yZG<wbr>1lZGlhLmNvbUBJUEEuUkRNRURJQS5D<wbr>T00<br>
A<br>
enrolledBy:
uid=admin,cn=users,cn=<wbr>accounts,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
krbLastPwdChange: 20160413124912Z<br>
krbPrincipalKey::
MIIBKKADAgEBoQMCAQGiAwIBAaMDAg<wbr>EBpIIBEDCCAQwwS6FJMEegAwIBEqFA<br>
BD4gAPd2yVptQC/d3mk7xdb3skL+<wbr>KkkUzewAxCF0FJgXXuBVt1y2GHtnhz<wbr>ILNe91amjovgXAFEujn<br>
<wbr>8x6YrwHXDA7oTkwN6ADAgERoTAELhA<wbr>APbI3gwakFyt9EnCqDLWst6FeXKO0F<wbr>wvx3+gZZOGmYQpr0Z<br>
ujLLtmJuJVmS8wQ6FBMD+<wbr>gAwIBEKE4BDYYABMJXEKVH2Yn4nGzJ<wbr>5woqDjO2dVUx8nQ+1NSi6dREwy<br>
8T+<wbr>7VrbdVOpaQgkUx4czwkhxKvVcwO6E5<wbr>MDegAwIBF6EwBC4QABWhTKkWc50oJl<wbr>pSw/FK2yhl+ZUo<br>
MZt0XHA/<wbr>xdPXDD3DxGV5cx2MgvJEhJzs<br>
cn: <a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a><br>
objectClass: ipaobject<br>
objectClass: ieee802device<br>
objectClass: nshost<br>
objectClass: ipaservice<br>
objectClass: pkiuser<br>
objectClass: ipahost<br>
objectClass: krbprincipal<br>
objectClass: krbprincipalaux<br>
objectClass: ipasshhost<br>
objectClass: top<br>
objectClass: ipaSshGroupOfPubKeys<br>
fqdn: <a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a><br>
managedBy: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>,cn=<wbr>computers,cn=accounts,dc=ipa,<wbr>dc=rdmedi<br>
a,dc=com<br>
krbPrincipalName: host/<a href="mailto:neon.ipa.rdmedia.com@IPA.RDMEDIA.COM" target="_blank">neon.ipa.rdmedia.com@IPA.<wbr>RDMEDIA.COM</a><br>
serverHostName: neon<br>
ipaUniqueID: 1eaa355c-0176-11e6-8dd5-<wbr>001a4aa7101c<br>
krbPwdPolicyReference: cn=Default Host Password
Policy,cn=computers,cn=account<br>
s,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>,cn=<wbr>computers,cn=ac<br>
counts,dc=ipa,dc=rdmedia,dc=<wbr>com<br>
# cas + 334bfba8-cdae11e6-8a85a70a-<wbr>bda98fae, ca, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn:
cn=cas+nsuniqueid=334bfba8-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>ca,dc=ipa,dc=rdme<br>
dia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: cas<br>
nsds5ReplConflict: namingConflict
cn=cas,cn=ca,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System<br>
: Add CA";allow (add) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Add
CA,cn=permissions,cn=<br>
pbac,dc=ipa,dc=rdmedia,dc=<wbr>com";)<br>
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System<br>
: Delete CA";allow (delete) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>:
Delete CA,cn=permis<br>
sions,cn=pbac,dc=ipa,dc=<wbr>rdmedia,dc=com";)<br>
aci: (targetattr = "cn || description")(targetfilter =
"(objectclass=ipaca)")(<br>
version 3.0;acl "permission:System: Modify CA";allow (write)
groupdn = "ldap:<br>
///cn=System: Modify
CA,cn=permissions,cn=pbac,dc=<wbr>ipa,dc=rdmedia,dc=com";)<br>
aci: (targetattr = "cn || createtimestamp || description ||
entryusn || ipacai<br>
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
objectclass")(targ<br>
etfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System: Read CA<br>
s";allow (compare,read,search) userdn = <a class="m_8208528144818540294moz-txt-link-rfc2396E">"ldap:///all"</a>;)<br>
# custodia + 334bfbdb-cdae11e6-8a85a70a-<wbr>bda98fae, ipa, etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn:
cn=custodia+nsuniqueid=<wbr>334bfbdb-cdae11e6-8a85a70a-<wbr>bda98fae,cn=ipa,cn=etc,d<br>
c=ipa,dc=rdmedia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: custodia<br>
nsds5ReplConflict: namingConflict
cn=custodia,cn=ipa,cn=etc,dc=<wbr>ipa,dc=rdmedia,<br>
dc=com<br>
# domain + 334bfb9e-cdae11e6-8a85a70a-<wbr>bda98fae, topology, ipa,
etc, ipa.rdmedia<br>
.com<br>
dn:
cn=domain+nsuniqueid=334bfb9e-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>topology,cn=ip<br>
a,cn=etc,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in<br>
ternalModifyTimestamp<br>
ipaReplTopoConfRoot: dc=ipa,dc=rdmedia,dc=com<br>
objectClass: top<br>
objectClass: iparepltopoconf<br>
nsDS5ReplicatedAttributeListTo<wbr>tal: (objectclass=*) $ EXCLUDE
entryusn krblasts<br>
uccessfulauth krblastfailedauth krbloginfailedcount<br>
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
memberof idnssoaserial<br>
entryusn krblastsuccessfulauth krblastfailedauth
krbloginfailedcount<br>
cn: domain<br>
nsds5ReplConflict: namingConflict
cn=domain,cn=topology,cn=ipa,<wbr>cn=etc,dc=ipa,d<br>
c=rdmedia,dc=com<br>
# ca + 334bfbe0-cdae11e6-8a85a70a-<wbr>bda98fae, topology, ipa,
etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn:
cn=ca+nsuniqueid=334bfbe0-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>topology,cn=ipa,cn<br>
=etc,dc=ipa,dc=rdmedia,dc=com<br>
objectClass: top<br>
objectClass: iparepltopoconf<br>
cn: ca<br>
ipaReplTopoConfRoot: o=ipaca<br>
nsds5ReplConflict: namingConflict
cn=ca,cn=topology,cn=ipa,cn=<wbr>etc,dc=ipa,dc=rd<br>
media,dc=com<br>
# dogtag + 334bfbdd-cdae11e6-8a85a70a-<wbr>bda98fae, custodia +
334bfbdb-cdae11e6-8a<br>
85a70a-bda98fae, ipa, etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn:
cn=dogtag+nsuniqueid=334bfbdd-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>custodia+nsuni<br>
queid=334bfbdb-cdae11e6-<wbr>8a85a70a-bda98fae,cn=ipa,cn=<wbr>etc,dc=ipa,dc=rdmedia,dc=<br>
com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: dogtag<br>
nsds5ReplConflict: namingConflict
cn=dogtag,cn=custodia,cn=ipa,<wbr>cn=etc,dc=ipa,d<br>
c=rdmedia,dc=com<br>
# lawrencium + 6c7e3d83-c11711e6-8a85a70a-<wbr>bda98fae, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>.,
dns, ipa.<br>
<a href="http://rdmedia.com" target="_blank">rdmedia.com</a><br>
dn:
idnsName=lawrencium+<wbr>nsuniqueid=6c7e3d83-c11711e6-<wbr>8a85a70a-bda98fae,idnsnam<br>
e=<a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>.,cn=dns,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
aRecord: 192.168.50.55<br>
dNSTTL: 1200<br>
objectClass: idnsRecord<br>
objectClass: top<br>
idnsName: lawrencium<br>
nsds5ReplConflict: namingConflict
idnsname=lawrencium,idnsname=<a href="http://ipa.rdmedia.com" target="_blank">i<wbr>pa.rdmedia.com</a><br>
.,cn=dns,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
# mendelevium + e5710f85-c5c511e6-8a85a70a-<wbr>bda98fae, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>.,
dns, ipa<br>
.<a href="http://rdmedia.com" target="_blank">rdmedia.com</a><br>
dn:
idnsName=mendelevium+<wbr>nsuniqueid=e5710f85-c5c511e6-<wbr>8a85a70a-bda98fae,idnsna<br>
me=<a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>.,cn=dns,<wbr>dc=ipa,dc=rdmedia,dc=com<br>
aRecord: 192.168.50.52<br>
dNSTTL: 1200<br>
objectClass: idnsRecord<br>
objectClass: top<br>
idnsName: mendelevium<br>
nsds5ReplConflict: namingConflict
idnsname=mendelevium,idnsname=<a href="http://ipa.rdmedia.co" target="_blank"><wbr>ipa.rdmedia.co</a><br>
m.,cn=dns,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
# 41 + e764de07-5e2f11e6-bd76eb96-<wbr>de53d9d8,
120.100.10.in-addr.arpa., dns, ipa.<br>
<a href="http://rdmedia.com" target="_blank">rdmedia.com</a><br>
dn:
idnsname=41+nsuniqueid=<wbr>e764de07-5e2f11e6-bd76eb96-<wbr>de53d9d8,idnsname=120.10<br>
0.10.in-addr.arpa.,cn=dns,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
objectClass: top<br>
objectClass: idnsrecord<br>
pTRRecord: <a href="http://arsenica.ipa.rdmedia.com" target="_blank">arsenica.ipa.rdmedia.com</a>.<br>
idnsName: 41<br>
nsds5ReplConflict: namingConflict
idnsname=41,idnsname=120.100.<wbr>10.in-addr.arpa<br>
.,cn=dns,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
# ipa + 58d90aec-cdae11e6-8a85a70a-<wbr>bda98fae, cas +
334bfba8-cdae11e6-8a85a70a-b<br>
da98fae, ca, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a><br>
dn:
cn=ipa+nsuniqueid=58d90aec-<wbr>cdae11e6-8a85a70a-bda98fae,cn=<wbr>cas+nsuniqueid=33<br>
4bfba8-cdae11e6-8a85a70a-<wbr>bda98fae,cn=ca,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
description: IPA CA<br>
ipaCaIssuerDN: CN=Certificate Authority,O=<a href="http://IPA.RDMEDIA.COM" target="_blank">IPA.RDMEDIA.COM</a><br>
objectClass: top<br>
objectClass: ipaca<br>
ipaCaSubjectDN: CN=Certificate Authority,O=<a href="http://IPA.RDMEDIA.COM" target="_blank">IPA.RDMEDIA.COM</a><br>
ipaCaId: 21547c03-13c3-4f4f-992b-<wbr>b0257012d1c1<br>
cn: ipansds5ReplConflict<br>
nsds5ReplConflict: namingConflict
cn=ipa,cn=cas,cn=ca,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
# search result<br>
search: 2<br>
result: 0 Success<br>
# numResponses: 28<br>
# numEntries: 27</blockquote>
<div><br>
</div>
<div>So when I try eg. this...</div>
<div><br>
</div>
<blockquote class="gmail_quote">[root@moscovium ~]# ldapmodify
-x -D "cn=directory manager" -W -h <a href="http://moscovium.ipa.rdmedia.com" target="_blank">moscovium.ipa.rdmedia.com</a>
-p 389<br>
Enter LDAP Password: <br>
dn: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+<wbr>nsuniqueid=1b780d06-017611e6-<wbr>966aeb96-de53d9d8,c<br>
n=computers,cn=accounts,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
changetype: modrdn<br>
newrdn fqdn=<a href="http://neontemp.ipa.rdmedia.com" target="_blank">neontemp.ipa.rdmedia.com</a><br>
deleteoldrdn: 0</blockquote>
</div>
</blockquote></div></div>
It has to be <br>
newrdn: fqdn=<a href="http://neontemp.ipa.rdmedia.com" target="_blank">neontemp.ipa.rdmedia.com</a><br>
the ":" was missing.<br>
But you don't always have to do the modrdn steps, only if you want
to keep the conflict entry under a different dn.<br>
<br>
I would suggest you do the search for conflicts again, and just
returning the nsds5ReplConflict attribute, you get then something
like:<br>
dn:
idnsname=41+nsuniqueid=<wbr>e764de07-5e2f11e6-bd76eb96-<wbr>de53d9d8,idnsname=120.10.in-
addr.arpa.,cn=dns,dc=ipa,dc=<wbr>rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict idnsname=mendelevium,idnsname=<a href="http://ipa.rdmedia.co" target="_blank"><wbr>ipa.rdmedia.co</a><br>
m.,cn=dns,dc=ipa,dc=rdmedia,<wbr>dc=com<br>
<br>
<br>
next do a search for both entries, the conflict entry and the one
referenced in the and the <br>
nsds5ReplConflict attribute, if the original entry exists and you
want to keep this, you can just delete the conflict entry<br>
<br>
ldapmodify -x -D "cn=directory manager" ....<br>
dn: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+<wbr>nsuniqueid=1b780d06-017611e6-<wbr>966aeb96-de53d9d8,c<br>
n=computers,cn=accounts,dc=<wbr>ipa,dc=rdmedia,dc=com<br>
changetype: delete<span class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>...I get:</div>
<div><br>
</div>
<blockquote class="gmail_quote">ldapmodify: invalid format (line
3) entry: "fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+<wbr>nsuniqueid=1b780d06-017611e6-<wbr>966aeb96-de53d9d8,cn=<wbr>computers,cn=accounts,dc=ipa,<wbr>dc=rdmedia,dc=com"</blockquote>
<div> </div>
<div>So my question: what can I do to resolve the conflicts?</div>
<div><br>
</div>
<div>-- <br>
<div class="m_8208528144818540294gmail_signature">
<div dir="ltr">Tiemen Ruiten<br>
Systems Engineer<br>
R&D Media<br>
</div>
</div>
</div>
</div>
<br>
<fieldset class="m_8208528144818540294mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</span><span class="HOEnZb"><font color="#888888"><pre class="m_8208528144818540294moz-signature" cols="72">--
Red Hat GmbH, <a class="m_8208528144818540294moz-txt-link-freetext" href="http://www.de.redhat.com/" target="_blank">http://www.de.redhat.com/</a>, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander</pre>
</font></span></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Tiemen Ruiten<br>Systems Engineer<br>R&D Media<br></div></div>
</div>