<div dir="ltr">Thank you very much Ludwig, that worked. I had to do a ldapdelete -r (recursive) to remove a few containers which apparently had some tombstone entries in them. Domain is now running at level 1!</div><div class="gmail_extra"> <div class="gmail_quote">On 16 February 2017 at 13:58, Ludwig Krispenz <<a href="mailto:lkrispen@redhat.com" target="_blank">lkrispen@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"> <div class="m_8208528144818540294moz-cite-prefix">On 02/16/2017 01:32 PM, Tiemen Ruiten wrote: </div> <blockquote type="cite"> <div dir="ltr">Hello, <div> </div> <div>I have a FreeIPA setup in which some masters suffered from a few uncontrolled shutdowns and now there are replication conflicts (which prevent from setting the Domain Level to 1). </div> <div> </div> <div>I was trying to follow the instructions here: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html</a></div> <div> </div> <div>But unfortunately I'm not getting anywhere. This the result of an ldapsearch for replication conflicts:</div> <div> </div> <blockquote class="gmail_quote"> [root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=ipa,dc=rdmedia,dc=com> with scope subtree # filter: nsds5ReplConflict=* # requesting: * nsds5ReplConflict # # servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc =rdmedia,dc=com objectClass: nsContainer objectClass: top cn: servers nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com # System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae, permissions, pbac, ipa. <a href="http://rdmedia.com" target="_blank">rdmedia.com</a> dn: cn=System: Add CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaca) ipaPermRight: add ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Add CA objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc= ipa,dc=rdmedia,dc=com </blockquote> <blockquote class="gmail_quote"># System: Delete CA + 334bfbe9-cdae11e6-8a85a70a-bda98fae, permissions, pbac, i <a href="http://pa.rdmedia.com" target="_blank">pa.rdmedia.com</a> dn: cn=System: Delete CA+nsuniqueid=334bfbe9-cdae11e6-8a85a70a-bda98fae,cn=per missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaca) ipaPermRight: delete ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Delete CA objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac, dc=ipa,dc=rdmedia,dc=com # System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae, permissions, pbac, i <a href="http://pa.rdmedia.com" target="_blank">pa.rdmedia.com</a> dn: cn=System: Modify CA+nsuniqueid=334bfbed-cdae11e6-8a85a70a-bda98fae,cn=per missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaca) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Modify CA objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: description ipaPermDefaultAttr: cn ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac, dc=ipa,dc=rdmedia,dc=com # System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae, permissions, pbac, ip <a href="http://a.rdmedia.com" target="_blank">a.rdmedia.com</a> dn: cn=System: Read CAs+nsuniqueid=334bfbf1-cdae11e6-8a85a70a-bda98fae,cn=perm issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaca) ipaPermRight: read ipaPermRight: compare ipaPermRight: search ipaPermBindRuleType: all ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Read CAs objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 ipaPermDefaultAttr: description ipaPermDefaultAttr: ipacaissuerdn ipaPermDefaultAttr: objectclass ipaPermDefaultAttr: ipacasubjectdn ipaPermDefaultAttr: ipacaid ipaPermDefaultAttr: cn ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d c=ipa,dc=rdmedia,dc=com # System: Modify DNS Servers Configuration + 334bfbf6-cdae11e6-8a85a70a-bda98fa e, permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=334bfbf6-cdae11e6-8 a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=idnsServerConfigObject) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Modify DNS Servers Configuration objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: idnssoamname ipaPermDefaultAttr: idnssubstitutionvariable ipaPermDefaultAttr: idnsforwardpolicy ipaPermDefaultAttr: idnsforwarders ipaPermLocation: dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration, cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Read DNS Servers Configuration + 334bfbfa-cdae11e6-8a85a70a-bda98fae, permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Read DNS Servers Configuration+nsuniqueid=334bfbfa-cdae11e6-8a8 5a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=idnsServerConfigObject) ipaPermRight: read ipaPermRight: compare ipaPermRight: search ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Read DNS Servers Configuration objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com member: cn=DNS Servers,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: idnsforwardpolicy ipaPermDefaultAttr: objectclass ipaPermDefaultAttr: idnsforwarders ipaPermDefaultAttr: idnsserverid ipaPermDefaultAttr: idnssubstitutionvariable ipaPermDefaultAttr: idnssoamname ipaPermLocation: dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn =permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Manage Host Principals + 334bfc0b-cdae11e6-8a85a70a-bda98fae, permiss ions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Manage Host Principals+nsuniqueid=334bfc0b-cdae11e6-8a85a70a-bd a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipahost) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Host Principals objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Host Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: krbprincipalname ipaPermDefaultAttr: krbcanonicalname ipaPermLocation: cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permiss ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Add IPA Locations + 334bfc20-cdae11e6-8a85a70a-bda98fae, permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Add IPA Locations+nsuniqueid=334bfc20-cdae11e6-8a85a70a-bda98fa e,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaLocationObject) ipaPermRight: add ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Add IPA Locations objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions, cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Modify IPA Locations + 334bfc24-cdae11e6-8a85a70a-bda98fae, permissio ns, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Modify IPA Locations+nsuniqueid=334bfc24-cdae11e6-8a85a70a-bda9 8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaLocationObject) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Modify IPA Locations objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: description ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Read IPA Locations + 334bfc28-cdae11e6-8a85a70a-bda98fae, permissions , pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Read IPA Locations+nsuniqueid=334bfc28-cdae11e6-8a85a70a-bda98f ae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaLocationObject) ipaPermRight: read ipaPermRight: compare ipaPermRight: search ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Read IPA Locations objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: objectclass ipaPermDefaultAttr: description ipaPermDefaultAttr: idnsname ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions ,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Remove IPA Locations + 334bfc2c-cdae11e6-8a85a70a-bda98fae, permissio ns, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Remove IPA Locations+nsuniqueid=334bfc2c-cdae11e6-8a85a70a-bda9 8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaLocationObject) ipaPermRight: delete ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Remove IPA Locations objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Read Locations of IPA Servers + 334bfc30-cdae11e6-8a85a70a-bda98fae, permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Read Locations of IPA Servers+nsuniqueid=334bfc30-cdae11e6-8a85 a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaConfigObject) ipaPermRight: read ipaPermRight: compare ipaPermRight: search ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Read Locations of IPA Servers objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: objectclass ipaPermDefaultAttr: ipaserviceweight ipaPermDefaultAttr: ipalocation ipaPermDefaultAttr: cn ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn= permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Read Status of Services on IPA Servers + 334bfc34-cdae11e6-8a85a70a-b da98fae, permissions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=334bfc34-cdae 11e6-8a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaConfigObject) ipaPermRight: read ipaPermRight: compare ipaPermRight: search ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Read Status of Services on IPA Servers objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermDefaultAttr: objectclass ipaPermDefaultAttr: ipaconfigstring ipaPermDefaultAttr: cn ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se rvers,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Manage Service Principals + 334bfc38-cdae11e6-8a85a70a-bda98fae, perm issions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Manage Service Principals+nsuniqueid=334bfc38-cdae11e6-8a85a70a -bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=ipaservice) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage Service Principals objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=Service Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=c om ipaPermDefaultAttr: krbprincipalname ipaPermDefaultAttr: krbcanonicalname ipaPermLocation: cn=services,cn=accounts,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com # System: Manage User Principals + 334bfc45-cdae11e6-8a85a70a-bda98fae, permiss ions, pbac, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=System: Manage User Principals+nsuniqueid=334bfc45-cdae11e6-8a85a70a-bd a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com ipaPermTargetFilter: (objectclass=posixaccount) ipaPermRight: write ipaPermBindRuleType: permission ipaPermissionType: V2 ipaPermissionType: MANAGED ipaPermissionType: SYSTEM cn: System: Manage User Principals objectClass: ipapermission objectClass: top objectClass: groupofnames objectClass: ipapermissionv2 member: cn=User Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=ipa,dc=rd media,dc=com ipaPermDefaultAttr: krbprincipalname ipaPermDefaultAttr: krbcanonicalname ipaPermLocation: cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com # locations + 334bfba2-cdae11e6-8a85a70a-bda98fae, etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=locations+nsuniqueid=334bfba2-cdae11e6-8a85a70a-bda98fae,cn=etc,dc=ipa, dc=rdmedia,dc=com objectClass: nsContainer objectClass: top cn: locations nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi ssion:System: Add IPA Locations";allow (add) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Ad d IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";) aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObje ct)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Modify IPA Locations,cn=permissions,cn=pbac,dc =ipa,dc=rdmedia,dc=com";) aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObje ct)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare, read,search) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Read IPA Locations,cn=permissions, cn=pbac,dc=ipa,dc=rdmedia,dc=com";) aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi ssion:System: Remove IPA Locations";allow (delete) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=Syst</a> em: Remove IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";) # <a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a> + 1b780d06-017611e6-966aeb96-de53d9d8, computers, accoun ts, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com krbExtraData:: AAJIQA5XaG9zdC9uZW9uLmlwYS5yZG1lZGlhLmNvbUBJUEEuUkRNRURJQS5DT00 A enrolledBy: uid=admin,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com krbLastPwdChange: 20160413124912Z krbPrincipalKey:: MIIBKKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBEDCCAQwwS6FJMEegAwIBEqFA BD4gAPd2yVptQC/d3mk7xdb3skL+KkkUzewAxCF0FJgXXuBVt1y2GHtnhzILNe91amjovgXAFEujn 8x6YrwHXDA7oTkwN6ADAgERoTAELhAAPbI3gwakFyt9EnCqDLWst6FeXKO0Fwvx3+gZZOGmYQpr0Z ujLLtmJuJVmS8wQ6FBMD+gAwIBEKE4BDYYABMJXEKVH2Yn4nGzJ5woqDjO2dVUx8nQ+1NSi6dREwy 8T+7VrbdVOpaQgkUx4czwkhxKvVcwO6E5MDegAwIBF6EwBC4QABWhTKkWc50oJlpSw/FK2yhl+ZUo MZt0XHA/xdPXDD3DxGV5cx2MgvJEhJzs cn: <a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a> objectClass: ipaobject objectClass: ieee802device objectClass: nshost objectClass: ipaservice objectClass: pkiuser objectClass: ipahost objectClass: krbprincipal objectClass: krbprincipalaux objectClass: ipasshhost objectClass: top objectClass: ipaSshGroupOfPubKeys fqdn: <a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a> managedBy: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>,cn=computers,cn=accounts,dc=ipa,dc=rdmedi a,dc=com krbPrincipalName: host/<a href="mailto:neon.ipa.rdmedia.com@IPA.RDMEDIA.COM" target="_blank">neon.ipa.rdmedia.com@IPA.RDMEDIA.COM</a> serverHostName: neon ipaUniqueID: 1eaa355c-0176-11e6-8dd5-001a4aa7101c krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=account s,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>,cn=computers,cn=ac counts,dc=ipa,dc=rdmedia,dc=com # cas + 334bfba8-cdae11e6-8a85a70a-bda98fae, ca, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=cas+nsuniqueid=334bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdme dia,dc=com objectClass: nsContainer objectClass: top cn: cas nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System : Add CA";allow (add) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Add CA,cn=permissions,cn= pbac,dc=ipa,dc=rdmedia,dc=com";) aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System : Delete CA";allow (delete) groupdn = "<a class="m_8208528144818540294moz-txt-link-freetext">ldap:///cn=System</a>: Delete CA,cn=permis sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";) aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")( version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap: ///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";) aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacai d || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targ etfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CA s";allow (compare,read,search) userdn = <a class="m_8208528144818540294moz-txt-link-rfc2396E">"ldap:///all"</a>;) # custodia + 334bfbdb-cdae11e6-8a85a70a-bda98fae, ipa, etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=custodia+nsuniqueid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,d c=ipa,dc=rdmedia,dc=com objectClass: nsContainer objectClass: top cn: custodia nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=rdmedia, dc=com # domain + 334bfb9e-cdae11e6-8a85a70a-bda98fae, topology, ipa, etc, ipa.rdmedia .com dn: cn=domain+nsuniqueid=334bfb9e-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ip a,cn=etc,dc=ipa,dc=rdmedia,dc=com nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in ternalModifyTimestamp ipaReplTopoConfRoot: dc=ipa,dc=rdmedia,dc=com objectClass: top objectClass: iparepltopoconf nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts uccessfulauth krblastfailedauth krbloginfailedcount nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount cn: domain nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,d c=rdmedia,dc=com # ca + 334bfbe0-cdae11e6-8a85a70a-bda98fae, topology, ipa, etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=ca+nsuniqueid=334bfbe0-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ipa,cn =etc,dc=ipa,dc=rdmedia,dc=com objectClass: top objectClass: iparepltopoconf cn: ca ipaReplTopoConfRoot: o=ipaca nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=rd media,dc=com # dogtag + 334bfbdd-cdae11e6-8a85a70a-bda98fae, custodia + 334bfbdb-cdae11e6-8a 85a70a-bda98fae, ipa, etc, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=dogtag+nsuniqueid=334bfbdd-cdae11e6-8a85a70a-bda98fae,cn=custodia+nsuni queid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc= com objectClass: nsContainer objectClass: top cn: dogtag nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=ipa,d c=rdmedia,dc=com # lawrencium + 6c7e3d83-c11711e6-8a85a70a-bda98fae, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>., dns, ipa. <a href="http://rdmedia.com" target="_blank">rdmedia.com</a> dn: idnsName=lawrencium+nsuniqueid=6c7e3d83-c11711e6-8a85a70a-bda98fae,idnsnam e=<a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>.,cn=dns,dc=ipa,dc=rdmedia,dc=com aRecord: 192.168.50.55 dNSTTL: 1200 objectClass: idnsRecord objectClass: top idnsName: lawrencium nsds5ReplConflict: namingConflict idnsname=lawrencium,idnsname=<a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> .,cn=dns,dc=ipa,dc=rdmedia,dc=com # mendelevium + e5710f85-c5c511e6-8a85a70a-bda98fae, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>., dns, ipa .<a href="http://rdmedia.com" target="_blank">rdmedia.com</a> dn: idnsName=mendelevium+nsuniqueid=e5710f85-c5c511e6-8a85a70a-bda98fae,idnsna me=<a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a>.,cn=dns,dc=ipa,dc=rdmedia,dc=com aRecord: 192.168.50.52 dNSTTL: 1200 objectClass: idnsRecord objectClass: top idnsName: mendelevium nsds5ReplConflict: namingConflict idnsname=mendelevium,idnsname=<a href="http://ipa.rdmedia.co" target="_blank">ipa.rdmedia.co</a> m.,cn=dns,dc=ipa,dc=rdmedia,dc=com # 41 + e764de07-5e2f11e6-bd76eb96-de53d9d8, 120.100.10.in-addr.arpa., dns, ipa. <a href="http://rdmedia.com" target="_blank">rdmedia.com</a> dn: idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10 0.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com objectClass: top objectClass: idnsrecord pTRRecord: <a href="http://arsenica.ipa.rdmedia.com" target="_blank">arsenica.ipa.rdmedia.com</a>. idnsName: 41 nsds5ReplConflict: namingConflict idnsname=41,idnsname=120.100.10.in-addr.arpa .,cn=dns,dc=ipa,dc=rdmedia,dc=com # ipa + 58d90aec-cdae11e6-8a85a70a-bda98fae, cas + 334bfba8-cdae11e6-8a85a70a-b da98fae, ca, <a href="http://ipa.rdmedia.com" target="_blank">ipa.rdmedia.com</a> dn: cn=ipa+nsuniqueid=58d90aec-cdae11e6-8a85a70a-bda98fae,cn=cas+nsuniqueid=33 4bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdmedia,dc=com description: IPA CA ipaCaIssuerDN: CN=Certificate Authority,O=<a href="http://IPA.RDMEDIA.COM" target="_blank">IPA.RDMEDIA.COM</a> objectClass: top objectClass: ipaca ipaCaSubjectDN: CN=Certificate Authority,O=<a href="http://IPA.RDMEDIA.COM" target="_blank">IPA.RDMEDIA.COM</a> ipaCaId: 21547c03-13c3-4f4f-992b-b0257012d1c1 cn: ipansds5ReplConflict nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com # search result search: 2 result: 0 Success # numResponses: 28 # numEntries: 27</blockquote> <div> </div> <div>So when I try eg. this...</div> <div> </div> <blockquote class="gmail_quote">[root@moscovium ~]# ldapmodify -x -D "cn=directory manager" -W -h <a href="http://moscovium.ipa.rdmedia.com" target="_blank">moscovium.ipa.rdmedia.com</a> -p 389 Enter LDAP Password: dn: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com changetype: modrdn newrdn fqdn=<a href="http://neontemp.ipa.rdmedia.com" target="_blank">neontemp.ipa.rdmedia.com</a> deleteoldrdn: 0</blockquote> </div> </blockquote></div></div> It has to be newrdn: fqdn=<a href="http://neontemp.ipa.rdmedia.com" target="_blank">neontemp.ipa.rdmedia.com</a> the ":" was missing. But you don't always have to do the modrdn steps, only if you want to keep the conflict entry under a different dn. I would suggest you do the search for conflicts again, and just returning the nsds5ReplConflict attribute, you get then something like: dn: idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10.in- addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com nsds5ReplConflict: namingConflict idnsname=mendelevium,idnsname=<a href="http://ipa.rdmedia.co" target="_blank">ipa.rdmedia.co</a> m.,cn=dns,dc=ipa,dc=rdmedia,dc=com next do a search for both entries, the conflict entry and the one referenced in the and the nsds5ReplConflict attribute, if the original entry exists and you want to keep this, you can just delete the conflict entry ldapmodify -x -D "cn=directory manager" .... dn: fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com changetype: delete <blockquote type="cite"> <div dir="ltr"> <div> </div> <div>...I get:</div> <div> </div> <blockquote class="gmail_quote">ldapmodify: invalid format (line 3) entry: "fqdn=<a href="http://neon.ipa.rdmedia.com" target="_blank">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com"</blockquote> <div> </div> <div>So my question: what can I do to resolve the conflicts?</div> <div> </div> <div>-- <div class="m_8208528144818540294gmail_signature"> <div dir="ltr">Tiemen Ruiten Systems Engineer R&D Media </div> </div> </div> </div> <fieldset class="m_8208528144818540294mimeAttachmentHeader"></fieldset> </blockquote> <pre class="m_8208528144818540294moz-signature" cols="72">-- Red Hat GmbH, <a class="m_8208528144818540294moz-txt-link-freetext" href="http://www.de.redhat.com/" target="_blank">http://www.de.redhat.com/</a>, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander</pre> </div> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> <div> </div>-- <div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Tiemen Ruiten Systems Engineer R&D Media </div></div> </div>