[Freeipa-users] ipa user-del not deleting the ldap entry

Fri Jul 11 20:50:11 UTC 2014

On 06/25/2014 03:25 PM, Rich Megginson wrote:
> On 06/25/2014 09:19 AM, Chase Khoury wrote:
>> rpm -qa|grep ipa
>> ipa-server-3.0.0-37.el6.x86_64
>>
>> rpm -qa|grep 389
>> 389-ds-base-1.2.11.15-29.el6.x86_64
>> 389-ds-base-libs.1.2.11.15-29.el6.x86_64
>>
>> =======================================
>> /var/log/dirsrv/slapd-DOMAIN/errors
>> =======================================
>> [23/Jun/214:11:34:27-0400] referint-plugin - _update_all_per_mod:
>> entry 
>> cn=667a2b330ee4c889c6dadcd66c086dc,ou=tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
>> deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com"
>> failed (16)
>> [23/Jun/2014:11:34:27-0400]referint-plugin - _update_all_per_mod:
>> entry 
>> cn=enabled_users,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
>> deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com"
>> failed (16)
>> [23/Jun/2014:11:34:27-0400] referint-plugin - _update_all_per_mod:
>> entry cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com: deleting
>> "member:uid=foo,cn=users,cn=accounts,dc=example,dc=com" failed (16)
>> [23/Jun/2014:11:34:43-0400] ipalockout_preop - [file ipa_lockout.c,
>> line 722]: Failed to retrieve entry
>> "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32
>> [23/Jun/2014:11:34:43-0400]ipalockout_postop - [file ipa_lockout.c,
>> line 473]: Failed to retrieve entry
>> "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32
>> [23/Jun/2014:11:35:39-0400] referint-plugin - _update_all_per_mod:
>> entry 
>> cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
>> deleting "member: uid=tenants,cn=users,cn=accounts,dc=example,dc=com"
>> failed (16)
>> [23/Jun/2014:11:35:39-0400] referint-plugin - _update_all_per_mod:
>> entry 
>> cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
>> deleting "member:
>> uid=openstack,cn=users,cn=accounts,dc=example,dc=com" failed (16)
>> [23/Jun/2014:11:35:41-0400] ldbm_back_modify -Attempt to modify a
>> tombstone entry
>> nsuiqueid=d2138508-faeb11e3-89c8890f-56b4c812,cn=Manage
>> OpenStack,cn=privileges,cn=pbac,dc=example,dc=com
>> =======================================
>
> Not sure what the problem is.  Please open a ticket.
> https://fedorahosted.org/freeipa/newticket
>
>>
>>
>> On 6/24/14, Rich Megginson <rmeggins at redhat.com> wrote:
>>> On 06/24/2014 09:46 AM, Chase Khoury wrote:
>>>> Hello,
>>>>    I am having issues with deleting an ipa user. When I do an 'ipa
>>>> user-del foo' there still remains reminisces of the user that are
>>>> causing issues.
>>>> I have a freeIPA server setup with 3 replica servers set up.
>>>> When I did an ipa user-del foo it did not fully delete the user.
>>>> if I do an ipa user-add foo after the delete I get an "ipa ERROR: user
>>>> with the name "foo" already exists"
>>>> If I do a ipa user-show foo I get "ipa ERROR: foo: user not found"
>>>> if I do an ipa user-find foo it returns an entry.
>>>> --------------
>>>> 1 user matched
>>>> --------------
>>>>     User login: foo
>>>>     First name: foo
>>>>     Last name: bar
>>>>     Home directory: /home/foo
>>>>     login shell: /bin/bash
>>>>     Email address: foo at bar.com
>>>>     UID: 5021
>>>>     GID: 5021
>>>>     Account disabled: False
>>>>     Password: True
>>>>     Kerberos keys available: True
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>>
>>>> If I do an ldapsearch for the user it still has a user entry.
>>>> When trying to do an ldapdelete I get the error "Server is unwilling
>>>> to perform (53)"
>>>>
>>>> Does anyone know why this happened or how to clean up the server so I
>>>> can get it into a state when I can successful do an ipa-user-add foo?
>>> What version of ipa are you using?  What version of 389?
>>> rpm -qa|grep ipa
>>> rpm -qa|grep 389
>>>
>>> Can you provide excerpts from your 389 errors log
>>> /var/log/dirsrv/slapd-DOMAIN/errors from around the time of the 
>>> problems
>>> mentioned above?
>>>
>>>
>
Was this ever figured out? I do not remember seeing the ticket.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.