[Freeipa-users] ipa user-del not deleting the ldap entry

Rich Megginson rmeggins at redhat.com
Wed Jun 25 19:25:33 UTC 2014


On 06/25/2014 09:19 AM, Chase Khoury wrote:
> rpm -qa|grep ipa
> ipa-server-3.0.0-37.el6.x86_64
>
> rpm -qa|grep 389
> 389-ds-base-1.2.11.15-29.el6.x86_64
> 389-ds-base-libs.1.2.11.15-29.el6.x86_64
>
> =======================================
> /var/log/dirsrv/slapd-DOMAIN/errors
> =======================================
> [23/Jun/214:11:34:27-0400] referint-plugin - _update_all_per_mod:
> entry cn=667a2b330ee4c889c6dadcd66c086dc,ou=tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com"
> failed (16)
> [23/Jun/2014:11:34:27-0400]referint-plugin - _update_all_per_mod:
> entry cn=enabled_users,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com"
> failed (16)
> [23/Jun/2014:11:34:27-0400] referint-plugin - _update_all_per_mod:
> entry cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com: deleting
> "member:uid=foo,cn=users,cn=accounts,dc=example,dc=com" failed (16)
> [23/Jun/2014:11:34:43-0400] ipalockout_preop - [file ipa_lockout.c,
> line 722]: Failed to retrieve entry
> "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32
> [23/Jun/2014:11:34:43-0400]ipalockout_postop - [file ipa_lockout.c,
> line 473]: Failed to retrieve entry
> "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32
> [23/Jun/2014:11:35:39-0400] referint-plugin - _update_all_per_mod:
> entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member: uid=tenants,cn=users,cn=accounts,dc=example,dc=com"
> failed (16)
> [23/Jun/2014:11:35:39-0400] referint-plugin - _update_all_per_mod:
> entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member:
> uid=openstack,cn=users,cn=accounts,dc=example,dc=com" failed (16)
> [23/Jun/2014:11:35:41-0400] ldbm_back_modify -Attempt to modify a
> tombstone entry
> nsuiqueid=d2138508-faeb11e3-89c8890f-56b4c812,cn=Manage
> OpenStack,cn=privileges,cn=pbac,dc=example,dc=com
> =======================================

Not sure what the problem is.  Please open a ticket.
https://fedorahosted.org/freeipa/newticket

>
>
> On 6/24/14, Rich Megginson <rmeggins at redhat.com> wrote:
>> On 06/24/2014 09:46 AM, Chase Khoury wrote:
>>> Hello,
>>>    I am having issues with deleting an ipa user. When I do an 'ipa
>>> user-del foo' there still remain remnants of the user that are
>>> causing issues.
>>> I have a freeIPA server setup with 3 replica servers set up.
>>> When I did an ipa user-del foo it did not fully delete the user.
>>> If I do an ipa user-add foo after the delete I get an "ipa ERROR: user
>>> with the name "foo" already exists"
>>> If I do an ipa user-show foo I get "ipa ERROR: foo: user not found"
>>> If I do an ipa user-find foo it returns an entry.
>>> --------------
>>> 1 user matched
>>> --------------
>>>     User login: foo
>>>     First name: foo
>>>     Last name: bar
>>>     Home directory: /home/foo
>>>     login shell: /bin/bash
>>>     Email address: foo at bar.com
>>>     UID: 5021
>>>     GID: 5021
>>>     Account disabled: False
>>>     Password: True
>>>     Kerberos keys available: True
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>>
>>> If I do an ldapsearch for the user it still has a user entry.
>>> When trying to do an ldapdelete I get the error "Server is unwilling
>>> to perform (53)"
>>>
>>> Does anyone know why this happened or how to clean up the server so I
>>> can get it into a state where I can successfully do an ipa-user-add foo?
>> What version of ipa are you using?  What version of 389?
>> rpm -qa|grep ipa
>> rpm -qa|grep 389
>>
>> Can you provide excerpts from your 389 errors log
>> /var/log/dirsrv/slapd-DOMAIN/errors from around the time of the problems
>> mentioned above?
>>
>>



