[Freeipa-users] ipa user-find finds user but ipa user-del fails

Ron rap at phas.ubc.ca
Wed Sep 3 20:44:32 UTC 2014


By the way, all three replica servers show the same:

[root@ipa]# ipa user-find --all --raw --login phys210e | grep dn:
  dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca

[root@ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
  dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca

[root@ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
  dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca

On 09/03/2014 12:26 PM, Rob Crittenden wrote:
> Ron wrote:
>> And here is the result of the user-show command:
>> [root@ipa slapd-pxxx-abc-CA]# ipa user-show --all --raw phys210e
>> ipa: ERROR: phys210e: user not found
> Sorry, thinko on my part. Do ipa user-find --all --raw --login phys210e
>
> user-show is going to have the same issue as user-delete.
>
> rob
>
>>
>>
>> On 09/03/2014 10:43 AM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for the DEL
>>>> operation and see what was the error code that DS gave when it refused to
>>>> delete the user?
>>> Were I to guess the issue is that this is a replication conflict entry.
>>> If you do:
>>>
>>> # ipa user-show --all --raw phys210e |grep dn:
>>>
>>> It will likely begin with nsuniqueid=<hex>, ...
>>>
>>> The reason it can be found and not deleted is we create the dn to be
>>> removed, we don't search for it. So the user uid=phys210e,cn=users,...
>>> etc doesn't exist but the user nsuniqueid=<hex> ... does.
>>>
>>> You'll need to use ldapmodify or ldapdelete to remove the entry though
>>> I'd check your other masters to see what the state of the user is there.
>>>
>>> rob
>>>
>>>> Martin
>>>>
>>>> On 09/03/2014 06:18 PM, Ron wrote:
>>>>> user-find sees a user but user-del cannot remove it.  What can I do?
>>>>> Thanks.
>>>>> Regards,
>>>>> Ron
>>>>>
>>>>> [root@ipa]# ipa user-find --login phys210e
>>>>> --------------
>>>>> 1 user matched
>>>>> --------------
>>>>>   User login: phys210e
>>>>>   First name: Testing
>>>>>   Last name: Phys210
>>>>>   Home directory: /home2/phys210e
>>>>>   Login shell: /bin/bash
>>>>>   Email address: phys210e@pxxx.abc.ca
>>>>>   UID: 15010
>>>>>   GID: 15010
>>>>>   Account disabled: False
>>>>>   Password: True
>>>>>   Kerberos keys available: False
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>> [root@ipa]# ipa user-del phys210e --continue
>>>>> ---------------
>>>>> Deleted user ""
>>>>> ---------------
>>>>>   Failed to remove: phys210e
>>>>>
>>>>>
>>>>> [root@ipa]# cat /etc/redhat-release
>>>>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>>>>>
>>>>> [root@ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>> ipa-admintools-3.0.0-37.el6.i686
>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>> libipa_hbac-1.9.2-129.el6_5.4.i686
>>>>> ipa-server-selinux-3.0.0-37.el6.i686
>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>> libipa_hbac-python-1.9.2-129.el6_5.4.i686
>>>>> ipa-server-3.0.0-37.el6.i686
>>>>> ipa-python-3.0.0-37.el6.i686
>>>>> ipa-client-3.0.0-37.el6.i686
>>>>> 389-ds-base-libs-1.2.11.15-33.el6_5.i686
>>>>> 389-ds-base-1.2.11.15-33.el6_5.i686
>>
>> -- 
>> Ron Parachoniak
>> Systems Manager, Department of Physics & Astronomy
>> University of British Columbia, Vancouver, B.C.  V6T 1Z1
>> Phone: (604) 838-6437
>>


-- 
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C.  V6T 1Z1
Phone: (604) 838-6437
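
The check described in the quoted replies, as an added example that is not part of the original thread: it compares the DN posted above with the DN that would be built from the login name and, when the entry turns out to be a replication conflict entry, prints the commands for listing conflict entries on each master and deleting the entry by its real DN. The `cn=Directory Manager` bind DN and the use of the short host names `ipa`, `ipa01` and `ipa02` as LDAP hosts are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sample values are the ones posted above;
# the "cn=Directory Manager" bind DN is an assumption (389 DS default root DN).

BASEDN='dc=xxxx,dc=abc,dc=ca'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# DN that user-show/user-del would construct from the login name.
expected_user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s' "$1" "$2"
}

# classify_dn LOGIN BASEDN ACTUAL_DN
# Prints: normal   - the entry lives at the constructed DN
#         conflict - leading RDN is multi-valued and carries nsuniqueid
#         other    - some other DN for this login
classify_dn() {
    actual=$(lower "$3")
    want=$(lower "$(expected_user_dn "$1" "$2")")
    rdn=${actual%%,*}    # text before the first comma (no escaped commas assumed)
    if [ "$actual" = "$want" ]; then
        echo normal
    else
        case "$rdn" in
            nsuniqueid=*+uid=*|uid=*+nsuniqueid=*) echo conflict ;;
            *) echo other ;;
        esac
    fi
}

# print_cleanup DN HOST...
# Prints (does not run) one conflict search per master, then the delete
# of the entry by its real DN.
print_cleanup() {
    dn=$1; shift
    for host in "$@"; do
        printf "ldapsearch -x -H ldap://%s -D 'cn=Directory Manager' -W -b '%s' '(nsds5ReplConflict=*)' dn nsds5ReplConflict\n" "$host" "$BASEDN"
    done
    printf "ldapdelete -x -D 'cn=Directory Manager' -W '%s'\n" "$dn"
}

DN='nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca'
if [ "$(classify_dn phys210e "$BASEDN" "$DN")" = conflict ]; then
    print_cleanup "$DN" ipa ipa01 ipa02
fi
```

The script only prints the `ldapsearch` and `ldapdelete` commands, so the state of the entry on every master can be reviewed before anything is removed.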
