[Freeipa-users] ipa user-find finds user but ipa user-del fails

Rich Megginson rmeggins at redhat.com
Wed Sep 3 21:24:34 UTC 2014


On 09/03/2014 02:44 PM, Ron wrote:
> By the way, all three replica servers show the same:
>
> [root@ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>    dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>
> [root@ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>    dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>
> [root@ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>    dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca

These appear to be replication conflict entries.  Not sure what 
happened.  See 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

>
> On 09/03/2014 12:26 PM, Rob Crittenden wrote:
>> Ron wrote:
>>> And here is the result of the user-show command:
>>> [root@ipa slapd-pxxx-abc-CA]# ipa user-show --all --raw phys210e
>>> ipa: ERROR: phys210e: user not found
>> Sorry, thinko on my part. Do ipa user-find --all --raw --login phys210e
>>
>> user-show is going to have the same issue as user-delete.
>>
>> rob
>>
>>>
>>> On 09/03/2014 10:43 AM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for the DEL
>>>>> operation and see what was the error code that DS gave when it refused to
>>>>> delete the user?
>>>> Were I to guess, the issue is that this is a replication conflict entry.
>>>> If you do:
>>>>
>>>> # ipa user-show --all --raw phys210e |grep dn:
>>>>
>>>> It will likely begin with nsuniqueid=<hex>, ...
>>>>
>>>> The reason it can be found and not deleted is we create the dn to be
>>>> removed, we don't search for it. So the user uid=phys210e,cn=users,...
>>>> etc doesn't exist but the user nsuniqueid=<hex> ... does.
>>>>
>>>> You'll need to use ldapmodify or ldapdelete to remove the entry, though
>>>> I'd check your other masters to see what the state of the user is there.
>>>>
>>>> rob
>>>>
>>>>> Martin
>>>>>
>>>>> On 09/03/2014 06:18 PM, Ron wrote:
>>>>>> user-find sees a user but user-del cannot remove it.  What can I do?
>>>>>> Thanks.
>>>>>> Regards,
>>>>>> Ron
>>>>>>
>>>>>> [root@ipa]# ipa user-find --login phys210e
>>>>>> --------------
>>>>>> 1 user matched
>>>>>> --------------
>>>>>>    User login: phys210e
>>>>>>    First name: Testing
>>>>>>    Last name: Phys210
>>>>>>    Home directory: /home2/phys210e
>>>>>>    Login shell: /bin/bash
>>>>>>    Email address: phys210e@pxxx.abc.ca
>>>>>>    UID: 15010
>>>>>>    GID: 15010
>>>>>>    Account disabled: False
>>>>>>    Password: True
>>>>>>    Kerberos keys available: False
>>>>>> ----------------------------
>>>>>> Number of entries returned 1
>>>>>> ----------------------------
>>>>>> [root@ipa]# ipa user-del phys210e --continue
>>>>>> ---------------
>>>>>> Deleted user ""
>>>>>> ---------------
>>>>>>    Failed to remove: phys210e
>>>>>>
>>>>>>
>>>>>> [root@ipa]# cat /etc/redhat-release
>>>>>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>>>>>>
>>>>>> [root@ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> ipa-admintools-3.0.0-37.el6.i686
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>> libipa_hbac-1.9.2-129.el6_5.4.i686
>>>>>> ipa-server-selinux-3.0.0-37.el6.i686
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> libipa_hbac-python-1.9.2-129.el6_5.4.i686
>>>>>> ipa-server-3.0.0-37.el6.i686
>>>>>> ipa-python-3.0.0-37.el6.i686
>>>>>> ipa-client-3.0.0-37.el6.i686
>>>>>> 389-ds-base-libs-1.2.11.15-33.el6_5.i686
>>>>>> 389-ds-base-1.2.11.15-33.el6_5.i686
>>> -- 
>>> Ron Parachoniak
>>> Systems Manager, Department of Physics & Astronomy
>>> University of British Columbia, Vancouver, B.C.  V6T 1Z1
>>> Phone: (604) 838-6437
>>>
>
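
The DN mismatch described in the quoted text above (a delete aimed at a constructed uid=<login>,... name while the only entry present is named nsuniqueid=<hex>+uid=<login>,...), as an added example that is not part of the original thread and is not FreeIPA code. The function names and the LDIF sample are constructed for illustration, the DN parser is simplified, and the check covers any naming attribute, not only uid.

```python
import re

# Constructed sample input: LDIF shaped like the entries in this thread (the
# masked suffix is kept as posted), with the long dn folded across two lines.
SAMPLE_LDIF = """\
dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=a
 ccounts,dc=xxxx,dc=abc,dc=ca
uid: phys210e

dn: uid=alice,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
uid: alice
"""


def entry_dns(ldif):
    """Return each plain-text dn in the LDIF after undoing line folding."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # a leading space continues a line
    return [l[4:].strip() for l in unfolded.splitlines() if l.startswith("dn: ")]


def split_first_rdn(dn):
    """Split a DN into (attributes of its first RDN, parent DN).

    Simplified: honours backslash-escaped ',' and '+' but no other escaping.
    """
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    parent = parts[1] if len(parts) > 1 else ""
    avas = [ava.split("=", 1) for ava in re.split(r"(?<!\\)\+", parts[0])]
    return {k.strip().lower(): v.strip() for k, v in avas}, parent


def find_conflicts(ldif):
    """List (actual_dn, constructed_dn) for each replication conflict entry.

    actual_dn is what a search returns. constructed_dn is the name a client
    gets by building <naming attr>=<value>,<container> without searching,
    which is how the thread describes user-del.
    """
    found = []
    for dn in entry_dns(ldif):
        rdn, parent = split_first_rdn(dn)
        if "nsuniqueid" in rdn and len(rdn) > 1:
            plain = "+".join(f"{k}={v}" for k, v in rdn.items() if k != "nsuniqueid")
            found.append((dn, f"{plain},{parent}"))
    return found


if __name__ == "__main__":
    for actual, constructed in find_conflicts(SAMPLE_LDIF):
        print("entry that exists:      ", actual)
        print("DN built from the login:", constructed)
```

Only the first DN of each pair names an entry in the directory, so that is the one to pass to ldapdelete once the other masters have been checked.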



