[Freeipa-users] ipa user-find finds user but ipa user-del fails

Ron rap at phas.ubc.ca
Wed Sep 3 23:50:23 UTC 2014


So in my case I would need to do the "Renaming an Entry with a
Multi-Valued Naming Attribute" procedure on both IPA01 and IPA02?

Would another way of doing this be to remove IPA01 (and later IPA02) as
a replication-master and then re-add it?  I ask this because I have
about 70 of these entries.  I think they are there because I was using a
Perl script (which used the Perl ldap->add function) to create new user
entries and for a while the script called this (ldap->add) on IPA then
IPA02 immediately after.

-Ron

On 09/03/2014 02:24 PM, Rich Megginson wrote:
> On 09/03/2014 02:44 PM, Ron wrote:
>> By the way, all three replica servers show the same:
>>
>> [root at ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>>    dn:
>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>
>>
>> [root at ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>>    dn:
>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>
>>
>> [root at ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>>    dn:
>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>
>
> These appear to be replication conflict entries.  Not sure what
> happened.  See
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
>>
>> On 09/03/2014 12:26 PM, Rob Crittenden wrote:
>>> Ron wrote:
>>>> And here is the result of the user-show command:
>>>> [root at ipa slapd-pxxx-abc-CA]# ipa user-show --all --raw phys210e
>>>> ipa: ERROR: phys210e: user not found
>>> Sorry, thinko on my part. Do ipa user-find --all --raw --login phys210e
>>>
>>> user-show is going to have the same issue as user-delete.
>>>
>>> rob
>>>
>>>>
>>>> On 09/03/2014 10:43 AM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for
>>>>>> the DEL
>>>>>> operation and see what was the error code that DS gave when it
>>>>>> refused to
>>>>>> delete the user?
>>>>> Were I to guess the issue is that this is a replication conflict
>>>>> entry.
>>>>> If you do:
>>>>>
>>>>> # ipa user-show --all --raw phys210e |grep dn:
>>>>>
>>>>> It will likely begin with nsuniqueid=<hex>, ...
>>>>>
>>>>> The reason it can be found and not deleted is we create the dn to be
>>>>> removed, we don't search for it. So the user
>>>>> uid=phys210e,cn=users,...
>>>>> etc doesn't exist but the user nsuniqueid=<hex> ... does.
>>>>>
>>>>> You'll need to use ldapmodify or ldapdelete to remove the entry
>>>>> though
>>>>> I'd check your other masters to see what the state of the user is
>>>>> there.
>>>>>
>>>>> rob
>>>>>
>>>>>> Martin
>>>>>>
>>>>>> On 09/03/2014 06:18 PM, Ron wrote:
>>>>>>> user-find sees a user but user-del cannot remove it.  What can I
>>>>>>> do?
>>>>>>> Thanks.
>>>>>>> Regards,
>>>>>>> Ron
>>>>>>>
>>>>>>> [root at ipa]# ipa user-find --login phys210e
>>>>>>> --------------
>>>>>>> 1 user matched
>>>>>>> --------------
>>>>>>>    User login: phys210e
>>>>>>>    First name: Testing
>>>>>>>    Last name: Phys210
>>>>>>>    Home directory: /home2/phys210e
>>>>>>>    Login shell: /bin/bash
>>>>>>>    Email address: phys210e at pxxx.abc.ca
>>>>>>>    UID: 15010
>>>>>>>    GID: 15010
>>>>>>>    Account disabled: False
>>>>>>>    Password: True
>>>>>>>    Kerberos keys available: False
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 1
>>>>>>> ----------------------------
>>>>>>> [root at ipa]# ipa user-del phys210e --continue
>>>>>>> ---------------
>>>>>>> Deleted user ""
>>>>>>> ---------------
>>>>>>>    Failed to remove: phys210e
>>>>>>>
>>>>>>>
>>>>>>> [root at ipa]# cat /etc/redhat-release
>>>>>>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>>>>>>>
>>>>>>> [root at ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>> ipa-admintools-3.0.0-37.el6.i686
>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>> libipa_hbac-1.9.2-129.el6_5.4.i686
>>>>>>> ipa-server-selinux-3.0.0-37.el6.i686
>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>> libipa_hbac-python-1.9.2-129.el6_5.4.i686
>>>>>>> ipa-server-3.0.0-37.el6.i686
>>>>>>> ipa-python-3.0.0-37.el6.i686
>>>>>>> ipa-client-3.0.0-37.el6.i686
>>>>>>> 389-ds-base-libs-1.2.11.15-33.el6_5.i686
>>>>>>> 389-ds-base-1.2.11.15-33.el6_5.i686
>>>> -- 
>>>> Ron Parachoniak
>>>> Systems Manager, Department of Physics & Astronomy
>>>> University of British Columbia, Vancouver, B.C.  V6T 1Z1
>>>> Phone: (604) 838-6437
>>>>
>>
>


-- 
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C.  V6T 1Z1
Phone: (604) 838-6437
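
Rob's point in the quoted reply, that a delete by login name targets a DN built from the name while the stored entry's first RDN also carries nsuniqueid, as an added example (not part of the original thread and not FreeIPA code). It scans an LDIF export for such entries so they can be listed in bulk; the sample LDIF, its suffix and nsuniqueid values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (not from the thread's servers): LDIF such as a saved
# ldapsearch export; the first dn is folded the way LDIF wraps long lines.
SAMPLE_LDIF = """\
dn: nsuniqueid=11111111-22222222-33333333-44444444+uid=phys210e,cn=users,cn=a
 ccounts,dc=example,dc=com
uid: phys210e

dn: nsuniqueid=55555555-66666666-77777777-88888888+uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
"""

def entry_dns(ldif):
    """Unfold continuation lines (newline + one space) and return every dn value."""
    unfolded = re.sub(r"\r?\n ", "", ldif)
    # Base64-encoded DNs ("dn:: ...") are skipped in this simplified reader.
    return [l[4:].strip() for l in unfolded.splitlines() if l.lower().startswith("dn: ")]

def constructed_dn(dn):
    """For a conflict DN, return the DN built from the name alone; else None."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)   # first RDN, parent DN
    if len(parts) < 2:
        return None
    avas = re.split(r"(?<!\\)\+", parts[0])         # values of a multi-valued RDN
    names = [a for a in avas if not a.lower().startswith("nsuniqueid=")]
    if not names or len(names) == len(avas):
        return None                                  # no name part, or no nsuniqueid part
    return "+".join(names) + "," + parts[1]

def find_conflicts(ldif):
    """Return (actual_dn, constructed_dn, constructed_dn_exists) per conflict entry."""
    dns = entry_dns(ldif)
    present = {d.lower() for d in dns}
    found = []
    for dn in dns:
        built = constructed_dn(dn)
        if built:
            found.append((dn, built, built.lower() in present))
    return found

if __name__ == "__main__":
    for actual, built, exists in find_conflicts(SAMPLE_LDIF):
        print(f"conflict entry : {actual}")
        print(f"  name-built DN: {built} ({'exists' if exists else 'no such entry'})")
```

The first element of each tuple is the DN the entry is actually stored under, which is the one a rename or delete has to reference.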



