[Freeipa-users] ipa user-find finds user but ipa user-del fails

Martin Kosek mkosek at redhat.com
Thu Sep 4 09:48:32 UTC 2014


Ah, ok. As Rob advised, you will need to delete it via the ldapdelete CLI or via
any LDAP GUI application of choice.

BTW, this is the upstream ticket tracking better means to resolve replication
conflicts:
https://fedorahosted.org/freeipa/ticket/1025

Martin

On 09/03/2014 10:44 PM, Ron wrote:
> By the way, all three replica servers show the same:
> 
> [root@ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>   dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
> 
> [root@ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>   dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
> 
> [root@ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>   dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
> 
> On 09/03/2014 12:26 PM, Rob Crittenden wrote:
>> Ron wrote:
>>> And here is the result of the user-show command:
>>> [root@ipa slapd-pxxx-abc-CA]# ipa user-show --all --raw phys210e
>>> ipa: ERROR: phys210e: user not found
>> Sorry, thinko on my part. Do ipa user-find --all --raw --login phys210e
>>
>> user-show is going to have the same issue as user-delete.
>>
>> rob
>>
>>>
>>>
>>> On 09/03/2014 10:43 AM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for the DEL
>>>>> operation and see what was the error code that DS gave when it refused to
>>>>> delete the user?
>>>> Were I to guess, the issue is that this is a replication conflict entry.
>>>> If you do:
>>>>
>>>> # ipa user-show --all --raw phys210e |grep dn:
>>>>
>>>> It will likely begin with nsuniqueid=<hex>, ...
>>>>
>>>> The reason it can be found and not deleted is we create the dn to be
>>>> removed, we don't search for it. So the user uid=phys210e,cn=users,...
>>>> etc doesn't exist but the user nsuniqueid=<hex> ... does.
>>>>
>>>> You'll need to use ldapmodify or ldapdelete to remove the entry though
>>>> I'd check your other masters to see what the state of the user is there.
>>>>
>>>> rob
>>>>
>>>>> Martin
>>>>>
>>>>> On 09/03/2014 06:18 PM, Ron wrote:
>>>>>> user-find sees a user but user-del cannot remove it.  What can I do?
>>>>>> Thanks.
>>>>>> Regards,
>>>>>> Ron
>>>>>>
>>>>>> [root@ipa]# ipa user-find --login phys210e
>>>>>> --------------
>>>>>> 1 user matched
>>>>>> --------------
>>>>>>   User login: phys210e
>>>>>>   First name: Testing
>>>>>>   Last name: Phys210
>>>>>>   Home directory: /home2/phys210e
>>>>>>   Login shell: /bin/bash
>>>>>>   Email address: phys210e at pxxx.abc.ca
>>>>>>   UID: 15010
>>>>>>   GID: 15010
>>>>>>   Account disabled: False
>>>>>>   Password: True
>>>>>>   Kerberos keys available: False
>>>>>> ----------------------------
>>>>>> Number of entries returned 1
>>>>>> ----------------------------
>>>>>> [root@ipa]# ipa user-del phys210e --continue
>>>>>> ---------------
>>>>>> Deleted user ""
>>>>>> ---------------
>>>>>>   Failed to remove: phys210e
>>>>>>
>>>>>>
>>>>>> [root@ipa]# cat /etc/redhat-release
>>>>>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>>>>>>
>>>>>> [root@ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> ipa-admintools-3.0.0-37.el6.i686
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>> libipa_hbac-1.9.2-129.el6_5.4.i686
>>>>>> ipa-server-selinux-3.0.0-37.el6.i686
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> libipa_hbac-python-1.9.2-129.el6_5.4.i686
>>>>>> ipa-server-3.0.0-37.el6.i686
>>>>>> ipa-python-3.0.0-37.el6.i686
>>>>>> ipa-client-3.0.0-37.el6.i686
>>>>>> 389-ds-base-libs-1.2.11.15-33.el6_5.i686
>>>>>> 389-ds-base-1.2.11.15-33.el6_5.i686
>>>
>>> -- 
>>> Ron Parachoniak
>>> Systems Manager, Department of Physics & Astronomy
>>> University of British Columbia, Vancouver, B.C.  V6T 1Z1
>>> Phone: (604) 838-6437
>>>
> 
> 
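
Rob's explanation in the thread (the DN to delete is built from the login, not searched for) can be checked mechanically against `ipa user-find --all --raw` output. The following is an added example, not code from FreeIPA or from anyone in this thread; the function names are hypothetical and the sample input is constructed from the output quoted above.

```python
# Constructed sample modelled on the `ipa user-find --all --raw` output quoted
# in the thread; the dn value is folded onto the next line on purpose.
SAMPLE = (
    "  dn:\n"
    "nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,"
    "cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca\n"
    "  uid: phys210e\n"
)

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    return parts + [cur]

def extract_dn(raw):
    """Return the dn: value, tolerating a value folded onto the next line."""
    lines = [line.strip() for line in raw.splitlines()]
    for i, line in enumerate(lines):
        if line.lower().startswith("dn:"):
            return line[3:].strip() or next((l for l in lines[i + 1:] if l), "")
    return None

def check_entry(raw, login):
    """Compare the entry's real DN with the DN built from the login name."""
    dn = extract_dn(raw)
    if not dn:
        raise ValueError("no dn: value in input")
    rdns = split_unescaped(dn, ",")
    # Attribute names in the first (possibly multi-valued) RDN.
    attrs = {ava.partition("=")[0].strip().lower()
             for ava in split_unescaped(rdns[0], "+")}
    constructed = ",".join(["uid=" + login] + rdns[1:])
    return {
        "actual_dn": dn,
        "constructed_dn": constructed,
        # A conflict entry carries nsuniqueid next to the original naming attribute.
        "conflict": "nsuniqueid" in attrs and len(attrs) > 1,
        "name_lookup_works": dn.lower() == constructed.lower(),
    }

if __name__ == "__main__":
    for key, value in check_entry(SAMPLE, "phys210e").items():
        print(f"{key}: {value}")
```

Running the same check against each replica's output shows whether the conflict entry exists everywhere; on the directory server itself, conflict entries can also be listed with an LDAP search on the filter `(nsds5ReplConflict=*)`.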



