[Freeipa-users] ipa user-find finds user but ipa user-del fails

Martin Kosek mkosek at redhat.com
Fri Sep 5 06:44:21 UTC 2014 

On 09/04/2014 10:31 PM, Ron wrote:
> So I tried to delete an entry on IPA01 without success:
> 
> [root at ipa01 ~]# ldapdelete -D
> "uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x
> "cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
> Enter LDAP Password:
> ldap_delete: Server is unwilling to perform (53)
>     additional info: Deleting a managed entry is not allowed. It needs
> to be manually unlinked first
> 
> Same problem if I try to use ldapmodify:
> 
> [root at ipa01 ~]# ldapmodify -D
> "uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x
> Enter LDAP Password:
> dn:
> cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca
> changetype: modrdn
> newrdn: uid=19000
> deleteoldrdn: 0
> 
> modifying rdn of entry
> "cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
> ldap_rename: Server is unwilling to perform (53)
>     additional info: Renaming a managed entry is not allowed. It needs
> to be manually unlinked first.
> 
> (19000 is just an unused uid)
> 
> Would this be because of the private group associated with the user?

Exactly.

> How do I unlink the entry?  Would I use the following?
> ipa group-detach userxyz

You would normally use it, but I am not sure it would work given that group DN
is changed with the nsuniqueid RDN.

However, you can manually detach the group with ldapmodify:

$ kinit admin
$ ipa group-show fbar --all --raw
  dn: cn=fbar,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
  cn: fbar
  description: User private group for fbar
  gidnumber: 82600004
  ipaUniqueID: 2fbdbdd2-34c7-11e4-a98a-001a4a2221bf
  mepManagedBy: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top

$ ldapmodify -Y GSSAPI -h `hostname`
SASL/GSSAPI authentication started
SASL username: admin at MKOSEK-FEDORA20.TEST
SASL SSF: 56
SASL data security layer installed.
dn: cn=fbar,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
changetype: modify
delete: objectClass
objectClass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test

modifying entry "cn=fbar,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test"


Now the ldapdelete on group should work.

> Thanks again for all your help!
> -Ron
> 
> On 09/04/2014 02:48 AM, Martin Kosek wrote:
>> Ah, ok. As Rob advised, you will need to delete it via ldapdelete CLI or via
>> any LDAP GUI application of choice.
>>
>> BTW, this is upstream ticket tracking better means to resolve replication
>> conflicts:
>> https://fedorahosted.org/freeipa/ticket/1025
>>
>> Martin
>>
>> On 09/03/2014 10:44 PM, Ron wrote:
>>> By the way, all three replica servers show the same:
>>>
>>> [root at ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>>>   dn:
>>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>
>>> [root at ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>>>   dn:
>>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>
>>> [root at ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>>>   dn:
>>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>

More information about the Freeipa-users mailing list