[Freeipa-users] ipa user-find finds user but ipa user-del fails

Ron rap at phas.ubc.ca
Fri Sep 5 23:40:03 UTC 2014


So, just for completeness in case someone else experiences the same
issue, what I did in the end was install JXplorer and then use it to
delete the problem entries.  They appeared as (for example):

nsuniqueid=4034e309-d63711e3-9b7eb928-a98b9061+uid=disk100,cn=users,cn=accounts,dc=xxx,dc=abc,dc=ca

Just right-clicked and selected "delete".

Based on ease of installation and ease of use, I highly recommend
JXplorer (for solving problems like this).  It can also be run in a
read-only mode, which is nice just to poke around without the possibility
of messing things up.

Regards,
Ron

On 09/04/2014 02:17 PM, Rich Megginson wrote:
> On 09/04/2014 02:31 PM, Ron wrote:
>> So I tried to delete an entry on IPA01 without success:
>>
>> [root at ipa01 ~]# ldapdelete -D
>> "uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x
>> "cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
>>
>> Enter LDAP Password:
>> ldap_delete: Server is unwilling to perform (53)
>>      additional info: Deleting a managed entry is not allowed. It needs
>> to be manually unlinked first
>>
>> Same problem if I try to use ldapmodify:
>>
>> [root at ipa01 ~]# ldapmodify -D
>> "uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x
>> Enter LDAP Password:
>> dn:
>> cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>
>> changetype: modrdn
>> newrdn: uid=19000
>> deleteoldrdn: 0
>>
>> modifying rdn of entry
>> "cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
>>
>> ldap_rename: Server is unwilling to perform (53)
>>      additional info: Renaming a managed entry is not allowed. It needs
>> to be manually unlinked first.
>>
>> (19000 is just an unused uid)
>>
>> Would this be because of the private group associated with the user?
>>
>> How do I unlink the entry?  Would I use the following?
>> ipa group-detach userxyz
>
> Yes, see https://fedorahosted.org/freeipa/ticket/75
>
>>
>> Thanks again for all your help!
>> -Ron
>>
>> On 09/04/2014 02:48 AM, Martin Kosek wrote:
>>> Ah, ok. As Rob advised, you will need to delete it via ldapdelete
>>> CLI or via
>>> any LDAP GUI application of choice.
>>>
>>> BTW, this is the upstream ticket tracking better means to resolve
>>> replication conflicts:
>>> https://fedorahosted.org/freeipa/ticket/1025
>>>
>>> Martin
>>>
>>> On 09/03/2014 10:44 PM, Ron wrote:
>>>> By the way, all three replica servers show the same:
>>>>
>>>> [root at ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>>>>    dn:
>>>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>>
>>>>
>>>> [root at ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>>>>    dn:
>>>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>>
>>>>
>>>> [root at ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>>>>    dn:
>>>> nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>>
>


-- 
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C.  V6T 1Z1
Phone: (604) 838-6437
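
Added example, not part of the original thread or of FreeIPA: a small Python check that picks out DNs of the shape quoted above, where `nsuniqueid` is one part of a multi-valued leading RDN, so the same list can be reviewed on each replica before anything is deleted. The sample DNs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample DNs, modelled on the DN shapes quoted in this thread.
SAMPLE_DNS = [
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "nsuniqueid=11111111-22222222-33333333-44444444+uid=bob,"
    "cn=users,cn=accounts,dc=example,dc=test",
    "cn=bob+nsuniqueid=11111111-22222222-33333333-44444445,"
    "cn=groups,cn=accounts,dc=example,dc=test",
    r"cn=a\+b\,c,cn=groups,cn=accounts,dc=example,dc=test",  # escaped, not a hit
]

# Four dash-separated groups of eight hex digits, as in the thread's examples.
NSUNIQUEID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{8}){3}$", re.I)


def _split_unescaped(text, sep):
    """Split on sep, ignoring separators preceded by a backslash escape."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def leading_rdn(dn):
    """Return the first RDN as {attribute: value}; '+' joins multiple values."""
    rdn = _split_unescaped(dn.strip(), ",")[0]
    pairs = {}
    for ava in _split_unescaped(rdn, "+"):
        attr, _, value = ava.partition("=")
        pairs[attr.strip().lower()] = value.strip()
    return pairs


def conflict_entries(dns):
    """List (name, nsuniqueid, dn) for DNs whose leading RDN carries nsuniqueid."""
    hits = []
    for dn in dns:
        rdn = leading_rdn(dn)
        uid = rdn.get("nsuniqueid")
        if uid and len(rdn) > 1 and NSUNIQUEID.match(uid):
            name = next(v for k, v in rdn.items() if k != "nsuniqueid")
            hits.append((name, uid, dn))
    return hits
```

The check is read-only: it only classifies DN strings that have already been exported, for instance the `dn:` values from the `ipa user-find --all --raw` output shown in the thread.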