[Freeipa-users] deleting ipa user

thierry bordaz tbordaz at redhat.com
Wed Apr 29 15:49:29 UTC 2015


On 04/29/2015 05:35 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 11:28 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>
>> On 04/29/2015 05:08 PM, Andy Thompson wrote:
>>>> -----Original Message-----
>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>> Sent: Wednesday, April 29, 2015 10:59 AM
>>>> To: Andy Thompson
>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>>
>>>> On 04/29/2015 04:49 PM, Andy Thompson wrote:
>>>>>> -----Original Message-----
>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>> Sent: Wednesday, April 29, 2015 10:51 AM
>>>>>> To: Andy Thompson
>>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>>>
>>>>>> did you run the searches as directory manager ?
>>>>>>
>>>>> Yep sure did
>>>> that's weird, as directory manager you should be able to see the
>>>> nscpentrywsi attribute, could you paste your full search request ?
>>> This returns the object
>>>
>>> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass
>>>
>>> This returns nothing
>>>
>>> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>> and if you omit the grep ? still puzzled.
> Ah if I omit the grep on the second server I get
>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
> nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
> nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
> nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
> nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000300030000
> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before, apparently not.

This is looking like that on the replica where the errors are logged. 
The entry is a tombstone but cannot be found with the nsuniqueid.
If on that server you do

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"


>
>> what is logged in the access log for these two searches?
>>>
>>>>>> On 04/29/2015 04:34 PM, Andy Thompson wrote:
>>>>>>>> -----Original Message-----
>>>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>>>> Sent: Wednesday, April 29, 2015 10:28 AM
>>>>>>>> To: Andy Thompson
>>>>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>>>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>>>>>
>>>>>>>> can you do the following search on both servers ?
>>>>>>>>
>>>>>>>>       ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>>>>>>> The server that I initially attempted the deletion on returns nothing.
>>>>>>> The second server (the one currently throwing the consumer failed
>>>>>>> replay error)  returns this if I remove the nscpentrywsi attribute
>>>>>>> filter.  If I leave the attribute filter I don't get anything
>>>>>>>
>>>>>>> objectClass: posixgroup
>>>>>>> objectClass: ipaobject
>>>>>>> objectClass: mepManagedEntry
>>>>>>> objectClass: top
>>>>>>> objectClass: nsTombstone
>>>>>>>
>>>>>>> -andy
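
Added example, not part of the original thread or of 389 Directory Server: a small Python parser for the `nscpentrywsi` dump quoted above that pulls out each CSN and decodes it, so the replica and time of the delete can be compared across servers. It assumes the CSN layout is 8 hex digits of Unix time, 4 of sequence number, 4 of replica id and 4 of sub-sequence (an assumption, not stated in the thread); the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a few nscpentrywsi lines copied from the output quoted above.
SAMPLE = """\
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: entryusn: 52327
"""
PREFIX = "nscpentrywsi: "
CSN_OPTION = re.compile(r"(\w*csn)-([0-9a-f]{20})", re.I)  # e.g. vucsn-<csn>

def decode_csn(csn):
    """Split a CSN using the assumed 8/4/4/4 hex layout (time, seq, rid, subseq)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }

def parse_wsi(text):
    """Return (attribute, csn_kind, csn, value) for every CSN found in the dump."""
    rows = []
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue  # skip the plain "dn:" line and anything else
        desc, _, value = line[len(PREFIX):].partition(": ")
        attr, *options = desc.split(";")
        for opt in options:  # attribute options such as vucsn-... / mdcsn-...
            m = CSN_OPTION.fullmatch(opt)
            if m:
                rows.append((attr, m.group(1), m.group(2), value))
        if attr.lower() == "nstombstonecsn":  # here the CSN is the value itself
            rows.append((attr, "value", value.strip(), value))
    return rows

def tombstone_origin(text):
    """Decode nstombstonecsn: when, and under which replica id, the delete was made."""
    csns = [c for a, _, c, _ in parse_wsi(text) if a.lower() == "nstombstonecsn"]
    return decode_csn(csns[0]) if csns else None

if __name__ == "__main__":
    for attr, kind, csn, value in parse_wsi(SAMPLE):
        print(attr, kind, decode_csn(csn), value)
```

Under that layout, the `nstombstonecsn` in the quoted entry decodes to 2015-04-29 13:38:00 UTC with replica id 3, while the CSNs from the entry's creation carry replica id 4.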



