[Freeipa-users] Duplicate objects after 4.1 ipa-server upgrade

Ludwig Krispenz lkrispen at redhat.com
Tue Nov 3 15:49:00 UTC 2015


On 11/03/2015 04:24 PM, Andrew Krause wrote:
> I upgraded 4 at the same time actually.  It makes sense why the objects were created and I do understand how replication conflicts are handled.  I just wanted to be absolutely certain that it was ok to delete these objects since it seems pointless to ever keep them around.  Has there been any talk of a mechanism to just handle this on a regular basis (not that this situation should happen regularly)?
There are requests to hide these conflict entries so that they do not 
interfere with other operations, and there is ongoing discussion in DS 
to implement another mechanism which doesn't have these side effects.
But on the other hand these entries are not generated out of the blue; 
they indicate a scenario on the application/client side where the same 
entry is added simultaneously on two or more servers, maybe as Martin 
said by upgrading in parallel, or by impatient clients which move to 
other servers if there is no immediate success, or by misconfigured proxies or 
load balancers which send ops to multiple masters. So these conflict 
entries could also be seen as a hint that something is or was wrong.
You can proactively check for these entries before any harm is done and 
delete them. Do
ldapsearch -b "<SUFFIX>" "nsds5ReplConflict=*" nsds5ReplConflict
>
>
>> On Nov 3, 2015, at 1:42 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>> On 11/03/2015 12:05 AM, Andrew Krause wrote:
>>> After upgrading to 4.1 I have duplicated permission objects in my directory with names including nsuniqueid.  Is it safe to delete all of these objects?  Somehow this is only causing an issue for a specific user hitting a specific HBAC policy.
>>>
>>> (Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_eval_user_element] (0x0080): Parse error on [cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-215714a9 …………..
>>> (Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_ctx_to_rules] (0x0020): Could not construct eval request
>>> (Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules
>>>
>>>
>>> This is causing authentication to fail for the user in question, and I would like to get rid of these useless objects if they are no longer necessary.
>> It looks like you had some replication problem in your network, or maybe
>> upgraded 2 FreeIPA instances at the same time, so they both generated
>> conflicting permissions?
>>
>> In any case, it should be safe to delete the permissions with nsuniqueid;
>> FreeIPA should generate the managed permissions from scratch anyway, if they
>> are missing and upgrade is run again.
>>
>> More info on replication conflicts here:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html#Solving_Common_Replication_Conflicts-Solving_Naming_Conflicts
>>
>> Martin
>
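As an added example (not part of the thread, and not FreeIPA or 389-ds code): a small stdlib-only Python script that parses the LDIF returned by the ldapsearch Ludwig recommends and turns it into a review list before anything is deleted. For each conflict entry it extracts the nsuniqueid from the RDN (the same `cn=...+nsuniqueid=...` form that appears in the sssd log above), reads the original DN recorded in nsds5ReplConflict, and checks that the two agree, so an operator can confirm every entry on the list really is a duplicate of a live entry. The embedded LDIF is constructed: the suffix dc=example,dc=com, the second permission and its nsuniqueid are assumptions, while the first nsuniqueid is the one from the log in the thread.

```python
"""Review replication conflict entries from the output of

    ldapsearch -LLL -b "<SUFFIX>" "nsds5ReplConflict=*" nsds5ReplConflict

Added example, not from the mailing-list thread. Run the ldapsearch, save the
output, and feed the file to conflict_report(); the sample below is constructed.
"""
import base64
import re
import sys

# Constructed sample output (suffix dc=example,dc=com is an assumption). Lines
# are folded the way LDIF folds long values: a leading space continues the line.
SAMPLE_LDIF = """\
dn: cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-2157
 14a9,cn=permissions,cn=pbac,dc=example,dc=com
nsds5ReplConflict: namingConflict cn=Read PassSync Managers Configuration,cn=permissio
 ns,cn=pbac,dc=example,dc=com

dn: cn=System: Read HBAC Rules+nsuniqueid=0123abcd-4d2b11e5-a06ffcc2-215714a9,cn=permis
 sions,cn=pbac,dc=example,dc=com
nsds5ReplConflict: namingConflict cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=
 example,dc=com

"""

# 389-ds names a conflict entry by adding "+nsuniqueid=<id>" to the original RDN.
NSUNIQUEID_RDN = re.compile(
    r"\+nsuniqueid=([0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8})", re.I)


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(ldif_text):
    """Return a list of entries, each a dict of lower-cased attribute -> list of values."""
    entries, current = [], {}
    for line in unfold(ldif_text) + [""]:      # sentinel flushes the last entry
        if line.startswith("#"):                # ldapsearch comments without -LLL
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def conflict_report(ldif_text):
    """One record per conflict entry: its DN, nsuniqueid, conflict reason, the
    original DN the server recorded, and whether the two DNs are consistent."""
    report = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry or "nsds5replconflict" not in entry:
            continue                            # e.g. trailing "result:" block
        dn = entry["dn"][0]
        reason, _, original = entry["nsds5replconflict"][0].partition(" ")
        match = NSUNIQUEID_RDN.search(dn)
        # Stripping the nsuniqueid RDN component must give back the original DN;
        # DN comparison is case-insensitive, so compare case-folded.
        consistent = (match is not None and
                      NSUNIQUEID_RDN.sub("", dn).casefold() == original.strip().casefold())
        report.append({
            "conflict_dn": dn,
            "nsuniqueid": match.group(1) if match else None,
            "reason": reason,
            "original_dn": original.strip(),
            "consistent": consistent,
        })
    return report


def format_report(report):
    """Human-readable summary; inconsistent entries are flagged for manual review."""
    out = []
    for rec in report:
        flag = "OK " if rec["consistent"] else "CHECK"
        out.append("%s %s  %s\n      original: %s" % (
            flag, rec["reason"], rec["conflict_dn"], rec["original_dn"]))
    return "\n".join(out)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    print(format_report(conflict_report(text)))
```

Entries marked OK are the straightforward duplicates the thread talks about; anything marked CHECK (no nsuniqueid in the RDN, or an original DN that does not match) deserves a look before it is removed, since it may be an orphaned entry rather than a naming conflict.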