[Freeipa-users] freeipa 4.1 replication conflict resolve issue

Martin Basti mbasti at redhat.com
Wed Dec 21 16:23:29 UTC 2016 


On 21.12.2016 12:08, Ludwig Krispenz wrote:
>
> On 12/21/2016 05:11 AM, Ian Chen wrote:
>> hello list,
>>
>> I tried to search for answer, but not solution come up yet. please help.
>>
>> the setup with multiple nodes has IPA version:
>> ipa-server-4.1.0-18.el7.centos.4.x86_64
>>
>>
>> after adding a replication with an old node, replicaiton conflict 
>> occured.
>>
>> ---- node104
>> dn: 
>> nsuniqueid=5820a804-af9211e6-bbce8d9c-0794b841+uid=test2,cn=users,cn=acco
>>  unts,dc=...
>> uid: test2
>> nsds5ReplConflict: namingConflict uid=test2,cn=users,cn=accounts,dc=...
>> krbPrincipalName: test2 at ...
>> krbLastPwdChange: 20161220054653Z
>> krbPasswordExpiration: 20170320054653Z
>> ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d
>>
>>
>> ---- node203
>> dn: uid=test2,cn=users,cn=accounts,dc=...
>> uid: test2
>> krbPrincipalName: test2 at ...
>> krbLastPwdChange: 20161220054653Z
>> krbPasswordExpiration: 20170320054653Z
>> ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d
>>
>>
>> I tried rename RDN following this
>> https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.4/html/FreeIPA_Guide/ipa-replica-manage.html

hello,

guide ^ is deprecated, please use the 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

For replication conflict is useful this guide 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

Martin

>>
>> but when trying to delete uid, then change RDN back to uid, there is 
>> this error
>>
>> modifying entry "cn=TempValue,cn=users,cn=accounts,dc=..."
>> ldap_modify: Object class violation (65)
>>     additional info: missing attribute "uid" required by object class 
>> "posixAccount"
>>
>> I cannot delete object class posixAccount then add it back
> I cannot see which commands you really tried to execute and failed, so 
> could you provide the full log of what you did if you want to follow 
> the steps in the IPA doc.
>
> But I do not think that you need to go thru the MOD/MODRDN/... 
> sequence if you do not want to keep both entries. If a conflict 
> arises, one entry keeps the original dn, the other gets a dn with 
> "nsuniquid=....+..." and the nsds5ReplConflict attribute. you can 
> check the entries and inmost cases you just want to keep the 
> "original" and just delete the conflict entry
>>
>>
>
> -- 
> Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161221/5ff94cfd/attachment.htm>

More information about the Freeipa-users mailing list