[Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

[John Popowitch]

Ok, so I'm looking at fixing the conflicts for ' System: Modify Certificate Profile'.
I ran this on each server:
ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate Profile*" \* nsds5ReplConflict

And now to make things interesting, this query has different results on each server.
Server #1:
# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
 missions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=per
 missions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #2:
# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
 pex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
 missions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
 missions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #3:
# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
 pex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

I realize that this is a horrible state of replication.
My question is, what happens if I modify or delete an entry on one server that doesn't exist on another?
Thanks.
-John