[Freeipa-users] how to resolve replication conflicts

Ludwig Krispenz lkrispen at redhat.com
Thu Feb 16 12:58:42 UTC 2017


On 02/16/2017 01:32 PM, Tiemen Ruiten wrote:
> Hello,
>
> I have a FreeIPA setup in which some masters suffered from a few 
> uncontrolled shutdowns and now there are replication conflicts (which 
> prevent me from setting the Domain Level to 1).
>
> I was trying to follow the instructions here: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
>
> But unfortunately I'm not getting anywhere. This is the result of an 
> ldapsearch for replication conflicts:
>
>
>     [root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
>     Enter LDAP Password:
>     # extended LDIF
>     #
>     # LDAPv3
>     # base <dc=ipa,dc=rdmedia,dc=com> with scope subtree
>     # filter: nsds5ReplConflict=*
>     # requesting: * nsds5ReplConflict
>     #
>     # servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns,
>     ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn:
>     cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc
>      =rdmedia,dc=com
>     objectClass: nsContainer
>     objectClass: top
>     cn: servers
>     nsds5ReplConflict: namingConflict
>     cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com
>     # System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae,
>     permissions, pbac, ipa.
>     rdmedia.com <http://rdmedia.com>
>     dn: cn=System: Add
>     CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis
>      sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: add
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Add CA
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=CA
>     Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: add
>     ca,cn=permissions,cn=pbac,dc=
>      ipa,dc=rdmedia,dc=com 
>
>     # System: Delete CA + 334bfbe9-cdae11e6-8a85a70a-bda98fae,
>     permissions, pbac, i
>     pa.rdmedia.com <http://pa.rdmedia.com>
>     dn: cn=System: Delete
>     CA+nsuniqueid=334bfbe9-cdae11e6-8a85a70a-bda98fae,cn=per
>      missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: delete
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Delete CA
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=CA
>     Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: delete
>     ca,cn=permissions,cn=pbac,
>      dc=ipa,dc=rdmedia,dc=com
>     # System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae,
>     permissions, pbac, i
>     pa.rdmedia.com <http://pa.rdmedia.com>
>     dn: cn=System: Modify
>     CA+nsuniqueid=334bfbed-cdae11e6-8a85a70a-bda98fae,cn=per
>      missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Modify CA
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=CA
>     Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: description
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: modify
>     ca,cn=permissions,cn=pbac,
>      dc=ipa,dc=rdmedia,dc=com
>     # System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae,
>     permissions, pbac, ip
>     a.rdmedia.com <http://a.rdmedia.com>
>     dn: cn=System: Read
>     CAs+nsuniqueid=334bfbf1-cdae11e6-8a85a70a-bda98fae,cn=perm
>      issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: all
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read CAs
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     ipaPermDefaultAttr: description
>     ipaPermDefaultAttr: ipacaissuerdn
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: ipacasubjectdn
>     ipaPermDefaultAttr: ipacaid
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: read
>     cas,cn=permissions,cn=pbac,d
>      c=ipa,dc=rdmedia,dc=com
>     # System: Modify DNS Servers Configuration +
>     334bfbf6-cdae11e6-8a85a70a-bda98fa
>      e, permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Modify DNS Servers
>     Configuration+nsuniqueid=334bfbf6-cdae11e6-8
>      a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Modify DNS Servers Configuration
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: idnssoamname
>     ipaPermDefaultAttr: idnssubstitutionvariable
>     ipaPermDefaultAttr: idnsforwardpolicy
>     ipaPermDefaultAttr: idnsforwarders
>     ipaPermLocation: dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: modify dns servers
>     configuration,
>      cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Read DNS Servers Configuration +
>     334bfbfa-cdae11e6-8a85a70a-bda98fae,
>       permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Read DNS Servers
>     Configuration+nsuniqueid=334bfbfa-cdae11e6-8a8
>      5a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read DNS Servers Configuration
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     member: cn=DNS Servers,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: idnsforwardpolicy
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: idnsforwarders
>     ipaPermDefaultAttr: idnsserverid
>     ipaPermDefaultAttr: idnssubstitutionvariable
>     ipaPermDefaultAttr: idnssoamname
>     ipaPermLocation: dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: read dns servers
>     configuration,cn
>      =permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Manage Host Principals +
>     334bfc0b-cdae11e6-8a85a70a-bda98fae, permiss
>      ions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Manage Host
>     Principals+nsuniqueid=334bfc0b-cdae11e6-8a85a70a-bd
>      a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipahost)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Manage Host Principals
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=Host
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     member: cn=Host
>     Enrollment,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: krbprincipalname
>     ipaPermDefaultAttr: krbcanonicalname
>     ipaPermLocation: cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: manage host
>     principals,cn=permiss
>      ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Add IPA Locations + 334bfc20-cdae11e6-8a85a70a-bda98fae,
>     permissions,
>       pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Add IPA
>     Locations+nsuniqueid=334bfc20-cdae11e6-8a85a70a-bda98fa
>      e,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: add
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Add IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: add ipa
>     locations,cn=permissions,
>      cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Modify IPA Locations +
>     334bfc24-cdae11e6-8a85a70a-bda98fae, permissio
>      ns, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Modify IPA
>     Locations+nsuniqueid=334bfc24-cdae11e6-8a85a70a-bda9
>      8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Modify IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: description
>     ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: modify ipa
>     locations,cn=permissio
>      ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Read IPA Locations +
>     334bfc28-cdae11e6-8a85a70a-bda98fae, permissions
>      , pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Read IPA
>     Locations+nsuniqueid=334bfc28-cdae11e6-8a85a70a-bda98f
>      ae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: description
>     ipaPermDefaultAttr: idnsname
>     ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: read ipa
>     locations,cn=permissions
>      ,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Remove IPA Locations +
>     334bfc2c-cdae11e6-8a85a70a-bda98fae, permissio
>      ns, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Remove IPA
>     Locations+nsuniqueid=334bfc2c-cdae11e6-8a85a70a-bda9
>      8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: delete
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Remove IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: remove ipa
>     locations,cn=permissio
>      ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Read Locations of IPA Servers +
>     334bfc30-cdae11e6-8a85a70a-bda98fae,
>      permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Read Locations of IPA
>     Servers+nsuniqueid=334bfc30-cdae11e6-8a85
>      a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read Locations of IPA Servers
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: ipaserviceweight
>     ipaPermDefaultAttr: ipalocation
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: read locations of ipa
>     servers,cn=
>      permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Read Status of Services on IPA Servers +
>     334bfc34-cdae11e6-8a85a70a-b
>      da98fae, permissions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Read Status of Services on IPA
>     Servers+nsuniqueid=334bfc34-cdae
>      11e6-8a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read Status of Services on IPA Servers
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: ipaconfigstring
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: read status of
>     services on ipa se
>      rvers,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Manage Service Principals +
>     334bfc38-cdae11e6-8a85a70a-bda98fae, perm
>      issions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Manage Service
>     Principals+nsuniqueid=334bfc38-cdae11e6-8a85a70a
>      -bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=ipaservice)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Manage Service Principals
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=Service
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=c
>      om
>     ipaPermDefaultAttr: krbprincipalname
>     ipaPermDefaultAttr: krbcanonicalname
>     ipaPermLocation: cn=services,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: manage service
>     principals,cn=perm
>      issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # System: Manage User Principals +
>     334bfc45-cdae11e6-8a85a70a-bda98fae, permiss
>      ions, pbac, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn: cn=System: Manage User
>     Principals+nsuniqueid=334bfc45-cdae11e6-8a85a70a-bd
>      a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     ipaPermTargetFilter: (objectclass=posixaccount)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Manage User Principals
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=User
>     Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     member: cn=Modify Users and Reset
>     passwords,cn=privileges,cn=pbac,dc=ipa,dc=rd
>      media,dc=com
>     ipaPermDefaultAttr: krbprincipalname
>     ipaPermDefaultAttr: krbcanonicalname
>     ipaPermLocation: cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict cn=system: manage user
>     principals,cn=permiss
>      ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>     # locations + 334bfba2-cdae11e6-8a85a70a-bda98fae, etc,
>     ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn:
>     cn=locations+nsuniqueid=334bfba2-cdae11e6-8a85a70a-bda98fae,cn=etc,dc=ipa,
>      dc=rdmedia,dc=com
>     objectClass: nsContainer
>     objectClass: top
>     cn: locations
>     nsds5ReplConflict: namingConflict
>     cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>      ssion:System: Add IPA Locations";allow (add) groupdn =
>     "ldap:///cn=System: Ad
>      d IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
>     aci: (targetattr = "description")(targetfilter =
>     "(objectclass=ipaLocationObje
>      ct)")(version 3.0;acl "permission:System: Modify IPA
>     Locations";allow (write)
>       groupdn = "ldap:///cn=System: Modify IPA
>     Locations,cn=permissions,cn=pbac,dc
>      =ipa,dc=rdmedia,dc=com";)
>     aci: (targetattr = "createtimestamp || description || entryusn ||
>     idnsname ||
>      modifytimestamp || objectclass")(targetfilter =
>     "(objectclass=ipaLocationObje
>      ct)")(version 3.0;acl "permission:System: Read IPA
>     Locations";allow (compare,
>      read,search) groupdn = "ldap:///cn=System: Read IPA
>     Locations,cn=permissions,
>      cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>      ssion:System: Remove IPA Locations";allow (delete) groupdn =
>     "ldap:///cn=Syst
>      em: Remove IPA
>     Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
>     # neon.ipa.rdmedia.com + 1b780d06-017611e6-966aeb96-de53d9d8, computers, accounts, ipa.rdmedia.com
>     dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     krbExtraData::
>     AAJIQA5XaG9zdC9uZW9uLmlwYS5yZG1lZGlhLmNvbUBJUEEuUkRNRURJQS5DT00
>      A
>     enrolledBy: uid=admin,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     krbLastPwdChange: 20160413124912Z
>     cn: neon.ipa.rdmedia.com
>     objectClass: ipaobject
>     objectClass: ieee802device
>     objectClass: nshost
>     objectClass: ipaservice
>     objectClass: pkiuser
>     objectClass: ipahost
>     objectClass: krbprincipal
>     objectClass: krbprincipalaux
>     objectClass: ipasshhost
>     objectClass: top
>     objectClass: ipaSshGroupOfPubKeys
>     fqdn: neon.ipa.rdmedia.com
>     managedBy: fqdn=neon.ipa.rdmedia.com,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     krbPrincipalName: host/neon.ipa.rdmedia.com@IPA.RDMEDIA.COM
>     serverHostName: neon
>     ipaUniqueID: 1eaa355c-0176-11e6-8dd5-001a4aa7101c
>     krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplConflict: namingConflict fqdn=neon.ipa.rdmedia.com,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     # cas + 334bfba8-cdae11e6-8a85a70a-bda98fae, ca, ipa.rdmedia.com
>     <http://ipa.rdmedia.com>
>     dn:
>     cn=cas+nsuniqueid=334bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdme
>      dia,dc=com
>     objectClass: nsContainer
>     objectClass: top
>     cn: cas
>     nsds5ReplConflict: namingConflict
>     cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>      : Add CA";allow (add) groupdn = "ldap:///cn=System: Add
>     CA,cn=permissions,cn=
>      pbac,dc=ipa,dc=rdmedia,dc=com";)
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>      : Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete
>     CA,cn=permis
>      sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
>     aci: (targetattr = "cn || description")(targetfilter =
>     "(objectclass=ipaca)")(
>      version 3.0;acl "permission:System: Modify CA";allow (write)
>     groupdn = "ldap:
>      ///cn=System: Modify
>     CA,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)
>     aci: (targetattr = "cn || createtimestamp || description ||
>     entryusn || ipacai
>      d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
>     objectclass")(targ
>      etfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System: Read CA
>      s";allow (compare,read,search) userdn = "ldap:///all";)
>     # custodia + 334bfbdb-cdae11e6-8a85a70a-bda98fae, ipa, etc,
>     ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn:
>     cn=custodia+nsuniqueid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,d
>      c=ipa,dc=rdmedia,dc=com
>     objectClass: nsContainer
>     objectClass: top
>     cn: custodia
>     nsds5ReplConflict: namingConflict
>     cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,
>      dc=com
>     # domain + 334bfb9e-cdae11e6-8a85a70a-bda98fae, topology, ipa,
>     etc, ipa.rdmedia
>      .com
>     dn:
>     cn=domain+nsuniqueid=334bfb9e-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ip
>      a,cn=etc,dc=ipa,dc=rdmedia,dc=com
>     nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
>     internalModifiersName in
>      ternalModifyTimestamp
>     ipaReplTopoConfRoot: dc=ipa,dc=rdmedia,dc=com
>     objectClass: top
>     objectClass: iparepltopoconf
>     nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE
>     entryusn krblasts
>      uccessfulauth krblastfailedauth krbloginfailedcount
>     nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
>     idnssoaserial
>       entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>     cn: domain
>     nsds5ReplConflict: namingConflict
>     cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,d
>      c=rdmedia,dc=com
>     # ca + 334bfbe0-cdae11e6-8a85a70a-bda98fae, topology, ipa, etc,
>     ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn:
>     cn=ca+nsuniqueid=334bfbe0-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ipa,cn
>      =etc,dc=ipa,dc=rdmedia,dc=com
>     objectClass: top
>     objectClass: iparepltopoconf
>     cn: ca
>     ipaReplTopoConfRoot: o=ipaca
>     nsds5ReplConflict: namingConflict
>     cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=rd
>      media,dc=com
>     # dogtag + 334bfbdd-cdae11e6-8a85a70a-bda98fae, custodia +
>     334bfbdb-cdae11e6-8a
>      85a70a-bda98fae, ipa, etc, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn:
>     cn=dogtag+nsuniqueid=334bfbdd-cdae11e6-8a85a70a-bda98fae,cn=custodia+nsuni
>      queid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=
>      com
>     objectClass: nsContainer
>     objectClass: top
>     cn: dogtag
>     nsds5ReplConflict: namingConflict
>     cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=ipa,d
>      c=rdmedia,dc=com
>     # lawrencium + 6c7e3d83-c11711e6-8a85a70a-bda98fae,
>     ipa.rdmedia.com <http://ipa.rdmedia.com>., dns, ipa.
>     rdmedia.com <http://rdmedia.com>
>     dn:
>     idnsName=lawrencium+nsuniqueid=6c7e3d83-c11711e6-8a85a70a-bda98fae,idnsnam
>      e=ipa.rdmedia.com
>     <http://ipa.rdmedia.com>.,cn=dns,dc=ipa,dc=rdmedia,dc=com
>     aRecord: 192.168.50.55
>     dNSTTL: 1200
>     objectClass: idnsRecord
>     objectClass: top
>     idnsName: lawrencium
>     nsds5ReplConflict: namingConflict
>     idnsname=lawrencium,idnsname=ipa.rdmedia.com <http://ipa.rdmedia.com>
>      .,cn=dns,dc=ipa,dc=rdmedia,dc=com
>     # mendelevium + e5710f85-c5c511e6-8a85a70a-bda98fae,
>     ipa.rdmedia.com <http://ipa.rdmedia.com>., dns, ipa
>      .rdmedia.com <http://rdmedia.com>
>     dn:
>     idnsName=mendelevium+nsuniqueid=e5710f85-c5c511e6-8a85a70a-bda98fae,idnsna
>      me=ipa.rdmedia.com
>     <http://ipa.rdmedia.com>.,cn=dns,dc=ipa,dc=rdmedia,dc=com
>     aRecord: 192.168.50.52
>     dNSTTL: 1200
>     objectClass: idnsRecord
>     objectClass: top
>     idnsName: mendelevium
>     nsds5ReplConflict: namingConflict
>     idnsname=mendelevium,idnsname=ipa.rdmedia.co <http://ipa.rdmedia.co>
>      m.,cn=dns,dc=ipa,dc=rdmedia,dc=com
>     # 41 + e764de07-5e2f11e6-bd76eb96-de53d9d8,
>     120.100.10.in-addr.arpa., dns, ipa.
>     rdmedia.com <http://rdmedia.com>
>     dn:
>     idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10
>      0.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
>     objectClass: top
>     objectClass: idnsrecord
>     pTRRecord: arsenica.ipa.rdmedia.com <http://arsenica.ipa.rdmedia.com>.
>     idnsName: 41
>     nsds5ReplConflict: namingConflict
>     idnsname=41,idnsname=120.100.10.in-addr.arpa
>      .,cn=dns,dc=ipa,dc=rdmedia,dc=com
>     # ipa + 58d90aec-cdae11e6-8a85a70a-bda98fae, cas +
>     334bfba8-cdae11e6-8a85a70a-b
>      da98fae, ca, ipa.rdmedia.com <http://ipa.rdmedia.com>
>     dn:
>     cn=ipa+nsuniqueid=58d90aec-cdae11e6-8a85a70a-bda98fae,cn=cas+nsuniqueid=33
>      4bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdmedia,dc=com
>     description: IPA CA
>     ipaCaIssuerDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
>     <http://IPA.RDMEDIA.COM>
>     objectClass: top
>     objectClass: ipaca
>     ipaCaSubjectDN: CN=Certificate Authority,O=IPA.RDMEDIA.COM
>     <http://IPA.RDMEDIA.COM>
>     ipaCaId: 21547c03-13c3-4f4f-992b-b0257012d1c1
>     cn: ipansds5ReplConflict
>     nsds5ReplConflict: namingConflict
>     cn=ipa,cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>     # search result
>     search: 2
>     result: 0 Success
>     # numResponses: 28
>     # numEntries: 27
>
>
> So when I try e.g. this...
>
>     [root@moscovium ~]# ldapmodify -x -D "cn=directory manager" -W -h moscovium.ipa.rdmedia.com -p 389
>     Enter LDAP Password:
>     dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
>      n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
>     changetype: modrdn
>     newrdn fqdn=neontemp.ipa.rdmedia.com
>     deleteoldrdn: 0
>
It has to be
newrdn: fqdn=neontemp.ipa.rdmedia.com
the ":" was missing.
But you don't always have to do the modrdn steps, only if you want to 
keep the conflict entry under a different dn.

I would suggest you do the search for conflicts again, just returning 
the nsds5ReplConflict attribute; you then get something like:

dn: idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict idnsname=mendelevium,idnsname=ipa.rdmedia.com.,cn=dns,dc=ipa,dc=rdmedia,dc=com


Next do a search for both entries, the conflict entry and the one 
referenced in the nsds5ReplConflict attribute. If the original entry 
exists and you want to keep this, you can just delete the conflict entry:

ldapmodify -x -D "cn=directory manager" ....
dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
changetype: delete
>
> ...I get:
>
>     ldapmodify: invalid format (line 3) entry: "fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com"
>
> So my question: what can I do to resolve the conflicts?
>
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
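
Added example, not part of the original message or of FreeIPA: a Python sketch of the procedure in the reply above. It unfolds ldapsearch output, pairs each conflict entry with the DN named in its nsds5ReplConflict value, emits delete records only where the original entry is known to exist, and checks a change record for lines missing the ":" separator. The sample input is constructed from two entries shown in the thread, and the set of existing original DNs is an assumption standing in for the follow-up search.

```python
import re

# Constructed sample: two conflict entries in the folded form ldapsearch prints
# (continuation lines begin with a single space), using DNs from the thread.
SAMPLE_SEARCH_OUTPUT = """\
# extended LDIF
dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c
 n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict fqdn=neon.ipa.rdmedia.com,cn=computers,cn=ac
 counts,dc=ipa,dc=rdmedia,dc=com

dn: idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10
 0.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict idnsname=41,idnsname=120.100.10.in-addr.arpa
 .,cn=dns,dc=ipa,dc=rdmedia,dc=com

# search result
search: 2
result: 0 Success
"""

# The modrdn record from the thread, with the wrapped DN joined onto one line.
BROKEN_MODRDN = """\
dn: fqdn=neon.ipa.rdmedia.com+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com
changetype: modrdn
newrdn fqdn=neontemp.ipa.rdmedia.com
deleteoldrdn: 0
"""

ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")


def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def norm_dn(dn):
    """Comparison key for pairing DNs; a simplification, not a full DN parser."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_conflicts(search_output):
    """Return [(conflict_dn, original_dn)] for every namingConflict entry."""
    pairs = []
    for record in re.split(r"\n\s*\n", unfold(search_output)):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), value.strip())
        dn = attrs.get("dn", "")
        conflict = attrs.get("nsds5replconflict", "")
        if "nsuniqueid=" in dn.lower() and conflict.startswith("namingConflict"):
            pairs.append((dn, conflict[len("namingConflict"):].strip()))
    return pairs


def plan(pairs, existing_dns):
    """Mark a conflict entry for deletion only if the entry it collided with exists."""
    existing = {norm_dn(d) for d in existing_dns}
    return [(c, "delete" if norm_dn(o) in existing else "review") for c, o in pairs]


def delete_ldif(plan_rows):
    """Emit LDIF change records for the rows marked 'delete'."""
    return "".join(f"dn: {c}\nchangetype: delete\n\n"
                   for c, action in plan_rows if action == "delete")


def lint_changes(ldif):
    """Return (line_number, text) for lines that are not in 'attr: value' form."""
    bad = []
    for n, line in enumerate(ldif.splitlines(), 1):
        if not line or line[0] in " #" or line == "-":
            continue  # blank separator, continuation, comment, or mod separator
        if not ATTR_LINE.match(line):
            bad.append((n, line))
    return bad


if __name__ == "__main__":
    found = parse_conflicts(SAMPLE_SEARCH_OUTPUT)
    # Assumption: a follow-up search showed that only the original neon entry exists.
    rows = plan(found, {found[0][1]})
    for dn, action in rows:
        print(f"{action:7} {dn}")
    print(delete_ldif(rows), end="")
    print("malformed lines:", lint_changes(BROKEN_MODRDN))
```

Rows marked "review" are the ones where the original entry was not found, which is the case where renaming the conflict entry with modrdn instead of deleting it comes into question.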
