[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

thierry bordaz tbordaz at redhat.com
Tue Jan 24 16:56:54 UTC 2017



On 01/24/2017 04:18 PM, Harald Dunkel wrote:
> Hi Thierry,
>
> On 01/24/17 15:01, thierry bordaz wrote:
>>> Hopefully yes, but there were 2 conflicts that already made some
>>> problems:
>>>
>>>      deleting entry "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
>>>      ldap_delete: Server is unwilling to perform (53)
>>>              additional info: Deleting a managed entry is not allowed. It needs to be manually unlinked first.
>>>
>>>
>>>      deleting entry "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
>>>      ldap_delete: Operations error (1)
>>>
>>> I got these problems before I became more careful with this.
>> This will be a difficulty to set up that script.
>> You may be unable to delete some entries (managed entry, tombstones..).
>>
>> I think one target of the script is to get the 'valid' entries at the expected level: having the expected set of attribute/values. A kind of merge of valid/conflict entries.
>> Then you may have to moddn some conflict children under the valid entry.
>> At the end, remove the conflict entries.
> I agree. But I still need to work on a snapshot first, without
> the risk of making things worse.
>
> Would you suggest to disconnect ipabak from the network and ipa1,
> cleanup the mess as far as possible, and then connect ipabak
> to the network again to rely upon the regular replica
> synchronization?

Yes, as soon as ipabak is in sync with ipa1 and you took a snapshot of 
ipabak, I think you can disconnect ipabak and run your script on it 
(iterating with the snapshot).

>
>> As I said, setting up such a script could take you more time than fixing manually the 43 conflicts.
>>
> Maybe there is a misunderstanding about "script" here: It's not
> a high-end shell script with man page and command line flags and
> so on. It is just a sequence of variable assignments and commands
> to run. Goal is to avoid having to type the same stuff twice, and
> to make use of copy and paste in an editor. One key feature is to
> get something reproducible.
>
>
> Every helpful advice is highly welcome
> Harri
>
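
Added example (not part of the original messages, and not FreeIPA or 389-DS code): a read-only planning step for the merge outlined above, run against an LDIF export of the snapshot. It pairs each `+nsuniqueid=` conflict DN with its valid twin, lists the attribute values the valid entry lacks, and lists children that would need a moddn; the sample attribute values, the function names and the assumption that RDNs contain no escaped commas belong to this example only.

```python
import re

CONFLICT = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.I)
SKIP = {"nsds5replconflict"}  # conflict marker attribute, never merged

# Constructed dump: DN shape follows the thread, attribute values are made up.
SAMPLE = """\
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
cn: ipaservers
member: fqdn=ipa1.example.de,cn=computers,cn=accounts,dc=example,dc=de

dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,
 cn=accounts,dc=example,dc=de
cn: ipaservers
member: fqdn=ipabak.example.de,cn=computers,cn=accounts,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
"""

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; base64 values are kept undecoded."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            m = re.match(r"([^:]+)::?\s*(.*)", line)
            if m and m.group(1).lower() == "dn":
                dn = m.group(2)
            elif m:
                attrs.setdefault(m.group(1).lower(), set()).add(m.group(2))
        if dn:
            entries[dn] = attrs
    return entries

def merge_plan(entries):
    """Per conflict DN: values the valid twin lacks, and children needing moddn."""
    plan = {}
    for dn, attrs in entries.items():
        rdn, _, parent = dn.partition(",")  # assumes no escaped comma in the RDN
        if not CONFLICT.search(rdn):
            continue
        valid_dn = CONFLICT.sub("", rdn) + "," + parent
        valid = entries.get(valid_dn)  # None means there is no twin to merge into
        missing = {a: sorted(v - valid.get(a, set())) for a, v in attrs.items()
                   if a not in SKIP and v - valid.get(a, set())} if valid is not None else {}
        children = sorted(d for d in entries if d.endswith("," + dn))
        plan[dn] = {"valid_dn": valid_dn if valid is not None else None,
                    "missing_in_valid": missing, "children_to_moddn": children}
    return plan
```

Nothing here writes to the directory: `merge_plan(parse_ldif(SAMPLE))` only reports what a later ldapmodify sequence would have to cover, so it can be rerun against each restored snapshot.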



