[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

thierry bordaz tbordaz at redhat.com
Thu Jan 26 15:55:15 UTC 2017



On 01/26/2017 10:55 AM, Harald Dunkel wrote:
> Hi Thierry,
>
> good news: I got rid of most of the conflicting entries. There
> are only 2 left (see below). They look circular somehow.

That is excellent news. Great!
>
> Please note that the unwanted list of ipa servers is empty. The
> official list looks OK. The record for cn=ipaservers,cn=ng,cn=alt\
> ,dc=example,dc=de looks fine, too. It points to the official list.
> So hopefully the duplicates are not a big deal.
>
> It would be nice to get rid of both, though.
>
>
> Any helpful hint is highly appreciated
> Harri
> ------------------------------------------------------------------
>
> % cat <<EOF | ldapmodify -D "cn=directory manager" -w secret -x
>> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
>> changetype: delete
>> EOF
> deleting entry "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
> ldap_delete: Server is unwilling to perform (53)
>          additional info: Deleting a managed entry is not allowed. It needs to be manually unlinked first.
>
>
> % cat <<EOF | ldapmodify -D "cn=directory manager" -w secret -x
>> dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
>> changetype: delete
>> EOF
> deleting entry "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
> ldap_delete: Operations error (1)

Those entries are managed entries and it is not possible to delete them
with a direct LDAP command.
A solution proposed by Ludwig is to first make them unmanaged:

dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
changetype: modify
delete: objectClass
objectClass: mepManagedEntry

dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
changetype: modify
delete: objectClass
objectClass: mepManagedEntry

Then retry deleting them.
It should work for the first one, but I am unsure it will succeed for the second one.

> % ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de" -s base
> # extended LDIF
> #
> # LDAPv3
> # base <cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # ipaservers + 109be304-ccd911e6-a5b3d0c8-d8da17db, ng, alt, example.de
> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
> ipaUniqueID: 15699da0-ccd9-11e6-b194-fe4936c476ff
> mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
> description: ipaNetgroup ipaservers
> cn: ipaservers
> nisDomainName: example.de
> objectClass: ipanisnetgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: ipaAssociation
> objectClass: top
> memberHost: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> % ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de" -s base
> # extended LDIF
> #
> # LDAPv3
> # base <cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # ipaservers + 109be302-ccd911e6-a5b3d0c8-d8da17db, hostgroups, accounts, example.de
> dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
> ipaUniqueID: 14a4041e-ccd9-11e6-b194-fe4936c476ff
> cn: ipaservers
> description: IPA server hosts
> objectClass: top
> objectClass: ipahostgroup
> objectClass: ipaobject
> objectClass: groupOfNames
> objectClass: nestedGroup
> objectClass: mepOriginEntry
> mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
> memberOf: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
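
Added example (not part of the original message): a small Python audit that reads `ldapsearch -o ldif-wrap=no` output, picks out replication conflict entries (RDN containing `+nsuniqueid=`), labels each as the managed or origin side by its objectClass, and reports conflict entries that reference each other, as the two entries quoted in this thread do. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the two conflict entries quoted in this thread, trimmed
# to the attributes that matter (ldapsearch run with -o ldif-wrap=no).
NG = "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
HG = "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
SAMPLE = f"""\
dn: {NG}
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepManagedEntry
memberHost: {HG}

dn: {HG}
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
memberOf: {NG}
"""

CONFLICT = re.compile(r"^[^,=]+=[^,+]+\+nsuniqueid=[0-9a-f-]+,", re.I)  # conflict RDN

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; assumes unwrapped, non-base64 LDIF."""
    entries, cur = {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            cur = None          # blank line ends the current entry
        elif name.lower() == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(name.lower(), []).append(value)
    return entries

def audit(text):
    """Classify each conflict entry and list the other conflict entries it references."""
    entries = parse_ldif(text)
    conflicts = {dn for dn in entries if CONFLICT.match(dn)}
    report = {}
    for dn in sorted(conflicts):
        classes = {c.lower() for c in entries[dn].get("objectclass", [])}
        role = ("managed" if "mepmanagedentry" in classes
                else "origin" if "meporiginentry" in classes else "plain")
        refs = sorted({v for vals in entries[dn].values() for v in vals if v in conflicts and v != dn})
        report[dn] = {"role": role, "refs": refs}
    return report

def circular_pairs(report):  # conflict entries that reference each other
    return sorted({tuple(sorted((a, b))) for a, r in report.items()
                   for b in r["refs"] if a in report[b]["refs"]})
```

An entry reported as "managed" is the kind the server refuses to delete with "Deleting a managed entry is not allowed"; a non-empty `circular_pairs` result corresponds to the `memberHost`/`memberOf` cross-references visible in the two search results.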



