[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

thierry bordaz tbordaz at redhat.com
Mon Jan 30 08:10:55 UTC 2017



On 01/27/2017 12:51 PM, Harald Dunkel wrote:
> Hi Thierry,
>
> On 01/26/17 16:55, thierry bordaz wrote:
>>
>> Those entries are managed entries and it is not possible to delete them from direct ldap command.
>> A solution proposed by Ludwig is to first make them unmanaged:
>>
>> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>>
>> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>>
>> Then retry to delete them.
>> It should work for the first one but unsure it will succeed for the second one.
>>
> I am not sure about this "managed" thing. This sounds like some
> kind of external influence.
>
> How can I make sure that removing these entries doesn't break
> something? Is the original entry managed in the same way as
> the duplicate?
>
>
> Regards
> Harri
>
Hello Harri,

Sorry for this late answer.

I understand your concern and in fact it is difficult to anticipate a
potential bad impact of this cleanup. However, I think it is safe to get
rid of the following entry.
Before doing so you may check that there exists an entry

cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the ipaservers_hostgroups.

dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepManagedEntry


If you are willing to remove that entry, you need to remove the mepManagedEntry oc. So you need to remove the mepManagedBy and oc in the same operation.


Regarding the following entry:

dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de

You may want to check whether there exists an entry that it manages, looking for
"(mepManagedBy=cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de)".
If none exists, you should be able to remove it.

Also, I think that working on ipabak, you should be able to do some tests on the cleanup instance to validate that everything is working fine.

regards
thierry
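
The cleanup described in this message, as an added example that is not part of the original post: the existence check, the single modify operation that removes mepManagedBy together with the mepManagedEntry objectClass, the delete, and the mepManagedBy search. It assumes the OpenLDAP client tools (ldapsearch, ldapmodify, ldapdelete), a Directory Manager bind and a placeholder server URI; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Run it against the test
# instance first (the "ipabak" copy mentioned in the message).
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"   # assumption: placeholder URI
BIND_DN="${BIND_DN:-cn=Directory Manager}"     # assumption: bind identity

# Print LDIF for ONE modify operation that removes mepManagedBy and the
# mepManagedEntry objectClass together. "-" separates the changes inside a
# single operation, so the schema is checked only on the final result.
unmanage_ldif() {   # $1 = DN of the managed entry
    printf 'dn: %s\n' "$1"
    cat <<'EOF'
changetype: modify
delete: mepManagedBy
-
delete: objectClass
objectClass: mepManagedEntry
-
EOF
}

# Count the entries under base $2 whose mepManagedBy points at origin DN $1.
# A result of 0 means the origin entry manages nothing.
count_managed_by() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$2" "(mepManagedBy=$1)" 1.1 | grep -c '^dn:'
}

# Un-manage and delete entry $1, but only if the entry $2 that must survive
# exists (ldapsearch exits non-zero when the search base is missing).
remove_managed_entry() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$2" -s base '(objectClass=*)' mepManagedBy || return 1
    unmanage_ldif "$1" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W || return 1
    ldapdelete -x -H "$LDAP_URI" -D "$BIND_DN" -W "$1"
}

# Usage with the DNs quoted in the message:
#   remove_managed_entry \
#     'cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de' \
#     'cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de'
#   count_managed_by \
#     'cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de' \
#     'dc=example,dc=de'
```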



