[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

thierry bordaz tbordaz at redhat.com
Tue Jan 31 15:56:00 UTC 2017



On 01/31/2017 03:37 PM, Harald Dunkel wrote:
> Hi Thierry,
>
> On 01/30/17 09:10, thierry bordaz wrote:
>> I understand your concern and in fact it is difficult to anticipate a potential bad impact of this cleanup. However, I think it is safe to get rid of the following entry.
>> Before doing so you may check it exists
>>
>> cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the ipaservers_hostgoups.
>>
>> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
>> mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
>> objectClass: mepManagedEntry
>>
>>
>> If you are willing to remove that entry you need to remove the mepmanagedEntry oc. So you need to remove the mepManagedBy and oc in the same operation
>>
>>
>> Regarding the following entry
>>   dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
>> objectClass: mepOriginEntry
>> mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
>>
>> You may want to check whether there is an entry it manages, looking for "(mepManagedBy=
>> cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
>> )". If there is none, you should be able to remove it.
>>
>> Also I think working on ipabak, you should be able to do some tests on the cleanup instance to validate everything is working fine.
>>
> This looks like a pretty high risk, even if ipabak says everything
> is fine.
>
> The major problem was the failure on Debian Wheezy using the very old
> sssd. This seems to be gone now by resolving the "easy" cases.
>
> About the "hard" cases: AFAICS
>
> ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
>
> doesn't list any hosts (the official entry does), and
>
> cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
>
> points to the duplicate entry only. They are not referenced anywhere
> else in the ldap database. So I would suggest to wait and see if
> I run in any problem here. Would you agree to this, or do you expect
> problems later?
Hello,

I fully agree. Wait for a problem to occur, if it occurs.
In case this entry would create a problem and you are afraid of deleting
it, I think we may decide to hide it from the application (ipa).
You can do this by adding the 'objectclass: ldapsubentry'. It may be
sufficient to work around the problem, if the problem occurs.
With this option, you would keep the conflict entry and keep the
possibility to "resurrect" it later.

>
> I highly appreciate your help
You are very welcome
thierry
>
> Regards
> Harri
>
>
>
>
>
>> regards
>> thierry
>>
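
An added example, not part of the original thread: the reference check discussed above (which entries still point at a `+nsuniqueid=` conflict entry), written in Python and run over a constructed LDIF excerpt modelled on the DNs quoted in the messages, with the managed conflict entry pointing at the duplicate hostgroup as Harald describes. The function names and the set of attributes treated as references are assumptions.

```python
import re

# Constructed sample, modelled on the DNs quoted in the thread (not real data).
BASE = "dc=example,dc=de"
HG, NG = f"cn=hostgroups,cn=accounts,{BASE}", f"cn=ng,cn=alt,{BASE}"
DUP_HG = f"cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,{HG}"
DUP_NG = f"cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,{NG}"
SAMPLE_LDIF = f"""\
dn: cn=ipaservers,{HG}
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,{NG}

dn: cn=ipaservers,{NG}
objectClass: mepManagedEntry
mepManagedBy: cn=ipaservers,{HG}

dn: {DUP_HG}
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,{NG}

dn: {DUP_NG}
objectClass: mepManagedEntry
mepManagedBy: {DUP_HG}
"""

# Assumption: these DN-valued attributes are the ones worth checking.
REF_ATTRS = {"mepmanagedby", "mepmanagedentry", "member", "memberof"}

def parse_ldif(text):
    """Return {dn: [(attr, value)]}, lower-cased; lines with '::' (base64) are skipped."""
    text = re.sub(r"\n ", "", text)  # unfold wrapped continuation lines
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [l.split(": ", 1) for l in block.splitlines()
                 if ": " in l and not l.startswith("#") and ":: " not in l]
        pairs = [(a.lower(), v.strip().lower()) for a, v in pairs]
        dn = next((v for a, v in pairs if a == "dn"), None)
        if dn:  # blocks without a dn (comments, result summary) are ignored
            entries[dn] = [(a, v) for a, v in pairs if a != "dn"]
    return entries

def conflict_report(entries):
    """Map each conflict DN (RDN contains +nsuniqueid=) to the DNs referencing it."""
    report = {}
    for dn in entries:
        if "+nsuniqueid=" in dn.split(",", 1)[0]:
            report[dn] = sorted(
                src for src, pairs in entries.items()
                if src != dn and any(a in REF_ATTRS and v == dn for a, v in pairs))
    return report
```

DN matching here is a plain case-insensitive string comparison, not full DN normalisation, so differently spaced or escaped DNs would need normalising first.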



