<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Here is what is in the
/var/log/dirsrv/slapd-YOUR-REALM/access... logfile:<br>
<br>
<tt>conn=17342 fd=86 slot=86 connection from 142.103.xxx.xx to
142.103.xxx.xx</tt><tt><br>
</tt><tt>conn=17342 op=0 BIND dn="" method=sasl version=3
mech=GSSAPI</tt><tt><br>
</tt><tt>conn=17342 op=0 RESULT err=14 tag=97 nentries=0 etime=1,
SASL bind in progress</tt><tt><br>
</tt><tt>conn=17342 op=1 BIND dn="" method=sasl version=3
mech=GSSAPI</tt><tt><br>
</tt><tt>conn=17342 op=1 RESULT err=14 tag=97 nentries=0 etime=0,
SASL bind in progress</tt><tt><br>
</tt><tt>conn=17342 op=2 BIND dn="" method=sasl version=3
mech=GSSAPI</tt><tt><br>
</tt><tt>conn=17342 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"</tt><tt><br>
</tt><tt>conn=17342 op=3 SRCH
base="cn=ipaconfig,cn=etc,dc=pxxx,dc=abc,dc=ca" scope=0
filter="(objectClass=*)" attrs=ALL</tt><tt><br>
</tt><tt>conn=17342 op=3 RESULT err=0 tag=101 nentries=1 etime=0</tt><tt><br>
</tt><tt>conn=17342 op=4 SRCH
base="cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca" scope=1
filter="(&(objectClass=posixaccount)(memberOf=cn=admins,cn=groups,cn=accounts,dc=pxxx,dc=abc,dc=ca))"
attrs="telephoneNumber sshpubkeyfp uid title loginShell
uidNumber gidNumber sn homeDirectory mail givenName
nsAccountLock"</tt><tt><br>
</tt><tt>conn=17342 op=4 RESULT err=0 tag=101 nentries=1 etime=0</tt><tt><br>
</tt><tt>conn=17342 op=5 SRCH
base="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"
scope=0 filter="(userPassword=*)" attrs="userPassword"</tt><tt><br>
</tt><tt>conn=17342 op=5 RESULT err=0 tag=101 nentries=1 etime=0</tt><tt><br>
</tt><tt>conn=17342 op=6 SRCH
base="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"
scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"</tt><tt><br>
</tt><tt>conn=17342 op=6 RESULT err=0 tag=101 nentries=1 etime=0</tt><tt><br>
</tt><tt>conn=17342 op=7 SRCH
base="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"
scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"</tt><tt><br>
</tt><tt>conn=17342 op=7 RESULT err=0 tag=101 nentries=1 etime=0</tt><tt><br>
</tt><tt>conn=17342 op=8 <font color="#000099">DEL</font>
dn="uid=phys210e,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"</tt><tt><br>
</tt><tt>conn=17342 op=8 <font color="#000099">RESULT err=32
tag=107 nentries=0 etime=0</font></tt><tt><br>
</tt><tt>conn=17342 op=9 UNBIND</tt><tt><br>
</tt><tt>conn=17342 op=9 fd=86 closed - U1</tt><br>
<br>
And here is the result of the user-show command:<br>
<br>
[root@ipa slapd-pxxx-abc-CA]# ipa user-find --login phys210e<br>
--------------<br>
1 user matched<br>
--------------<br>
User login: phys210e<br>
First name: Testing<br>
Last name: Phys210<br>
Home directory: /home2/phys210e<br>
Login shell: /bin/bash<br>
Email address: <a class="moz-txt-link-abbreviated" href="mailto:phys210e@pxxx.abc.ca">phys210e@pxxx.abc.ca</a><br>
UID: 15010<br>
GID: 15010<br>
Account disabled: False<br>
Password: True<br>
Kerberos keys available: False<br>
----------------------------<br>
Number of entries returned 1<br>
----------------------------<br>
[root@ipa slapd-pxxx-abc-CA]# <font color="#000099">ipa user-show
--all --raw phys210e</font><br>
ipa: ERROR: phys210e: user not found<br>
<br>
<br>
<br>
On 09/03/2014 10:43 AM, Rob Crittenden wrote:<br>
</div>
<blockquote cite="mid:54075346.4030505@redhat.com" type="cite">
<pre wrap="">Martin Kosek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for the DEL
operation and see what was the error code that DS gave when it refused to
delete the user?
</pre>
</blockquote>
<pre wrap="">
Were I to guess, the issue is that this is a replication conflict entry.

If you do:

# ipa user-show --all --raw phys210e |grep dn:

It will likely begin with nsuniqueid=&lt;hex&gt;, ...

The reason it can be found and not deleted is we create the dn to be
removed, we don't search for it. So the user uid=phys210e,cn=users,...
etc doesn't exist but the user nsuniqueid=&lt;hex&gt; ... does.

You'll need to use ldapmodify or ldapdelete to remove the entry, though
I'd check your other masters to see what the state of the user is there.

rob
</pre>
<blockquote type="cite">
<pre wrap="">
Martin
On 09/03/2014 06:18 PM, Ron wrote:
</pre>
<blockquote type="cite">
<pre wrap="">user-find sees a user but user-del cannot remove it. What can I do?
Thanks.
Regards,
Ron
[root@ipa]# ipa user-find --login phys210e
--------------
1 user matched
--------------
User login: phys210e
First name: Testing
Last name: Phys210
Home directory: /home2/phys210e
Login shell: /bin/bash
Email address: <a class="moz-txt-link-abbreviated" href="mailto:phys210e@pxxx.abc.ca">phys210e@pxxx.abc.ca</a>
UID: 15010
GID: 15010
Account disabled: False
Password: True
Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------
[root@ipa]# ipa user-del phys210e --continue
---------------
Deleted user ""
---------------
Failed to remove: phys210e
[root@ipa]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-37.el6.i686
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-129.el6_5.4.i686
ipa-server-selinux-3.0.0-37.el6.i686
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-129.el6_5.4.i686
ipa-server-3.0.0-37.el6.i686
ipa-python-3.0.0-37.el6.i686
ipa-client-3.0.0-37.el6.i686
389-ds-base-libs-1.2.11.15-33.el6_5.i686
389-ds-base-1.2.11.15-33.el6_5.i686
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C. V6T 1Z1
Phone: (604) 838-6437</pre>
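<p>The check Martin Kosek asks for above (find the DEL operation in the access log and read the result code the directory server gave), as an added example that is not part of the original thread. The sample log lines, DNs and addresses and the function name <tt>failed_deletes</tt> are constructed for illustration; the result-code names are the standard LDAP ones from RFC 4511.</p>

```python
import re

# Standard LDAP result codes (RFC 4511) commonly seen when a delete is refused.
LDAP_RESULT = {
    0: "success",
    32: "noSuchObject",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    66: "notAllowedOnNonLeaf",
}

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (\w+)(.*)")
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r"\berr=(\d+)")

def failed_deletes(lines):
    """Pair each DEL with its RESULT by (conn, op); return the refused ones."""
    pending = {}   # (conn, op) maps to the DN named in the DEL request
    refused = []
    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue  # connection-open lines carry no op= field
        conn, op, verb, rest = m.groups()
        key = (conn, op)
        if verb == "DEL":
            dn = DN_RE.search(rest)
            pending[key] = dn.group(1) if dn else ""
        elif verb == "RESULT" and key in pending:
            err = ERR_RE.search(rest)
            dn = pending.pop(key)
            code = int(err.group(1)) if err else -1
            if code != 0:
                refused.append((conn, op, dn, code, LDAP_RESULT.get(code, "other")))
    return refused

# Constructed sample in access-log format; two connections are interleaved.
SAMPLE = """\
[03/Sep/2014:10:30:01 -0700] conn=101 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[03/Sep/2014:10:30:02 -0700] conn=101 op=8 DEL dn="uid=testuser,cn=users,cn=accounts,dc=example,dc=test"
[03/Sep/2014:10:30:02 -0700] conn=102 op=3 DEL dn="uid=olduser,cn=users,cn=accounts,dc=example,dc=test"
[03/Sep/2014:10:30:02 -0700] conn=101 op=8 RESULT err=32 tag=107 nentries=0 etime=0
[03/Sep/2014:10:30:02 -0700] conn=102 op=3 RESULT err=0 tag=107 nentries=0 etime=0
[03/Sep/2014:10:30:03 -0700] conn=101 op=9 UNBIND
""".splitlines()

if __name__ == "__main__":
    for conn, op, dn, code, name in failed_deletes(SAMPLE):
        print(f"conn={conn} op={op} DEL {dn} refused: err={code} ({name})")
```

<p>In the log posted above the DEL returned err=32, which is noSuchObject: the server found no entry at the DN that was sent.</p>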
</body>
</html>