<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 02/16/2017 01:32 PM, Tiemen Ruiten
wrote:<br>
</div>
<blockquote
cite="mid:CAAegNz0emvaqSAGMotzzwJzEkkodZJrfdqq8Eo9hRMeYBVOmpQ@mail.gmail.com"
type="cite">
<meta http-equiv="Context-Type" content="text/html; charset=UTF-8">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I have a FreeIPA setup in which some masters suffered from
a few uncontrolled shutdowns and now there are replication
conflicts (which prevent me from setting the Domain Level to 1). </div>
<div><br>
</div>
<div>I was trying to follow the instructions here: <a
moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html</a></div>
<div><br>
</div>
<div>But unfortunately I'm not getting anywhere. This is the result
of an ldapsearch for replication conflicts:</div>
<div><br>
</div>
<blockquote class="gmail_quote"><br>
[root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W
-b "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \*
nsds5ReplConflict<br>
Enter LDAP Password: <br>
# extended LDIF<br>
#<br>
# LDAPv3<br>
# base &lt;dc=ipa,dc=rdmedia,dc=com&gt; with scope subtree<br>
# filter: nsds5ReplConflict=*<br>
# requesting: * nsds5ReplConflict <br>
#<br>
# servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns, <a
moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn:
cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc<br>
=rdmedia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: servers<br>
nsds5ReplConflict: namingConflict
cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
# System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ipa.<br>
<a moz-do-not-send="true" href="http://rdmedia.com">rdmedia.com</a><br>
dn: cn=System: Add
CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis<br>
sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: add<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Add CA<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: add
ca,cn=permissions,cn=pbac,dc=<br>
ipa,dc=rdmedia,dc=com </blockquote>
<blockquote class="gmail_quote"># System: Delete CA +
334bfbe9-cdae11e6-8a85a70a-bda98fae, permissions, pbac, i<br>
<a moz-do-not-send="true" href="http://pa.rdmedia.com">pa.rdmedia.com</a><br>
dn: cn=System: Delete
CA+nsuniqueid=334bfbe9-cdae11e6-8a85a70a-bda98fae,cn=per<br>
missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: delete<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Delete CA<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: delete
ca,cn=permissions,cn=pbac,<br>
dc=ipa,dc=rdmedia,dc=com<br>
# System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, i<br>
<a moz-do-not-send="true" href="http://pa.rdmedia.com">pa.rdmedia.com</a><br>
dn: cn=System: Modify
CA+nsuniqueid=334bfbed-cdae11e6-8a85a70a-bda98fae,cn=per<br>
missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Modify CA<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: description<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: modify
ca,cn=permissions,cn=pbac,<br>
dc=ipa,dc=rdmedia,dc=com<br>
# System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ip<br>
<a moz-do-not-send="true" href="http://a.rdmedia.com">a.rdmedia.com</a><br>
dn: cn=System: Read
CAs+nsuniqueid=334bfbf1-cdae11e6-8a85a70a-bda98fae,cn=perm<br>
issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaca)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: all<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read CAs<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
ipaPermDefaultAttr: description<br>
ipaPermDefaultAttr: ipacaissuerdn<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: ipacasubjectdn<br>
ipaPermDefaultAttr: ipacaid<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read
cas,cn=permissions,cn=pbac,d<br>
c=ipa,dc=rdmedia,dc=com<br>
# System: Modify DNS Servers Configuration +
334bfbf6-cdae11e6-8a85a70a-bda98fa<br>
e, permissions, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Modify DNS Servers
Configuration+nsuniqueid=334bfbf6-cdae11e6-8<br>
a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Modify DNS Servers Configuration<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: idnssoamname<br>
ipaPermDefaultAttr: idnssubstitutionvariable<br>
ipaPermDefaultAttr: idnsforwardpolicy<br>
ipaPermDefaultAttr: idnsforwarders<br>
ipaPermLocation: dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: modify dns
servers configuration,<br>
cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Read DNS Servers Configuration +
334bfbfa-cdae11e6-8a85a70a-bda98fae,<br>
permissions, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Read DNS Servers
Configuration+nsuniqueid=334bfbfa-cdae11e6-8a8<br>
5a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read DNS Servers Configuration<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
member: cn=DNS
Servers,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: idnsforwardpolicy<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: idnsforwarders<br>
ipaPermDefaultAttr: idnsserverid<br>
ipaPermDefaultAttr: idnssubstitutionvariable<br>
ipaPermDefaultAttr: idnssoamname<br>
ipaPermLocation: dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read dns servers
configuration,cn<br>
=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Manage Host Principals +
334bfc0b-cdae11e6-8a85a70a-bda98fae, permiss<br>
ions, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Manage Host
Principals+nsuniqueid=334bfc0b-cdae11e6-8a85a70a-bd<br>
a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipahost)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Manage Host Principals<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=Host
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
member: cn=Host
Enrollment,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: krbprincipalname<br>
ipaPermDefaultAttr: krbcanonicalname<br>
ipaPermLocation:
cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: manage host
principals,cn=permiss<br>
ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Add IPA Locations +
334bfc20-cdae11e6-8a85a70a-bda98fae, permissions,<br>
pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Add IPA
Locations+nsuniqueid=334bfc20-cdae11e6-8a85a70a-bda98fa<br>
e,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaLocationObject)<br>
ipaPermRight: add<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Add IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: add ipa
locations,cn=permissions,<br>
cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Modify IPA Locations +
334bfc24-cdae11e6-8a85a70a-bda98fae, permissio<br>
ns, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Modify IPA
Locations+nsuniqueid=334bfc24-cdae11e6-8a85a70a-bda9<br>
8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaLocationObject)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Modify IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: description<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: modify ipa
locations,cn=permissio<br>
ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Read IPA Locations +
334bfc28-cdae11e6-8a85a70a-bda98fae, permissions<br>
, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Read IPA
Locations+nsuniqueid=334bfc28-cdae11e6-8a85a70a-bda98f<br>
ae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaLocationObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: description<br>
ipaPermDefaultAttr: idnsname<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read ipa
locations,cn=permissions<br>
,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Remove IPA Locations +
334bfc2c-cdae11e6-8a85a70a-bda98fae, permissio<br>
ns, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Remove IPA
Locations+nsuniqueid=334bfc2c-cdae11e6-8a85a70a-bda9<br>
8fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaLocationObject)<br>
ipaPermRight: delete<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Remove IPA Locations<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermLocation: cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: remove ipa
locations,cn=permissio<br>
ns,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Read Locations of IPA Servers +
334bfc30-cdae11e6-8a85a70a-bda98fae, <br>
permissions, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Read Locations of IPA
Servers+nsuniqueid=334bfc30-cdae11e6-8a85<br>
a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaConfigObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read Locations of IPA Servers<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: ipaserviceweight<br>
ipaPermDefaultAttr: ipalocation<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation:
cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read locations of
ipa servers,cn=<br>
permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Read Status of Services on IPA Servers +
334bfc34-cdae11e6-8a85a70a-b<br>
da98fae, permissions, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Read Status of Services on IPA
Servers+nsuniqueid=334bfc34-cdae<br>
11e6-8a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaConfigObject)<br>
ipaPermRight: read<br>
ipaPermRight: compare<br>
ipaPermRight: search<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Read Status of Services on IPA Servers<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermDefaultAttr: objectclass<br>
ipaPermDefaultAttr: ipaconfigstring<br>
ipaPermDefaultAttr: cn<br>
ipaPermLocation:
cn=masters,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: read status of
services on ipa se<br>
rvers,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Manage Service Principals +
334bfc38-cdae11e6-8a85a70a-bda98fae, perm<br>
issions, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Manage Service
Principals+nsuniqueid=334bfc38-cdae11e6-8a85a70a<br>
-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=ipaservice)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Manage Service Principals<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=Service
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=c<br>
om<br>
ipaPermDefaultAttr: krbprincipalname<br>
ipaPermDefaultAttr: krbcanonicalname<br>
ipaPermLocation:
cn=services,cn=accounts,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: manage service
principals,cn=perm<br>
issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# System: Manage User Principals +
334bfc45-cdae11e6-8a85a70a-bda98fae, permiss<br>
ions, pbac, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: cn=System: Manage User
Principals+nsuniqueid=334bfc45-cdae11e6-8a85a70a-bd<br>
a98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
ipaPermTargetFilter: (objectclass=posixaccount)<br>
ipaPermRight: write<br>
ipaPermBindRuleType: permission<br>
ipaPermissionType: V2<br>
ipaPermissionType: MANAGED<br>
ipaPermissionType: SYSTEM<br>
cn: System: Manage User Principals<br>
objectClass: ipapermission<br>
objectClass: top<br>
objectClass: groupofnames<br>
objectClass: ipapermissionv2<br>
member: cn=User
Administrators,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
member: cn=Modify Users and Reset
passwords,cn=privileges,cn=pbac,dc=ipa,dc=rd<br>
media,dc=com<br>
ipaPermDefaultAttr: krbprincipalname<br>
ipaPermDefaultAttr: krbcanonicalname<br>
ipaPermLocation: cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict cn=system: manage user
principals,cn=permiss<br>
ions,cn=pbac,dc=ipa,dc=rdmedia,dc=com<br>
# locations + 334bfba2-cdae11e6-8a85a70a-bda98fae, etc, <a
moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn:
cn=locations+nsuniqueid=334bfba2-cdae11e6-8a85a70a-bda98fae,cn=etc,dc=ipa,<br>
dc=rdmedia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: locations<br>
nsds5ReplConflict: namingConflict
cn=locations,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
aci: (targetfilter =
"(objectclass=ipaLocationObject)")(version 3.0;acl "permi<br>
ssion:System: Add IPA Locations";allow (add) groupdn =
"<a class="moz-txt-link-freetext" href="ldap:///cn=System">ldap:///cn=System</a>: Ad<br>
d IPA
Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)<br>
aci: (targetattr = "description")(targetfilter =
"(objectclass=ipaLocationObje<br>
ct)")(version 3.0;acl "permission:System: Modify IPA
Locations";allow (write)<br>
groupdn = "<a class="moz-txt-link-freetext" href="ldap:///cn=System">ldap:///cn=System</a>: Modify IPA
Locations,cn=permissions,cn=pbac,dc<br>
=ipa,dc=rdmedia,dc=com";)<br>
aci: (targetattr = "createtimestamp || description || entryusn
|| idnsname || <br>
modifytimestamp || objectclass")(targetfilter =
"(objectclass=ipaLocationObje<br>
ct)")(version 3.0;acl "permission:System: Read IPA
Locations";allow (compare,<br>
read,search) groupdn = "<a class="moz-txt-link-freetext" href="ldap:///cn=System">ldap:///cn=System</a>: Read IPA
Locations,cn=permissions,<br>
cn=pbac,dc=ipa,dc=rdmedia,dc=com";)<br>
aci: (targetfilter =
"(objectclass=ipaLocationObject)")(version 3.0;acl "permi<br>
ssion:System: Remove IPA Locations";allow (delete) groupdn =
"<a class="moz-txt-link-freetext" href="ldap:///cn=Syst">ldap:///cn=Syst</a><br>
em: Remove IPA
Locations,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)<br>
# <a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a>
+ 1b780d06-017611e6-966aeb96-de53d9d8, computers, accoun<br>
ts, <a moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn: fqdn=<a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c<br>
n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com<br>
krbExtraData::
AAJIQA5XaG9zdC9uZW9uLmlwYS5yZG1lZGlhLmNvbUBJUEEuUkRNRURJQS5DT00<br>
A<br>
enrolledBy:
uid=admin,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com<br>
krbLastPwdChange: 20160413124912Z<br>
cn: <a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a><br>
objectClass: ipaobject<br>
objectClass: ieee802device<br>
objectClass: nshost<br>
objectClass: ipaservice<br>
objectClass: pkiuser<br>
objectClass: ipahost<br>
objectClass: krbprincipal<br>
objectClass: krbprincipalaux<br>
objectClass: ipasshhost<br>
objectClass: top<br>
objectClass: ipaSshGroupOfPubKeys<br>
fqdn: <a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a><br>
managedBy: fqdn=<a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a>,cn=computers,cn=accounts,dc=ipa,dc=rdmedi<br>
a,dc=com<br>
krbPrincipalName: host/<a moz-do-not-send="true"
href="mailto:neon.ipa.rdmedia.com@IPA.RDMEDIA.COM">neon.ipa.rdmedia.com@IPA.RDMEDIA.COM</a><br>
serverHostName: neon<br>
ipaUniqueID: 1eaa355c-0176-11e6-8dd5-001a4aa7101c<br>
krbPwdPolicyReference: cn=Default Host Password
Policy,cn=computers,cn=account<br>
s,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict fqdn=<a
moz-do-not-send="true" href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a>,cn=computers,cn=ac<br>
counts,dc=ipa,dc=rdmedia,dc=com<br>
# cas + 334bfba8-cdae11e6-8a85a70a-bda98fae, ca, <a
moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn:
cn=cas+nsuniqueid=334bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdme<br>
dia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: cas<br>
nsds5ReplConflict: namingConflict
cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com<br>
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System<br>
: Add CA";allow (add) groupdn = "<a class="moz-txt-link-freetext" href="ldap:///cn=System">ldap:///cn=System</a>: Add
CA,cn=permissions,cn=<br>
pbac,dc=ipa,dc=rdmedia,dc=com";)<br>
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System<br>
: Delete CA";allow (delete) groupdn = "<a class="moz-txt-link-freetext" href="ldap:///cn=System">ldap:///cn=System</a>:
Delete CA,cn=permis<br>
sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)<br>
aci: (targetattr = "cn || description")(targetfilter =
"(objectclass=ipaca)")(<br>
version 3.0;acl "permission:System: Modify CA";allow (write)
groupdn = "ldap:<br>
///cn=System: Modify
CA,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com";)<br>
aci: (targetattr = "cn || createtimestamp || description ||
entryusn || ipacai<br>
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
objectclass")(targ<br>
etfilter = "(objectclass=ipaca)")(version 3.0;acl
"permission:System: Read CA<br>
s";allow (compare,read,search) userdn = <a class="moz-txt-link-rfc2396E" href="ldap:///all">"ldap:///all"</a>;)<br>
# custodia + 334bfbdb-cdae11e6-8a85a70a-bda98fae, ipa, etc, <a
moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn:
cn=custodia+nsuniqueid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,d<br>
c=ipa,dc=rdmedia,dc=com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: custodia<br>
nsds5ReplConflict: namingConflict
cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,<br>
dc=com<br>
# domain + 334bfb9e-cdae11e6-8a85a70a-bda98fae, topology, ipa,
etc, ipa.rdmedia<br>
.com<br>
dn:
cn=domain+nsuniqueid=334bfb9e-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ip<br>
a,cn=etc,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in<br>
ternalModifyTimestamp<br>
ipaReplTopoConfRoot: dc=ipa,dc=rdmedia,dc=com<br>
objectClass: top<br>
objectClass: iparepltopoconf<br>
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE
entryusn krblasts<br>
uccessfulauth krblastfailedauth krbloginfailedcount<br>
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
memberof idnssoaserial<br>
entryusn krblastsuccessfulauth krblastfailedauth
krbloginfailedcount<br>
cn: domain<br>
nsds5ReplConflict: namingConflict
cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,d<br>
c=rdmedia,dc=com<br>
# ca + 334bfbe0-cdae11e6-8a85a70a-bda98fae, topology, ipa,
etc, <a moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn:
cn=ca+nsuniqueid=334bfbe0-cdae11e6-8a85a70a-bda98fae,cn=topology,cn=ipa,cn<br>
=etc,dc=ipa,dc=rdmedia,dc=com<br>
objectClass: top<br>
objectClass: iparepltopoconf<br>
cn: ca<br>
ipaReplTopoConfRoot: o=ipaca<br>
nsds5ReplConflict: namingConflict
cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=rd<br>
media,dc=com<br>
# dogtag + 334bfbdd-cdae11e6-8a85a70a-bda98fae, custodia +
334bfbdb-cdae11e6-8a<br>
85a70a-bda98fae, ipa, etc, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn:
cn=dogtag+nsuniqueid=334bfbdd-cdae11e6-8a85a70a-bda98fae,cn=custodia+nsuni<br>
queid=334bfbdb-cdae11e6-8a85a70a-bda98fae,cn=ipa,cn=etc,dc=ipa,dc=rdmedia,dc=<br>
com<br>
objectClass: nsContainer<br>
objectClass: top<br>
cn: dogtag<br>
nsds5ReplConflict: namingConflict
cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=ipa,d<br>
c=rdmedia,dc=com<br>
# lawrencium + 6c7e3d83-c11711e6-8a85a70a-bda98fae, <a
moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a>.,
dns, ipa.<br>
<a moz-do-not-send="true" href="http://rdmedia.com">rdmedia.com</a><br>
dn:
idnsName=lawrencium+nsuniqueid=6c7e3d83-c11711e6-8a85a70a-bda98fae,idnsnam<br>
e=<a moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a>.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
aRecord: 192.168.50.55<br>
dNSTTL: 1200<br>
objectClass: idnsRecord<br>
objectClass: top<br>
idnsName: lawrencium<br>
nsds5ReplConflict: namingConflict
idnsname=lawrencium,idnsname=<a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
# mendelevium + e5710f85-c5c511e6-8a85a70a-bda98fae, <a
moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a>.,
dns, ipa<br>
.<a moz-do-not-send="true" href="http://rdmedia.com">rdmedia.com</a><br>
dn:
idnsName=mendelevium+nsuniqueid=e5710f85-c5c511e6-8a85a70a-bda98fae,idnsna<br>
me=<a moz-do-not-send="true" href="http://ipa.rdmedia.com">ipa.rdmedia.com</a>.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
aRecord: 192.168.50.52<br>
dNSTTL: 1200<br>
objectClass: idnsRecord<br>
objectClass: top<br>
idnsName: mendelevium<br>
nsds5ReplConflict: namingConflict
idnsname=mendelevium,idnsname=<a moz-do-not-send="true"
href="http://ipa.rdmedia.co">ipa.rdmedia.co</a><br>
m.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
# 41 + e764de07-5e2f11e6-bd76eb96-de53d9d8,
120.100.10.in-addr.arpa., dns, ipa.<br>
<a moz-do-not-send="true" href="http://rdmedia.com">rdmedia.com</a><br>
dn:
idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10<br>
0.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
objectClass: top<br>
objectClass: idnsrecord<br>
pTRRecord: <a moz-do-not-send="true"
href="http://arsenica.ipa.rdmedia.com">arsenica.ipa.rdmedia.com</a>.<br>
idnsName: 41<br>
nsds5ReplConflict: namingConflict
idnsname=41,idnsname=120.100.10.in-addr.arpa<br>
.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
# ipa + 58d90aec-cdae11e6-8a85a70a-bda98fae, cas +
334bfba8-cdae11e6-8a85a70a-b<br>
da98fae, ca, <a moz-do-not-send="true"
href="http://ipa.rdmedia.com">ipa.rdmedia.com</a><br>
dn:
cn=ipa+nsuniqueid=58d90aec-cdae11e6-8a85a70a-bda98fae,cn=cas+nsuniqueid=33<br>
4bfba8-cdae11e6-8a85a70a-bda98fae,cn=ca,dc=ipa,dc=rdmedia,dc=com<br>
description: IPA CA<br>
ipaCaIssuerDN: CN=Certificate Authority,O=<a
moz-do-not-send="true" href="http://IPA.RDMEDIA.COM">IPA.RDMEDIA.COM</a><br>
objectClass: top<br>
objectClass: ipaca<br>
ipaCaSubjectDN: CN=Certificate Authority,O=<a
moz-do-not-send="true" href="http://IPA.RDMEDIA.COM">IPA.RDMEDIA.COM</a><br>
ipaCaId: 21547c03-13c3-4f4f-992b-b0257012d1c1<br>
cn: ipansds5ReplConflict<br>
nsds5ReplConflict: namingConflict
cn=ipa,cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com<br>
# search result<br>
search: 2<br>
result: 0 Success<br>
# numResponses: 28<br>
# numEntries: 27</blockquote>
<div><br>
</div>
<div>So when I try e.g. this...</div>
<div><br>
</div>
<blockquote class="gmail_quote">[root@moscovium ~]# ldapmodify
-x -D "cn=directory manager" -W -h <a moz-do-not-send="true"
href="http://moscovium.ipa.rdmedia.com">moscovium.ipa.rdmedia.com</a>
-p 389<br>
Enter LDAP Password: <br>
dn: fqdn=<a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c<br>
n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com<br>
changetype: modrdn<br>
newrdn fqdn=<a moz-do-not-send="true"
href="http://neontemp.ipa.rdmedia.com">neontemp.ipa.rdmedia.com</a><br>
deleteoldrdn: 0</blockquote>
</div>
</blockquote>
It has to be <br>
newrdn: fqdn=<a moz-do-not-send="true"
href="http://neontemp.ipa.rdmedia.com">neontemp.ipa.rdmedia.com</a><br>
the ":" was missing.<br>
But you don't always have to do the modrdn steps, only if you want
to keep the conflict entry under a different dn.<br>
<br>
I would suggest you do the search for conflicts again, returning
just the nsds5ReplConflict attribute; you then get something
like:<br>
dn: idnsname=41+nsuniqueid=e764de07-5e2f11e6-bd76eb96-de53d9d8,idnsname=120.10.in-addr.arpa.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
nsds5ReplConflict: namingConflict idnsname=mendelevium,idnsname=<a
moz-do-not-send="true" href="http://ipa.rdmedia.co">ipa.rdmedia.co</a><br>
m.,cn=dns,dc=ipa,dc=rdmedia,dc=com<br>
<br>
<br>
Next, do a search for both entries, the conflict entry and the one
referenced in the nsds5ReplConflict attribute. If the original entry
exists and you want to keep it, you can just delete the conflict entry:<br>
<br>
ldapmodify -x -D "cn=directory manager" ....<br>
dn: fqdn=<a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,c<br>
n=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com<br>
changetype: delete<br>
<blockquote
cite="mid:CAAegNz0emvaqSAGMotzzwJzEkkodZJrfdqq8Eo9hRMeYBVOmpQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>...I get:</div>
<div><br>
</div>
<blockquote class="gmail_quote">ldapmodify: invalid format (line
3) entry: "fqdn=<a moz-do-not-send="true"
href="http://neon.ipa.rdmedia.com">neon.ipa.rdmedia.com</a>+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,cn=computers,cn=accounts,dc=ipa,dc=rdmedia,dc=com"</blockquote>
<div> </div>
<div>So my question: what can I do to resolve the conflicts?</div>
<div><br>
</div>
<div>-- <br>
<div class="gmail_signature">
<div dir="ltr">Tiemen Ruiten<br>
Systems Engineer<br>
R&D Media<br>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Red Hat GmbH, <a class="moz-txt-link-freetext" href="http://www.de.redhat.com/">http://www.de.redhat.com/</a>, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander</pre>
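<br>
<div>The procedure from the reply above (list the conflicts with only nsds5ReplConflict, pair each conflict entry with the original DN it names, then delete or rename the conflict entry), as an added example that is not part of the original thread: it unfolds the wrapped ldapsearch output, extracts both DNs and builds ldapmodify change records with the "newrdn:" colon in place. The sample LDIF, the example.test names and every function name are constructed for illustration; check that the original entry exists before passing a delete record to ldapmodify.</div>

```python
import base64
import re

# Constructed sample (not the thread's data): a conflict search that requests
# only nsds5ReplConflict, with long lines folded the way ldapsearch prints them.
SAMPLE_LDIF = """\
# extended LDIF
#
# neon.ipa.example.test + 1b780d06-017611e6-966aeb96-de53d9d8, computers, acco
 unts, ipa.example.test
dn: fqdn=neon.ipa.example.test+nsuniqueid=1b780d06-017611e6-966aeb96-de53d9d8,
 cn=computers,cn=accounts,dc=ipa,dc=example,dc=test
nsds5ReplConflict: namingConflict fqdn=neon.ipa.example.test,cn=computers,cn=a
 ccounts,dc=ipa,dc=example,dc=test

dn: cn=System: Add CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis
 sions,cn=pbac,dc=ipa,dc=example,dc=test
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
 ipa,dc=example,dc=test

# search result
search: 2
result: 0 Success
"""

ATTR_LINE = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*:")


def unfold(text):
    """Join RFC 2849 continuation lines (one leading space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return one dict per record that has a dn: {attr_lowercase: [values]}."""
    entries, current = [], {}
    for line in unfold(text) + [""]:      # trailing "" flushes the last record
        if line.startswith("#"):           # comments are dropped after unfolding
            continue
        if not line.strip():
            if "dn" in current:            # skips the "search:/result:" trailer
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an 'attr: value' line: %r" % line)
        if value.startswith(":"):          # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def conflict_pairs(text):
    """List (conflict_dn, conflict_type, original_dn) for each conflict entry."""
    pairs = []
    for entry in parse_entries(text):
        for value in entry.get("nsds5replconflict", []):
            kind, _, original = value.partition(" ")
            pairs.append((entry["dn"][0], kind, original.strip()))
    return pairs


def ldif_line(attr, value):
    """Format one line; base64-encode values LDIF cannot carry as plain text."""
    # "\x3c" is the less-than sign, which LDIF reserves for URL values.
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "\x3c")
              or value.endswith(" ") or any(c in value for c in "\r\n\0"))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (attr, encoded)
    return "%s: %s" % (attr, value)


def delete_record(dn):
    """Change record that removes a conflict entry whose original is kept."""
    return "\n".join([ldif_line("dn", dn), "changetype: delete", ""])


def rename_record(dn, new_rdn):
    """Change record that keeps the conflict entry under a new RDN."""
    return "\n".join([ldif_line("dn", dn), "changetype: modrdn",
                      ldif_line("newrdn", new_rdn), "deleteoldrdn: 0", ""])


def lint_change_record(record):
    """Return (logical_line_number, text) for lines without an 'attr:' prefix."""
    return [(n, line) for n, line in enumerate(unfold(record), start=1)
            if line.strip() and not line.startswith("#")
            and not ATTR_LINE.match(line)]


if __name__ == "__main__":
    for conflict_dn, kind, original_dn in conflict_pairs(SAMPLE_LDIF):
        print("# %s: original entry is %s" % (kind, original_dn))
        print(delete_record(conflict_dn))
```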
</body>
</html>