On 09-07-2021 21:33, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Hi,
ipahealthcheck gives me this warning
[
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "WARNING",
"uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
"when": "20210709182051Z",
"duration": "45.967890",
"kw": {
"key": "DSREPLLE0002",
"items": [
"Replication",
"Conflict Entries"
],
"msg": "There were 1 conflict entries found under the replication
suffix \"o=ipaca\"."
}
}
]
ldapsearch does not reveal any hit, however nsconf does.
[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D
'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (nsds5ReplConflict=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
[root@linge ~]# dsconf slapd-EXAMPLE-COM repl-conflict list o=ipaca
dn:
cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security
Domain,o=ipaca
Clone: TRUE
DomainManager: TRUE
SecureAdminPort: 443
SecureAgentPort: 443
SecureEEClientAuthPort: 443
SecurePort: 443
SubsystemName: CA iparep4.example.com 8443
UnSecurePort: 80
cn: iparep4.example.com:443
host: iparep4.example.com
nsds5replconflict: namingConflict (ADD)
cn=iparep4.example.com:443,cn=calist,ou=security domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
objectClass: ldapsubentry
How is that possible?
389 filters out conflict entries now. Add this filter and you should see
it with ldapsearch:
(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
That makes no difference. Both BASEDN and o=ipaca result in no hits.
(( Can ldapsearch really filter out more if the filter expression is less
restrictive? ))
[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory
Manager' -b 'o=ipaca' '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory
Manager' -b $BASEDN '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
--
Kees
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure