On 09-07-2021 21:33, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Hi,

ipahealthcheck gives me this warning

[
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationCheck",
     "result": "WARNING",
     "uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
     "when": "20210709182051Z",
     "duration": "45.967890",
     "kw": {
       "key": "DSREPLLE0002",
       "items": [
         "Replication",
         "Conflict Entries"
       ],
       "msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"."
     }
   }
]


ldapsearch does not reveal any hit, however dsconf does.


[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (nsds5ReplConflict=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


[root@linge ~]# dsconf slapd-EXAMPLE-COM  repl-conflict list o=ipaca
dn: cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security Domain,o=ipaca
Clone: TRUE
DomainManager: TRUE
SecureAdminPort: 443
SecureAgentPort: 443
SecureEEClientAuthPort: 443
SecurePort: 443
SubsystemName: CA iparep4.example.com 8443
UnSecurePort: 80
cn: iparep4.example.com:443
host: iparep4.example.com
nsds5replconflict: namingConflict (ADD) cn=iparep4.example.com:443,cn=calist,ou=security domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
objectClass: ldapsubentry


How is that possible?
389 filters out conflict entries now. Add this filter and you should see
it with ldapsearch:

(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))


That makes no difference. Both BASEDN and o=ipaca result in no hits.
(( Can ldapsearch really filter out more if the filter expression is less 
restrictive? ))

[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b $BASEDN '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

--
Kees
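
An added example, not part of the thread: the dsconf output above lists objectClass: ldapsubentry, and 389 Directory Server returns ldapsubentry entries only to searches whose filter names that object class. The Python below is a simplified model of that rule (the function names and the reduced entry are constructed for illustration, not server code), applied to the thread's two filters and to a third that adds (objectClass=ldapsubentry).

```python
# Constructed entry, reduced from the dsconf output quoted in the thread.
# Attribute names are stored lowercase because LDAP attribute names are
# case-insensitive.
CONFLICT_ENTRY = {
    "objectclass": ["top", "pkiSubsystem", "ldapsubentry"],
    "cn": ["iparep4.example.com:443"],
    "nsds5replconflict": ["namingConflict (ADD) cn=iparep4.example.com:443,"
                          "cn=calist,ou=security domain,o=ipaca"],
}

def parse(s, i=0):
    """Parse the filter starting at s[i]; supports &, |, !, presence, equality."""
    if s[i] != "(":
        raise ValueError("filter component must start with '('")
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1              # step over the closing ')'
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    op, kids = node
    if op == "!":
        return not matches(kids[0], entry)
    results = [matches(k, entry) for k in kids]
    return all(results) if op == "&" else any(results)

def asks_for(node, objectclass):
    """True if any component of the filter is (objectclass=<objectclass>)."""
    if node[0] == "=":
        return node[1] == "objectclass" and node[2].lower() == objectclass
    return any(asks_for(k, objectclass) for k in node[1])

def search(filter_text, entries):
    """Assumed visibility rule: ldapsubentry entries are returned only when
    the filter itself contains (objectclass=ldapsubentry)."""
    node, _ = parse(filter_text)
    wants_sub = asks_for(node, "ldapsubentry")
    return [e for e in entries if matches(node, e) and
            (wants_sub or "ldapsubentry" not in
             [v.lower() for v in e["objectclass"]])]
```

In this model both filters tried in the thread match the entry but it is withheld; only the filter that includes (objectClass=ldapsubentry) returns it.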