Kees Bakker wrote:
> Thanks Flo,
>
> Yes! That's the one.
>
> Anyway, back to ipahealthcheck. How can we improve it so that users
> don't have to struggle
> with pdb in discovering what is actually wrong? ("we" => Rob :-)
>
> Only because I came across the following I was able to see the problem
> using dsconf.
>
> (Pdb) print(result['fix'])
> While conflict entries are expected to occur in an MMR environment, they
> should be resolved. In regards to conflict entries there is always the
> original/counterpart
> entry that has a normal DN, and then the conflict version of that
> entry. Technically both
> entries are valid, you as the administrator, needs to decide which entry
> you want to keep.
> First examine/compare both entries to determine which one you want to
> keep or remove. You
> can use the CLI tool "dsconf" to resolve the conflict. Here is an example:
>
> List the conflict entries:
>
> # dsconf slapd-EXAMPLE-COM repl-conflict list dc=example,dc=com
>
> Examine conflict entry and its counterpart entry:
>
> # dsconf slapd-EXAMPLE-COM repl-conflict compare <DN of
> conflict entry>
>
> Remove conflict entry and keep only the original/counterpart entry:
>
> # dsconf slapd-EXAMPLE-COM repl-conflict delete <DN of conflict
> entry>
>
> Replace the original/counterpart entry with the conflict entry:
>
> # dsconf slapd-EXAMPLE-COM repl-conflict swap <DN of conflict
> entry>
Only the DS checks provide this field. There are no plans to include it
ipa-healthcheck at this time.
>
> BTW. LDAP (and ldapsearch) remains a mystery to me. How can a less
> restrictive filter
> show less results?
Because it is the *server* which filters the results.
Returning the conflict entries routinely confused LDAP clients which
only expected a single return, for say, a query for a user.
rob
> -- Kees
>
> On 12-07-2021 09:41, Florence Renaud wrote:
>> The correct search filter must include (objectClass=ldapSubEntry):
>>
>> ldapsearch -H ldaps://linge.example.com <http://linge.example.com> -W
>> -D 'cn=Directory Manager' -b 'o=ipaca'
>> '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
>>
>> HTH,
>> flo
>>
>> On Sat, Jul 10, 2021 at 3:20 PM Kees Bakker via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>
>> On 09-07-2021 21:33, Rob Crittenden wrote:
>> > Kees Bakker via FreeIPA-users wrote:
>> >> Hi,
>> >>
>> >> ipahealthcheck gives me this warning
>> >>
>> >> [
>> >> {
>> >> "source": "ipahealthcheck.ds.replication",
>> >> "check": "ReplicationCheck",
>> >> "result": "WARNING",
>> >> "uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
>> >> "when": "20210709182051Z",
>> >> "duration": "45.967890",
>> >> "kw": {
>> >> "key": "DSREPLLE0002",
>> >> "items": [
>> >> "Replication",
>> >> "Conflict Entries"
>> >> ],
>> >> "msg": "There were 1 conflict entries found under the
>> replication
>> >> suffix \"o=ipaca\"."
>> >> }
>> >> }
>> >> ]
>> >>
>> >>
>> >> ldapsearch does not reveal any hit, however nsconf does.
>> >>
>> >>
>> >> [root@linge ~]# ldapsearch -H ldaps://linge.example.com
>> <http://linge.example.com> -W -D
>> >> 'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)'
>> >> Enter LDAP Password:
>> >> # extended LDIF
>> >> #
>> >> # LDAPv3
>> >> # base <o=ipaca> with scope subtree
>> >> # filter: (nsds5ReplConflict=*)
>> >> # requesting: ALL
>> >> #
>> >>
>> >> # search result
>> >> search: 2
>> >> result: 0 Success
>> >>
>> >> # numResponses: 1
>> >>
>> >>
>> >> [root@linge ~]# dsconf slapd-EXAMPLE-COM repl-conflict list
>> o=ipaca
>> >> dn:
>> >>
>>
>> cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security
>> >> Domain,o=ipaca
>> >> Clone: TRUE
>> >> DomainManager: TRUE
>> >> SecureAdminPort: 443
>> >> SecureAgentPort: 443
>> >> SecureEEClientAuthPort: 443
>> >> SecurePort: 443
>> >> SubsystemName: CA iparep4.example.com
>> <http://iparep4.example.com> 8443
>> >> UnSecurePort: 80
>> >> cn: iparep4.example.com:443 <http://iparep4.example.com:443>
>> >> host: iparep4.example.com <http://iparep4.example.com>
>> >> nsds5replconflict: namingConflict (ADD)
>> >> cn=iparep4.example.com:443
>> <http://iparep4.example.com:443>,cn=calist,ou=security domain,o=ipaca
>> >> objectClass: top
>> >> objectClass: pkiSubsystem
>> >> objectClass: ldapsubentry
>> >>
>> >>
>> >> How is that possible?
>> > 389 filters out conflict entries now. Add this filter and you
>> should see
>> > it with ldapsearch:
>> >
>> > (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
>> >
>>
>> That makes no difference. Both BASEDN and o=ipaca result in no hits.
>> (( Can ldapsearch really filter out more if the filter expression
>> is less restrictive? ))
>>
>> [root@linge ~]# ldapsearch -H ldaps://linge.example.com
>> <http://linge.example.com> -W -D 'cn=Directory Manager' -b
>> 'o=ipaca' '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <o=ipaca> with scope subtree
>> # filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> [root@linge ~]# ldapsearch -H ldaps://linge.example.com
>> <http://linge.example.com> -W -D 'cn=Directory Manager' -b $BASEDN
>> '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=example,dc=com> with scope subtree
>> # filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> --
>> Kees
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> <mailto:freeipa-users-le...@lists.fedorahosted.org>
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> <https://fedoraproject.org/wiki/Mailing_list_guidelines>
>> List Archives:
>>
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
>> <https://pagure.io/fedora-infrastructure>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
