Hi, in your first message, the output of $ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net" mentions: dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net *nsds5replconflict: deletedEntryHasChildren*
It means that the replication tried to delete this entry on 1 server but there were subentries below that one. Is this replica sg1-replica.noc.net still present in the topology? If it has been removed, you can delete the entry and its children. Otherwise you need to keep it. The other conflict is dn: krbprincipalname=HTTP/mi1-replica.noc....@noc.net +nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net Can you show the content of the entry and the content of the conflict entry? The differences may help understand why there is a conflict. ldapsearch -D "cn=directory manager" -W -b krbprincipalname=HTTP/ mi1-replica.noc....@noc.net +nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net ldapsearch -D "cn=directory manager" -W -b krbprincipalname=HTTP/ mi1-replica.noc....@noc.net,cn=services,cn=accounts,dc=noc,dc=net flo On Tue, Apr 23, 2024 at 12:08 PM Lee Csk via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > ipa-server-4.9.12-14 fixes this issue: > > https://issues.redhat.com/browse/RHEL-28847 and must be installed with > the > > corresponding bind update that fixes > > https://issues.redhat.com/browse/RHEL-25648: bind-9.11.36-11.el8_9.1 > > Do you have the right bind version? > > > > flo > > I do not have access to those RHEL issues unfortunately. > > That is a good point however, observed that various replica servers > running different bind versions. > Some: bind-9.11.36-11.el8_9.x86_64 > Others: bind-9.11.36-11.el8_9.1.x86_64 > > We are updating them now slowly, and already updated 2 replica servers to > the latest bind version - however the LDAP Conflicts don't disappear. > > Thanks, > Lee > -- > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
