On 04/29/2015 05:35 PM, Andy Thompson wrote:
-----Original Message-----
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 11:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:08 PM, Andy Thompson wrote:
-----Original Message-----
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:59 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 04:49 PM, Andy Thompson wrote:
-----Original Message-----
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:51 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
did you run the searches as directory manager ?
Yep sure did
that's weird, as directory manager you should be able to see the
nscpentrywsi attribute, could you paste your full search request ?
This returns the object
ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D
"cn=directory manager" -W -b "dc=..."
"(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0a
bc1a8))" | grep -i objectClass
This returns nothing
ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D
"cn=directory manager" -W -b "dc=..."
"(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0a
bc1a8))" nscpentrywsi | grep -i objectClass
and if you omit the grep ? still puzzled.
Ah if I omit the grep on the second server I get
dn:
nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn:
nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
nscpentrywsi: description;vucsn-55364a42000500040000: User private group for
username
nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=
username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed
Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed
Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000:
94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327
thought I tried that before, apparently not.
This is looking like that on the replica where the errors are logged.
The entry is a tombstone but can not be find with the nsuniqueid.
If on that server you do
ldapsearch -LLL -o ldif-wrap=no -Hldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b
"dc=..." "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"
what is logged in the access log for these two searches?
On 04/29/2015 04:34 PM, Andy Thompson wrote:
-----Original Message-----
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
can you do the followin search on both servers ?
ldapsearch -LLL -o ldif-wrap=no -h xxx p xxx -x -D
"cn=directory manager" - w xxx -b "dc=xxx...."
"(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-
99f1b343-
f0abc1a8))"
nscpentrywsi | grep -i objectClass
The server that I initially attempted the deletion on returns nothing.
The second server (the one currently throwing the consumer failed
replay error) returns this if I remove the nscpentrywsi attribute
filter. If I leave the attribute filter I don't get anything
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone
-andy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
