On 01/17/2017 04:48 PM, Harald Dunkel wrote:
On 01/17/17 16:12, Harald Dunkel wrote:
On 01/17/17 11:38, Sumit Bose wrote:
On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
It seems something got corrupted in my ipa setup. I found this in the
sssd log file on Wheezy:

(Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
Looks like there was a replication conflict, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
how to resolve it.

% ldapsearch -D "cn=directory manager" -w secret -b "dc=example,dc=de" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict | wc -l
26

PS:

nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=dns administrators,cn=privileges,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=dns servers,cn=privileges,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Read Locations of IPA Servers,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Read Status of Services on IPA Servers,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Manage Service Principals,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=example,dc=de

This looks like a problem of ipa-server-install. These entries were created
in the very first seconds.
Conflict entries are created if an entry is added on different servers at the "same time", where same time means it is created on instance x before the add of the entry on instance y was replicated to x. This can happen if you run things in parallel, e.g. upgrades.

There is no simple way to get rid of them, you need to delete them one by one, so do:
ldapmodify .......
dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
changetype: delete

for all of your conflict entries


Harri


--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
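
Added example, not part of the original thread and not FreeIPA or 389 DS project code: one way to turn the output of the conflict search into reviewable delete records for ldapmodify. The function names and the sample input are constructed for illustration; as a safety check it only emits a delete for DNs whose first RDN carries `+nsuniqueid=`, so the live entry named in the `nsds5ReplConflict` value is never targeted.

```python
import base64
import re

# Constructed ldapsearch -LLL style output. Entry 1 uses the DN from the thread,
# folded as LDIF does (continuation lines start with one space). Entry 2 has no
# nsuniqueid in its RDN and must be skipped. Entry 3 has a base64 DN ("dn::").
B64_DN = "cn=cas+nsuniqueid=00000000-00000000-00000000-00000000,cn=ca,dc=example,dc=de"
SAMPLE = (
    "dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8\n"
    " da17db,cn=permissions,cn=pbac,dc=example,dc=de\n"
    "nsds5ReplConflict: namingConflict cn=System: Manage Host Principals,cn=permiss\n"
    " ions,cn=pbac,dc=example,dc=de\n\n"
    "dn: cn=locations,cn=etc,dc=example,dc=de\n"
    "nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=example,dc=de\n\n"
    "dn:: " + base64.b64encode(B64_DN.encode()).decode() + "\n"
    "nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=example,dc=de\n"
)

# A conflict entry is recognised by "+nsuniqueid=<id>" inside its first RDN.
CONFLICT_RDN = re.compile(r"^[^,]*\+nsuniqueid=[0-9a-f-]+,", re.IGNORECASE)

def parse_entries(ldif):
    """Unfold LDIF and yield (dn, has_conflict_attr) for each entry."""
    unfolded = re.sub(r"\n ", "", ldif)  # RFC 2849 line unfolding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, conflict = None, False
        for line in block.splitlines():
            if line.startswith("dn:: "):
                dn = base64.b64decode(line[5:]).decode("utf-8")
            elif line.startswith("dn: "):
                dn = line[4:]
            elif line.lower().startswith("nsds5replconflict:"):
                conflict = True
        if dn:
            yield dn, conflict

def delete_ldif(ldif):
    """Return (ldif_text, skipped_dns); only conflict DNs get a delete record."""
    records, skipped = [], []
    for dn, conflict in parse_entries(ldif):
        if conflict and CONFLICT_RDN.match(dn):
            records.append(f"dn: {dn}\nchangetype: delete\n")
        else:
            skipped.append(dn)
    return "\n".join(records), skipped

if __name__ == "__main__":
    out, skipped = delete_ldif(SAMPLE)
    print(out + "\n# skipped (not a conflict DN): " + repr(skipped))
```

Review the generated records, and confirm the entry named in each `nsds5ReplConflict` value still exists, before passing the file to ldapmodify.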
