Hi Thierry, On 01/30/17 09:10, thierry bordaz wrote: > > I understand your concern and in fact it is difficult to anticipate a > potential bad impact of this cleanup. However,I think it is safe to get rid > of the following entry. > Before doing so you may check it exists > > cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the > ipaservers_hostgoups. > > dn: > cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de > mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de > objectClass: mepManagedEntry > > > If you are willing to remove that entry you need to remove the > mepmanagedEntry oc. So you need to remove the mepManagedBy and oc in the same > operation > > > Regarding the following entry > dn: > cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de > objectClass: mepOriginEntry > mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de > > You may want to check if it exists an entry it manages, looking for > "(mepManagedBy= > cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de > )". If it exists none, you should be able to remove it. > > Also I think working on ipabak, you should be able to do some tests on the > cleanup instance to validate everything is working fine. >
This looks like a pretty high risk, even if ipabak says everything is fine. The major problem was the failure on Debian Wheezy using the very old sssd. This seems to be gone now by resolving the "easy" cases. About the "hard" cases: AFAICS ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de doesn't list any hosts (the official entry does), and cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de points to the duplicate entry only. They are not referenced anywhere else in the ldap database. So I would suggest to wait and see if I run in any problem here. Would you agree to this, or do you expect problems later? I highly appreciate your help Regards Harri > regards > thierry > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
