After a lot of patching in order to get the environment up to date in order
to add a new CA replica and remove our IPA 3.0 servers, we ended up with a
bunch of conflicts and other inconsistencies:
$ ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa0.domain.tld" -D "cn=directory manager" -w secret \
    -b "dc=domain,dc=tld" "nsds5ReplConflict=*" nsds5ReplConflict
dn: cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
dn: cn=ipaservers+nsuniqueid=e8d2f707-512111e7-9205b5bf-43202000,cn=ng,cn=alt,dc=domain,dc=tld
dn: cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
dn: cn=locations+nsuniqueid=e8d2f712-512111e7-9205b5bf-43202000,cn=etc,dc=domain,dc=tld
dn: cn=DNS Administrators+nsuniqueid=e8d2f718-512111e7-9205b5bf-43202000,cn=privileges,cn=pbac,dc=domain,dc=tld
dn: cn=DNS Servers+nsuniqueid=e8d2f71a-512111e7-9205b5bf-43202000,cn=privileges,cn=pbac,dc=domain,dc=tld
dn: cn=cas+nsuniqueid=e8d2f71c-512111e7-9205b5bf-43202000,cn=ca,dc=domain,dc=tld
dn: cn=dogtag+nsuniqueid=e8d2f74d-512111e7-9205b5bf-43202000,cn=custodia,cn=ipa,cn=etc,dc=domain,dc=tld
dn: cn=ca+nsuniqueid=e8d2f750-512111e7-9205b5bf-43202000,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
dn: cn=System: Add CA+nsuniqueid=e8d2f75d-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Delete CA+nsuniqueid=e8d2f761-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Modify CA+nsuniqueid=e8d2f765-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read CAs+nsuniqueid=e8d2f769-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=e8d2f77a-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=e8d2f77e-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Add IPA Locations+nsuniqueid=e8d2f807-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Modify IPA Locations+nsuniqueid=e8d2f80b-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read IPA Locations+nsuniqueid=e8d2f80f-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Remove IPA Locations+nsuniqueid=e8d2f813-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=e8d2f82c-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=e8d2f830-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Manage Service Principals+nsuniqueid=e8d2f834-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Manage User Principals+nsuniqueid=e8d2f866-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: dnaHostname=ipa1.domain.tld+dnaPortNum=0+nsuniqueid=c90407a3-51e311e7-9205b5bf-43202000,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=domain,dc=tld
Looking only at the first one I see two entries for it:
$ ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa0.domain.tld" -D "cn=directory manager" -w secret \
    -b cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld -s base
dn: cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
ipaUniqueID: fe7226e4-5121-11e7-82f1-005056972fd9
cn: ipaservers
description: IPA server hosts
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld

[jbowman@idm ipa_check_consistency]$ ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa0.domain.tld" -D "cn=directory manager" -w secret \
    -b cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=tld -s base
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=tld
ipaUniqueID: 319cb1ce-c21b-11e6-bab9-005056977521
cn: ipaservers
description: IPA server hosts
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
member: fqdn=ipa4.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
member: fqdn=ipa5.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
memberOf: cn=replication administrators,cn=privileges,cn=pbac,dc=domain,dc=tld
memberOf: cn=add replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=modify replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=remove replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read passsync managers configuration,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=modify passsync managers configuration,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read ldbm database configuration,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=add configuration sub-entries,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=modify dna range,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read dna range,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: ipauniqueid=87c611a4-3753-11e3-a382-0050568e07ed,cn=sudorules,cn=sudo,dc=domain,dc=tld
memberOf: cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
memberOf: cn=ipaservers+nsuniqueid=e8d2f707-512111e7-9205b5bf-43202000,cn=ng,cn=alt,dc=domain,dc=tld
I made the mistake of trying to delete:
cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
After a successful deletion with ldapmodify, the entry is removed on 5 of
the 6 servers, but on 1 server (in this case ipa1.domain.tld) it deletes the
valid entry on that server. I'm concerned these errors could cause other
issues further down the road and would like to get them cleared up, but I'm
not having much success, which doesn't build confidence, unfortunately. Any
tips would be appreciated.
If it helps:
ipa0 = RHEL 6 with IPA 3.0
ipa1 = RHEL 7 with IPA 4.4 (recently updated from 4.2)
ipa2 = RHEL 6 with IPA 3.0
ipa3 = RHEL 6 with IPA 3.0
ipa4 = RHEL 7 with IPA 4.4
ipa5 = RHEL 7 with IPA 4.4
Thanks!
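The check below is an added example, not part of the original post and not FreeIPA or 389 DS tooling. It is a small Python script that parses ldapsearch LDIF output, pairs each entry carrying nsds5ReplConflict with the DN it was renamed away from (the same DN minus the "+nsuniqueid=..." RDN component), diffs the two copies so you can see which one holds the real data, and then compares per-replica results by nsuniqueid rather than by DN. That last step is the point: the entry that is the conflict copy on one server can be the canonical copy on another, which is how a delete aimed at a DN removes the good entry on one replica. The sample LDIF, the ipa0/ipa1 names and the nsuniqueid 00000000-0000aaaa-bbbbcccc-dddd0000 are constructed; only e8d2f705-512111e7-9205b5bf-43202000 and the domain.tld DNs are taken from the post.

```python
import base64
import re
from collections import defaultdict

# The replication conflict handling renames the losing entry by appending this
# RDN component; stripping it recovers the DN the entry originally had.
CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of (dn, {attr: [values]}).
    Folded continuation lines (leading space) are joined first, so this works
    with or without -o ldif-wrap=no; '::' values are base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        key = key.strip().lower()
        if key == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[key].append(value)
    return entries


def canonical_dn(dn):
    """DN the entry had before the conflict rename."""
    return CONFLICT_RDN.sub("", dn)


def find_conflicts(entries):
    """For each conflict entry, report its original DN, whether that DN still
    exists in the same result set, and which values are only on one copy."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    skip = {"nsds5replconflict", "nsuniqueid", "ipauniqueid"}
    report = []
    for dn, attrs in entries:
        if "nsds5replconflict" not in attrs:
            continue
        cdn = canonical_dn(dn)
        valid = by_dn.get(cdn.lower())
        item = {"conflict_dn": dn, "canonical_dn": cdn,
                "reason": attrs["nsds5replconflict"][0],
                "valid_present": valid is not None,
                "only_in_conflict": {}, "only_in_valid": {}}
        if valid is not None:
            for a in (set(attrs) | set(valid)) - skip:
                c, v = set(attrs.get(a, [])), set(valid.get(a, []))
                if c - v:
                    item["only_in_conflict"][a] = sorted(c - v)
                if v - c:
                    item["only_in_valid"][a] = sorted(v - c)
        report.append(item)
    return report


def cross_replica_view(per_replica):
    """Map each nsuniqueid to the DN it carries on every replica queried."""
    view = defaultdict(dict)
    for replica, ldif in per_replica.items():
        for dn, attrs in parse_ldif(ldif):
            for uid in attrs.get("nsuniqueid", []):
                view[uid.lower()][replica] = dn
    return dict(view)


def inconsistent_entries(per_replica):
    """nsuniqueids whose DN differs between replicas: deleting these by DN
    would hit a different physical entry on different servers."""
    return sorted(uid for uid, dns in cross_replica_view(per_replica).items()
                  if len({d.lower() for d in dns.values()}) > 1)


# Constructed sample output modelled on the post's two ipaservers entries.
# On ipa0 the entry with UID_A lost the conflict; on ipa1 it is the canonical one.
BASE = "cn=hostgroups,cn=accounts,dc=domain,dc=tld"
UID_A = "e8d2f705-512111e7-9205b5bf-43202000"   # from the post
UID_B = "00000000-0000aaaa-bbbbcccc-dddd0000"   # constructed placeholder
SAMPLE_IPA0 = f"""dn: cn=ipaservers+nsuniqueid={UID_A},{BASE}
nsuniqueid: {UID_A}
nsds5ReplConflict: namingConflict cn=ipaservers,{BASE}
cn: ipaservers
objectClass: ipahostgroup
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld

dn: cn=ipaservers,{BASE}
nsuniqueid: {UID_B}
cn: ipaservers
objectClass: ipahostgroup
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
member: fqdn=ipa4.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
"""
SAMPLE_IPA1 = f"""dn: cn=ipaservers,{BASE}
nsuniqueid: {UID_A}
cn: ipaservers
objectClass: ipahostgroup
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld

dn: cn=ipaservers+nsuniqueid={UID_B},{BASE}
nsuniqueid: {UID_B}
nsds5ReplConflict: namingConflict cn=ipaservers,{BASE}
cn: ipaservers
objectClass: ipahostgroup
member: fqdn=ipa4.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
"""

if __name__ == "__main__":
    for c in find_conflicts(parse_ldif(SAMPLE_IPA0)):
        print(f"{c['conflict_dn']}\n  -> {c['canonical_dn']} present={c['valid_present']}")
        print(f"  only on valid copy: {c['only_in_valid']}")
    print("DN differs between replicas for:",
          inconsistent_entries({"ipa0": SAMPLE_IPA0, "ipa1": SAMPLE_IPA1}))
```

To use it on real data, feed it the output of the post's search from each replica with nsuniqueid added to the attribute list (both nsuniqueid and nsds5ReplConflict are operational attributes and are only returned when requested by name). Any nsuniqueid listed by inconsistent_entries is one where the same DN points at different entries on different servers, which is exactly the situation where the delete on ipa1 removed the valid copy; those are the ones to resolve per server rather than with one replicated delete.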