Was detached and deleted prior to the user's deletion.
First modified by
dn: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy

Then deleted.
--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964


On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden <rcritten@redhat.com> wrote:
Sandor Juhasz via FreeIPA-users wrote:
> We have an entry that, after clicking delete on the UI, got partially
> deleted.
> The compat tree entry is gone.
> The accounts tree entry is there.
> ldapsearch finds the entry by uid, but fails by dn.
> ipa user-show <USERID> finds the user
> ipa user-del <USERID> says no such user
> ldapdelete fails to delete the entry by dn with err=32
> Web ui shows user
> User content can be modified from ipa cli and web ui - like name, shell,
> but cannot be deleted
> Other entries can be created and deleted without issue.
> We have 4-way master-master replication. Tried cli on 3 and got same
> result and issue.
> The third is not touched and the entry is available there both accounts
> and compat tree.
>
>
> ipa-server-4.6.4-10.el7.centos.3.x86_64
> CentOS Linux release 7.6.1810 (Core)
>
> On full broken master:
> # <USERID>, users, accounts, cxn
> dn: uid=<USERID>,cn=users,cn=accounts,dc=cxn
> gecos: FOO BAR
> displayName: FOO BAR
> krbLastAdminUnlock: 20190807124134Z
> krbLoginFailedCount: 0
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
> memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
> memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
> gidNumber: <GID>
> uidNumber: <UID>
> ipaUniqueID: <RANDOMUNIQUEID>
> cn: BAZ
> givenName: FOO
> krbPrincipalName: <USERID>@CXN
> mail: <MAIL>
> homeDirectory: /home/<USERID>
> sn: BAR
> initials: cU
> loginShell: /bin/false
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> krbCanonicalName: <USERID>@CXN
> uid: <USERID>
> mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
> krbPasswordExpiration: 20170615133527Z
> krbLastPwdChange: 20170615133527Z
> krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A

Can you check to see if the group entry exists,
cn=<USERID>,cn=groups,cn=accounts,dc=cxn via ldapsearch?

rob
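
The check asked for above (does the group that the user's mepManagedEntry points at still exist, and does it still point back with mepManagedBy?) can be run over a whole LDIF export, for example one taken per replica. This is an added example, not code from the thread or from FreeIPA; the function names, the sample entries and the dc=example suffix are constructed for illustration.

```python
import re

def norm_dn(dn):
    # Simplified: case-fold and trim around commas (escaped commas not handled).
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}}; base64 not decoded."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "")):  # unfold, split
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries

def dangling_mep_links(entries):
    """List (origin dn, attribute, target dn, problem) for broken MEP pairs."""
    problems = []
    for dn, attrs in entries.items():
        for target in map(norm_dn, attrs.get("mepmanagedentry", [])):
            if target not in entries:
                problems.append((dn, "mepManagedEntry", target, "target missing"))
            elif dn not in map(norm_dn, entries[target].get("mepmanagedby", [])):
                problems.append((dn, "mepManagedEntry", target, "no back-link"))
    return problems

U, G = "cn=users,cn=accounts,dc=example", "cn=groups,cn=accounts,dc=example"
SAMPLE_LDIF = f"""# constructed sample, not data from the thread
dn: uid=alice,{U}
mepManagedEntry: cn=alice,{G}

dn: uid=bob,{U}
mepManagedEntry: cn=bob,
 {G}

dn: cn=bob,{G}
mepManagedBy: uid=bob,{U}

dn: uid=carol,{U}
mepManagedEntry: cn=carol,{G}

dn: cn=carol,{G}"""

if __name__ == "__main__":
    print(*dangling_mep_links(parse_ldif(SAMPLE_LDIF)), sep="\n")
```

In the sample, alice is a user whose private group is already gone, carol is a user whose group exists but has been detached, and bob is an intact pair that produces no finding.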