Janez Molicnik via FreeIPA-users wrote:
I've seen a similar thread from two years ago, but with no
solution. Something similar happened here. We use FreeIPA VERSION: 4.6.8, API_VERSION:
2.237 on CentOS Linux release 7.8.2003 (Core) and when I tried to rename the test
user, I got the following error:
ipa user-mod --rename=testis test.is
ipa: ERROR: Operations error:

Look in the Apache error_log. A more detailed error may be found there
for whatever the operations error was.

Now the renamed user is inaccessible as an object - if I try to list
all users with test in their names in the WebUI I always get the error:
Operations Error
Some operations failed.
testis: user not found

Same, check the error_log.

While if I try to use the CLI tool to search for users with test in their name, the new
renamed user is displayed among other test users:
ipa user-find test
User login: testis
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: testis@REALM.COM
Principal alias: testis@REALM.COM
Email address: test.is@mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False
But I can't reference it directly:
ipa user-find testis
---------------
0 users matched
---------------
...
ipa user-find test.is
---------------
0 users matched
---------------
But if I go to the replica server and search for it there, the user is there, un-renamed.. like
it was:
[root@ipa2 ~]# ipa user-find test.is
--------------
1 user matched
--------------
User login: test.is
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: test.is@REALM.COM
Principal alias: test.is@REALM.COM
Email address: test.is@mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False

I'm not sure if that means that replication isn't working or some bad
mod wasn't replicated.

I can also see the new renamed user on 1st server with Apache Directory Studio, but it
does not display any attribute values when selected.
So my question is how to delete this user and synchronize both replicas? I've also
searched on the internet and I cannot believe that there are so few resources about
this issue. I found some old bug reports that user-mod rename wouldn't rename the
principal, but it did in our case. Only email and home directory remained un-renamed.

I'd try ldapsearch to find the user.

ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test uid=testis

If you can get the dn you can delete it.

rob
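
Added example, not part of the reply above and not FreeIPA's own code: one way to pull the exact DN out of ldapsearch output on each replica so the two servers can be compared before anything is deleted. The function names, the host names in the comments and the sample LDIF are assumptions constructed for illustration; the base DN is the one from the command above.

```shell
#!/bin/sh
# extract_dns: read LDIF on stdin, print one DN per line.
# Handles folded lines (a continuation starts with a single space)
# and base64-encoded DNs ("dn:: ...").
extract_dns() {
    awk '
        /^ / { if (indn) buf = buf substr($0, 2); next }  # unfold continuation
        { flush(); indn = 0 }                             # any other line ends the dn
        /^dn::? / { buf = $0; indn = 1 }
        END { flush() }
        function flush() { if (buf != "") print buf; buf = "" }
    ' | while IFS= read -r line; do
        case $line in
            "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; echo ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

# find_dn HOST LOGIN: ask one replica for the DN of a login.
# Needs a Kerberos ticket (kinit); LOGIN is trusted operator input
# and is not escaped for the LDAP filter.
find_dn() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" \
        -b cn=users,cn=accounts,dc=example,dc=test "(uid=$2)" 1.1 | extract_dns
}

# Constructed sample LDIF (not output from the thread), with one folded DN.
sample_ldif() {
cat <<'EOF'
# constructed sample
dn: uid=testis,cn=users,cn=accounts,dc=example,dc=test
uid: testis

dn: uid=test.is,cn=users,cn=accounts,dc=exam
 ple,dc=test
uid: test.is
EOF
}

# Offline demonstration on the constructed sample.
sample_ldif | extract_dns

# Against live servers (host names are hypothetical):
#   find_dn ipa1.example.test testis
#   find_dn ipa2.example.test test.is
# Once the DN is confirmed:
#   ldapdelete -Q -Y GSSAPI -H ldap://ipa1.example.test "<dn printed above>"
```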