The correct search filter must include (objectClass=ldapSubEntry):

ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict

HTH,
flo

On Sat, Jul 10, 2021 at 3:20 PM Kees Bakker via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 09-07-2021 21:33, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Hi,
>>
>> ipahealthcheck gives me this warning
>>
>> [
>> {
>> "source": "ipahealthcheck.ds.replication",
>> "check": "ReplicationCheck",
>> "result": "WARNING",
>> "uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
>> "when": "20210709182051Z",
>> "duration": "45.967890",
>> "kw": {
>> "key": "DSREPLLE0002",
>> "items": [
>> "Replication",
>> "Conflict Entries"
>> ],
>> "msg": "There were 1 conflict entries found under the replication
>> suffix \"o=ipaca\"."
>> }
>> }
>> ]
>>
>>
>> ldapsearch does not reveal any hit, however dsconf does.
>>
>>
>> [root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D
>> 'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <o=ipaca> with scope subtree
>> # filter: (nsds5ReplConflict=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>>
>> [root@linge ~]# dsconf slapd-EXAMPLE-COM repl-conflict list o=ipaca
>> dn:
>> cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security
>> Domain,o=ipaca
>> Clone: TRUE
>> DomainManager: TRUE
>> SecureAdminPort: 443
>> SecureAgentPort: 443
>> SecureEEClientAuthPort: 443
>> SecurePort: 443
>> SubsystemName: CA iparep4.example.com 8443
>> UnSecurePort: 80
>> cn: iparep4.example.com:443
>> host: iparep4.example.com
>> nsds5replconflict: namingConflict (ADD)
>> cn=iparep4.example.com:443,cn=calist,ou=security domain,o=ipaca
>> objectClass: top
>> objectClass: pkiSubsystem
>> objectClass: ldapsubentry
>>
>>
>> How is that possible?
> 389 filters out conflict entries now. Add this filter and you should see
> it with ldapsearch:
>
> (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
>
That makes no difference. Both BASEDN and o=ipaca result in no hits.
(( Can ldapsearch really filter out more if the filter expression is less restrictive? ))

[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1

[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b $BASEDN '(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(!(objectclass=nstombstone))(nsds5ReplConflict=*))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
--
Kees
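
Added example, not part of any message in this thread: a POSIX shell helper that takes the output of the ldapsearch command given in the first reply and prints each conflict entry's DN and nsds5ReplConflict value, joining wrapped LDIF lines first. The function names and the sample LDIF are constructed for illustration; the sample is modelled on the entry dsconf printed above.

```shell
# Added example, not from the thread. Filter as given in the reply: it names
# objectClass=ldapSubEntry explicitly together with nsds5ReplConflict.
CONFLICT_FILTER='(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))'

# Join LDIF continuation lines (a leading single space continues the previous line).
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# stdin: ldapsearch LDIF. stdout: one "DN<TAB>nsds5ReplConflict value" per entry.
# Base64 values (attr:: ...) are passed through undecoded.
parse_conflicts() {
    unfold_ldif | awk '
        function emit() {
            if (dn != "" && why != "") printf "%s\t%s\n", dn, why
            dn = ""; why = ""
        }
        function value(line) { sub(/^[^:]*::? /, "", line); return line }
        /^#/ { next }                      # ldapsearch comment lines
        /^$/ { emit(); next }              # blank line ends an entry
        tolower($0) ~ /^dn::? / { dn = value($0); next }
        tolower($0) ~ /^nsds5replconflict::? / { why = value($0) }
        END { emit() }'
}

count_conflicts() { parse_conflicts | wc -l | tr -d " "; }

# Constructed sample, modelled on the entry dsconf printed in the thread.
sample_ldif() {
    cat <<'EOF'
# extended LDIF

dn: cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,
 cn=CAList,ou=Security Domain,o=ipaca
nsds5ReplConflict: namingConflict (ADD) cn=iparep4.example.com:443,cn=calist,o
 u=security domain,o=ipaca

# search result
search: 2
result: 0 Success
EOF
}

# Live use (prompts for the password):
#   ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' \
#     -b 'o=ipaca' "$CONFLICT_FILTER" nsds5ReplConflict | parse_conflicts
sample_ldif | parse_conflicts
```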