J N via FreeIPA-users wrote:
>> J N via FreeIPA-users wrote:
>>
>> One is probably a replication conflict entry. Add --all --raw to the
>> command and look at the dn. If it contains nsUniqueId it's a conflict
>> entry. If both entries are identical you can delete it using ldapdelete.
>> Otherwise for preservation purposes you'd want to add/remove anything
>> missing from the non-conflict entry. Once you have it the way you want,
>> then you can delete the conflict.
>>
>> rob
>
> $ ipa hbacrule-find --all --raw
> --------------------
> 2 HBAC rules matched
> --------------------
> dn: ipaUniqueID=ae750172-e8e0-11ed-a25b-020017076333,cn=hbac,dc=lab,dc=local
> cn: test_rule
> hostcategory: all
> servicecategory: all
> description: Test rule
> ipaenabledflag: TRUE
> accessRuleType: allow
> ipaUniqueID: ae750172-e8e0-11ed-a25b-020017076333
> objectClass: ipaassociation
> objectClass: ipahbacrule
>
> dn: ipaUniqueID=ae89c6ca-e8e0-11ed-ae60-020017018325,cn=hbac,dc=lab,dc=local
> cn: test_rule
> hostcategory: all
> servicecategory: all
> description: Test rule
> ipaenabledflag: TRUE
> accessRuleType: allow
> ipaUniqueID: ae89c6ca-e8e0-11ed-ae60-020017018325
> objectClass: ipaassociation
> objectClass: ipahbacrule
>
>
> Trying to delete using ldapdelete:
>
> $ kinit admin
> Password for [email protected]
>
> $ ldapdelete -x -H ldap://ipa.lab.local
> "ipaUniqueID=6fda040a-e8f2-11ed-a130-020017076333,cn=hbac,dc=lab,dc=local" -W
> Enter LDAP Password:
> ldap_delete: Insufficient access (50)
> additional info: Insufficient 'delete' privilege to delete the entry
> 'ipaUniqueID=6fda040a-e8f2-11ed-a130-020017076333,cn=hbac,dc=lab,dc=local'.

Instead of -x and -W use -Y GSSAPI and it will use the admin Kerberos
credentials.

I can't explain how two rules got created with the same name. I can only
chalk it up to replication. It in fact is not a conflict because the DNs
are unique.

rob
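The check discussed in this thread, as an added example that is not part of the original messages: it parses saved `ipa hbacrule-find --all --raw` output, groups rules by `cn`, and reports for each reused name whether any DN carries `nsuniqueid` (a replication conflict entry) and whether the entries are otherwise identical. The function names and the `demo_rule` entries are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed input: test_rule DNs are from the thread; the demo_rule pair is made up.
SAMPLE = """\
dn: ipaUniqueID=ae750172-e8e0-11ed-a25b-020017076333,cn=hbac,dc=lab,dc=local
cn: test_rule
ipaenabledflag: TRUE

dn: ipaUniqueID=ae89c6ca-e8e0-11ed-ae60-020017018325,cn=hbac,dc=lab,dc=local
cn: test_rule
ipaenabledflag: TRUE

dn: ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=hbac,dc=lab,dc=local
cn: demo_rule
ipaenabledflag: TRUE

dn: ipaUniqueID=00000000-0000-0000-0000-000000000001+nsuniqueid=aaaaaaaa-bbbbbbbb-cccccccc-dddddddd,cn=hbac,dc=lab,dc=local
cn: demo_rule
ipaenabledflag: FALSE
"""

def parse_entries(text):
    """Parse blank-line-separated 'attr: value' blocks; blocks without a dn are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.strip().partition(": ")
            if sep:  # header lines such as '2 HBAC rules matched' have no separator
                entry[attr.lower()].append(value)
        if "dn" in entry:
            entries.append(dict(entry))
    return entries

def find_duplicates(entries):
    """For each cn used more than once: its DNs, any conflict DNs, and whether bodies match."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.get("cn", [""])[0].lower()].append(e)
    report = {}
    for name, group in by_name.items():
        if len(group) > 1:
            dns = [e["dn"][0] for e in group]
            bodies = [{k: sorted(v) for k, v in e.items() if k not in ("dn", "ipauniqueid")} for e in group]
            conflicts = [d for d in dns if "nsuniqueid=" in d.lower()]
            same = all(b == bodies[0] for b in bodies)
            report[name] = {"dns": dns, "conflict_dns": conflicts, "identical": same}
    return report
```

For `test_rule` the report shows two distinct DNs, no conflict DN, and identical bodies, which matches the conclusion above that the pair is a duplicate rather than a replication conflict.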
