So, just for completeness in case someone else experiences the same issue, what I did in the end was install JXplorer and then use it to delete the problem entries. They appeared as (for example):
nsuniqueid=4034e309-d63711e3-9b7eb928-a98b9061+uid=disk100,cn=users,cn=accounts,dc=xxx,dc=abc,dc=ca

Just right-clicked and selected "delete".

Based on ease of installation and ease of use, I highly recommend JXplorer (for solving problems like this). It can also be run in a read-only mode, which is nice just to poke around without the possibility of messing things up.

Regards,
Ron

On 09/04/2014 02:17 PM, Rich Megginson wrote:
> On 09/04/2014 02:31 PM, Ron wrote:
>> So I tried to delete an entry on IPA01 without success:
>>
>> [root@ipa01 ~]# ldapdelete -D "uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x "cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
>> Enter LDAP Password:
>> ldap_delete: Server is unwilling to perform (53)
>>     additional info: Deleting a managed entry is not allowed. It needs to be manually unlinked first
>>
>> Same problem if I try to use ldapmodify:
>>
>> [root@ipa01 ~]# ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca" -W -x
>> Enter LDAP Password:
>> dn: cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca
>> changetype: modrdn
>> newrdn: uid=19000
>> deleteoldrdn: 0
>>
>> modifying rdn of entry "cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=xxxx,dc=abc,dc=ca"
>> ldap_rename: Server is unwilling to perform (53)
>>     additional info: Renaming a managed entry is not allowed. It needs to be manually unlinked first.
>>
>> (19000 is just an unused uid)
>>
>> Would this be because of the private group associated with the user?
>>
>> How do I unlink the entry? Would I use the following?
>> ipa group-detach userxyz
>
> Yes, see https://fedorahosted.org/freeipa/ticket/75
>
>>
>> Thanks again for all your help!
>> -Ron
>>
>> On 09/04/2014 02:48 AM, Martin Kosek wrote:
>>> Ah, ok. As Rob advised, you will need to delete it via ldapdelete CLI or via any LDAP GUI application of choice.
>>>
>>> BTW, this is upstream ticket tracking better means to resolve replication conflicts:
>>> https://fedorahosted.org/freeipa/ticket/1025
>>>
>>> Martin
>>>
>>> On 09/03/2014 10:44 PM, Ron wrote:
>>>> By the way, all three replica servers show the same:
>>>>
>>>> [root@ipa]# ipa user-find --all --raw --login phys210e | grep dn:
>>>> dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>>
>>>> [root@ipa01]# ipa user-find --all --raw --login phys210e | grep dn:
>>>> dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>>
>>>> [root@ipa02]# ipa user-find --all --raw --login phys210e | grep dn:
>>>> dn: nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=xxxx,dc=abc,dc=ca
>>>>

--
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C. V6T 1Z1
Phone: (604) 838-6437
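
Added example, not part of the original thread and not FreeIPA code: a small Python checker that flags the replication-conflict DN shape quoted in the messages above (an `nsuniqueid=...` value joined with `+` to the entry's normal RDN) and derives the DN the entry was meant to have. The function names and the `dc=example,dc=test` sample DNs are constructed for illustration; DN values quoted with double quotes are not handled.

```python
import re

# nsuniqueid values in the thread are four hyphen-separated groups of 8 hex digits.
NSUNIQUEID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{8}){3}$", re.I)

def split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators inside their part."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])   # keep the escape pair intact
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts

def conflict_info(dn):
    """Return (nsuniqueid, intended_dn) if the leading RDN is a conflict RDN, else None."""
    rdns = split_unescaped(dn.strip(), ",")
    uid, rest = None, []
    for ava in (a.strip() for a in split_unescaped(rdns[0], "+")):
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == "nsuniqueid" and NSUNIQUEID.match(value.strip()):
            uid = value.strip()
        else:
            rest.append(ava)
    if uid is None or not rest:
        return None   # ordinary entry, or an RDN made of nsuniqueid alone
    return uid, ",".join(["+".join(rest)] + [r.strip() for r in rdns[1:]])

def find_conflicts(dns):
    """Map each conflict DN to its (nsuniqueid, intended_dn) pair."""
    return {dn: info for dn in dns if (info := conflict_info(dn))}

# Constructed sample input modelled on the DN shapes quoted in the thread.
SAMPLE = [
    "nsuniqueid=ef3d3a81-2e3111e4-8c13b928-a98b9061+uid=phys210e,cn=users,cn=accounts,dc=example,dc=test",
    "cn=userxyz+nsuniqueid=62c9c682-32ce11e4-8c13b928-a98b9061,cn=groups,cn=accounts,dc=example,dc=test",
    "uid=admin,cn=users,cn=accounts,dc=example,dc=test",
]

if __name__ == "__main__":
    for dn, (uid, intended) in find_conflicts(SAMPLE).items():
        print(f"conflict {uid}: {dn}\n  intended DN: {intended}")
```

Feeding it the `dn:` lines collected from each replica gives a list to review before deleting anything with an LDAP client.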
