[Freeipa-users] User removed from IPA but still present in LDAP, so cannot add him again in IPA web UI

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 1 14:33:11 UTC 2015


On Thu, 01 Oct 2015, Fujisan wrote:
>Hello,
>
>I want to add user 'user1' with the freeipa web UI. It is not present in
>the list of users in the web UI but when I click "add", it says 'user with
>name "user1" already exists'.
>
>ldapsearch shows 'user1' is there:
>---------------------------------------------------------------
>$ ldapsearch -x -h ipasrv uid=user1
># extended LDIF
>#
># LDAPv3
># base <dc=mydomain> (default) with scope subtree
># filter: uid=user1
># requesting: ALL
>#
>
># user1, users, compat, mydomain
>dn: uid=user1,cn=users,cn=compat,dc=mydomain
>objectClass: posixAccount
>objectClass: top
>cn: user one
>gidNumber: 1029
>gecos: user one
>uidNumber: 1029
>loginShell: /bin/bash
>homeDirectory: /home/user1
>uid: user1
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>---------------------------------------------------------------
>
>and ldapdelete doesn't work:
>---------------------------------------------------------------
>$ ldapdelete -x -h ipasrv 'uid=user1,cn=users,cn=compat,dc=mydomain'
>ldap_delete: No such object (32)
>    matched DN: dc=mydomain
>---------------------------------------------------------------
>
>How can I remove 'user1' completely?

The compat tree (cn=compat,dc=mydomain) is a read-only tree which is
generated based on the primary tree (in cn=accounts,dc=mydomain).

If there is no entry in the primary tree, there wouldn't be any entry in
the compat tree because it only adds (or removes) entries based on their
existence in the primary tree.

What I see looks like a replication conflict that might have left an
entry named
  uid=user1+nsuniqueid=<something>,cn=users,cn=accounts,dc=mydomain
and which caused creation of this compat tree entry.

Can you show the output of
  ldapsearch -D cn=directory\ manager -W -b cn=accounts,dc=mydomain '(uid=user1*)'
?
-- 
/ Alexander Bokovoy
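
Added example, not part of the original message: a Python helper that scans LDIF output from a search like the one requested above and reports entries whose leading RDN contains nsuniqueid, the conflict-entry naming the reply describes. The sample LDIF and its nsuniqueid value are constructed; the extra check for the nsds5ReplConflict attribute is an addition based on how 389 Directory Server marks conflict entries, and that attribute is operational, so it only appears in output when it is requested explicitly.

```python
import base64
import re

# Constructed sample shaped like ldapsearch output; not taken from the thread.
SAMPLE_LDIF = """\
# user2, users, accounts, mydomain
dn: uid=user2,cn=users,cn=accounts,dc=mydomain
uid: user2

# conflict entry; ldapsearch folds the long DN onto a continuation line
dn: uid=user1+nsuniqueid=0a1b2c3d-4e5f6071-8293a4b5-c6d7e8f9,cn=users,cn=accou
 nts,dc=mydomain
uid: user1
nsds5ReplConflict: namingConflict uid=user1,cn=users,cn=accounts,dc=mydomain
"""

# nsuniqueid as one component of a multi-valued RDN (ignores an escaped '\+').
NSUNIQUEID_RDN = re.compile(r"(?:^|(?<!\\)\+)nsuniqueid=", re.IGNORECASE)


def parse_ldif(text):
    """Return [(dn, attrs)] with folded lines joined and 'attr::' values decoded."""
    unfolded = re.sub(r"\n ", "", text)  # RFC 2849: a continuation starts with one space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:  # blocks without a dn (search result trailer) are skipped
            entries.append((dn, attrs))
    return entries


def find_conflicts(text):
    """DNs whose first RDN carries nsuniqueid, or that have nsds5ReplConflict set."""
    hits = []
    for dn, attrs in parse_ldif(text):
        first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
        if NSUNIQUEID_RDN.search(first_rdn) or "nsds5replconflict" in attrs:
            hits.append(dn)
    return hits
```

An ordinary compat-tree entry such as the one in the question is not reported, because its RDN is a plain uid=user1.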