Frank, I agree with you that it should not be possible. Unfortunately, the idsbulkload documentation makes it very clear that, to perform efficiently, it doesn't check for duplicates before adding entries. So, as counterintuitive as it may seem to any LDAP administrator who thinks that DN is the unique value, you unfortunately can do it. It also leads to a mess as you can't use LDAP delete commands to delete the duplicates. I tried. The server hung, then idsldapmodify responded with "DSA has timed out." Worse yet, these entries are group entries. If I try to remove a user who's in one of those groups, it won't remove the user. The user isn't duplicated, but the server is trying to remove the user from the member attribute of the duplicated entry, but only one of the duplicates has "member" attributes. So, trying to delete the user's entry from my directory tree results in "no such attribute".
Dave, I did open a support case yesterday. IBM support says it should be doable using the ISVD web administration console. I'm getting it up and running then working with support to hopefully resolve this. Seems to me that there should be a db2 way to do this, but perhaps it's much more complicated?
Thanks, all.
Keith
------------------------------
Keith Wessel
------------------------------
Original Message:
Sent: Tue July 23, 2024 06:46 AM
From: Frank Tate
Subject: Getting rid of duplicate entries without dropping the instance
Hi Keith,
I think you may be reading something wrong in your ldapsearch output. AFAIK, it is impossible for two entries to have the same DN. It's like two files having the exact same full path - it should not be possible; that one path points to the same file. Can you post your ldapsearch output (redacted appropriately, of course) for those entries?
If you can't post your ldapsearch output, you might be able to poke around the DB2 database itself to look for these entries. There's an LDAP_ENTRY table that maps EID to DN, and there's an IBMENTRYUUID table that maps EID to a UUID. And then there is one table for each attribute, where each one of those tables has an EID column that refers to the same EID as LDAP_ENTRY and IBMENTRYUUID. I have had success in the past manually deleting entries using this data, but I'm pretty sure it's not supported.
Frank
------------------------------
Frank Tate
Gulfsoft Consulting
https://www.gulfsoft.com
Original Message:
Sent: Sat July 20, 2024 12:30 PM
From: Keith Wessel
Subject: Getting rid of duplicate entries without dropping the instance
Hi, all,
I discovered yesterday that a previous idsbulkload had created a couple of duplicate entries in my LDAP instance. Yes, I know that the documentation specifically says to make sure your LDIF doesn't contain duplicates as the command doesn't check. From now on, I'm an idsldif2db guy for small jobs. Thankfully, it's only two entries; on my test instance, each of those two entries exists three times, and on my prod instance, they exist twice. From the output of ldapsearch, they have the same DN, cn, and objectclass, but only one of each set of entries contains additional data.
I'd really, really, REALLY like to avoid dropping and re-creating the instance. It's not hard. It's just a production outage that I'd like to avoid. Is there any way, either at the ISVD level or at the DB2 level, that I can clean up the duplicates?
------------------------------
Keith Wessel
------------------------------
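
Because idsbulkload, as described in this thread, does not check its input for duplicates, one safeguard is to scan the LDIF for repeated DNs before loading it. The script below is an added example, not code from any poster or from IBM; the function names, sample DNs and sample LDIF are constructed, and the DN normalization is an approximation of directory matching rules.

```python
import base64
import re
from collections import defaultdict

def unfold(text):
    """Join RFC 2849 continuation lines (one leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def normalize_dn(dn):
    # Approximation (assumption): ignore case and whitespace around ',', '=' and '+'.
    return re.sub(r"\s*([,=+])\s*", r"\1", dn.strip()).lower()

def find_duplicate_dns(ldif_text):
    """Return {normalized DN: [1-based entry positions]} for DNs that occur more than once."""
    seen, entry_no = defaultdict(list), 0
    for line in unfold(ldif_text):
        m = re.match(r"dn(::?)\s*(.*)$", line, re.IGNORECASE)
        if m:
            entry_no += 1
            raw = m.group(2)  # "dn::" means the value is base64-encoded
            dn = base64.b64decode(raw).decode("utf-8") if m.group(1) == "::" else raw
            seen[normalize_dn(dn)].append(entry_no)
    return {dn: pos for dn, pos in seen.items() if len(pos) > 1}

# Constructed sample: two group DNs repeated (case/spacing variant, base64 variant), one folded DN.
B64_DN = base64.b64encode(b"cn=app-users,ou=groups,o=example").decode()
SAMPLE_LDIF = f"""dn: cn=app-admins,ou=groups,o=example
member: uid=alice,ou=people,o=example

dn: cn=app-users,ou=groups,o=example
member: uid=bob,ou=people,o=example

dn: CN=App-Admins, OU=Groups, O=Example
cn: app-admins

dn:: {B64_DN}

dn: cn=app-auditors,ou=gro
 ups,o=example
"""

if __name__ == "__main__":
    print(find_duplicate_dns(SAMPLE_LDIF))
```

A non-empty result means the file should be cleaned up before it goes anywhere near a loader that skips duplicate checks.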