This technote shows how to debug a condition that may prevent removing a subtree using ldapdelete -s.
When trying to delete a subtree with (ids)ldapdelete -D <admin_dn> -w ? -s <subtree>, error 53 is returned: "DSA is unwilling to perform".
The server will not delete any subtrees if there are any nested replication contexts.
Diagnosing the problem
To diagnose the issue, collect a dynamic ASCII server trace:
a. idsldaptrace -D <admin_dn> -w ? -p <ldap_port> -a <admin_port> -l on -t start -m 65535 -o /tmp/server_trace.out
b. Attempt to delete the subtree with idsldapdelete -D <admin_dn> -w ? -s <subtree>
c. idsldaptrace -D <admin_dn> -w ? -p <ldap_port> -a <admin_port> -l off -t stop
Once we had the trace file, we could see the following message in the server trace:
061:18:43:24 T2314 K659627 anyNestedSubtree:internal search returns more than 1 replctxt with base=o=sample
Resolving the problem
Perform the following search:
idsldapsearch -D <admin_dn> -w ? -b <subtree> objectclass=ibm-replicationContext
If one or more DNs are returned, perform a delete on each DN. Once the replication contexts are removed, the subtree delete (idsldapdelete -s) can be used successfully to remove the entire subtree.
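The trace check described above, as an added example that is not part of the original technote or IBM's tooling: it pulls the anyNestedSubtree message out of a server trace and prints this technote's idsldapsearch command for each affected base. The function names, the sample trace contents and the assumption that the base DN runs to the end of the trace line are illustrative.

```shell
#!/bin/sh
# Added example (not IBM code): find which subtree bases the server refused to
# delete because of nested replication contexts, using the trace message above.

# nested_ctx_bases TRACE_FILE -> "count<TAB>base" per distinct base, busiest first.
nested_ctx_bases() {
    [ -r "$1" ] || { echo "cannot read trace: $1" >&2; return 2; }
    # Cut everything up to "base="; the DN is assumed to run to end of line,
    # so DNs containing commas or spaces are kept whole.
    sed -n 's/^.*anyNestedSubtree:.*replctxt with base=//p' "$1" |
        tr -d '\r' |
        sed 's/[[:space:]]*$//' |
        awk '{ c[$0]++ } END { for (b in c) printf "%d\t%s\n", c[b], b }' |
        LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# search_cmds TRACE_FILE -> the technote's search command, one per base.
# <admin_dn> stays a placeholder; nothing is executed against the directory.
search_cmds() {
    nested_ctx_bases "$1" | cut -f2- | while IFS= read -r base; do
        printf 'idsldapsearch -D <admin_dn> -w ? -b "%s" objectclass=ibm-replicationContext\n' "$base"
    done
}

# Constructed sample trace: only the anyNestedSubtree line format comes from
# the technote; the filler line and the second base are made up.
make_sample_trace() {
    {
        printf '%s\n' '061:18:43:24 T2314 K659627 constructed filler line'
        printf '%s\n' '061:18:43:24 T2314 K659627 anyNestedSubtree:internal search returns more than 1 replctxt with base=o=sample'
        printf '%s\r\n' '061:18:43:30 T2314 K659630 anyNestedSubtree:internal search returns more than 1 replctxt with base=o=sample'
        printf '%s\n' '061:18:44:02 T2318 K659641 anyNestedSubtree:internal search returns more than 1 replctxt with base=ou=dept a,o=sample'
    } > "$1"
}

sample=${TMPDIR:-/tmp}/nested_ctx_sample.$$
make_sample_trace "$sample"
search_cmds "$sample"
rm -f "$sample"
```

An empty result means the trace does not contain the nested-context message, so the error 53 has some other cause than the one this technote covers.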