
DSA is unwilling to perform deleting subtree

Technote (troubleshooting)


This technote shows how to debug a condition that may prevent removing a subtree using ldapdelete -s.


When trying to delete a subtree with (ids)ldapdelete -D <admin_dn> -w ? -s <subtree>, error 53 is returned: "DSA is unwilling to perform".


The server will not delete any subtrees if there are any nested replication contexts.

Diagnosing the problem

To diagnose the issue, collect a dynamic ASCII server trace:

a. idsldaptrace -D <admin_dn> -w ? -p <ldap_port> -a <admin_port> -l on -t start -m 65535 -o /tmp/server_trace.out

b. Attempt to delete the subtree with idsldapdelete -D <admin_dn> -w ? -s <subtree>

c. idsldaptrace -D <admin_dn> -w ? -p <ldap_port> -a <admin_port> -l off -t stop

Once we had the trace file, we could see the following message in the server trace:

061:18:43:24 T2314 K659627 anyNestedSubtree:internal search returns more than 1 replctxt with base=o=sample

Resolving the problem

Perform the following search:

idsldapsearch -D <admin_dn> -w ? -b <subtree> objectclass=ibm-replicationContext

If one or more DNs are returned, perform a delete on each DN. Once the replication contexts are removed, the subtree delete (idsldapdelete -s) can be used successfully to remove the entire subtree.
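
The search step above, as an added shell example that is not part of the IBM technote: it extracts the returned DNs from LDIF output and lists them deepest first, so the delete list can be reviewed before anything is removed. It assumes the search is run with the -L (LDIF) option of idsldapsearch; the function name replctx_delete_order, the dns.txt file and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): derive a reviewable delete order from the
# LDIF output of the replication-context search.
# Assumed invocation, using the -L (LDIF output) option of idsldapsearch:
#   idsldapsearch -L -D <admin_dn> -w ? -b <subtree> \
#       objectclass=ibm-replicationContext | replctx_delete_order > dns.txt

# Reads LDIF on stdin; prints one DN per line, deepest entry first.
# Returns 1 if a base64 DN ("dn:: ") was skipped and needs manual decoding.
replctx_delete_order() {
  rdo_rc=0
  rdo_out=$(awk '
    function emit(   t, n) {
      if (dn == "") return
      t = dn
      gsub(/\\./, "", t)            # ignore escaped characters such as "\,"
      n = gsub(/,/, ",", t) + 1     # depth = number of RDNs
      printf "%d\t%s\n", n, dn
      dn = ""
    }
    /^ /     { if (dn != "") dn = dn substr($0, 2); next }  # folded line
             { emit() }
    /^dn:: / { bad = 1; next }
    /^dn: /  { dn = substr($0, 5) }
    END      { emit(); exit bad + 0 }
  ') || rdo_rc=$?
  [ -n "$rdo_out" ] && printf '%s\n' "$rdo_out" |
    LC_ALL=C sort -t "$(printf '\t')" -k1,1nr | cut -f2-
  return "$rdo_rc"
}

# Constructed sample output: the base o=sample plus two nested contexts, one
# with an escaped comma in its DN and one folded across two lines.
sample_ldif() {
  cat <<'EOF'
dn: o=sample
objectclass: ibm-replicationContext

dn: ou=east\, region,ou=sites,o=sample
objectclass: ibm-replicationContext

dn: cn=very long name,ou=apps,ou=sit
 es,o=sample
objectclass: ibm-replicationContext
EOF
}

sample_ldif | replctx_delete_order
```

Review the resulting list, delete each DN as described above, and then retry idsldapdelete -s on the subtree.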

Document information

More support for: IBM Security Directory Server

Software version: 6.0, 6.1, 6.2, 6.3, 6.3.1

Operating system(s): Platform Independent

Reference #: 1470129

Modified date: 2015-01-05