Hi,

so there are replication conflicts in the LDAP database. To find the conflicting entries, run the following commands on each server:

export BASEDN=<basedn value from /etc/ipa/default.conf>
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict

And then follow the guide *B.2. Identity Management Replicas* [1] in order to solve the conflicts.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#trouble-replica

On Tue, Jul 6, 2021 at 6:09 PM lejeczek via FreeIPA-users <[email protected]> wrote:

> On 06/07/2021 07:27, Florence Renaud wrote:
> > Hi,
> >
> > is the topology at domain level 1 or domain level 0?
> > # kinit admin
> > # ipa domainlevel-get
> >
> > If the level is 1, the right command in order to remove a
> > replica + ignore topology disconnect issues is
> > # kinit admin
> > # ipa server-del <hostname> --ignore-topology-disconnect
> >
> > The error "not allowed on non-leaf entry" means that the
> > command tried to delete an LDAP entry which has child
> > entries. You can have a look at the directory server logs
> > in /var/log/dirsrv/slapd-IPA-TEST/access and look for a
> > DEL operation which returned an error (something with
> > RESULT err=<value different from 0>).
> >
> > HTH,
> > flo
> >
>
> I cannot see any meaningful "DEL" in 'access' at/around the
> time of 'server-del' execution, though in 'errors'
> ...
> [06/Jul/2021:17:00:47.672237100 +0100] - ERR -
> ldbm_back_delete - conn=5935 op=244 Deleting entry
> cn=midway.ccnr.ceb.private.cam.ac.uk,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom
> has replication conflicts as children.
>
> many thanks, L
>
> > On Mon, Jul 5, 2021 at 10:45 PM lejeczek via FreeIPA-users
> > <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     Hi guys.
> >
> >     Two masters from which third got disconnected in a
> >     "dirty"
> >     manner.
> >
> >     -> $ ipa-replica-manage del midway.ccn.priv.dom
> >     Server removal aborted:
> >
> >     Replication topology in suffix 'domain' is disconnected:
> >     Topology does not allow server love.ccn.priv.dom to
> >     replicate with servers:
> >          midway.ccn.priv.dom
> >     Topology does not allow server midway.ccn.priv.dom to
> >     replicate with servers:
> >          love.ccn.priv.dom
> >          punch.ccn.priv.dom
> >     Topology does not allow server punch.ccn.priv.dom to
> >     replicate with servers:
> >          midway.ccn.priv.dom.
> >
> >     -> $ ipa topologysegment-find domain
> >     -----------------
> >     1 segment matched
> >     -----------------
> >        Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
> >        Left node: punch.ccn.priv.dom
> >        Right node: love.ccn.priv.dom
> >        Connectivity: both
> >     ----------------------------
> >     Number of entries returned 1
> >
> >     -> $ ipa-replica-manage del midway.ccn.priv.dom --force
> >     ipa: WARNING:
> >     /usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973:
> >     The subsystem in PKIConnection.__init__() has been
> >     deprecated
> >     (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes
> >     <https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes>).
> >     Updating DNS system records
> >     Not allowed on non-leaf entry
> >
> >     I've tried to 'reinitialize' but without success.
> >     Anybody care to share suggestions & thoughts?
> >     many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
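
Added example, not part of the thread or of FreeIPA: a small filter for the output of the ldapsearch command above that marks which conflict entries sit beneath the entry the errors log says "has replication conflicts as children". The helper name `conflicts_under`, the sample DNs and the nsuniqueid values are constructed for illustration, and it assumes ldapsearch was run with `-o ldif-wrap=no` so DNs are not folded.

```shell
#!/bin/sh
# Added example: classify conflict entries from ldapsearch LDIF output by whether
# they sit beneath the entry that refuses to be deleted.
# Assumes ldapsearch was run with "-o ldif-wrap=no" so each DN is on one line.

# Constructed sample output; hostnames, DNs and nsuniqueid values are made up.
sample_ldif() {
cat <<'EOF'
dn: cn=DNS+nsuniqueid=aaaa1111-bbbb2222-cccc3333-dddd4444,cn=replica3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
nsds5ReplConflict: namingConflict cn=dns,cn=replica3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test

dn: uid=jdoe+nsuniqueid=eeee5555-ffff6666-aaaa7777-bbbb8888,cn=users,cn=accounts,dc=example,dc=test
nsds5ReplConflict: namingConflict uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
EOF
}

# conflicts_under PARENT_DN  (hypothetical helper; LDIF on stdin)
# Prints: BLOCKING|other <TAB> conflict type <TAB> DN of the conflict entry
conflicts_under() {
  PARENT_DN="$1" awk '
    # Case-fold and drop spaces around commas so DNs compare reliably.
    function norm(s) { s = tolower(s); gsub(/[ \t]*,[ \t]*/, ",", s); return s }
    BEGIN { suffix = "," norm(ENVIRON["PARENT_DN"]) }
    /^dn:: / { dn = "(base64 DN, decode before use)"; next }
    /^dn: /  { dn = substr($0, 5); next }
    tolower($0) ~ /^nsds5replconflict: / {
      type = $2                       # first word of the value, e.g. namingConflict
      n = norm(dn)
      below = (length(n) > length(suffix) &&
               substr(n, length(n) - length(suffix) + 1) == suffix)
      printf "%s\t%s\t%s\n", (below ? "BLOCKING" : "other"), type, dn
    }
  '
}

sample_ldif | conflicts_under "cn=replica3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
```

Entries marked BLOCKING are the children that make the parent a non-leaf entry; the others are conflicts elsewhere in the tree that still need resolving per the guide.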
