Tested this again, making sure that dirsrv is not running, and the replica record is back.
I am obviously doing something wrong. My steps are below. I appreciate your time on this.

#
# check dirsrv is currently running
#
[root@ipa006 ~]# ps aux | grep dirsrv
dirsrv 3221639 31.4 5.4 2418488 883856 ? Ssl Apr24 322:04 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AD-companyx-FM -i /run/dirsrv/slapd-AD-companyx-FM.pid
root 3281205 0.0 0.0 6412 2204 pts/2 S+ 09:11 0:00 grep --color=auto dirsrv
#
# shutdown dirsrv
#
[root@ipa006 ~]# time systemctl stop dirsrv@AD-companyx-FM.service
real 10m0.130s
user 0m0.009s
sys 0m0.012s
#
# check dirsrv is not running 1
#
[root@ipa006 ~]# ps aux | grep dirsrv
root 3282962 0.0 0.0 6412 2244 pts/2 S+ 09:47 0:00 grep --color=auto dirsrv
#
# check dirsrv is not running 2
#
[root@ipa006 slapd-AD-companyx-FM]# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running
#
# go to right folder
#
[root@ipa006 ~]# cd /etc/dirsrv/slapd-AD-companyx-FM/
#
# make a backup just in case
#
[root@ipa006 slapd-AD-companyx-FM]# cp dse.ldif dse.ldif.nickx-25apr23
#
# edit ldif
#
[root@ipa006 slapd-AD-companyx-FM]# vi dse.ldif
#
# remove this record. Hoping it's the right thing to do.
#
dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
 ce\2Cdc\3Dfm,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
nsDS5ReplicaPort: 389
nsds5replicaTimeout: 300
nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
creatorsName: cn=IPA Topology Configuration,cn=plugins,cn=config
modifiersName: cn=IPA Topology Configuration,cn=plugins,cn=config
createTimestamp: 20230425095140Z
modifyTimestamp: 20230425095140Z
#
# check no records exist in dse.ldif
#
[root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
[root@ipa006 slapd-AD-companyx-FM]#
[root@ipa006 slapd-AD-companyx-FM]# time systemctl start dirsrv@AD-companyx-FM.service
real 0m12.343s
user 0m0.006s
sys 0m0.007s
#
# Look in logs
#
Apr 25 09:51:51 ipa006.ad.companyx.fm ns-slapd[3283119]: [25/Apr/2023:09:51:51.484197325 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm" (bad_serverdc:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
#
# check dse.ldif again - find entry is back !
#
[root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm
#
# scratch head and ponder life, the universe and everything
#