Harikumar Krishnan via FreeIPA-users wrote:
> Howdy folks,
>
> We also have a similar issue. Some servers in our IPA topology show ghost
> replicas and it comes down to an entry like the following for an old replica
> which no longer exists
>
> $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=DICOMP,dc=NET
> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Ddicomp\2Cdc\3Dnet,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDNGroup: cn=replication
> managers,cn=sysaccounts,cn=etc,dc=dicomp,dc=net
> nsDS5ReplicaBindDnGroupCheckInterval: 60
> nsDS5ReplicaId: 11
> nsDS5ReplicaName: 13387f82-373b11eb-a1r2gff0-4sda870
> nsDS5ReplicaRoot: dc=dicomp,dc=net
> nsDS5ReplicaType: 3
> nsState:: CwAAAAAAAABzzalmAAAAAAAAAAAAAAAAUpEAAAAAAAALAAAAAAAAAA==
> nsds5ReplicaBackoffMax: 300
> nsds5ReplicaLegacyConsumer: off
> nsds5ReplicaReleaseTimeout: 60
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleobject
> nsds50ruv: {replicageneration} 5fc9ab2e000000040000
> nsds50ruv: {replica 11 ldap://camper26.dicomp.net:389} 5fcbf1fa0000000b0000
> 66aa5
> edc0000000b0000
> nsds50ruv: {replica 3 ldap://camper21.dicomp.net:389} 5fc9ab34000000030000
> 66aa53c
> e000100030000
> nsds50ruv: {replica 5 ldap://camper23.dicomp.net:389} 5fc9b44b000000050000
> 66aa58
> d0000000050000
> nsds50ruv: {replica 10 ldap://camper24.dicomp.net:389} 5fc9c7650000000a0000
> 66aa5
> 3d10004000a0000
> nsds50ruv: {replica 33 ldap://ipa.dicomp.net:389} 626998ac000100210000
> 66aa5af1
> 000100210000
> nsds50ruv: {replica 45 ldap://az1-iparepl-01.dicomp.net:389}
> 629644dc0001002d00
> 00 66aa58960000002d0000
> nsds50ruv: {replica 46 ldap://au1-compca-01.dicomp.net:389}
> 6297aca50002002e0000
> 66aa59130003002e0000
> nsds50ruv: {replica 48 ldap://nz1-freeipa-backup.dicomp.net:389}
> 62c8635e000200
> 300000 66aa4991000800300000
> nsds50ruv: {replica 56 ldap://in1-iparepl-01.dicomp.net:389}
> 667aa1b90001003800
> 00 66aa553d000000380000
> nsds50ruv: {replica 57 ldap://camper27.dicomp.net:389} 667bac3f000100390000
> 66aa5
> 547000000390000
> nsds50ruv: {replica 60 ldap://camper25.dicomp.net:389} 667cf5c50000003c0000
> 66aa5a
> e00000003c0000
> nsds50ruv: {replica 63 ldap://camper22.dicomp.net:389} 667d3ec50001003f0000
> 66aa
> 5d720000003f0000
> nsds50ruv: {replica 64 ldap://nz1-compca-01.dicomp.net:389}
> 668e3565000100400000
> 66aa5d7e000000400000
> nsds5agmtmaxcsn:
> dc=dicomp,dc=net;camper26.dicomp.net-to-camper27.dicomp.net;camper27.dicomp.net;389;57;66aa55c00000000b0000
> nsds5agmtmaxcsn:
> dc=dicomp,dc=net;camper26.dicomp.net-to-in1-iparepl-01.dicomp.net;
> in1-iparepl-01.dicomp.net;389;56;66aa55c00000000b0000
> nsruvReplicaLastModified: {replica 11 ldap://camper26.dicomp.net:389} 66a9cd8a
> nsruvReplicaLastModified: {replica 3 ldap://camper21.dicomp.net:389} 66a9c27f
> nsruvReplicaLastModified: {replica 5 ldap://camper23.dicomp.net:389} 66a9c780
> nsruvReplicaLastModified: {replica 10 ldap://camper24.dicomp.net:389} 66a9c281
> nsruvReplicaLastModified: {replica 33 ldap://ipa.dicomp.net:389} 66a9c9a4
> nsruvReplicaLastModified: {replica 45 ldap://az1-iparepl-01.dicomp.net:389}
> 66a
> 9c745
> nsruvReplicaLastModified: {replica 46 ldap://au1-compca-01.dicomp.net:389}
> 66a9c
> 7c5
> nsruvReplicaLastModified: {replica 48
> ldap://nz1-freeipa-backup.dicomp.net:389}
> 66a9c306
> nsruvReplicaLastModified: {replica 56 ldap://in1-iparepl-01.dicomp.net:389}
> 66a
> 9c3eb
> nsruvReplicaLastModified: {replica 57 ldap://camper27.dicomp.net:389} 66a9c3f5
> nsruvReplicaLastModified: {replica 60 ldap://camper25.dicomp.net:389} 66a9c990
> nsruvReplicaLastModified: {replica 63 ldap://camper22.dicomp.net:389} 66a9cc21
> nsruvReplicaLastModified: {replica 64 ldap://nz1-compca-01.dicomp.net:389}
> 66a9c
> c63
> nsruvReplicaLastModified: {replica 52} 66a9cd67
> nsds5ReplicaChangeCount: 117369
> nsds5replicareapactive: 0
>
> This one
> nsruvReplicaLastModified: {replica 52} 66a9cd67
>
> does not have an associated nsds50ruv associated with it so removal via other
> tool does not work.
>
> Trying to remove them via an LDAP modify too fails with an error
> additional info: Deletion of nsruvReplicaLastModified attribute is not allowed
>
> Any help on getting these records to vanish is very much appreciated as it's
> causing cipa to believe there are ghost replicas.
> Looking at the cipa code tells me that it's looking for entries for replica
> without an associated LDAP url to count towards ghost replicas.

You didn't say what you tried and how it failed. Either cleanruv or cleanallruv should do the trick.

rob
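
The condition described in the quoted message (an `nsruvReplicaLastModified` value with no LDAP URL and no matching `nsds50ruv` value) can be checked offline against saved `ldapsearch -LLL` output. This is an added example, not code from the thread or from cipa; the function names, the sample hostnames and the sample entry are constructed assumptions.

```python
import re

# "{replica <id> ldap://host:port}" or "{replica <id>}" (URL missing).
RUV_ELEM = re.compile(r"\{replica (\d+)(?: (ldaps?://[^}\s]+))?\}")

def unfold(ldif_text):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def ruv_elements(lines, attr):
    """Return {replica_id: url_or_None} for every value of one attribute."""
    found = {}
    prefix = attr.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            m = RUV_ELEM.search(line)
            if m:  # the {replicageneration} value does not match and is skipped
                found[int(m.group(1))] = m.group(2)
    return found

def orphaned_replica_ids(ldif_text):
    """IDs in nsruvReplicaLastModified with no URL or no nsds50ruv value."""
    lines = unfold(ldif_text)
    ruv = ruv_elements(lines, "nsds50ruv")
    last_mod = ruv_elements(lines, "nsruvReplicaLastModified")
    return sorted(rid for rid, url in last_mod.items()
                  if url is None or rid not in ruv)

# Constructed sample in the shape of the entry quoted above (hosts are made up).
SAMPLE = """\
dn: cn=replica,cn=example,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5fc9ab2e000000040000
nsds50ruv: {replica 11 ldap://ipa1.example.test:389} 5fcbf1fa0000000b0000 66aa5
 edc0000000b0000
nsds50ruv: {replica 3 ldap://ipa2.example.test:389} 5fc9ab34000000030000 66aa53ce000100030000
nsruvReplicaLastModified: {replica 11 ldap://ipa1.example.test:389} 66a9cd8a
nsruvReplicaLastModified: {replica 3 ldap://ipa2.example.test:389} 66a9c27f
nsruvReplicaLastModified: {replica 52} 66a9cd67
"""

if __name__ == "__main__":
    print(orphaned_replica_ids(SAMPLE))
```
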