On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin <kper...@doctorondemand.com> wrote:
> On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin <kper...@doctorondemand.com>
> wrote:
>> Thanks for the reply Rob.
>>
>> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Kim Perrin wrote:
>>>> Hello all,
>>>>
>>>> For nearly 2 years I've been running a FreeIPA 3 (currently 3.0.0-42)
>>>> environment. We've had 2 masters since the start. Several replicas
>>>> have had problems that required me to remove them. I've removed them
>>>> all (except the very last one) by running 'ipa-server-install
>>>> --uninstall' and then 'ipa-replica-manage clean-ruv'. The latest
>>>> replica I tried to remove failed on both commands. On further
>>>> inspection I see all the previous replicas have orphaned entries in
>>>> the LDAP db. How do I remove all the entries? (I've listed the
>>>> entries below.) Is this process safe (in what is currently a single
>>>> IPA server environment)? Note, I've seen one of the necessary
>>>> LDIFs that can be 'run' to remove the entries -- I just don't
>>>> understand how to run an LDIF.
>>>
>>> You're skipping the step of ipa-replica-manage del <master-to-remove>?
>>> That should do most of this cleanup for you.
>>
>> I did run 'ipa-replica-manage del <master-to-remove>' for all these as well.
>>
>>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>>> lacks the RUV commands.

On using the 'ipa-csreplica-manage' command to remove the CAs, the del option
failed with "Unable to delete replica noc3-prd.companyz.com: Can't contact LDAP
server", and failed with the same response for a couple of other listed servers
as well.

>>>
>>> rob
>>>
>>>> Relevant entries -
>>>>
>>>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
>>>> sub -b cn=config objectclass=nsds5replica
>>>> Enter LDAP Password:
>>>> dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
>>>> cn: replica
>>>> nsDS5Flags: 1
>>>> objectClass: top
>>>> objectClass: nsds5replica
>>>> objectClass: extensibleobject
>>>> nsDS5ReplicaType: 3
>>>> nsDS5ReplicaRoot: dc=companyz,dc=com
>>>> nsds5ReplicaLegacyConsumer: off
>>>> nsDS5ReplicaId: 4
>>>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>>>> nsDS5ReplicaBindDN:
>>>> krbprincipalname=ldap/noc2prd.companyz....@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>>> nsDS5ReplicaBindDN:
>>>> krbprincipalname=ldap/util1prd.companyz....@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>>> nsDS5ReplicaBindDN:
>>>> krbprincipalname=ldap/noc3prd.companyz....@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>>> nsDS5ReplicaBindDN:
>>>> krbprincipalname=ldap/noc4prd.companyz....@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>>> nsState:: BAAAAAAAAABlZwhVAAAAAAAAAAAAAAAADgAAAAAAAAAFAAAAAAAAAA==
>>>> nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
>>>> nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
>>>> nsds5ReplicaChangeCount: 682699
>>>> nsds5replicareapactive: 0
>>>>
>>>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
>>>> o=ipaca
>>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>>> -p 7389 -h noc1-prd
>>>> Enter LDAP Password:
>>>> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
>>>> objectClass: top
>>>> objectClass: nsTombstone
>>>> objectClass: extensibleobject
>>>> nsds50ruv: {replicageneration} 5317a449000000600000
>>>> nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
>>>> 600000 550878b9000000600000
>>>> nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
>>>> 470000 531ce069000300470000
>>>> nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde8000000
>>>> 4c0000 53f659500004004c0000
>>>> nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf216000000
>>>> 510000 531bf265000100510000
>>>> nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a3222000000
>>>> 560000 531a3256000400560000
>>>> nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf000000
>>>> 5b0000 531949920000005b0000
>>>> nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
>>>> 0610000 5317a48a000100610000
>>>> o: ipaca
>>>> nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
>>>> 550878ab
>>>> nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
>>>> 00000000
>>>> nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
>>>> 00000000
>>>> nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
>>>> 00000000
>>>> nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
>>>> 00000000
>>>> nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
>>>> 00000000
>>>> nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
>>>> } 00000000
>>>>
>>>> -- and here is an example LDIF to remove the last record listed above -
>>>>
>>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>>> changetype: modify
>>>> replace: nsds5task
>>>> nsds5task: CLEANRUV97
>>>
>>> That doesn't look right. It should look like:
>>>
>>> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
>>> changetype: add
>>> objectclass: top
>>> objectclass: extensibleObject
>>> replica-base-dn: dc=companyz,dc=com
>>> replica-id: 97
>>> cn: clean 97
>>>
>>> Be careful which RUV you remove. You only want to remove those that are
>>> no longer active.
>>
>> Thanks for the additional spec on the LDIF, though I still don't
>> understand how to run this. Is there somewhere you can point me to
>> with example commands to run such LDIFs?
>
> I figured out how to enter the ldif changes.
>
>> -Kim
>>>
>>> rob
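The two things the thread leaves implicit are how to turn the RUV tombstone above into the CLEANALLRUV task entries Rob describes, and how to make sure "be careful which RUV you remove" is enforced rather than eyeballed. The script below is an added example, not code from the thread, FreeIPA or 389-ds: it parses the `o=ipaca` RUV exactly as ldapsearch printed it (including LDIF line folding, where a continuation line starts with one space), lists every replica ID with its host and CSNs, and emits one task entry in Rob's format for each ID whose host is not on an operator-supplied list of servers still in service. It refuses to build a task for a live host's ID. The live-host list (`noc1-prd.companyz.com`, the one server left in the thread) and the sample input are constructed from the quoted output; the base DN is a parameter because a CLEANALLRUV task is tied to the suffix whose RUV it cleans, so for the RUV shown, which was read from `o=ipaca` on the CA instance (port 7389 in this deployment), that suffix and instance are the ones that matter.

```python
# Added example (not FreeIPA's or 389-ds's own code): parse a RUV tombstone as
# ldapsearch prints it, list the replica IDs, and emit CLEANALLRUV task entries
# only for IDs that belong to hosts no longer in service.
import re

# Constructed sample: the o=ipaca RUV from the thread (nsruvReplicaLastModified
# trimmed to two entries), with ldapsearch's LDIF line folding kept as printed.
SAMPLE_RUV_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: nsTombstone
nsds50ruv: {replicageneration} 5317a449000000600000
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
 600000 550878b9000000600000
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
 470000 531ce069000300470000
nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde8000000
 4c0000 53f659500004004c0000
nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf216000000
 510000 531bf265000100510000
nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a3222000000
 560000 531a3256000400560000
nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf000000
 5b0000 531949920000005b0000
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
 0610000 5317a48a000100610000
o: ipaca
nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
 550878ab
nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
 } 00000000
"""

# {replica <id> ldap://<host>:<port>} <csn> [<csn>]; the space after "}" may
# have been lost to trailing-whitespace stripping, so it is optional here.
RUV_RE = re.compile(r"\{replica (\d+) ldap://([^:/}]+):(\d+)\}\s*(\S+)(?:\s+(\S+))?")


def unfold_ldif(text):
    """Undo LDIF folding: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_ruv(text):
    """Return {replica_id: element dict} from nsds50ruv and nsruvReplicaLastModified."""
    elems = {}
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr not in ("nsds50ruv", "nsruvreplicalastmodified"):
            continue
        m = RUV_RE.search(value)
        if not m:  # {replicageneration} carries no replica ID
            continue
        rid, host, port, first, second = m.groups()
        el = elems.setdefault(int(rid), {"rid": int(rid), "host": host.lower(), "port": int(port),
                                         "min_csn": "", "max_csn": "", "last_modified": ""})
        if attr == "nsds50ruv":
            el["min_csn"], el["max_csn"] = first, second or ""
        else:
            el["last_modified"] = first
    return elems


def stale_replica_ids(elems, live_hosts):
    """Replica IDs whose host is not on the operator's list of servers still in service."""
    live = {h.lower() for h in live_hosts}
    return sorted(rid for rid, el in elems.items() if el["host"] not in live)


def cleanallruv_ldif(rid, base_dn, elems, live_hosts):
    """CLEANALLRUV task entry (Rob's format) for one replica ID on the given suffix.
    Refuses an ID that is unknown or still belongs to a live server."""
    if rid not in elems or elems[rid]["host"] in {h.lower() for h in live_hosts}:
        raise ValueError(f"replica id {rid} is unknown or still in service; refusing")
    return "\n".join([
        f"dn: cn=clean {rid},cn=cleanallruv,cn=tasks,cn=config",
        "changetype: add",
        "objectclass: top",
        "objectclass: extensibleObject",
        f"replica-base-dn: {base_dn}",
        f"replica-id: {rid}",
        f"cn: clean {rid}",
    ]) + "\n"


if __name__ == "__main__":
    ruv = parse_ruv(SAMPLE_RUV_LDIF)
    live = ["noc1-prd.companyz.com"]  # the one server still in service in the thread
    for el in sorted(ruv.values(), key=lambda e: e["rid"]):
        print(f"replica {el['rid']:3d} {el['host']}:{el['port']} max_csn={el['max_csn']}")
    # One task per stale ID, blank-line separated, so the whole output is one LDIF file.
    print("\n".join(cleanallruv_ldif(r, "o=ipaca", ruv, live) for r in stale_replica_ids(ruv, live)))
```

"Running" the resulting LDIF is a plain `ldapmodify` against the instance whose RUV was read, with the same bind and port flags Kim used for the ldapsearch, e.g. `ldapmodify -x -D "cn=directory manager" -W -h noc1-prd -p 7389 -f tasks.ldif`; `changetype: add` entries are created as they appear in the file. Run the same search afterwards to confirm the stale `{replica N ...}` elements are gone before trusting the replication topology again.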
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project