Dear all,

First of all, thanks to mbasti for helping out so far.

We have a 3-node master cluster (--setup-ca) on 4.1 and set up a 4th using 4.2.0, as we want to migrate there.

First, we had some orphan entries in ipa-replica-manage list. We removed those by manually removing the LDAP node + children in cn=etc,cn=ipa,cn=masters.

Then, we saw that there is still an orphan entry here:

    ldapsearch -xLLL -D "cn=directory manager" -W -b dc=uni,dc=lu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

In particular, there is one ghost entry for nsDS5ReplicaBindDN.

These are the details of:

    ldapsearch -x -D 'cn=directory manager' -W -b 'cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config'

    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat, csusers, config
    dn: cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers
     ,cn=config
    objectClass: top
    objectClass: person
    cn: Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat
    sn: manager
    userPassword:: **REMOVED** =

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

In addition, in the slapd error log, I periodically (every 5 mins) see the following errors:

    [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
    [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
    [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.

Could anybody help me to clean up the orphaned master replica (that is dead) and also tell if these attr_replace errors are related?

Thank you for your help in this,

Kind regards,
— Christophe