and on replica3 do a search -b "cn=config"
"objectclass=nsds5replicationagreement"
$ ldapsearch -LLL -b "cn=config"
"objectclass=nsds5replicationagreement" -D "cn=Directory Manager" -w
'<password>'
dn:
cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam
\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: f22replica3.bagam.net-to-f22replica1.bagam.net
nsDS5ReplicaHost: f22replica1.bagam.net
nsDS5ReplicaPort: 389
nsds5replicaTimeout: 300
nsDS5ReplicaRoot: dc=bagam,dc=net
description: f22replica3.bagam.net to f22replica1.bagam.net
ipaReplTopoManagedAgreementState: managed agreement - generated by
topology pl
ugin
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in
ternalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617151930Z
nsds5replicaLastUpdateEnd: 20150617151930Z
nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA=
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
dn:
cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping
tree,cn=config
cn: meTof22master.bagam.net
description: me to f22master.bagam.net
ipaReplTopoManagedAgreementState: managed agreement - controlled by
topology p
lugin
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaHost: f22master.bagam.net
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=bagam,dc=net
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 557fdff1000000040000
nsds50ruv: {replica 4 ldap://f22master.bagam.net:389}
557fdffc000100040000 558
00f44000300040000
nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389}
55800e1b000000060000 5
5800f44000400060000
nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389}
557fed70000000050000 5
5800553000300050000
nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389}
557fdffa000000030000 5
58009b4000200030000
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in
ternalModifyTimestamp
nsds5replicaTimeout: 120
nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389}
00000000
nsruvReplicaLastModified: {replica 6
ldap://f22replica3.bagam.net:389} 0000000
0
nsruvReplicaLastModified: {replica 5
ldap://f22replica2.bagam.net:389} 0000000
0
nsruvReplicaLastModified: {replica 3
ldap://f22replica1.bagam.net:389} 0000000
0
objectClass: nsds5replicationagreement
objectClass: top
objectClass: ipaReplTopoManagedAgreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617151930Z
nsds5replicaLastUpdateEnd: 20150617151930Z
nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA=
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
dn:
cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipac
a,cn=mapping tree,cn=config
cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-f22replica3.bagam.
net-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
RERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbV
J4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ==
nsDS5ReplicaHost: f22master.bagam.net
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 557fe04c000000600000
nsds50ruv: {replica 96 ldap://f22master.bagam.net:389}
557fe05b000000600000 55
800ea7000000600000
nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389}
55800eb4000000560000
55800eb6000200560000
nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389}
557fede80000005b0000
557fedea0002005b0000
nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389}
557fe06c000000610000
557fe326000000610000
nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389}
00000000
nsruvReplicaLastModified: {replica 86
ldap://f22replica3.bagam.net:389} 000000
00
nsruvReplicaLastModified: {replica 91
ldap://f22replica2.bagam.net:389} 000000
00
nsruvReplicaLastModified: {replica 97
ldap://f22replica1.bagam.net:389} 000000
00
objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617150850Z
nsds5replicaLastUpdateEnd: 20150617150850Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
would like to see the raw data.
It reproduces though even in a situation with the topology
replica3 <-> master <-> replica1 <-> replica2 and you disable the
replica1-replica2 segment on replica3 (quite expectedly)
and disable one of the segments, one would expect the changes
implemented on master would not be replicated to other nodes
(or do I misunderstand the concept of disabling a segment?).
However, in reality any changes in master do get replicated
despite the segment is disabled.
Is it a correct behavior?
The second question is: if disabled segments should not let the
changes through, then we probably should implement a check for
topology disconnection in similar way as `ipa
topologysegment-del` does. I mean, whenever a user tries to
disable a segment, the plugin should probably check whether it
disconnects any of the nodes.
well, I think disabling should be temporary, you want to
disconnect for some time. eg for debugging, not deleting the
agreement completely, I would allow this.