On 06/07/2021 17:23, Florence Renaud wrote:
Hi
so there are replication conflicts in the LDAP database.

To find the conflicting entries, run the following commands on each server:
export BASEDN=<basedn value from /etc/ipa/default.conf>
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict

And then follow the guide /B.2. Identity Management Replicas/ [1] in order to solve the conflicts.

HTH,
flo

I've found backups and thought I was lucky, yet, though restoration seems to work and I'm able to remove the missing master/replica with no "Not allowed on non-leaf entry" error, replication between the two existing masters seems to be "broken": data does not replicate.
If I try 'force-sync' I see, on the requesting master:
...
[09/Jul/2021:10:05:01.553662244 +0100] - ERR - NSMMReplicationPlugin - prot_notify_agmt_changed - Replication agreement for agmt="cn=punch.ccnr.ceb.private.cam.ac.uk-to-love.ccn.priv.dom" (love:389) could not be updated. For replication to take place, please enable the suffix and restart the server
...

Googling that did not get me much info. What is the issue here?
many thanks, L.


[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#trouble-replica

On Tue, Jul 6, 2021 at 6:09 PM lejeczek via FreeIPA-users <[email protected]> wrote:

    On 06/07/2021 07:27, Florence Renaud wrote:
    > Hi,
    >
    > is the topology at domain level 1 or domain level 0?
    > # kinit admin
    > # ipa domainlevel-get
    >
    > If the level is 1, the right command in order to remove a
    > replica + ignore topology disconnect issues is
    > # kinit admin
    > # ipa server-del <hostname> --ignore-topology-disconnect
    >
    > The error "not allowed on non-leaf entry" means that the
    > command tried to delete an LDAP entry which has child
    > entries. You can have a look at the directory server logs
    > in /var/log/dirsrv/slapd-IPA-TEST/access and look for a
    > DEL operation which returned an error (something with
    > RESULT err=<value different from 0>).
    >
    > HTH,
    > flo
    >
    >
    I cannot see any meaningful "DEL" in 'access' at/around the
    time of 'server-del' execution, though in 'errors'
    ...
    [06/Jul/2021:17:00:47.672237100 +0100] - ERR - ldbm_back_delete - conn=5935 op=244 Deleting entry cn=midway.ccnr.ceb.private.cam.ac.uk,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom has replication conflicts as children.

    many thanks, L

    > On Mon, Jul 5, 2021 at 10:45 PM lejeczek via FreeIPA-users
    > <[email protected]> wrote:
    >
    >     Hi guys.
    >
    >     Two masters from which a third got disconnected in a
    >     "dirty" manner.
    >
    >     -> $ ipa-replica-manage del midway.ccn.priv.dom
    >     Server removal aborted:
    >
    >     Replication topology in suffix 'domain' is disconnected:
    >     Topology does not allow server love.ccn.priv.dom to
    >     replicate with servers:
    >          midway.ccn.priv.dom
    >     Topology does not allow server midway.ccn.priv.dom to
    >     replicate with servers:
    >          love.ccn.priv.dom
    >          punch.ccn.priv.dom
    >     Topology does not allow server punch.ccn.priv.dom to
    >     replicate with servers:
    >          midway.ccn.priv.dom.
    >
    >     -> $ ipa topologysegment-find domain
    >     -----------------
    >     1 segment matched
    >     -----------------
    >        Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
    >        Left node: punch.ccn.priv.dom
    >        Right node: love.ccn.priv.dom
    >        Connectivity: both
    >     ----------------------------
    >     Number of entries returned 1
    >
    >     -> $ ipa-replica-manage del midway.ccn.priv.dom --force
    >     ipa: WARNING: /usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
    >     Updating DNS system records
    >     Not allowed on non-leaf entry
    >
    >     I've tried to 'reinitialize' but without success.
    >     Anybody care to share suggestions & thoughts?
    >     many thanks, L.
    >     _______________________________________________
    >     FreeIPA-users mailing list -- [email protected]
    >     To unsubscribe send an email to [email protected]
    >     Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    >     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    >     List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
    >     Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
    >

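As an added example that is not part of this thread and not FreeIPA's own tooling: a small POSIX shell script that wraps the conflict search Florence gives at the top of the thread and turns the LDIF that ldapsearch prints into one line per conflict entry, so the same listing can be collected from each replica before working through the conflict-resolution guide. The parsing with awk, the helper names (search_conflicts, parse_conflicts, count_conflicts) and the sample LDIF are my additions; the hostnames and nsuniqueid values in the sample are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# It wraps the replication-conflict search from the thread and parses the
# LDIF that ldapsearch prints into one "<reason>\t<dn>" line per conflict.
# The sample LDIF below is constructed; hostnames and nsuniqueid values are
# placeholders, not values from the thread.

# Run the search from the thread against a live server (not executed here).
# BASEDN is the value from /etc/ipa/default.conf; ldapsearch prompts for the
# Directory Manager password because of -W.
search_conflicts() {
    basedn="$1"
    ldapsearch -D "cn=Directory Manager" -W -b "$basedn" \
        "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
}

# Read LDIF on stdin and print one "<reason>\t<dn>" line per conflict entry.
# LDIF folds long attribute values onto continuation lines that begin with a
# single space; those are unfolded first so long DNs are reported whole.
parse_conflicts() {
    awk '
        function flush() {
            if (buf ~ /^dn: /) dn = substr(buf, 5)
            else if (buf ~ /^nsds5ReplConflict: /) printf "%s\t%s\n", substr(buf, 20), dn
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation of the previous line
        { if (buf != "") flush(); buf = $0 }
        END { if (buf != "") flush() }
    '
}

# Number of conflict entries in the LDIF on stdin.
count_conflicts() {
    parse_conflicts | wc -l | tr -d ' '
}

# Constructed sample output: two namingConflict entries, the first with a
# folded dn line. Conflict entries carry the "nsuniqueid=...+<rdn>" prefix
# that 389-ds adds when two replicas add the same entry independently.
SAMPLE_LDIF='dn: nsuniqueid=00000000-00000000-00000000-00000001+cn=host-a.example.test,cn=ma
 sters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict cn=host-a.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test

dn: nsuniqueid=00000000-00000000-00000000-00000002+cn=host-b.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict cn=host-b.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
'

# Stand-alone run over the constructed sample. On a server, replace the
# printf with: search_conflicts "$BASEDN" | parse_conflicts
printf '%s\n' "$SAMPLE_LDIF" | parse_conflicts
printf 'conflict entries: %s\n' "$(printf '%s\n' "$SAMPLE_LDIF" | count_conflicts)"
```

Run it as-is to see the two constructed entries listed; on a replica, feed `search_conflicts "$BASEDN"` into `parse_conflicts` instead. A non-zero count on any server is the signal that the "Deleting entry ... has replication conflicts as children" error from the thread is in play, and the DN column tells you which parent entry (here `cn=masters,cn=ipa,cn=etc,...`) still has conflict children that need to be resolved before the master entry can be removed.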