lejeczek via FreeIPA-users wrote:
>
>
> On 06/07/2021 17:23, Florence Renaud wrote:
>> Hi
>> so there are replication conflicts in the LDAP database.
>>
>> To find the conflicting entries, run the following commands on each
>> server:
>> export BASEDN=<basedn value from /etc/ipa/default.conf>
>> ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
>>
>> And then follow the guide /B.2. Identity Management Replicas/ [1] in
>> order to solve the conflicts.
>>
>> HTH,
>> flo
>>
> I've found backups and thought I was lucky, yet - though restoration
> seems to work and I'm able to remove the missing master/replica with no "Not
> allowed on non-leaf entry" error...
> ...replication between the two existing masters seems to be "broken", data
> does not replicate.
> If I try 'force-sync' I see, on the requesting master:
> ...
> [09/Jul/2021:10:05:01.553662244 +0100] - ERR - NSMMReplicationPlugin -
> prot_notify_agmt_changed - Replication agreement for
> agmt="cn=punch.ccnr.ceb.private.cam.ac.uk-to-love.ccn.priv.dom"
> (love:389) could not be updated. For replication to take place, please
> enable the suffix and restart the server
> ...
>
> sroogling that did not get me much info. What's the issue here?
What does "I found backups" mean? Are you talking about ipa-backup and
ipa-restore? If you run ipa-restore then you need to re-init all other
servers from that one.

rob

> many thanks, L.
>
>
>> [1]
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#trouble-replica
>>
>>
>> On Tue, Jul 6, 2021 at 6:09 PM lejeczek via FreeIPA-users
>> <[email protected]> wrote:
>>
>>
>>
>>     On 06/07/2021 07:27, Florence Renaud wrote:
>>     > Hi,
>>     >
>>     > is the topology at domain level 1 or domain level 0?
>>     > # kinit admin
>>     > # ipa domainlevel-get
>>     >
>>     > If the level is 1, the right command in order to remove a
>>     > replica + ignore topology disconnect issues is
>>     > # kinit admin
>>     > # ipa server-del <hostname> --ignore-topology-disconnect
>>     >
>>     > The error "not allowed on non-leaf entry" means that the
>>     > command tried to delete an LDAP entry which has child
>>     > entries. You can have a look at the directory server logs
>>     > in /var/log/dirsrv/slapd-IPA-TEST/access and look for a
>>     > DEL operation which returned an error (something with
>>     > RESULT err=<value different from 0>).
>>     >
>>     > HTH,
>>     > flo
>>     >
>>     >
>>     I cannot see any meaningful "DEL" in 'access' at/around the
>>     time of 'server-del' execution, though in 'errors'
>>     ...
>>     [06/Jul/2021:17:00:47.672237100 +0100] - ERR -
>>     ldbm_back_delete - conn=5935 op=244 Deleting entry
>>     cn=midway.ccnr.ceb.private.cam.ac.uk,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom
>>     has replication conflicts as children.
>>
>>     many thanks, L
>>
>>     > On Mon, Jul 5, 2021 at 10:45 PM lejeczek via FreeIPA-users
>>     > <[email protected]> wrote:
>>     >
>>     >     Hi guys.
>>     >
>>     >     Two masters from which third got disconnected in a
>>     >     "dirty" manner.
>>     >
>>     >     -> $ ipa-replica-manage del midway.ccn.priv.dom
>>     >     Server removal aborted:
>>     >
>>     >     Replication topology in suffix 'domain' is disconnected:
>>     >     Topology does not allow server love.ccn.priv.dom to
>>     >     replicate with servers:
>>     >         midway.ccn.priv.dom
>>     >     Topology does not allow server midway.ccn.priv.dom to
>>     >     replicate with servers:
>>     >         love.ccn.priv.dom
>>     >         punch.ccn.priv.dom
>>     >     Topology does not allow server punch.ccn.priv.dom to
>>     >     replicate with servers:
>>     >         midway.ccn.priv.dom.
>>     >
>>     >     -> $ ipa topologysegment-find domain
>>     >     -----------------
>>     >     1 segment matched
>>     >     -----------------
>>     >       Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
>>     >       Left node: punch.ccn.priv.dom
>>     >       Right node: love.ccn.priv.dom
>>     >       Connectivity: both
>>     >     ----------------------------
>>     >     Number of entries returned 1
>>     >
>>     >     -> $ ipa-replica-manage del midway.ccn.priv.dom --force
>>     >     ipa: WARNING:
>>     >     /usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973:
>>     >     The subsystem in PKIConnection.__init__() has been deprecated
>>     >     (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
>>     >     Updating DNS system records
>>     >     Not allowed on non-leaf entry
>>     >
>>     >     I've tried to 'reinitialize' but without success.
>>     >     Anybody care to share suggestions & thoughts?
>>     >     many thanks, L.
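The nsds5ReplConflict search flo gives above returns the conflict entries as LDIF, and the "Not allowed on non-leaf entry" failure seen when deleting cn=midway...,cn=masters is what happens while such entries still sit beneath the entry being removed. As an added example (not code from the thread or from FreeIPA), the script below parses that LDIF, pulls out the nsuniqueid and the original DN that the RHEL guide's cleanup steps work with, and lists which parents still have conflict children; the LDIF sample, its DNs and nsuniqueid values are constructed.

```python
import re
from collections import defaultdict

# Constructed LDIF in the shape the nsds5ReplConflict search returns; the DNs,
# the nsuniqueid values and the folded lines are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=CA+nsuniqueid=0a1b2c3d-00000001-00000000-00000000,cn=midway.ccn.priv
 .dom,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict cn=CA,cn=midway.ccn.priv.dom,cn=masters,cn=
 ipa,cn=etc,dc=ccn,dc=priv,dc=dom

dn: cn=KDC+nsuniqueid=0a1b2c3d-00000002-00000000-00000000,cn=midway.ccn.priv.dom,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict (ADD) cn=KDC,cn=midway.ccn.priv.dom,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values): unfolds continuation lines and
    returns [{'dn': str, 'attrs': {name: [values]}}] in file order."""
    unfolded = re.sub(r"\n ", "", text)             # a leading space continues the line
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name].append(value.strip())
        entries.append({"dn": attrs.pop("dn")[0], "attrs": attrs})
    return entries

def parent_dn(dn):
    """Parent of a DN: everything after the first unescaped comma."""
    return re.split(r"(?<!\\),", dn, maxsplit=1)[1]

def conflicts(entries):
    """Yield (conflict_dn, nsuniqueid, original_dn); 389-ds writes 'namingConflict <dn>',
    newer releases insert the operation, e.g. 'namingConflict (ADD) <dn>'."""
    for e in entries:
        for value in e["attrs"].get("nsds5ReplConflict", []):
            original = re.sub(r"^namingConflict(\s*\([A-Z]+\))?\s*", "", value)
            m = re.search(r"nsuniqueid=([0-9a-f-]+)", e["dn"], re.I)
            yield e["dn"], (m.group(1) if m else None), original

def blocked_parents(entries):
    """Parent DN -> conflict children; a DEL of such a parent fails with
    'Not allowed on non-leaf entry' until the children are renamed or removed."""
    out = defaultdict(list)
    for dn, _, _ in conflicts(entries):
        out[parent_dn(dn)].append(dn)
    return dict(out)
```

Run it against the real ldapsearch output (saved to a file and passed to parse_ldif) to get the list of parents that must be cleaned up before ipa server-del or ipa-replica-manage del can succeed.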
