> On Jun 23, 2023, at 08:30, Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> Hi,
>
> On Thu, Jun 22, 2023 at 3:18 PM Joe Rhodes via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> On Jun 21, 2023, at 18:07, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Joe Rhodes via FreeIPA-users wrote:
>>>> Hello all!
>>>>
>>>> I have a CentOS 7 based FreeIPA system that I’m migrating to Rocky 9.
>>>> As suggested, I’ve created a Rocky 8 instance replica first.
>>>>
>>>> As I’ve been working on this (in a dev environment first), I’ve gotten
>>>> myself into a state where I have two servers in the config that I cannot
>>>> delete. (The VMs have been uninstalled and deleted.)
>>>>
>>>> ipa server-find
>>>> ---------------------
>>>> 7 IPA servers matched
>>>> ---------------------
>>>> Server name: ia-ipa-1.dev.purestake.tech
>>>> Min domain level: 0
>>>> Max domain level: 1
>>>>
>>>> Server name: ia-ipa-2.dev.purestake.tech
>>>> Min domain level: 0
>>>> Max domain level: 1
>>>>
>>>> Server name: joe-rocky-8.dev.purestake.tech
>>>> Min domain level: 1
>>>> Max domain level: 1
>>>>
>>>> Server name: joe-rocky-9.dev.purestake.tech
>>>> Min domain level: 1
>>>> Max domain level: 1
>>>>
>>>> Server name: oh-ipa-1.dev.purestake.tech
>>>> Min domain level: 0
>>>> Max domain level: 1
>>>>
>>>> Server name: oh-ipa-2.dev.purestake.tech
>>>> Min domain level: 0
>>>> Max domain level: 1
>>>>
>>>> Server name: oh-ipa-21.dev.purestake.tech
>>>> Min domain level: 1
>>>> Max domain level: 1
>>>>
>>>> The two servers I want to delete are joe-rocky-9 and oh-ipa-21.
>>>>
>>>> Trying to delete either gives me:
>>>>
>>>> ipa server-del joe-rocky-9.dev.purestake.tech
>>>> Removing joe-rocky-9.dev.purestake.tech from replication topology, please wait...
>>>> ipa: ERROR: Server removal aborted:
>>>>
>>>> Replication topology in suffix 'domain' is disconnected:
>>>> Topology does not allow server ia-ipa-1.dev.purestake.tech to replicate with servers:
>>>> joe-rocky-9.dev.purestake.tech
>>>> Topology does not allow server ia-ipa-2.dev.purestake.tech to replicate with servers:
>>>> joe-rocky-9.dev.purestake.tech
>>>> Topology does not allow server joe-rocky-8.dev.purestake.tech to replicate with servers:
>>>> joe-rocky-9.dev.purestake.tech
>>>> Topology does not allow server joe-rocky-9.dev.purestake.tech to replicate with servers:
>>>> joe-rocky-8.dev.purestake.tech
>>>> oh-ipa-1.dev.purestake.tech
>>>> oh-ipa-2.dev.purestake.tech
>>>> ia-ipa-1.dev.purestake.tech
>>>> oh-ipa-21.dev.purestake.tech
>>>> ia-ipa-2.dev.purestake.tech
>>>> Topology does not allow server oh-ipa-1.dev.purestake.tech to replicate with servers:
>>>> joe-rocky-9.dev.purestake.tech
>>>> Topology does not allow server oh-ipa-2.dev.purestake.tech to replicate with servers:
>>>> joe-rocky-9.dev.purestake.tech
>>>> Topology does not allow server oh-ipa-21.dev.purestake.tech to replicate with servers:
>>>> joe-rocky-9.dev.purestake.tech.
>>>>
>>>> and attempting to delete, ignoring the replication topology:
>>>>
>>>> ipa server-del joe-rocky-9.dev.purestake.tech --ignore-topology-disconnect
>>>> Removing joe-rocky-9.dev.purestake.tech from replication topology, please wait...
>>>> ipa: ERROR: Not allowed on non-leaf entry
>
> This error shows that there are child entries below the entry for the server.
> You mentioned replication conflicts, what is the output of:
> # ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
> (replace $BASEDN with your base dn).
>
> You may have to manually remove the replication conflict entries before the
> server entry can be deleted.
> flo
>
Flo:

YES! This was the ldap search I needed!

"(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))"

Once I did that, I found all my conflict entries. I think I was missing the "objectClass=ldapSubEntry" in earlier searches.

Your search showed me my conflict entries for the two servers I was trying to delete:

# oh-ipa-21.dev.purestake.tech + 33c7e594-0c6611ee-ab65dcc1-bdea5cb1, masters, ipa, etc, dev.purestake.tech
dn: cn=oh-ipa-21.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# KDC + 33c7e59a-0c6611ee-ab65dcc1-bdea5cb1, oh-ipa-21.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=KDC+nsuniqueid=33c7e59a-0c6611ee-ab65dcc1-bdea5cb1,cn=oh-ipa-21.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# oh-ipa-21.dev.purestake.tech + ea2fc894-0c6e11ee-a26cd21b-447b37f1, masters, ipa, etc, dev.purestake.tech
dn: cn=oh-ipa-21.dev.purestake.tech+nsuniqueid=ea2fc894-0c6e11ee-a26cd21b-447b37f1,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# oh-ipa-21.dev.purestake.tech + 1c90f4ab-0c7611ee-82aaaf7c-510224ff, masters, ipa, etc, dev.purestake.tech
dn: cn=oh-ipa-21.dev.purestake.tech+nsuniqueid=1c90f4ab-0c7611ee-82aaaf7c-510224ff,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# KDC + 1c90f4b1-0c7611ee-82aaaf7c-510224ff, oh-ipa-21.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=KDC+nsuniqueid=1c90f4b1-0c7611ee-82aaaf7c-510224ff,cn=oh-ipa-21.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# KPASSWD + 1c90f4b2-0c7611ee-82aaaf7c-510224ff, oh-ipa-21.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=KPASSWD+nsuniqueid=1c90f4b2-0c7611ee-82aaaf7c-510224ff,cn=oh-ipa-21.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# oh-ipa-21.dev.purestake.tech + 03d60e2b-0c7911ee-9fd2cbfa-da889042, masters, ipa, etc, dev.purestake.tech
dn: cn=oh-ipa-21.dev.purestake.tech+nsuniqueid=03d60e2b-0c7911ee-9fd2cbfa-da889042,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# KDC + 03d60e31-0c7911ee-9fd2cbfa-da889042, oh-ipa-21.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=KDC+nsuniqueid=03d60e31-0c7911ee-9fd2cbfa-da889042,cn=oh-ipa-21.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# oh-ipa-21.dev.purestake.tech + 3680061c-0c7911ee-9fd2cbfa-da889042, servers, dns, dev.purestake.tech
dn: idnsserverid=oh-ipa-21.dev.purestake.tech+nsuniqueid=3680061c-0c7911ee-9fd2cbfa-da889042,cn=servers,cn=dns,dc=dev,dc=purestake,dc=tech

# joe-rocky-9.dev.purestake.tech + c8be1f14-0eb011ee-b6bda485-29466b86, masters, ipa, etc, dev.purestake.tech
dn: cn=joe-rocky-9.dev.purestake.tech+nsuniqueid=c8be1f14-0eb011ee-b6bda485-29466b86,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# KDC + c8be1f1a-0eb011ee-b6bda485-29466b86, joe-rocky-9.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=KDC+nsuniqueid=c8be1f1a-0eb011ee-b6bda485-29466b86,cn=joe-rocky-9.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# KPASSWD + c8be1f1b-0eb011ee-b6bda485-29466b86, joe-rocky-9.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=KPASSWD+nsuniqueid=c8be1f1b-0eb011ee-b6bda485-29466b86,cn=joe-rocky-9.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# HTTP + d673a48a-0eb011ee-b6bda485-29466b86, joe-rocky-9.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=HTTP+nsuniqueid=d673a48a-0eb011ee-b6bda485-29466b86,cn=joe-rocky-9.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# OTPD + d673a48b-0eb011ee-b6bda485-29466b86, joe-rocky-9.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=OTPD+nsuniqueid=d673a48b-0eb011ee-b6bda485-29466b86,cn=joe-rocky-9.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# KEYS + d673a48c-0eb011ee-b6bda485-29466b86, joe-rocky-9.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=KEYS+nsuniqueid=d673a48c-0eb011ee-b6bda485-29466b86,cn=joe-rocky-9.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

# joe-rocky-9.dev.purestake.tech + f441099b-0eb011ee-b6bda485-29466b86, servers, dns, dev.purestake.tech
dn: idnsserverid=joe-rocky-9.dev.purestake.tech+nsuniqueid=f441099b-0eb011ee-b6bda485-29466b86,cn=servers,cn=dns,dc=dev,dc=purestake,dc=tech

# DNS + f441099e-0eb011ee-b6bda485-29466b86, joe-rocky-9.dev.purestake.tech, masters, ipa, etc, dev.purestake.tech
dn: cn=DNS+nsuniqueid=f441099e-0eb011ee-b6bda485-29466b86,cn=joe-rocky-9.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,dc=dev,dc=purestake,dc=tech

I was able to ldapdelete those entries and then the servers that I couldn’t before. They’re now gone from the GUI and CLI lists.

Thanks so much!

Just for concise searching in the future, I did this ldap search command from a functioning/existing IPA server:

ldapsearch -D "cn=Directory Manager" -W -b "dc=dev,dc=purestake,dc=tech" -o ldif-wrap=no "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" dn

which gave me a list of replication error objects above. (It had nothing to do with the nsTombstone objects as I had been thinking earlier.)

I then used standard ldapdelete commands to delete those objects (as -D "cn=Directory Manager") and then the servers deleted normally.
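The cleanup order behind the "Not allowed on non-leaf entry" error in this thread, as an added example that is not part of the original messages: it reads the `-o ldif-wrap=no ... dn` search output and lists one removed server's conflict DNs children-first, so each can be deleted before its parent. The function names, host names and nsuniqueid values are constructed; it assumes conflict entries carry `nsuniqueid` in their leftmost RDN, as in the output above, and sends any matching DN without it to stderr for manual review instead of listing it for deletion.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# stdin : LDIF from the conflict search, run with "-o ldif-wrap=no" and "dn"
# stdout: conflict-entry DNs for one removed server, deepest DN first

plan_conflict_deletes() {
    # $1 = FQDN of the removed server (hypothetical helper name)
    awk -v srv="$1" '
        BEGIN { srv = tolower(srv) }
        /^dn: / {
            dn = substr($0, 5)
            flat = tolower(dn)
            gsub(/\\,/, "", flat)          # ignore escaped commas in values
            # Keep only DNs that name the server as a whole RDN value.
            if (!index(flat, "=" srv ",") && !index(flat, "=" srv "+")) next
            rdn = flat
            sub(/,.*/, "", rdn)            # leftmost RDN
            if (rdn !~ /(^|\+)nsuniqueid=/) {
                # Not renamed by conflict resolution: never list for deletion.
                print "REVIEW MANUALLY: " dn > "/dev/stderr"
                next
            }
            depth = gsub(/,/, ",", flat)   # count RDN separators
            printf "%d\t%s\n", depth, dn
        }' | LC_ALL=C sort -s -k1,1nr | cut -f2-
}

# Constructed sample input (example.test hosts, made-up nsuniqueid values).
sample_ldif() {
    cat <<'EOF'
dn: cn=replica3.example.test+nsuniqueid=aaaaaaaa-00000001-00000000-00000000,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=KDC+nsuniqueid=aaaaaaaa-00000002-00000000-00000000,cn=replica3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: idnsserverid=replica3.example.test+nsuniqueid=aaaaaaaa-00000003-00000000-00000000,cn=servers,cn=dns,dc=example,dc=test
dn: cn=replica3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=HTTP+nsuniqueid=aaaaaaaa-00000004-00000000-00000000,cn=replica9.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
EOF
}

# Run the demo only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--demo" ]; then
    sample_ldif | plan_conflict_deletes replica3.example.test
fi
```

Review the printed list before handing it to ldapdelete; a DN reported on stderr may be the live server entry, which `ipa server-del` should remove once its conflict children are gone.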