Hi,

On Tue, Apr 23, 2024 at 9:53 AM Lee Csk via FreeIPA-users <[email protected]> wrote:

> After performing usual Yum updates on multiple IPA servers (not at the
> same time; one server reportedly started hanging), we started observing
> "LDAP Conflicts" in multiple IPA replication servers:
>
> az2-replica.noc.net
> | LDAP Conflicts | 9 | FAIL |
> mi2-replica.noc.net:
> | LDAP Conflicts | 9 | FAIL |
> mi1-replica.noc.net:
> | LDAP Conflicts | 9 | FAIL |
> az1-replica.noc.net:
> | LDAP Conflicts | 10 | FAIL |
> sg1-replicate.noc.net:
> | LDAP Conflicts | 3 | FAIL |
> sg2-replica.noc.net
> | LDAP Conflicts | 3 | FAIL |
>
> While the "Replication status" reports OK, we also observe it flapping at
> times between OK and FAIL.
>
> We have tried to follow, on one of the replication servers:
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
> - by removing the orphan entry; however, the replication broke completely
> on it (the ipa service couldn't start back up), requiring a full re-install of
> that specific replica.
>
> ]$ sudo -u admin /home/admin/.local/bin/cipa -H localhost |grep "LDAP Conflicts"
> | LDAP Conflicts | 0 | OK |
>
> $ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net"
> Enter password for cn=Directory Manager on ldap://az1-replica.noc.net:
> dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
> cn: sg1-replica.noc.net
> ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
> ipaMaxDomainLevel: 1
> ipaMinDomainLevel: 1
> ipaReplTopoManagedSuffix: dc=noc,dc=net
> nsds5replconflict: deletedEntryHasChildren
> objectClass: top
> objectClass: nsContainer
> objectClass: ipaReplTopoManagedServer
> objectClass: ipaConfigObject
> objectClass: ipaSupportedDomainLevelConfig
> objectClass: ipalocationmember
> objectClass: extensibleobject
> objectClass: glue
>
> $ ldapsearch -H ldaps://$(hostname) -W -D 'cn=Directory Manager' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=noc,dc=net> (default) with scope subtree
> # filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
> # requesting: nsds5ReplConflict
> #
>
> # sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
> dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
> nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
>
> # HTTP/[email protected] + 0264df8b-fca611ee-a3cba8b9-8a6b8039, services, accounts, noc.net
> dn: krbprincipalname=HTTP/[email protected]+nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
> nsds5ReplConflict: namingConflict (ADD) krbprincipalname=http/[email protected],cn=services,cn=accounts,dc=noc,dc=net
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> OR:
>
> az1-replica.noc.net:/$ ldapsearch -H ldap://$(hostname) -D "cn=Directory Manager" -W -b "dc=noc,dc=net" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=noc,dc=net> with scope subtree
> # filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
> # requesting: * nsds5ReplConflict
> #
>
> # sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
> dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
> ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
> objectClass: top
> objectClass: nsContainer
> objectClass: ipaReplTopoManagedServer
> objectClass: ipaConfigObject
> objectClass: ipaSupportedDomainLevelConfig
> objectClass: ldapsubentry
> objectClass: ipalocationmember
> cn: sg1-replica.noc.net
> ipaReplTopoManagedSuffix: dc=noc,dc=net
> ipaMinDomainLevel: 1
> ipaMaxDomainLevel: 1
> nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> We expect: | LDAP Conflicts | 0 | OK |
>
> Running versions:
> ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
> ipa-client-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
> 389-ds-base-1.4.3.37-2.module_el8.9.0+3710+3183c30a.alma.1.x86_64
> krb5-server-1.18.2-26.el8_9.x86_64
>
> The yum update happened from:
> ipa-server-4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1.x86_64
> to:
> ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64

ipa-server-4.9.12-14 fixes this issue: https://issues.redhat.com/browse/RHEL-28847
and must be installed with the corresponding bind update that fixes
https://issues.redhat.com/browse/RHEL-25648: bind-9.11.36-11.el8_9.1

Do you have the right bind version?

flo

> Please advise how it's best to resolve these "LDAP Conflicts".
> How to remove, or retain if that's the case?
>
> Thanks,
> Lee
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
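As an added example (not code from this thread, from FreeIPA or from 389-ds), the script below does the two checks the reply above calls for. It parses the conflict-entry LDIF that the ldapsearch filter "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" returns, unfolding wrapped lines, separates naming conflicts from glue entries, flags anything under IPA's own subtrees (cn=etc, cn=masters, service principals) so it gets compared rather than deleted outright, and checks "rpm -q" output against the ipa-server and bind minimums named in the reply. The sample input is constructed after the quoted output (the uid=jdoe entry, its nsuniqueid and the bind package line are invented), "ldap://<host>" is a placeholder, and the dsconf compare, swap, delete, convert-glue and delete-glue subcommand names are those of 389-ds 1.4's "repl-conflict" group; confirm them with --help on your build before running anything.

```python
"""Triage 389-ds replication conflicts from ldapsearch LDIF and check package
versions against a minimum. Added example for this thread, not FreeIPA/389-ds
code. SAMPLE_LDIF is modelled on the thread (uid=jdoe is made up); SAMPLE_RPM_Q
is constructed with a deliberately old bind. dsconf subcommand names follow
389-ds 1.4; confirm with 'dsconf ... repl-conflict --help' before running."""
import re
from itertools import zip_longest

# IPA-owned subtrees: compare before deleting; removing the live entry breaks the replica.
IPA_MANAGED = ("cn=etc,", "cn=masters,", "cn=services,cn=accounts,")
NAMING_RE = re.compile(r"^namingConflict \((ADD|MOD)\) (.+)$")
DSCONF = 'dsconf -D "cn=Directory Manager" ldap://<host> repl-conflict'  # <host>: placeholder
ARCHES = {"x86_64", "aarch64", "ppc64le", "s390x", "i686", "noarch"}
REQUIRED = {"ipa-server": "4.9.12-14", "bind": "9.11.36-11.el8_9.1"}  # from the reply

SAMPLE_LDIF = """\
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100
 ,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters
 ,cn=ipa,cn=etc,dc=noc,dc=net

dn: uid=jdoe+nsuniqueid=11111111-22222222-33333333-44444444,cn=users,cn=accounts,dc=noc,dc=net
nsds5ReplConflict: namingConflict (ADD) uid=jdoe,cn=users,cn=accounts,dc=noc,dc=net

dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
objectClass: glue
nsds5replconflict: deletedEntryHasChildren

# search result
result: 0 Success
"""
SAMPLE_RPM_Q = ["ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64", "bind-9.11.36-8.el8.x86_64"]

def parse_ldif(text):
    """Entries from ldapsearch output: skip '#' comments, unfold continuation
    lines (leading space) and keep only records that carry a dn."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]
        elif raw == "":
            if "dn" in cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            attr, _, val = raw.partition(":")
            last = attr.lower()
            cur.setdefault(last, []).append(val.lstrip())
    return entries

def triage(entries):
    """Classify each conflict and give the dsconf command to run first: naming -> 'compare',
    then 'swap' or 'delete' the conflict copy; glue -> 'convert-glue' keeps it, 'delete-glue' removes it."""
    actions = []
    for e in entries:
        dn = e["dn"][0]
        for c in e.get("nsds5replconflict", []):
            m = NAMING_RE.match(c)
            if m:
                a = {"kind": "naming", "valid_dn": m.group(2), "next": f'{DSCONF} compare "{dn}"'}
            elif c == "deletedEntryHasChildren":
                a = {"kind": "glue", "next": f'{DSCONF} convert-glue "{dn}"'}
            else:
                continue
            a.update(conflict_dn=dn, ipa_managed=any(t in dn for t in IPA_MANAGED))
            actions.append(a)
    return actions

def parse_nevra(nevra):
    """'bind-9.11.36-11.el8_9.1.x86_64' -> ('bind', '9.11.36-11.el8_9.1')."""
    head, _, arch = nevra.rpartition(".")
    name, ver, rel = (head if arch in ARCHES else nevra).rsplit("-", 2)
    return name, f"{ver}-{rel}"

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: alnum segments, numeric beats alpha, extra segments win."""
    for x, y in zip_longest(re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def meets_minimum(installed_evr, minimum_evr):
    """True when the installed version-release is at least the required one."""
    iv, _, ir = installed_evr.rpartition("-")
    mv, _, mr = minimum_evr.rpartition("-")
    return (rpm_vercmp(iv, mv) or rpm_vercmp(ir, mr)) >= 0

def check_packages(rpm_q_lines, required=REQUIRED):
    """Package name -> whether its 'rpm -q' line meets the required minimum."""
    found = dict(parse_nevra(line.strip()) for line in rpm_q_lines if line.strip())
    return {n: meets_minimum(found[n], m) for n, m in required.items() if n in found}
```

On each replica, feed the output of "rpm -q ipa-server bind" to check_packages before touching any conflict entry; a replica still on an older bind is the case the reply asks about. For the conflicts themselves, run the "compare" step on every naming conflict first, and treat a glue entry that is a server's own cn=masters entry (as in the quoted output) with "convert-glue" rather than a delete, since removing the orphan entry is what took the replica down in the thread.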
