Howdy folks,
We also have a similar issue. Some servers in our IPA topology show ghost
replicas and it comes down to an entry like the following for an old replica
which no longer exists
$ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=DICOMP,dc=NET
'(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
Enter LDAP Password:
dn: cn=replica,cn=dc\3Ddicomp\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDNGroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=dicomp,dc=net
nsDS5ReplicaBindDnGroupCheckInterval: 60
nsDS5ReplicaId: 11
nsDS5ReplicaName: 13387f82-373b11eb-a1r2gff0-4sda870
nsDS5ReplicaRoot: dc=dicomp,dc=net
nsDS5ReplicaType: 3
nsState:: CwAAAAAAAABzzalmAAAAAAAAAAAAAAAAUpEAAAAAAAALAAAAAAAAAA==
nsds5ReplicaBackoffMax: 300
nsds5ReplicaLegacyConsumer: off
nsds5ReplicaReleaseTimeout: 60
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5fc9ab2e000000040000
nsds50ruv: {replica 11 ldap://camper26.dicomp.net:389} 5fcbf1fa0000000b0000 66aa5edc0000000b0000
nsds50ruv: {replica 3 ldap://camper21.dicomp.net:389} 5fc9ab34000000030000 66aa53ce000100030000
nsds50ruv: {replica 5 ldap://camper23.dicomp.net:389} 5fc9b44b000000050000 66aa58d0000000050000
nsds50ruv: {replica 10 ldap://camper24.dicomp.net:389} 5fc9c7650000000a0000 66aa53d10004000a0000
nsds50ruv: {replica 33 ldap://ipa.dicomp.net:389} 626998ac000100210000 66aa5af1000100210000
nsds50ruv: {replica 45 ldap://az1-iparepl-01.dicomp.net:389} 629644dc0001002d0000 66aa58960000002d0000
nsds50ruv: {replica 46 ldap://au1-compca-01.dicomp.net:389} 6297aca50002002e0000 66aa59130003002e0000
nsds50ruv: {replica 48 ldap://nz1-freeipa-backup.dicomp.net:389} 62c8635e000200300000 66aa4991000800300000
nsds50ruv: {replica 56 ldap://in1-iparepl-01.dicomp.net:389} 667aa1b9000100380000 66aa553d000000380000
nsds50ruv: {replica 57 ldap://camper27.dicomp.net:389} 667bac3f000100390000 66aa5547000000390000
nsds50ruv: {replica 60 ldap://camper25.dicomp.net:389} 667cf5c50000003c0000 66aa5ae00000003c0000
nsds50ruv: {replica 63 ldap://camper22.dicomp.net:389} 667d3ec50001003f0000 66aa5d720000003f0000
nsds50ruv: {replica 64 ldap://nz1-compca-01.dicomp.net:389} 668e3565000100400000 66aa5d7e000000400000
nsds5agmtmaxcsn: dc=dicomp,dc=net;camper26.dicomp.net-to-camper27.dicomp.net;camper27.dicomp.net;389;57;66aa55c00000000b0000
nsds5agmtmaxcsn: dc=dicomp,dc=net;camper26.dicomp.net-to-in1-iparepl-01.dicomp.net;in1-iparepl-01.dicomp.net;389;56;66aa55c00000000b0000
nsruvReplicaLastModified: {replica 11 ldap://camper26.dicomp.net:389} 66a9cd8a
nsruvReplicaLastModified: {replica 3 ldap://camper21.dicomp.net:389} 66a9c27f
nsruvReplicaLastModified: {replica 5 ldap://camper23.dicomp.net:389} 66a9c780
nsruvReplicaLastModified: {replica 10 ldap://camper24.dicomp.net:389} 66a9c281
nsruvReplicaLastModified: {replica 33 ldap://ipa.dicomp.net:389} 66a9c9a4
nsruvReplicaLastModified: {replica 45 ldap://az1-iparepl-01.dicomp.net:389} 66a9c745
nsruvReplicaLastModified: {replica 46 ldap://au1-compca-01.dicomp.net:389} 66a9c7c5
nsruvReplicaLastModified: {replica 48 ldap://nz1-freeipa-backup.dicomp.net:389} 66a9c306
nsruvReplicaLastModified: {replica 56 ldap://in1-iparepl-01.dicomp.net:389} 66a9c3eb
nsruvReplicaLastModified: {replica 57 ldap://camper27.dicomp.net:389} 66a9c3f5
nsruvReplicaLastModified: {replica 60 ldap://camper25.dicomp.net:389} 66a9c990
nsruvReplicaLastModified: {replica 63 ldap://camper22.dicomp.net:389} 66a9cc21
nsruvReplicaLastModified: {replica 64 ldap://nz1-compca-01.dicomp.net:389} 66a9cc63
nsruvReplicaLastModified: {replica 52} 66a9cd67
nsds5ReplicaChangeCount: 117369
nsds5replicareapactive: 0
This one
nsruvReplicaLastModified: {replica 52} 66a9cd67
does not have an nsds50ruv associated with it, so removal via the other
tool does not work.
Trying to remove them via an LDAP modify too fails with an error
additional info: Deletion of nsruvReplicaLastModified attribute is not allowed
Any help on getting these records to vanish is very much appreciated as it's
causing cipa to believe there are ghost replicas.
Looking at the cipa code tells me that it's looking for entries for a replica
without an associated LDAP URL to count towards ghost replicas.
Thanks !
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
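A small check in the spirit of what the post says cipa does, written as an added example (it is not cipa's code and not from the original post): it unfolds an LDIF entry, parses the nsds50ruv and nsruvReplicaLastModified attributes, and reports replica IDs that appear only in nsruvReplicaLastModified with no LDAP URL and no matching nsds50ruv element. The sample entry and the example.test hostnames are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample entry, modelled on the cn=replica entry shown in the post;
# the second nsds50ruv value is folded LDIF-style (continuation line starts
# with a space), and replica 52 has no URL and no nsds50ruv element.
SAMPLE_ENTRY = """\
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5fc9ab2e000000040000
nsds50ruv: {replica 11 ldap://camper26.example.test:389} 5fcbf1fa0000000b0000 66aa5
 edc0000000b0000
nsds50ruv: {replica 3 ldap://camper21.example.test:389} 5fc9ab34000000030000 66aa53ce000100030000
nsruvReplicaLastModified: {replica 11 ldap://camper26.example.test:389} 66a9cd8a
nsruvReplicaLastModified: {replica 3 ldap://camper21.example.test:389} 66a9c27f
nsruvReplicaLastModified: {replica 52} 66a9cd67
"""

# "{replica <id> [ldap://host:port]} <rest>"; the URL is optional, which is
# exactly the case that marks a ghost replica.
RUV_RE = re.compile(r"\{replica (\d+)(?: (ldap://\S+))?\}\s*(.*)")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_replica_attrs(text):
    """Return {attr: {replica_id: (url_or_None, value)}} for the RUV attrs."""
    out = {"nsds50ruv": {}, "nsruvreplicalastmodified": {}}
    for line in unfold_ldif(text):
        attr, sep, val = line.partition(":")
        key = attr.strip().lower()
        if sep and key in out:
            m = RUV_RE.match(val.strip())
            if m:  # {replicageneration} values do not match and are skipped
                out[key][int(m.group(1))] = (m.group(2), m.group(3).strip())
    return out


def ghost_replicas(text):
    """Replica IDs known only from nsruvReplicaLastModified, with no LDAP URL
    and no nsds50ruv element; value is the last-modified time decoded from the
    hex epoch timestamp (first 8 hex digits of a CSN)."""
    attrs = parse_replica_attrs(text)
    ruv = attrs["nsds50ruv"]
    ghosts = {}
    for rid, (url, stamp) in attrs["nsruvreplicalastmodified"].items():
        if url is None and rid not in ruv:
            ghosts[rid] = datetime.fromtimestamp(int(stamp[:8], 16), timezone.utc)
    return ghosts
```

Running `ghost_replicas` on the sample flags only replica 52; a healthy replica such as 11 is present in both attributes with its URL and the unfolded nsds50ruv value is reported intact.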