Harikumar Krishnan via FreeIPA-users wrote:
> Howdy folks,
>
> We also have a similar issue. Some servers in our IPA topology show ghost
> replicas and it comes down to an entry like the following for an old replica
> which no longer exists
>
> $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=DICOMP,dc=NET '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Ddicomp\2Cdc\3Dnet,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=dicomp,dc=net
> nsDS5ReplicaBindDnGroupCheckInterval: 60
> nsDS5ReplicaId: 11
> nsDS5ReplicaName: 13387f82-373b11eb-a1r2gff0-4sda870
> nsDS5ReplicaRoot: dc=dicomp,dc=net
> nsDS5ReplicaType: 3
> nsState:: CwAAAAAAAABzzalmAAAAAAAAAAAAAAAAUpEAAAAAAAALAAAAAAAAAA==
> nsds5ReplicaBackoffMax: 300
> nsds5ReplicaLegacyConsumer: off
> nsds5ReplicaReleaseTimeout: 60
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleobject
> nsds50ruv: {replicageneration} 5fc9ab2e000000040000
> nsds50ruv: {replica 11 ldap://camper26.dicomp.net:389} 5fcbf1fa0000000b0000 66aa5edc0000000b0000
> nsds50ruv: {replica 3 ldap://camper21.dicomp.net:389} 5fc9ab34000000030000 66aa53ce000100030000
> nsds50ruv: {replica 5 ldap://camper23.dicomp.net:389} 5fc9b44b000000050000 66aa58d0000000050000
> nsds50ruv: {replica 10 ldap://camper24.dicomp.net:389} 5fc9c7650000000a0000 66aa53d10004000a0000
> nsds50ruv: {replica 33 ldap://ipa.dicomp.net:389} 626998ac000100210000 66aa5af1000100210000
> nsds50ruv: {replica 45 ldap://az1-iparepl-01.dicomp.net:389} 629644dc0001002d0000 66aa58960000002d0000
> nsds50ruv: {replica 46 ldap://au1-compca-01.dicomp.net:389} 6297aca50002002e0000 66aa59130003002e0000
> nsds50ruv: {replica 48 ldap://nz1-freeipa-backup.dicomp.net:389} 62c8635e000200300000 66aa4991000800300000
> nsds50ruv: {replica 56 ldap://in1-iparepl-01.dicomp.net:389} 667aa1b9000100380000 66aa553d000000380000
> nsds50ruv: {replica 57 ldap://camper27.dicomp.net:389} 667bac3f000100390000 66aa5547000000390000
> nsds50ruv: {replica 60 ldap://camper25.dicomp.net:389} 667cf5c50000003c0000 66aa5ae00000003c0000
> nsds50ruv: {replica 63 ldap://camper22.dicomp.net:389} 667d3ec50001003f0000 66aa5d720000003f0000
> nsds50ruv: {replica 64 ldap://nz1-compca-01.dicomp.net:389} 668e3565000100400000 66aa5d7e000000400000
> nsds5agmtmaxcsn: dc=dicomp,dc=net;camper26.dicomp.net-to-camper27.dicomp.net;camper27.dicomp.net;389;57;66aa55c00000000b0000
> nsds5agmtmaxcsn: dc=dicomp,dc=net;camper26.dicomp.net-to-in1-iparepl-01.dicomp.net;in1-iparepl-01.dicomp.net;389;56;66aa55c00000000b0000
> nsruvReplicaLastModified: {replica 11 ldap://camper26.dicomp.net:389} 66a9cd8a
> nsruvReplicaLastModified: {replica 3 ldap://camper21.dicomp.net:389} 66a9c27f
> nsruvReplicaLastModified: {replica 5 ldap://camper23.dicomp.net:389} 66a9c780
> nsruvReplicaLastModified: {replica 10 ldap://camper24.dicomp.net:389} 66a9c281
> nsruvReplicaLastModified: {replica 33 ldap://ipa.dicomp.net:389} 66a9c9a4
> nsruvReplicaLastModified: {replica 45 ldap://az1-iparepl-01.dicomp.net:389} 66a9c745
> nsruvReplicaLastModified: {replica 46 ldap://au1-compca-01.dicomp.net:389} 66a9c7c5
> nsruvReplicaLastModified: {replica 48 ldap://nz1-freeipa-backup.dicomp.net:389} 66a9c306
> nsruvReplicaLastModified: {replica 56 ldap://in1-iparepl-01.dicomp.net:389} 66a9c3eb
> nsruvReplicaLastModified: {replica 57 ldap://camper27.dicomp.net:389} 66a9c3f5
> nsruvReplicaLastModified: {replica 60 ldap://camper25.dicomp.net:389} 66a9c990
> nsruvReplicaLastModified: {replica 63 ldap://camper22.dicomp.net:389} 66a9cc21
> nsruvReplicaLastModified: {replica 64 ldap://nz1-compca-01.dicomp.net:389} 66a9cc63
> nsruvReplicaLastModified: {replica 52} 66a9cd67
> nsds5ReplicaChangeCount: 117369
> nsds5replicareapactive: 0
>
> This one
> nsruvReplicaLastModified: {replica 52} 66a9cd67
>
> does not have an associated nsds50ruv associated with it so removal via other
> tool does not work.
>
> Trying to remove them via an LDAP modify too fails with an error
> additional info: Deletion of nsruvReplicaLastModified attribute is not allowed
>
> Any help on getting these records to vanish is very much appreciated as it's
> causing cipa to believe there are ghost replicas.
> Looking at the cipa code tells me that it's looking for entries for replica
> without an associated LDAP url to count towards ghost replicas.
You didn't say what you tried and how it failed. Either cleanruv or
cleanallruv should do the trick.
rob
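
The condition described in the quoted post, a `nsruvReplicaLastModified` value for a replica ID that has no LDAP URL and no matching `nsds50ruv` element, can be checked mechanically over the `ldapsearch` output. The following is an added example, not part of the thread and not cipa's code; the function names are hypothetical and the sample LDIF is constructed from a subset of the values quoted above, with two values folded the way LDIF folds long lines.

```python
import re

# Constructed sample: subset of the RUV tombstone attributes quoted in the post.
# A line starting with a single space is an LDIF continuation of the previous line.
SAMPLE_LDIF = """\
dn: cn=replica,cn=dc\\3Ddicomp\\2Cdc\\3Dnet,cn=mapping tree,cn=config
nsDS5ReplicaId: 11
nsds50ruv: {replicageneration} 5fc9ab2e000000040000
nsds50ruv: {replica 11 ldap://camper26.dicomp.net:389} 5fcbf1fa0000000b0000 66
 aa5edc0000000b0000
nsds50ruv: {replica 3 ldap://camper21.dicomp.net:389} 5fc9ab34000000030000 66a
 a53ce000100030000
nsruvReplicaLastModified: {replica 11 ldap://camper26.dicomp.net:389} 66a9cd8a
nsruvReplicaLastModified: {replica 3 ldap://camper21.dicomp.net:389} 66a9c27f
nsruvReplicaLastModified: {replica 52} 66a9cd67
"""

# Matches "{replica N}" and "{replica N ldap://host:port}"; not "{replicageneration}".
ELEMENT = re.compile(r"\{replica (\d+)(?: (ldap\S*))?\}")

def unfold(ldif):
    """Undo LDIF line folding so wrapped values are parsed whole."""
    return re.sub(r"\r?\n ", "", ldif)

def ruv_elements(ldif, attr):
    """Return {replica_id: url_or_None} for every replica element of attr."""
    found = {}
    for line in unfold(ldif).splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != attr.lower():
            continue
        m = ELEMENT.search(value)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def orphan_replica_ids(ldif):
    """Replica IDs with no LDAP URL, or present only in nsruvReplicaLastModified."""
    ruv = ruv_elements(ldif, "nsds50ruv")
    last_mod = ruv_elements(ldif, "nsruvReplicaLastModified")
    no_url = {rid for d in (ruv, last_mod) for rid, url in d.items() if url is None}
    no_ruv = set(last_mod) - set(ruv)
    return sorted(no_url | no_ruv)

if __name__ == "__main__":
    print(orphan_replica_ids(SAMPLE_LDIF))
```

Run against each server's tombstone entry, the returned IDs are the ones to compare with the live topology before using the cleanruv or cleanallruv task mentioned in the reply.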