On Fri, 2012-04-13 at 13:39 -0400, Dan Scott wrote:
> I've been using FreeIPA for a couple of years (Upgraded/Migrated from
> FreeIPA 1). The servers are in various states (Some upgraded from
> Fedora 10/11 through each release, some fresh installs of Fedora
> 15/16). I've also had to add/remove replicas many times - and run into
> problems installing which required some manual intervention.
> I'm convinced that my LDAP directories contain lots of cruft which has
> built up and is causing problems on my system. There may even be some
> corruption since there's an entry which I'm unable to remove - this
> entry does not get replicated to the other servers. I also see
> inconsistent replication states on the servers. i.e. server1 shows
> that it's replicating with server2 but server2 does not show that it's
> replicating with server1.
> Is there some way that I can refresh/clean my LDAP directories and
> ensure that everything's running correctly?

Well it really depends on what you need to achieve.
Of course you have the big hammer of setting up a brand new realm and
then migrating over users/groups, but that would require starting from
scratch with hbac and related rules and re-enrollment of users and
In general if you haven't willfully changed stuff manually over ldap you
should be in good shape. It should be sufficient to find out and fix why
DS is not allowing you to delete that entry you want to delete and then
you should be able to clean up stuff through the CLI or the WebUI tools.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list