Hello folks,

i have two FreeIPA 3.3 Machines running on CentOS7: ipa01.internal and ipa02.internal. Both have a CA installed. Initially ipa02 is a replication from ipa01. Recently ipa01 had some trouble while ipa02 was running fine (see "FreeIPA 3.3 performance issues with many hosts" on this maillinglist).

So what i did was to uninstall ipa01 via "ipa-server-install --uninstall" and recreated ipa01 as a replica of ipa02 via "ipa-replica-install --setup-ca". Since then I was having trouble with replication. It seems to be there is still some RUV information about the old ipa01 in the database.

Well long story short: I want to completely delete ipa02 from the replication agreement on host ipa01 to be able to re-add ipa02 later.

Currently the situation on ipa01 is as follows:

root@ipa01:~ > ipa-replica-manage list
Directory Manager password:

ipa01.internal: master
ipa02.internal: master

root@ipa01:~ > ipa-replica-manage list-ruv
Directory Manager password:

ipa01.internal:389: 6
ipa02.internal:389: 5

root@ipa01:~ > ipa-csreplica-manage list
Directory Manager password:

ipa01.internal: master
ipa02.internal: master

root@ipa01:~ > ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" 'objectClass=nsDS5ReplicationAgreement' nsds50ruv -LLL
Enter LDAP Password:
dn: cn=cloneAgreement1-ipa01.internal-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=ma
 pping tree,cn=config
nsds50ruv: {replicageneration} 54748540000000600000
nsds50ruv: {replica 97 ldap://ipa02.internal:389} 54748548000000610000 56139e1
nsds50ruv: {replica 1095 ldap://ipa01.internal:389} 56139e17000004470000 56139
nsds50ruv: {replica 96 ldap://ipa01.internal:389}

I'm a bit worried about the ldapsearch command. There is a nsds50ruv attribute with value 1035. It appeared after I readded ipa01 into the replication agreement. Do I need to get rid of it and if yes, how?

Another question is: ipa02 is not responsible anymore, so the CLEANALLRUV Task started on ipa01 by "ipa-replica-manage del ..." would not be able to connect to ipa02. According to 389ds documentation it would stay active a long time trying to connect to the other host. Is it save to abort the task via "ipa-replica-manage abort-clean-ruv ..." after a while?

Thanks in advance!

Kind regards,

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to