Hello folks,

I have two FreeIPA 3.3 machines running on CentOS7: ipa01.internal and
ipa02.internal. Both have a CA installed.

Initially ipa02 is a replication from ipa01. Recently ipa01 had some
trouble while ipa02 was running fine (see "FreeIPA 3.3 performance
issues with many hosts" on this mailing list).

So what I did was to uninstall ipa01 via "ipa-server-install
--uninstall" and recreated ipa01 as a replica of ipa02 via
"ipa-replica-install --setup-ca". Since then I was having trouble with
replication. It seems there is still some RUV information about
the old ipa01 in the database.

Well, long story short: I want to completely delete ipa02 from the
replication agreement on host ipa01 to be able to re-add ipa02 later.

Currently the situation on ipa01 is as follows:

root@ipa01:~ > ipa-replica-manage list
Directory Manager password:
ipa01.internal: master
ipa02.internal: master
root@ipa01:~ > ipa-replica-manage list-ruv
Directory Manager password:
ipa01.internal:389: 6
ipa02.internal:389: 5
root@ipa01:~ > ipa-csreplica-manage list
Directory Manager password:
ipa01.internal: master
ipa02.internal: master
root@ipa01:~ > ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" 'objectClass=nsDS5ReplicationAgreement' nsds50ruv -LLL
Enter LDAP Password:
dn: cn=cloneAgreement1-ipa01.internal-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 54748540000000600000
nsds50ruv: {replica 97 ldap://ipa02.internal:389} 54748548000000610000 56139e18000200610000
nsds50ruv: {replica 1095 ldap://ipa01.internal:389} 56139e17000004470000 56139e1e000204470000
nsds50ruv: {replica 96 ldap://ipa01.internal:389}

I'm a bit worried about the ldapsearch command. There is an nsds50ruv
attribute with value 1035. It appeared after I re-added ipa01 into the
replication agreement. Do I need to get rid of it and if yes, how?

Another question is: ipa02 is not responsible anymore, so the
CLEANALLRUV task started on ipa01 by "ipa-replica-manage del ..." would
not be able to connect to ipa02. According to the 389ds documentation it
would stay active a long time trying to connect to the other host. Is
it safe to abort the task via "ipa-replica-manage abort-clean-ruv ..."
after a while?

Thanks in advance!
Kind regards,
Dominik