Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, Karl Forner wrote:
>> Ok.
>> I read a work-around on
>> It says that if one has figured out a safe new range for the replica, the
>> range could be set using:
>> ldapmodify -x -D 'cn=Directory Manager' -W
>> Enter LDAP Password:
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> changetype: modify
>> replace: dnaNextValue
>> dnaNextValue: 1689700000
>> -
>> replace: dnaMaxValue
>> dnaMaxValue: 1689799999
>> ^D
>> modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>> I suppose this can be dangerous, but would you consider it as a
>> work-around, or should it be avoided at all means ?
> Rob is one of FreeIPA project original developers and he wrote this
> code, so he knows it well. To derive dnaMaxValue/dnaNextValue you need to
> consult older server's data, if it is still available (in
> /etc/dirsrv/slapd-INSTANCE/dse.ldif).
> At worst you'd need to back out the change if things would work.

I purposely used rather weak wording in my blog to ensure that one
thinks carefully about making this kind of change. If your original
master can be brought back up that is definitely the best way to resolve it.

If it was nuked from orbit then yeah, then you'll need to manually set it.

Note that you can use ipa-replica-manage to do this as well and it has a
much less scary syntax:

$ ipa-replica-manage dnarange-set 1689700000-1689799999

I guess the range 1689600000-1689699999 is the rest of the original
range, presumably assigned to the original master?
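
A pre-check for the manual range assignment discussed in this thread, as an added example that is not part of the original messages or of FreeIPA itself: it compares a proposed DNA range with ranges already held by other masters, since overlapping ranges can hand the same UID/GID to two accounts. The function names, host names and sample data are constructed, and the `host: START-END` input format is an assumption about what `ipa-replica-manage dnarange-show` prints.

```shell
#!/bin/sh
# Added example (not FreeIPA code). Reads "host: START-END" lines on stdin;
# that format is an assumption about `ipa-replica-manage dnarange-show` output.

# Constructed sample: the first range is the one guessed in the thread to
# belong to the original master; the host names are placeholders.
sample_ranges() {
    cat <<'EOF'
ipa1.example.com: 1689600000-1689699999
ipa2.example.com: No range set
EOF
}

# check_dna_range START-END
# Prints every conflicting assignment. Returns 0 when the proposed range is
# free, 1 when it overlaps an existing one, 2 when the argument is malformed.
check_dna_range() {
    proposed=$1
    case $proposed in
        *[!0-9-]*|-*|*-|*-*-*) echo "malformed range: $proposed" >&2; return 2 ;;
        *-*) ;;
        *) echo "malformed range: $proposed" >&2; return 2 ;;
    esac
    p_start=${proposed%-*}
    p_end=${proposed#*-}
    if [ "$p_start" -gt "$p_end" ]; then
        echo "start is greater than end: $proposed" >&2
        return 2
    fi
    awk -v ps="$p_start" -v pe="$p_end" '
        # Only lines whose last field is START-END carry a range;
        # "No range set" lines are skipped.
        $NF ~ /^[0-9]+-[0-9]+$/ {
            split($NF, r, "-")
            # Closed intervals overlap when each starts before the other ends.
            if (ps + 0 <= r[2] + 0 && r[1] + 0 <= pe + 0) {
                printf "overlap with %s %s\n", $1, $NF
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demo on the constructed sample, using the range proposed in the thread.
sample_ranges | check_dna_range 1689700000-1689799999 && echo "no overlap"
```

On a live master, the output of `ipa-replica-manage dnarange-show` would be piped in instead of `sample_ranges`, before running `dnarange-set`.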

