On 09/26/2016 02:56 PM, Natxo Asenjo wrote:



On Mon, Sep 26, 2016 at 1:54 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:




    On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz <lkris...@redhat.com> wrote:


        On 09/26/2016 01:36 PM, Natxo Asenjo wrote:
        And in my example, the replica id would be 66, 96, 71 and 97, correct?
        no, I don't think so. you searched 2 times the same host "-h
        kdc04.unix.iriszorg.nl".
        you need to search on kdc03 to find the current replicaid of
        kdc03 and you have to keep it.



    yes, you are right :(

     $ ldapsearch -Z -h kdc03.unix.iriszorg.nl -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
    Enter LDAP Password:
    nsDS5ReplicaId: 66
    nsds50ruv: {replicageneration} 50c1015c000000600000
    nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
    nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
    nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
    nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
    nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000


    so I need to keep 66 and 1095, and run the task on 96, 71 and 97,
    it would seem.

    Thanks for spotting my error.



ok, so I have now run the commands against both ldap hosts (the kdc03 and the kdc04), and now I have this:
you need to run it only against one host, it will propagate itself to the other replicas, if it can - see below.

# ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000

# ldapsearch -Z -h kdc03.unix.iriszorg.nl -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000

so the command has not been successful in the kdc03. in the dirsrv errors log I see:

[26/Sep/2016:14:50:54 +0200] NSMMReplicationPlugin - CleanAllRUV Task (rid 71): Not all replicas online, retrying in 640 seconds...
this looks like there is still a replication agreement to one of the no longer existing servers.

can you search for "... -b "cn=config" "objectclass=nsds5replicationagreement"

and remove the ones no longer needed.
[26/Sep/2016:14:51:00 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

but those replicas are gone (decommissioned). So how can I remove them?



--
regards,
Natxo





--
--
Groeten,
natxo



--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
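
The comparison worked out by hand in the thread above (keep each live server's own nsDS5ReplicaId, clean every other rid in its RUV) can be scripted. This is an added example, not code from the thread or from the 389 Directory Server project; the function names are hypothetical and the sample input is the two outputs quoted above with the CSNs replaced by a placeholder.

```python
import re

# One RUV element: {replica <rid> ldap://<host>:<port>}; the CSNs after it are ignored.
RUV_ELEMENT = re.compile(r"\{replica\s+(\d+)\s+ldaps?://([^:}\s]+):(\d+)\}")
OWN_RID = re.compile(r"^\s*nsDS5ReplicaId:\s*(\d+)\s*$", re.MULTILINE | re.IGNORECASE)


def parse_ruv(text):
    """Parse one server's `ldapsearch ... | grep` output into (own_rid, {rid: host})."""
    own = OWN_RID.search(text)
    if own is None:
        raise ValueError("no nsDS5ReplicaId line: wrong suffix or not a replica")
    # findall() does not depend on line breaks, so elements that were run
    # together on one line (as in the mail above) are still found.
    return int(own.group(1)), {int(r): h for r, h, _ in RUV_ELEMENT.findall(text)}


def stale_rids(outputs):
    """Map each queried server to the sorted (rid, host) pairs left over in its RUV.

    A rid is kept only if one of the queried servers reports it as its own
    nsDS5ReplicaId, so every live replica has to be present in `outputs`.
    """
    parsed = {name: parse_ruv(text) for name, text in outputs.items()}
    keep = {own for own, _ in parsed.values()}
    return {name: sorted((rid, host) for rid, host in ruv.items() if rid not in keep)
            for name, (_, ruv) in parsed.items()}


# Sample input taken from the thread; "<csn>" is a placeholder for the CSN values.
KDC04 = """nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} <csn>
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} <csn> nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} <csn>
"""
KDC03 = """nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} <csn>
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} <csn>
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} <csn>
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} <csn>
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} <csn>
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} <csn>
"""

if __name__ == "__main__":
    for server, leftovers in stale_rids({"kdc03": KDC03, "kdc04": KDC04}).items():
        print(server, leftovers or "clean")
```

Rid 71 carries the hostname of a live server (kdc03), which is why the decision has to be made on the replica id and not on the host in the RUV element. An empty list on one server and a non-empty one on another, as here, shows the cleanup has not yet completed on every replica.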
