Hello,

After I lost the entire IPA infrastructure (due to admin error :( ), I recreated one server that I had an IPA backup for and restored the backup.
The first problem I had was the replication agreements with the now missing servers. I have used ipa-replica-manage del --force --clean <replica name> for all the replicas. It did not work without --force. So now I have this:

ipa --version
VERSION: 4.3.1, API_VERSION: 2.164

root@de-fra-irx08-ldap01 ~#ipa-replica-manage list
de-fra-irx08-ldap01.ipa.XXXXXX: master

root@de-fra-irx08-ldap01 ~# ipa-replica-manage list-ruv
de-fra-irx08-ldap01.ipa.XXXXXX:389: 8

root@de-fra-irx08-ldap01 ~# ipa-csreplica-manage list
Directory Manager password:

de-fra-irx08-ldap01.ipa.XXXXXX: master

But I still get this in the error log:

NSMMReplicationPlugin - agmt="cn=masterAgreement1-ro-buh-nx02-ldap01.ipa.XXXXXX-pki-tomcat" (ro-buh-nx02-ldap01:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

root@de-fra-irx08-ldap01 ~# ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config"
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/ro-buh-nx02-ldap01.ipa.XXXXXX@IPA.B
 IGSTEP,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
nsDS5ReplicaBindDN: krbprincipalname=ldap/uk-rdg-evr01-ldap01.ipa.XXXXXX@IPA.
 XXXXXX,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
nsDS5ReplicaId: 8
nsDS5ReplicaName: b4848193-ef4611e5-8893afc8-cadb562e
nsDS5ReplicaRoot: dc=ipa,dc=XXXXXX
nsDS5ReplicaType: 3
nsState:: CAAAAAAAAAAU/glYAAAAAAAAAAAAAAAA2gQAAAAAAAAUAAAAAAAAAA==
nsds5ReplicaLegacyConsumer: off
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ipa,
 dc=XXXXXX
nsds5replicabinddngroupcheckinterval: 60
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsds5ReplicaChangeCount: 550
nsds5replicareapactive: 0

root@de-fra-irx08-ldap01 ~# ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config"
Enter LDAP Password:
dn: cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,c
 n=o\3Dipaca,cn=mapping tree,cn=config
cn: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
description: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-de-fra-irx08-ldap0
 1.ipa.XXXXXX-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUTJPRE5rWXpkaVpDMWtPRFZpTTJJeg0KT0MxaFpHVm1aall5TUMwMk9HSTFOakExTVFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTF1K2UyWFJybUwyL0
 ZWVTYrdmFDVw==}cJhPqOxvyGaExF/h3IO9UA==
nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XXXXXX
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 56efacec000000600000
nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 56efacf10000
 00600000 580711f2000000600000
nsds50ruv: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389} 57163ff7000
 000510000 575fedb7000000510000
nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 56efbe5b000
 000560000 57179149000000560000
nsds50ruv: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389} 56efb7c5000
 0005b0000 56efb80a0012005b0000
nsds50ruv: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389} 56efacf7000
 000610000 575ffeda000000610000
nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
nsds50ruv: {replica 71} 575eade7000e00470000 575eade7000e00470000
nsruvReplicaLastModified: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:38
 9} 00000000
nsruvReplicaLastModified: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:3
 89} 00000000
nsruvReplicaLastModified: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:3
 89} 00000000
nsruvReplicaLastModified: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:3
 89} 00000000
nsruvReplicaLastModified: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:3
 89} 00000000
nsruvReplicaLastModified: {replica 66} 00000000
nsruvReplicaLastModified: {replica 71} 00000000
objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co
 ntact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z

Is it safe to delete cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config ? Would this solve my problem?

Regards,
Gabriel Batir
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
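
An added example, not part of the original post or of FreeIPA: a Python sketch that unfolds the LDIF returned by the ldapsearch above and lists the agreement target and RUV elements that do not name a host shown by ipa-replica-manage list. The function names and the abridged sample are constructed here; the script only reads text and changes nothing on the server.

```python
import re

# Constructed sample: abridged from the ldapsearch output in the post, with
# LDIF line folding (continuation lines start with one space) restored.
SAMPLE_LDIF = r"""dn: cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,c
 n=o\3Dipaca,cn=mapping tree,cn=config
nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XXXXXX
nsds50ruv: {replicageneration} 56efacec000000600000
nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 56efacf10000
 00600000 580711f2000000600000
nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 56efbe5b000
 000560000 57179149000000560000
nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
"""

# Matches "{replica <id> ldap://<host>:<port>}" and the URL-less "{replica <id>}".
RUV_RE = re.compile(r"\{replica (\d+)(?: ldap://([^:}]+):\d+)?\}")

def parse_entry(ldif):
    """Unfold one LDIF entry and return {lowercased attribute: [values]}."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # continuation: drop the fold space
        elif line:
            lines.append(line)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(": ")
        entry.setdefault(attr.rstrip(":").lower(), []).append(value)
    return entry

def stale_references(ldif, current_masters):
    """List agreement targets and RUV elements not naming a current master."""
    entry = parse_entry(ldif)
    masters = {m.lower() for m in current_masters}
    findings = []
    for host in entry.get("nsds5replicahost", []):
        if host.lower() not in masters:
            findings.append(("agreement-target", None, host))
    for value in entry.get("nsds50ruv", []):
        m = RUV_RE.match(value)
        if not m:
            continue                       # {replicageneration} element
        rid, host = int(m.group(1)), m.group(2)
        if host is None:
            findings.append(("ruv-no-url", rid, None))
        elif host.lower() not in masters:
            findings.append(("ruv-unknown-host", rid, host))
    return findings

if __name__ == "__main__":
    for finding in stale_references(SAMPLE_LDIF, ["de-fra-irx08-ldap01.ipa.XXXXXX"]):
        print(finding)
```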