Re: [Freeipa-users] Can't remove all replica records from ldap
On 03/17/2015 06:27 PM, Kim Perrin wrote:
> On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin wrote:
>> On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin wrote:
>>> Thanks for the reply Rob.
>>>
>>> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
>>>> Kim Perrin wrote:
>>>>> Hello all,
>>>>>
>>>>> [...]
>>>>
>>>> You're skipping the step of ipa-replica-manage del ?
>>>> That should do most of this cleanup for you.
>>>
>>> I did run 'ipa-replica-manage del ' for all these as well.
>>>
>>>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>>>> lacks the RUV commands.
>
> On using the 'ipa-csreplica-manage' command to remove the CAs - the del
> option failed with "Unable to delete replica noc3-prd.companyz.com: Can't
> contact LDAP server", and failed with the same response for a couple other
> listed servers as well.

Yes, you would have to clean it manually.

>>>> rob
>>>>
>>>>> Relevant entries -
>>>>>
>>>>> [...]
>>>>>
>>>>> -- and here is an example LDIF to remove the last record listed above -
>>>>>
>>>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>>>> changetype: modify
>>>>> replace: nsds5task
>>>>> nsds5task: CLEANRUV97
>>>>
>>>> That doesn't look right. It should look like:
>>>>
>>>> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
>>>> changetype: add
>>>> objectclass: top
>>>> objectclass: extensibleObject
>>>> replica-base-dn: dc=companyz,dc=com
>>>> replica-id: 97
>>>> cn: clean 97
>>>>
>>>> Be careful which RUV you remove. You only want to remove those that are
>>>> no longer active.
>>>
>>> Thanks for the additional spec on the LDIF, though I still don't
>>> understand how to run this. Is there somewhere you can point me to
>>> with example commands to run such LDIFs?
Re: [Freeipa-users] Can't remove all replica records from ldap
On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin wrote:
> On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin wrote:
>> Thanks for the reply Rob.
>>
>> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
>>> Kim Perrin wrote:
>>>> Hello all,
>>>>
>>>> [...]
>>>
>>> You're skipping the step of ipa-replica-manage del ?
>>> That should do most of this cleanup for you.
>>
>> I did run 'ipa-replica-manage del ' for all these as well.
>>
>>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>>> lacks the RUV commands.

On using the 'ipa-csreplica-manage' command to remove the CAs - the del
option failed with "Unable to delete replica noc3-prd.companyz.com: Can't
contact LDAP server", and failed with the same response for a couple other
listed servers as well.

>>>
>>> rob
>>>
>>>> Relevant entries -
>>>>
>>>> [...]
>>>>
>>>> -- and here is an example LDIF to remove the last record listed above -
>>>>
>>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>>> changetype: modify
>>>> replace: nsds5task
>>>> nsds5task: CLEANRUV97
>>>
>>> [...]
Re: [Freeipa-users] Can't remove all replica records from ldap
On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin wrote:
> Thanks for the reply Rob.
>
> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
>> Kim Perrin wrote:
>>> Hello all,
>>>
>>> [...]
>>
>> You're skipping the step of ipa-replica-manage del ?
>> That should do most of this cleanup for you.
>
> I did run 'ipa-replica-manage del ' for all these as well.
>
>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>> lacks the RUV commands.
>>
>> rob
>>
>>> Relevant entries -
>>>
>>> [...]
>>>
>>> -- and here is an example LDIF to remove the last record listed above -
>>>
>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5task
>>> nsds5task: CLEANRUV97
>>
>> That doesn't look right. It should look like:
>>
>> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
>> changetype: add
>> objectclass: top
>> objectclass: extensibleObject
>> replica-base-dn: dc=companyz,dc=com
>> replica-id: 97
>> cn: clean 97
>>
>> Be careful which RUV you remove. You only want to remove those that are
>> no longer active.
>
> Thanks for the additional spec on the LDIF, though I still don't
> understand how to run this. Is there somewhere you can point me to
> with example commands to run such LDIFs?
Re: [Freeipa-users] Can't remove all replica records from ldap
Thanks for the reply Rob.

On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
> Kim Perrin wrote:
>> Hello all,
>>
>> [...]
>
> You're skipping the step of ipa-replica-manage del ?
> That should do most of this cleanup for you.

I did run 'ipa-replica-manage del ' for all these as well.

> For the CA you use ipa-csreplica-manage. Unfortunately that utility
> lacks the RUV commands.
>
> rob
>
>> Relevant entries -
>>
>> [...]
>>
>> -- and here is an example LDIF to remove the last record listed above -
>>
>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5task
>> nsds5task: CLEANRUV97
>
> That doesn't look right. It should look like:
>
> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> replica-base-dn: dc=companyz,dc=com
> replica-id: 97
> cn: clean 97
>
> Be careful which RUV you remove. You only want to remove those that are
> no longer active.

Thanks for the additional spec on the LDIF, though I still don't
understand how to run this. Is there somewhere you can point me to
with example commands to run such LDIFs?

-Kim

> rob
Re: [Freeipa-users] Can't remove all replica records from ldap
Kim Perrin wrote:
> Hello all,
>
> For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
> environment. We've had 2 masters since the start. Several replicas
> have had problems that required me to remove them. I’ve removed them
> all (except the very last one) by running ‘ipa-server-install
> --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
> replica I tried to remove failed on both commands. On further
> inspection I see all the previous replicas have orphaned entries in
> the ldap db. How do I remove all the entries? (I’ve listed the
> entries below). Is this process safe (in what is currently a single
> ipa server environment)? Note, I’ve seen one of the necessary
> LDIFs that can be ‘run’ to remove the entries -- I just don’t
> understand how to run an ldif.

You're skipping the step of ipa-replica-manage del ?
That should do most of this cleanup for you.

For the CA you use ipa-csreplica-manage. Unfortunately that utility
lacks the RUV commands.

rob

> Relevant entries -
>
> [...]
>
> -- and here is an example LDIF to remove the last record listed above -
>
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task: CLEANRUV97

That doesn't look right. It should look like:

dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
replica-base-dn: dc=companyz,dc=com
replica-id: 97
cn: clean 97

Be careful which RUV you remove. You only want to remove those that are
no longer active.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Can't remove all replica records from ldap
Hello all,

For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
environment. We've had 2 masters since the start. Several replicas
have had problems that required me to remove them. I’ve removed them
all (except the very last one) by running ‘ipa-server-install
--uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
replica I tried to remove failed on both commands. On further
inspection I see all the previous replicas have orphaned entries in
the ldap db. How do I remove all the entries? (I’ve listed the
entries below). Is this process safe (in what is currently a single
ipa server environment)? Note, I’ve seen one of the necessary
LDIFs that can be ‘run’ to remove the entries -- I just don’t
understand how to run an ldif.

Relevant entries -

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replica
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=companyz,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/noc2prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN: krbprincipalname=ldap/util1prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN: krbprincipalname=ldap/noc3prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN: krbprincipalname=ldap/noc4prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsState:: BABlZwhVDgAFAA==
nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
nsds5ReplicaChangeCount: 682699
nsds5replicareapactive: 0

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b o=ipaca '(&(nsuniqueid=---)(objectclass=nstombstone))' -p 7389 -h noc1-prd
Enter LDAP Password:
dn: nsuniqueid=---,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5317a4490060
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500 60 550878b90060
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800 47 531ce06900030047
nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800 4c 53f65954004c
nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600 51 531bf26500010051
nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200 56 531a325600040056
nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00 5b 53194992005b
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500 061 5317a48a00010061
o: ipaca
nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389} 550878ab
nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389 }

-- and here is an example LDIF to remove the last record listed above -

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV97

How do I ‘run’ this ldif?

Thanks,
Kim Perrin
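Rob's corrected cleanallruv task entry, together with his warning to clean only replica ids that are no longer active, as an added example that is not code from the thread or from FreeIPA: it parses the nsds50ruv values from Kim's o=ipaca ldapsearch output (a constructed sample copied from the post), keeps the ids whose host is not in a caller-supplied list of surviving masters, and emits one task record per stale id. The base DN handling and the ldapmodify invocation in the comments are my assumptions: the task must be added to the instance whose RUV carries the element and name that instance's suffix (o=ipaca on port 7389 for the CA RUV shown, dc=companyz,dc=com for the main instance).

```python
"""Build CLEANALLRUV task entries for stale replica ids in a 389-ds RUV."""
import re
from typing import Dict, Iterable, List

# Constructed sample input: the nsds50ruv values from the o=ipaca tombstone
# entry in Kim's ldapsearch output, copied as they appear in the thread
# (the CSN columns are kept verbatim and are not interpreted here).
SAMPLE_RUV = """\
nsds50ruv: {replicageneration} 5317a4490060
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500 60 550878b90060
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800 47 531ce06900030047
nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800 4c 53f65954004c
nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600 51 531bf26500010051
nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200 56 531a325600040056
nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00 5b 53194992005b
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500 061 5317a48a00010061
"""

# One RUV element per line: "{replica <id> ldap://<host>:<port>} <min csn> <max csn>".
# The {replicageneration} element carries no replica id and is skipped.
RUV_ELEMENT = re.compile(r"^nsds50ruv:\s*\{replica (\d+) ldap://([^:/}\s]+)(?::\d+)?\}")


def parse_ruv(ldapsearch_output: str) -> Dict[int, str]:
    """Map each replica id in the RUV to the hostname that owned it."""
    elements: Dict[int, str] = {}
    for line in ldapsearch_output.splitlines():
        match = RUV_ELEMENT.match(line.strip())
        if match:
            elements[int(match.group(1))] = match.group(2).lower()
    return elements


def stale_replica_ids(ruv: Dict[int, str], active_hosts: Iterable[str]) -> List[int]:
    """Replica ids whose host is not among the masters that still exist.

    Rob's warning applies here: only ids of servers that are gone may be
    cleaned. Refusing an empty active list guards against wiping every
    element, including the surviving master's own id (96 for noc1-prd)."""
    active = {host.lower() for host in active_hosts}
    if not active:
        raise ValueError("active_hosts must name at least the surviving master")
    # A host that was reinstalled as a replica shows up under several ids
    # (noc2-prd holds 71, 81 and 91 above); every one of them is stale.
    return sorted(rid for rid, host in ruv.items() if host not in active)


def cleanallruv_task(rid: int, base_dn: str) -> str:
    """One task entry in the form Rob gave, for the suffix whose RUV holds rid."""
    return (
        f"dn: cn=clean {rid},cn=cleanallruv,cn=tasks,cn=config\n"
        "changetype: add\n"
        "objectclass: top\n"
        "objectclass: extensibleObject\n"
        f"replica-base-dn: {base_dn}\n"
        f"replica-id: {rid}\n"
        f"cn: clean {rid}\n"
    )


def build_cleanup_ldif(ldapsearch_output: str, active_hosts: Iterable[str], base_dn: str) -> str:
    """LDIF with one task per stale id; records are separated by a blank line."""
    stale = stale_replica_ids(parse_ruv(ldapsearch_output), active_hosts)
    return "\n".join(cleanallruv_task(rid, base_dn) for rid in stale)


if __name__ == "__main__":
    # The thread's environment is down to a single server, noc1-prd, and the
    # RUV above came from the CA instance (port 7389, suffix o=ipaca), so the
    # tasks name o=ipaca and are applied to that same instance (assumed usage):
    #   ldapmodify -x -D "cn=directory manager" -W -h noc1-prd -p 7389 -f clean.ldif
    # then read each task entry back with ldapsearch (nsTaskLog) until it finishes.
    print(build_cleanup_ldif(SAMPLE_RUV, ["noc1-prd.companyz.com"], "o=ipaca"))
```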