Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Dmitri Pal

On 03/17/2015 06:27 PM, Kim Perrin wrote:

On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin  wrote:

On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin  wrote:

Thanks for the reply Rob.

On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden  wrote:

Kim Perrin wrote:

Hello all,

For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
environment. We've had 2 masters since the start. Several replicas
have had problems that required me to remove them. I’ve removed them
all (except the very last one) by running ‘ipa-server-install
--uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
replica I tried to remove failed on both commands. On further
inspection I see all the previous replicas have orphaned entries in
the ldap db. How do I remove all the entries? (I’ve listed the
entries below). Is this process safe (in what is currently a single
ipa server environment)? Note, I’ve seen one of the necessary
LDIFs that can be ‘run’ to remove the entries -- I just don’t
understand how to run an ldif.

You're skipping the step of ipa-replica-manage del ?
That should do most of this cleanup for you.

I did run 'ipa-replica-manage del '  for all these as well.



For the CA you use ipa-csreplica-manage. Unfortunately that utility
lacks the RUV commands.

On using the 'ipa-csreplica-manage' command to remove the CAs - the
del option failed with
"Unable to delete replica noc3-prd.companyz.com: Can't contact LDAP server"
and failed with the same response for a couple of other listed servers as well.



Yes, you would have to clean it manually.



rob


Relevant entries -

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
sub -b cn=config objectclass=nsds5replica
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=companyz,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN:
krbprincipalname=ldap/noc2prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN:
krbprincipalname=ldap/util1prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN:
krbprincipalname=ldap/noc3prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN:
krbprincipalname=ldap/noc4prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsState:: BABlZwhVDgAFAA==
nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
nsds5ReplicaChangeCount: 682699
nsds5replicareapactive: 0

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
o=ipaca  
'(&(nsuniqueid=---)(objectclass=nstombstone))'
-p 7389 -h noc1-prd
Enter LDAP Password:
dn: nsuniqueid=---,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5317a4490060
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500
60 550878b90060
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800
47 531ce06900030047
nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800
4c 53f65954004c
nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600
51 531bf26500010051
nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200
56 531a325600040056
nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00
5b 53194992005b
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500
061 5317a48a00010061
o: ipaca
nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
  550878ab
nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
  
nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
  
nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
  
nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
  
nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
  
nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
} 

-- and here is an example LDIF to remove the last record listed above -

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV97

That doesn't look right. It should look like:

dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
replica-base-dn: dc=companyz,dc=com
replica-id: 97
cn: clean 97

Be careful which RUV you remove. You only want to remove those that are
no longer active.

Thanks for the additional spec on the LDIF, 

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin  wrote:
> On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin  
> wrote:
>> Thanks for the reply Rob.
>>
>> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden  wrote:
>>> Kim Perrin wrote:
 Hello all,

 For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
 environment. We've had 2 masters since the start. Several replicas
 have had problems that required me to remove them. I’ve removed them
 all (except the very last one) by running ‘ipa-server-install
 --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
 replica I tried to remove failed on both commands. On further
 inspection I see all the previous replicas have orphaned entries in
 the ldap db. How do I remove all the entries? (I’ve listed the
 entries below). Is this process safe (in what is currently a single
 ipa server environment)? Note, I’ve seen one of the necessary
 LDIFs that can be ‘run’ to remove the entries -- I just don’t
 understand how to run an ldif.
>>>
>>> You're skipping the step of ipa-replica-manage del ?
>>> That should do most of this cleanup for you.
>> I did run 'ipa-replica-manage del '  for all these as well.
>>
>>
>>>
>>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>>> lacks the RUV commands.
On using the 'ipa-csreplica-manage' command to remove the CAs - the
del option failed with
"Unable to delete replica noc3-prd.companyz.com: Can't contact LDAP server"
and failed with the same response for a couple of other listed servers as well.
>>>
>>> rob
>>>
 Relevant entries -

 kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
 sub -b cn=config objectclass=nsds5replica
 Enter LDAP Password:
 dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
 cn: replica
 nsDS5Flags: 1
 objectClass: top
 objectClass: nsds5replica
 objectClass: extensibleobject
 nsDS5ReplicaType: 3
 nsDS5ReplicaRoot: dc=companyz,dc=com
 nsds5ReplicaLegacyConsumer: off
 nsDS5ReplicaId: 4
 nsDS5ReplicaBindDN: cn=replication manager,cn=config
 nsDS5ReplicaBindDN:
 krbprincipalname=ldap/noc2prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
 nsDS5ReplicaBindDN:
 krbprincipalname=ldap/util1prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
 nsDS5ReplicaBindDN:
 krbprincipalname=ldap/noc3prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
 nsDS5ReplicaBindDN:
 krbprincipalname=ldap/noc4prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
 nsState:: BABlZwhVDgAFAA==
 nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
 nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
 nsds5ReplicaChangeCount: 682699
 nsds5replicareapactive: 0

 kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
 o=ipaca  
 '(&(nsuniqueid=---)(objectclass=nstombstone))'
 -p 7389 -h noc1-prd
 Enter LDAP Password:
 dn: nsuniqueid=---,o=ipaca
 objectClass: top
 objectClass: nsTombstone
 objectClass: extensibleobject
 nsds50ruv: {replicageneration} 5317a4490060
 nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500
 60 550878b90060
 nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800
 47 531ce06900030047
 nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800
 4c 53f65954004c
 nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600
 51 531bf26500010051
 nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200
 56 531a325600040056
 nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00
 5b 53194992005b
 nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500
 061 5317a48a00010061
 o: ipaca
 nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
  550878ab
 nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
  
 nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
  
 nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
  
 nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
  
 nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
  
 nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
 } 

 -- and here is an example LDIF to remove the last record listed above -

 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 changetype: modify
 replace: n

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin  wrote:
> Thanks for the reply Rob.
>
> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden  wrote:
>> Kim Perrin wrote:
>>> Hello all,
>>>
>>> For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
>>> environment. We've had 2 masters since the start. Several replicas
>>> have had problems that required me to remove them. I’ve removed them
>>> all (except the very last one) by running ‘ipa-server-install
>>> --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
>>> replica I tried to remove failed on both commands. On further
>>> inspection I see all the previous replicas have orphaned entries in
>>> the ldap db. How do I remove all the entries? (I’ve listed the
>>> entries below). Is this process safe (in what is currently a single
>>> ipa server environment)? Note, I’ve seen one of the necessary
>>> LDIFs that can be ‘run’ to remove the entries -- I just don’t
>>> understand how to run an ldif.
>>
>> You're skipping the step of ipa-replica-manage del ?
>> That should do most of this cleanup for you.
> I did run 'ipa-replica-manage del '  for all these as well.
>
>
>>
>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>> lacks the RUV commands.
>>
>> rob
>>
>>> Relevant entries -
>>>
>>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
>>> sub -b cn=config objectclass=nsds5replica
>>> Enter LDAP Password:
>>> dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
>>> cn: replica
>>> nsDS5Flags: 1
>>> objectClass: top
>>> objectClass: nsds5replica
>>> objectClass: extensibleobject
>>> nsDS5ReplicaType: 3
>>> nsDS5ReplicaRoot: dc=companyz,dc=com
>>> nsds5ReplicaLegacyConsumer: off
>>> nsDS5ReplicaId: 4
>>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/noc2prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/util1prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/noc3prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/noc4prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>>> nsState:: BABlZwhVDgAFAA==
>>> nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
>>> nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
>>> nsds5ReplicaChangeCount: 682699
>>> nsds5replicareapactive: 0
>>>
>>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
>>> o=ipaca  
>>> '(&(nsuniqueid=---)(objectclass=nstombstone))'
>>> -p 7389 -h noc1-prd
>>> Enter LDAP Password:
>>> dn: nsuniqueid=---,o=ipaca
>>> objectClass: top
>>> objectClass: nsTombstone
>>> objectClass: extensibleobject
>>> nsds50ruv: {replicageneration} 5317a4490060
>>> nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500
>>> 60 550878b90060
>>> nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800
>>> 47 531ce06900030047
>>> nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800
>>> 4c 53f65954004c
>>> nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600
>>> 51 531bf26500010051
>>> nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200
>>> 56 531a325600040056
>>> nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00
>>> 5b 53194992005b
>>> nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500
>>> 061 5317a48a00010061
>>> o: ipaca
>>> nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
>>>  550878ab
>>> nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
>>>  
>>> nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
>>>  
>>> nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
>>>  
>>> nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
>>>  
>>> nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
>>>  
>>> nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
>>> } 
>>>
>>> -- and here is an example LDIF to remove the last record listed above -
>>>
>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5task
>>> nsds5task: CLEANRUV97
>>
>> That doesn't look right. It should look like:
>>
>> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
>> changetype: add
>> objectclass: top
>> objectclass: extensibleObject
>> replica-base-dn: dc=companyz,dc=com
>> replica-id: 97
>> cn: clean 97
>>
>> Be careful which RUV you remove. You only want to remove those that are
>> no longer active.
> Thanks for the add

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
Thanks for the reply Rob.

On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden  wrote:
> Kim Perrin wrote:
>> Hello all,
>>
>> For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
>> environment. We've had 2 masters since the start. Several replicas
>> have had problems that required me to remove them. I’ve removed them
>> all (except the very last one) by running ‘ipa-server-install
>> --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
>> replica I tried to remove failed on both commands. On further
>> inspection I see all the previous replicas have orphaned entries in
>> the ldap db. How do I remove all the entries? (I’ve listed the
>> entries below). Is this process safe (in what is currently a single
>> ipa server environment)? Note, I’ve seen one of the necessary
>> LDIFs that can be ‘run’ to remove the entries -- I just don’t
>> understand how to run an ldif.
>
> You're skipping the step of ipa-replica-manage del ?
> That should do most of this cleanup for you.
I did run 'ipa-replica-manage del '  for all these as well.


>
> For the CA you use ipa-csreplica-manage. Unfortunately that utility
> lacks the RUV commands.
>
> rob
>
>> Relevant entries -
>>
>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
>> sub -b cn=config objectclass=nsds5replica
>> Enter LDAP Password:
>> dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
>> cn: replica
>> nsDS5Flags: 1
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleobject
>> nsDS5ReplicaType: 3
>> nsDS5ReplicaRoot: dc=companyz,dc=com
>> nsds5ReplicaLegacyConsumer: off
>> nsDS5ReplicaId: 4
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/noc2prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/util1prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/noc3prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/noc4prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
>> nsState:: BABlZwhVDgAFAA==
>> nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
>> nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
>> nsds5ReplicaChangeCount: 682699
>> nsds5replicareapactive: 0
>>
>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
>> o=ipaca  
>> '(&(nsuniqueid=---)(objectclass=nstombstone))'
>> -p 7389 -h noc1-prd
>> Enter LDAP Password:
>> dn: nsuniqueid=---,o=ipaca
>> objectClass: top
>> objectClass: nsTombstone
>> objectClass: extensibleobject
>> nsds50ruv: {replicageneration} 5317a4490060
>> nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500
>> 60 550878b90060
>> nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800
>> 47 531ce06900030047
>> nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800
>> 4c 53f65954004c
>> nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600
>> 51 531bf26500010051
>> nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200
>> 56 531a325600040056
>> nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00
>> 5b 53194992005b
>> nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500
>> 061 5317a48a00010061
>> o: ipaca
>> nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
>>  550878ab
>> nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
>>  
>> nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
>>  
>> nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
>>  
>> nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
>>  
>> nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
>>  
>> nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
>> } 
>>
>> -- and here is an example LDIF to remove the last record listed above -
>>
>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5task
>> nsds5task: CLEANRUV97
>
> That doesn't look right. It should look like:
>
> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> replica-base-dn: dc=companyz,dc=com
> replica-id: 97
> cn: clean 97
>
> Be careful which RUV you remove. You only want to remove those that are
> no longer active.
Thanks for the additional spec on the LDIF, though I still don't
understand how to run this. Is there somewhere you can point me to
with example commands to run such LDIFs?

-Kim
>
> rob

-- 
Ma

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Rob Crittenden
Kim Perrin wrote:
> Hello all,
> 
> For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
> environment. We've had 2 masters since the start. Several replicas
> have had problems that required me to remove them. I’ve removed them
> all (except the very last one) by running ‘ipa-server-install
> --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
> replica I tried to remove failed on both commands. On further
> inspection I see all the previous replicas have orphaned entries in
> the ldap db. How do I remove all the entries? (I’ve listed the
> entries below). Is this process safe (in what is currently a single
> ipa server environment)? Note, I’ve seen one of the necessary
> LDIFs that can be ‘run’ to remove the entries -- I just don’t
> understand how to run an ldif.

You're skipping the step of ipa-replica-manage del ?
That should do most of this cleanup for you.

For the CA you use ipa-csreplica-manage. Unfortunately that utility
lacks the RUV commands.

rob

> Relevant entries -
> 
> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
> sub -b cn=config objectclass=nsds5replica
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleobject
> nsDS5ReplicaType: 3
> nsDS5ReplicaRoot: dc=companyz,dc=com
> nsds5ReplicaLegacyConsumer: off
> nsDS5ReplicaId: 4
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN:
> krbprincipalname=ldap/noc2prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
> nsDS5ReplicaBindDN:
> krbprincipalname=ldap/util1prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
> nsDS5ReplicaBindDN:
> krbprincipalname=ldap/noc3prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
> nsDS5ReplicaBindDN:
> krbprincipalname=ldap/noc4prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
> nsState:: BABlZwhVDgAFAA==
> nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
> nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
> nsds5ReplicaChangeCount: 682699
> nsds5replicareapactive: 0
> 
> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
> o=ipaca  
> '(&(nsuniqueid=---)(objectclass=nstombstone))'
> -p 7389 -h noc1-prd
> Enter LDAP Password:
> dn: nsuniqueid=---,o=ipaca
> objectClass: top
> objectClass: nsTombstone
> objectClass: extensibleobject
> nsds50ruv: {replicageneration} 5317a4490060
> nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500
> 60 550878b90060
> nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800
> 47 531ce06900030047
> nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800
> 4c 53f65954004c
> nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600
> 51 531bf26500010051
> nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200
> 56 531a325600040056
> nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00
> 5b 53194992005b
> nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500
> 061 5317a48a00010061
> o: ipaca
> nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
>  550878ab
> nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
>  
> nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
>  
> nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
>  
> nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
>  
> nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
>  
> nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
> } 
> 
> -- and here is an example LDIF to remove the last record listed above -
> 
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task: CLEANRUV97

That doesn't look right. It should look like:

dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
replica-base-dn: dc=companyz,dc=com
replica-id: 97
cn: clean 97

Be careful which RUV you remove. You only want to remove those that are
no longer active.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
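The task entry Rob describes, wrapped in a small POSIX sh helper as an added example (this is not code from the thread or from FreeIPA): it unfolds ldapsearch output, lists which replica IDs the o=ipaca RUV still carries, flags the IDs whose host is not among the servers still in service (Rob's "only remove those that are no longer active"), and emits the CLEANALLRUV task LDIF. The hostnames, the suffix and the port are taken from the thread; the function names and the trimmed sample output are constructed here. One check worth making before applying the task: replica IDs are scoped to a replicated suffix, and the IDs in the tombstone Kim posted come from the o=ipaca suffix on the CA directory instance (the one queried on port 7389), so the task's replica-base-dn has to name the suffix whose RUV actually carries the ID, and the LDIF has to be sent to that instance, or the task has nothing to clean.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: inspect the RUV
# of the o=ipaca suffix, decide which replica IDs are stale, and produce the
# CLEANALLRUV task LDIF. Hostnames, suffix and port come from the thread;
# the function names and the sample output below are constructed here.

# Unfold LDIF (a line starting with one space continues the previous value),
# then extract "<replica id> <host>" from every nsds50ruv element.
ruv_replica_ids() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | sed -n 's/^nsds50ruv: {replica \([0-9][0-9]*\) ldap:\/\/\([^:}]*\):[0-9]*}.*/\1 \2/p'
}

# Read "<id> <host>" pairs on stdin; the arguments are the hostnames still in
# service. Print only the IDs whose host is not among them, i.e. the RUV
# elements that are safe to clean.
stale_replica_ids() {
    active=" $* "
    while read -r rid host; do
        case "$active" in
            *" $host "*) ;;               # live server: leave its RUV alone
            *) printf '%s\n' "$rid" ;;
        esac
    done
}

# Emit the CLEANALLRUV task entry for one replica ID within one replicated
# suffix (same entry layout as the one Rob posted).
cleanallruv_ldif() {
    rid=$1; suffix=$2
    printf 'dn: cn=clean %s,cn=cleanallruv,cn=tasks,cn=config\n' "$rid"
    printf 'changetype: add\nobjectclass: top\nobjectclass: extensibleObject\n'
    printf 'replica-base-dn: %s\nreplica-id: %s\ncn: clean %s\n' "$suffix" "$rid" "$rid"
}

# Constructed sample: a trimmed copy of the o=ipaca tombstone from the thread,
# folded the way ldapsearch folds long values.
SAMPLE_RUV='dn: nsuniqueid=PLACEHOLDER,o=ipaca
objectClass: nsTombstone
nsds50ruv: {replicageneration} 5317a4490060
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500
 60 550878b90060
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500
 061 5317a48a00010061
o: ipaca'

# Demo: noc1-prd is the only CA host left, so only replica 97 is stale.
printf '%s\n' "$SAMPLE_RUV" | ruv_replica_ids \
    | stale_replica_ids noc1-prd.companyz.com \
    | while read -r rid; do cleanallruv_ldif "$rid" o=ipaca; echo; done

# Against a real server you "run" the LDIF by piping it into ldapmodify,
# bound as Directory Manager to the CA directory instance (port 7389 here):
#   cleanallruv_ldif 97 o=ipaca | \
#       ldapmodify -x -D "cn=directory manager" -W -h noc1-prd -p 7389
# and then re-read the task entry to watch it finish:
#   ldapsearch -xLLL -D "cn=directory manager" -W -h noc1-prd -p 7389 \
#       -b "cn=clean 97,cn=cleanallruv,cn=tasks,cn=config" nsTaskStatus nsTaskLog
```

Run the script as-is to see the task LDIF for the constructed sample; to use it on the real tombstone, replace the sample with the output of the second ldapsearch from Kim's post and pass every CA host that is still running to stale_replica_ids, so that a live server's RUV element is never cleaned by accident.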

[Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
Hello all,

For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
environment. We've had 2 masters since the start. Several replicas
have had problems that required me to remove them. I’ve removed them
all (except the very last one) by running ‘ipa-server-install
--uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
replica I tried to remove failed on both commands. On further
inspection I see all the previous replicas have orphaned entries in
the ldap db. How do I remove all the entries? (I’ve listed the
entries below). Is this process safe (in what is currently a single
ipa server environment)? Note, I’ve seen one of the necessary
LDIFs that can be ‘run’ to remove the entries -- I just don’t
understand how to run an ldif.

Relevant entries -

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
sub -b cn=config objectclass=nsds5replica
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=companyz,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN:
krbprincipalname=ldap/noc2prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN:
krbprincipalname=ldap/util1prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN:
krbprincipalname=ldap/noc3prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN:
krbprincipalname=ldap/noc4prd.companyz@companyz.com,cn=services,cn=accounts,dc=companyz,dc=com
nsState:: BABlZwhVDgAFAA==
nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
nsds5ReplicaChangeCount: 682699
nsds5replicareapactive: 0

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
o=ipaca  
'(&(nsuniqueid=---)(objectclass=nstombstone))'
-p 7389 -h noc1-prd
Enter LDAP Password:
dn: nsuniqueid=---,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5317a4490060
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a45500
60 550878b90060
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce01800
47 531ce06900030047
nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde800
4c 53f65954004c
nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf21600
51 531bf26500010051
nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a322200
56 531a325600040056
nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf00
5b 53194992005b
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a4500
061 5317a48a00010061
o: ipaca
nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
 550878ab
nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
 
nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
 
nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
 
nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
 
nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
 
nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
} 

-- and here is an example LDIF to remove the last record listed above -

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV97

How do I ‘run’ this ldif?


Thanks,
Kim Perrin
