Re: [Freeipa-users] Manual Cleanup
On 03/17/2017 12:25 AM, Standa Laznicka wrote:
> Hello Ian,
>
> You could do:
> `ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`
>

I have done this, it warns me that I should be careful, I say yes, and it returns almost immediately. The master still shows up.

[root@freeipa-sea ianh]# ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup
Cleaning a master is irreversible.
This should not normally be require, so use cautiously.
Continue to clean master? [no]: yes

> Then you may need to check again for the master with `ipa-replica-manage
> list`. If it's not there anymore, check whether some RUVs are still in
> place with `ipa-replica-manage list-ruv`.
>
> The last command should get you RUVs on both CA and domain suffixes if
> you're using FreeIPA >= 4.3.2 (hope I got the .z number right). If you
> see that there's some RUVs left for the wrong host, try calling
> `ipa-replica-manage clean-ruv ` which should remove the RUV (no
> matter the suffix - CA or domain - just give it the number and it should
> work given FreeIPA >= 4.3.2 is used).
>

There aren't any dangling RUVs that I can see, but the 'master' record is still there.

[root@freeipa-sea ianh]# ipa-replica-manage list
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
freeipa-sea.bpt.rocks: master
[root@freeipa-sea ianh]# ipa-replica-manage list freeipa-sea.bpt.rocks
seattlenfs.bpt.rocks: replica
[root@freeipa-sea ianh]# ipa-replica-manage list seattlenfs.bpt.rocks
freeipa-sea.bpt.rocks: replica
[root@freeipa-sea ianh]# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
	freeipa-sea.bpt.rocks:389: 20
	seattlenfs.bpt.rocks:389: 21
Certificate Server Replica Update Vectors:
	freeipa-sea.bpt.rocks:389: 1065
	seattlenfs.bpt.rocks:389: 1290

Thanks for your help, but I think I need some ldapdelete magic. Does this mean anything to you?

I manually removed every reference to freeipa-dal from dse.ldif and started the directory server. I still see this:

[root@freeipa-sea ianh]# ldapsearch -D "cn=directory manager" -W -b cn=config | grep freeipa-dal
Enter LDAP Password:
nsslapd-referral: ldap://freeipa-dal.bpt.rocks:389/o%3Dipaca

I have to think it is stored somewhere else when the server is offline, in a database file, and gets inserted into the DSE at startup?

I found a mess of references to freeipa-dal in this section. Is there a way to make it go away?

[root@freeipa-sea ianh]# ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks' | grep freeipa-dal
Enter LDAP Password:
# freeipa-dal.bpt.rocks + f0b9918f-6a5011e6-a4bad0d8-a4feaa1b, masters, ipa, et
dn: cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn
cn: freeipa-dal.bpt.rocks
# CA + 5148cf38-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-6a
dn: cn=CA+nsuniqueid=5148cf38-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.ro
# KDC + 5148cf40-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-6
dn: cn=KDC+nsuniqueid=5148cf40-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.r
# KPASSWD + 5148cf41-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b991
dn: cn=KPASSWD+nsuniqueid=5148cf41-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.b
# MEMCACHE + 5148cf42-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b99
dn: cn=MEMCACHE+nsuniqueid=5148cf42-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.
# HTTP + 5148cf45-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-
dn: cn=HTTP+nsuniqueid=5148cf45-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.
# OTPD + 5148cf46-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-
dn: cn=OTPD+nsuniqueid=5148cf46-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.
# DNS + 9cfb790e-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-6
dn: cn=DNS+nsuniqueid=9cfb790e-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.r
# DNSKeySync + 9cfb791b-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b
[root@freeipa-sea ianh]#

> HTH,
> Standa
>
> On 03/16/2017 07:14 PM, Ian Harding wrote:
>> I've made some progress. But I have one zombie replication agreement to
>> kill, I just don't know the syntax.
>>
>> freeipa-dal.bpt.rocks does not exist. I want all references to it to go
>> away.
>>
>> How would I do that with ldapmodify?
>>
>> Thanks!
>>
>>
>> [root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch -D "cn=directory
>> manager" -w ... -b "o=ipaca"
>> "(&(objectclass=nstombstone)(nsUniqueId=---))"
>> nscpentrywsi
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter:
>> (&(objectclass=nstombstone)(nsUniqueId=---))
>>
>> # requesting: nscpentrywsi
>> #
>>
>> # replica, o\3Dipaca, mapping tree, config
>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> nscpentrywsi: cn: replica
>> nscpentrywsi: createTimestamp: 20160814234939Z
>> n
Re: [Freeipa-users] Manual Cleanup
On 03/16/2017 07:14 PM, Ian Harding wrote:
> I've made some progress. But I have one zombie replication agreement to
> kill, I just don't know the syntax.

The output listed below is not a replication agreement. But there is a reference to the RUV.

> freeipa-dal.bpt.rocks does not exist. I want all references to it to go
> away.
>
> How would I do that with ldapmodify?

I wouldn't delete the entry below, because cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config is a container for CA replication agreements and it should stay there. Btw, there should also be one for "domain" replication agreements.

But in general, you could use the ldapdelete command.

If you want to investigate pure ldap data, then information about IPA masters is also stored in cn=masters,cn=ipa,cn=etc,dc=example,dc=test. This is the place where ipa server-find gets its info.

> Thanks!
>
> [root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch -D "cn=directory manager" -w ... -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=---))" nscpentrywsi
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (&(objectclass=nstombstone)(nsUniqueId=---))
> # requesting: nscpentrywsi
> #
>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: cn: replica
> nscpentrywsi: createTimestamp: 20160814234939Z
> nscpentrywsi: creatorsName: cn=directory manager
> nscpentrywsi: modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=c
>  onfig
> nscpentrywsi: modifyTimestamp: 20170316181544Z
> nscpentrywsi: nsDS5Flags: 1
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-freei
>  pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-free
>  ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-seat
>  tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaId: 1065
> nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
> nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
> nscpentrywsi: nsDS5ReplicaType: 3
> nscpentrywsi: nsState:: KQQAAABO1spYKg==
> nscpentrywsi: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,
>  cn=etc,dc=bpt,dc=rocks
> nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
> nscpentrywsi: objectClass: top
> nscpentrywsi: objectClass: nsDS5Replica
> nscpentrywsi: objectClass: extensibleobject
> nscpentrywsi: numSubordinates: 2
> nscpentrywsi: nsds50ruv: {replicageneration} 57c291d90429
> nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389} 57f84
>  0bf0429 58cad6670429
> nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
> nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
> nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsruvReplicaLastModified: {replica 1065 ldap://freeipa-sea.bpt.r
>  ocks:389} 58cad63d
> nscpentrywsi: nsruvReplicaLastModified: {replica 1290 ldap://seattlenfs.bpt.ro
>  cks:389}
> nscpentrywsi: nsruvReplicaLastModified: {replica 1295 ldap://freeipa-dal.bpt.r
>  ocks:389}
> nscpentrywsi: nsds5ReplicaChangeCount: 15993
> nscpentrywsi: nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del freeipa-dal.bpt.rocks --force
> Directory Manager password:
> 'freeipa-sea.bpt.rocks' has no replication agreement for 'freeipa-dal.bpt.rocks'
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: master
> freeipa-sea.bpt.rocks: master
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list freeipa-sea.bpt.rocks
> seattlenfs.bpt.rocks: replica
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
> Directory Manager password:
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: CA not configured
> freeipa-sea.bpt.rocks: master

--
Petr Vobornik
Associate Manager, Engineering, Identity Management
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
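The RUV elements and agreement bind DNs that Petr points at can be pulled out of the same `ldapsearch ... nscpentrywsi` dump mechanically rather than by eye. The script below is an added example for this thread, not code from the thread or from FreeIPA: it unfolds the LDIF continuation lines (the reason `57f84` and `0bf0429` appear split in the mail), collects every `nsds50ruv` element and `nsDS5ReplicaBindDN` value, and reports those that name a host not in the set of servers still considered live. The sample LDIF is constructed from the values quoted in the thread, and the live host set is an assumption; the replica ID it reports is the number that `ipa-replica-manage clean-ruv` takes.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a folded LDIF fragment modelled on the nscpentrywsi dump
# quoted in this thread. Continuation lines begin with a single space.
SAMPLE_LDIF = """\
dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-freei
 pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-free
 ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-seat
 tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaId: 1065
nscpentrywsi: nsds50ruv: {replicageneration} 57c291d90429
nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389} 57f84
 0bf0429 58cad6670429
nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
nscpentrywsi: nsruvReplicaLastModified: {replica 1295 ldap://freeipa-dal.bpt.r
 ocks:389}
"""

# Assumption: the servers that still exist, i.e. `ipa-replica-manage list`
# minus the decommissioned host.
LIVE_HOSTS = {"freeipa-sea.bpt.rocks", "seattlenfs.bpt.rocks"}

WRAPPER = "nscpentrywsi: "
RUV_RE = re.compile(r"\{replica (\d+) ldap://([^:}]+):(\d+)\}")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_values(text: str, attr: str) -> List[str]:
    """All values of `attr` (case-insensitive), with any 'nscpentrywsi: ' wrapper removed."""
    prefix = attr.lower() + ":"
    values: List[str] = []
    for line in unfold_ldif(text):
        if line.startswith(WRAPPER):
            line = line[len(WRAPPER):]
        if line.lower().startswith(prefix):
            values.append(line[len(prefix):].strip())
    return values


def parse_ruv(text: str) -> Dict[int, str]:
    """Map replica ID -> host for every {replica N ldap://host:port} RUV element."""
    ruv: Dict[int, str] = {}
    for value in attribute_values(text, "nsds50ruv"):
        m = RUV_RE.search(value)
        if m:  # the {replicageneration} element carries no replica ID and is skipped
            ruv[int(m.group(1))] = m.group(2)
    return ruv


def stale_references(text: str, live_hosts: Set[str]) -> Tuple[Dict[int, str], List[str]]:
    """RUV elements and agreement bind DNs that name a host outside live_hosts."""
    stale_ruv = {rid: host for rid, host in parse_ruv(text).items()
                 if host not in live_hosts}
    stale_dns = [dn for dn in attribute_values(text, "nsDS5ReplicaBindDN")
                 if not any(host in dn for host in live_hosts)]
    return stale_ruv, stale_dns


if __name__ == "__main__":
    ruv, dns = stale_references(SAMPLE_LDIF, LIVE_HOSTS)
    for rid, host in ruv.items():
        print(f"stale RUV element: replica {rid} ({host}); "
              f"candidate for: ipa-replica-manage clean-ruv {rid}")
    for dn in dns:
        print(f"stale agreement bind DN: {dn}")
```

On a real server, replace `SAMPLE_LDIF` with the output of the `ldapsearch` command from the thread (run it for both `o=ipaca` and the domain suffix, since each has its own `cn=replica` entry) and `LIVE_HOSTS` with the servers that still exist. A bind DN that is flagged here belongs to the `ou=csusers,cn=config` account left behind for the dead CA agreement, which is the kind of entry Petr suggests removing with `ldapdelete` once you are sure nothing live references it.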
Re: [Freeipa-users] Manual Cleanup
Hello Ian,

You could do:
`ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`

Then you may need to check again for the master with `ipa-replica-manage list`. If it's not there anymore, check whether some RUVs are still in place with `ipa-replica-manage list-ruv`.

The last command should get you RUVs on both CA and domain suffixes if you're using FreeIPA >= 4.3.2 (hope I got the .z number right). If you see that there's some RUVs left for the wrong host, try calling `ipa-replica-manage clean-ruv ` which should remove the RUV (no matter the suffix - CA or domain - just give it the number and it should work given FreeIPA >= 4.3.2 is used).

HTH,
Standa

On 03/16/2017 07:14 PM, Ian Harding wrote:
> I've made some progress. But I have one zombie replication agreement to
> kill, I just don't know the syntax.
>
> freeipa-dal.bpt.rocks does not exist. I want all references to it to go
> away.
>
> How would I do that with ldapmodify?
>
> Thanks!
>
> [root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch -D "cn=directory manager" -w ... -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=---))" nscpentrywsi
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (&(objectclass=nstombstone)(nsUniqueId=---))
> # requesting: nscpentrywsi
> #
>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: cn: replica
> nscpentrywsi: createTimestamp: 20160814234939Z
> nscpentrywsi: creatorsName: cn=directory manager
> nscpentrywsi: modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=c
>  onfig
> nscpentrywsi: modifyTimestamp: 20170316181544Z
> nscpentrywsi: nsDS5Flags: 1
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-freei
>  pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-free
>  ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-seat
>  tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaId: 1065
> nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
> nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
> nscpentrywsi: nsDS5ReplicaType: 3
> nscpentrywsi: nsState:: KQQAAABO1spYKg==
> nscpentrywsi: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,
>  cn=etc,dc=bpt,dc=rocks
> nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
> nscpentrywsi: objectClass: top
> nscpentrywsi: objectClass: nsDS5Replica
> nscpentrywsi: objectClass: extensibleobject
> nscpentrywsi: numSubordinates: 2
> nscpentrywsi: nsds50ruv: {replicageneration} 57c291d90429
> nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389} 57f84
>  0bf0429 58cad6670429
> nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
> nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
> nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsruvReplicaLastModified: {replica 1065 ldap://freeipa-sea.bpt.r
>  ocks:389} 58cad63d
> nscpentrywsi: nsruvReplicaLastModified: {replica 1290 ldap://seattlenfs.bpt.ro
>  cks:389}
> nscpentrywsi: nsruvReplicaLastModified: {replica 1295 ldap://freeipa-dal.bpt.r
>  ocks:389}
> nscpentrywsi: nsds5ReplicaChangeCount: 15993
> nscpentrywsi: nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del freeipa-dal.bpt.rocks --force
> Directory Manager password:
> 'freeipa-sea.bpt.rocks' has no replication agreement for 'freeipa-dal.bpt.rocks'
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: master
> freeipa-sea.bpt.rocks: master
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list freeipa-sea.bpt.rocks
> seattlenfs.bpt.rocks: replica
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
> Directory Manager password:
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: CA not configured
> freeipa-sea.bpt.rocks: master
[Freeipa-users] Manual Cleanup
I've made some progress. But I have one zombie replication agreement to kill, I just don't know the syntax.

freeipa-dal.bpt.rocks does not exist. I want all references to it to go away.

How would I do that with ldapmodify?

Thanks!

[root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch -D "cn=directory manager" -w ... -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=---))" nscpentrywsi
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectclass=nstombstone)(nsUniqueId=---))
# requesting: nscpentrywsi
#

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: cn: replica
nscpentrywsi: createTimestamp: 20160814234939Z
nscpentrywsi: creatorsName: cn=directory manager
nscpentrywsi: modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=c
 onfig
nscpentrywsi: modifyTimestamp: 20170316181544Z
nscpentrywsi: nsDS5Flags: 1
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-freei
 pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-free
 ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-seat
 tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaId: 1065
nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
nscpentrywsi: nsDS5ReplicaType: 3
nscpentrywsi: nsState:: KQQAAABO1spYKg==
nscpentrywsi: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,
 cn=etc,dc=bpt,dc=rocks
nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
nscpentrywsi: objectClass: top
nscpentrywsi: objectClass: nsDS5Replica
nscpentrywsi: objectClass: extensibleobject
nscpentrywsi: numSubordinates: 2
nscpentrywsi: nsds50ruv: {replicageneration} 57c291d90429
nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389} 57f84
 0bf0429 58cad6670429
nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
 ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
nscpentrywsi: nsds5agmtmaxcsn: o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
 ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
nscpentrywsi: nsruvReplicaLastModified: {replica 1065 ldap://freeipa-sea.bpt.r
 ocks:389} 58cad63d
nscpentrywsi: nsruvReplicaLastModified: {replica 1290 ldap://seattlenfs.bpt.ro
 cks:389}
nscpentrywsi: nsruvReplicaLastModified: {replica 1295 ldap://freeipa-dal.bpt.r
 ocks:389}
nscpentrywsi: nsds5ReplicaChangeCount: 15993
nscpentrywsi: nsds5replicareapactive: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del freeipa-dal.bpt.rocks --force
Directory Manager password:
'freeipa-sea.bpt.rocks' has no replication agreement for 'freeipa-dal.bpt.rocks'
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
freeipa-sea.bpt.rocks: master
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list freeipa-sea.bpt.rocks
seattlenfs.bpt.rocks: replica
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
Directory Manager password:
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: CA not configured
freeipa-sea.bpt.rocks: master