Re: [Freeipa-users] Manual Cleanup

2017-03-18 Thread Ian Harding


On 03/17/2017 12:25 AM, Standa Laznicka wrote:
> Hello Ian,
> 
> You could do:
> `ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`
> 

I have done this; it warns me that I should be careful, I say yes, and
it returns almost immediately.  The master still shows up:

[root@freeipa-sea ianh]# ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup
Cleaning a master is irreversible.
This should not normally be require, so use cautiously.
Continue to clean master? [no]: yes


> Then you may need to check again for the master with `ipa-replica-manage
> list`. If it's not there anymore, check whether some RUVs are still in
> place with `ipa-replica-manage list-ruv`.
> 
> The last command should get you RUVs on both CA and domain suffixes if
> you're using FreeIPA >= 4.3.2 (hope I got the .z number right). If you
> see that there's some RUVs left for the wrong host, try calling
> `ipa-replica-manage clean-ruv ` which should remove the RUV (no
> matter the suffix - CA or domain - just give it the number and it should
> work given FreeIPA >= 4.3.2 is used).
> 

There aren't any dangling RUVs that I can see, but the 'master' record is
still there.

[root@freeipa-sea ianh]# ipa-replica-manage list
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
freeipa-sea.bpt.rocks: master

[root@freeipa-sea ianh]# ipa-replica-manage list freeipa-sea.bpt.rocks
seattlenfs.bpt.rocks: replica
[root@freeipa-sea ianh]# ipa-replica-manage list seattlenfs.bpt.rocks
freeipa-sea.bpt.rocks: replica

[root@freeipa-sea ianh]# ipa-replica-manage list-ruv
Directory Manager password:

Replica Update Vectors:
freeipa-sea.bpt.rocks:389: 20
seattlenfs.bpt.rocks:389: 21
Certificate Server Replica Update Vectors:
freeipa-sea.bpt.rocks:389: 1065
seattlenfs.bpt.rocks:389: 1290


Thanks for your help, but I think I need some ldapdelete magic.  Does
this mean anything to you?

I manually removed every reference to freeipa-dal from dse.ldif and
started the directory server.

I still see this:

[root@freeipa-sea ianh]# ldapsearch -D "cn=directory manager" -W -b cn=config | grep freeipa-dal
Enter LDAP Password:
nsslapd-referral: ldap://freeipa-dal.bpt.rocks:389/o%3Dipaca

I have to think it is stored somewhere else when the server is offline
in a database file and gets inserted into the DSE at startup?

I found a mess of references to freeipa-dal in this section.  Is there a
way to make it go away?

[root@freeipa-sea ianh]# ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks' | grep freeipa-dal
Enter LDAP Password:
# freeipa-dal.bpt.rocks + f0b9918f-6a5011e6-a4bad0d8-a4feaa1b, masters, ipa, et
dn: cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn
cn: freeipa-dal.bpt.rocks
# CA + 5148cf38-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-6a
dn: cn=CA+nsuniqueid=5148cf38-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.ro
# KDC + 5148cf40-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-6
dn: cn=KDC+nsuniqueid=5148cf40-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.r
# KPASSWD + 5148cf41-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b991
dn: cn=KPASSWD+nsuniqueid=5148cf41-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.b
# MEMCACHE + 5148cf42-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b99
dn: cn=MEMCACHE+nsuniqueid=5148cf42-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.
# HTTP + 5148cf45-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-
dn: cn=HTTP+nsuniqueid=5148cf45-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.
# OTPD + 5148cf46-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-
dn: cn=OTPD+nsuniqueid=5148cf46-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.
# DNS + 9cfb790e-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b9918f-6
dn: cn=DNS+nsuniqueid=9cfb790e-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.r
# DNSKeySync + 9cfb791b-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks + f0b
[root@freeipa-sea ianh]#




> HTH,
> Standa
> 
> On 03/16/2017 07:14 PM, Ian Harding wrote:
>> I've made some progress.  But I have one zombie replication agreement to
>> kill, I just don't know the syntax.
>>
>> freeipa-dal.bpt.rocks does not exist.  I want all references to it to go
>> away.
>>
>> How would I do that with ldapmodify?
>>
>> Thanks!
>>
>>
>> [root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch  -D "cn=directory
>> manager" -w ... -b "o=ipaca"
>> "(&(objectclass=nstombstone)(nsUniqueId=---))"
>>
>> nscpentrywsi
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter:
>> (&(objectclass=nstombstone)(nsUniqueId=---))
>>
>> # requesting: nscpentrywsi
>> #
>>
>> # replica, o\3Dipaca, mapping tree, config
>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> nscpentrywsi: cn: replica
>> nscpentrywsi: createTimestamp: 20160814234939Z
>> n
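The `grep freeipa-dal` runs in the message above show DNs cut off at `,cn` and `f0b` because ldapsearch folds and truncates long lines, and grep only returns the lines that contain the hostname. As an added example (not from the thread, FreeIPA or 389-ds), the script below unfolds saved ldapsearch output, lists every attribute that still names a decommissioned master (cn=masters children, replication bind DNs, nsslapd-referral) and extracts from nsds50ruv the replica IDs that `ipa-replica-manage clean-ruv` takes; the LDIF sample is constructed to mirror the output quoted in this thread.

```python
import re
# Constructed sample modelled on the thread's ldapsearch output, not real data.
SAMPLE_LDIF = r"""
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-free
 ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389} 57f84
 0bf0429 58cad6670429
nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}

dn: cn=o\3Dipaca,cn=mapping tree,cn=config
nsslapd-referral: ldap://freeipa-dal.bpt.rocks:389/o%3Dipaca

dn: cn=CA,cn=freeipa-dal.bpt.rocks,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
"""

def parse_ldif(text):
    """Entries as lists of (attribute, value) with RFC 2849 folding undone:
    a leading space continues the previous value, which a plain grep misses."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            attr, value = current[-1]
            current[-1] = (attr, value + raw[1:])
        elif raw == "":
            if current:
                entries.append(current)
            current = []
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            if attr.lower() == "nscpentrywsi":  # 389-ds wraps the real attribute
                attr, _, value = value.lstrip().partition(":")
            current.append((attr, value.lstrip(": ")))  # also eats base64 '::'
    return entries

def references_to(entries, host):
    """Every (dn, attribute, value) still naming host; the DN itself counts."""
    host = host.lower()
    return [(dict(e).get("dn", ""), a, v) for e in entries for a, v in e
            if host in v.lower()]

RUV_RE = re.compile(r"\{replica (\d+) ldap://([^:/}]+)(?::\d+)?\}")

def ruv_ids_for_host(entries, host):
    """Replica IDs whose RUV element points at host: clean-ruv's argument."""
    matches = (RUV_RE.search(v) for e in entries
               for a, v in e if a.lower() == "nsds50ruv")
    return sorted({int(m.group(1)) for m in matches
                   if m and m.group(2).lower() == host.lower()})

if __name__ == "__main__":  # demo run over the constructed sample
    found = parse_ldif(SAMPLE_LDIF)
    for dn, attr, value in references_to(found, "freeipa-dal.bpt.rocks"):
        print(f"{dn}\n    {attr}: {value}")
    print("RUV IDs to clean:", ruv_ids_for_host(found, "freeipa-dal.bpt.rocks"))
```

In practice, feed `parse_ldif` the output of an unfiltered ldapsearch saved to a file (no grep), so folded continuation lines are still present to be rejoined.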

Re: [Freeipa-users] Manual Cleanup

2017-03-17 Thread Petr Vobornik

On 03/16/2017 07:14 PM, Ian Harding wrote:

> I've made some progress.  But I have one zombie replication agreement to
> kill, I just don't know the syntax.


The output listed below is not a replication agreement. But there is a
reference to a RUV.




> freeipa-dal.bpt.rocks does not exist.  I want all references to it to go
> away.
>
> How would I do that with ldapmodify?


I wouldn't delete the entry below because
cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config is a container for CA
replication agreements and it should stay there. Btw, there should also
be one for "domain" replication agreements.


But in general, you could use the ldapdelete command.

If you want to investigate pure LDAP data, then information about IPA
masters is also stored in cn=masters,cn=ipa,cn=etc,dc=example,dc=test.
This is the place where ipa server-find gets its info.




> Thanks!
>
> [root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch  -D "cn=directory
> manager" -w ... -b "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=---))"
> nscpentrywsi
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter:
> (&(objectclass=nstombstone)(nsUniqueId=---))
> # requesting: nscpentrywsi
> #
>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: cn: replica
> nscpentrywsi: createTimestamp: 20160814234939Z
> nscpentrywsi: creatorsName: cn=directory manager
> nscpentrywsi: modifiersName: cn=Multimaster Replication
> Plugin,cn=plugins,cn=c
>  onfig
> nscpentrywsi: modifyTimestamp: 20170316181544Z
> nscpentrywsi: nsDS5Flags: 1
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> cloneAgreement1-freei
>  pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> masterAgreement1-free
>  ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> masterAgreement1-seat
>  tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaId: 1065
> nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
> nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
> nscpentrywsi: nsDS5ReplicaType: 3
> nscpentrywsi: nsState::
> KQQAAABO1spYKg
>  ==
> nscpentrywsi: nsds5replicabinddngroup: cn=replication
> managers,cn=sysaccounts,
>  cn=etc,dc=bpt,dc=rocks
> nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
> nscpentrywsi: objectClass: top
> nscpentrywsi: objectClass: nsDS5Replica
> nscpentrywsi: objectClass: extensibleobject
> nscpentrywsi: numSubordinates: 2
> nscpentrywsi: nsds50ruv: {replicageneration} 57c291d90429
> nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389}
> 57f84
>  0bf0429 58cad6670429
> nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
> nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
> nscpentrywsi: nsds5agmtmaxcsn:
> o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsds5agmtmaxcsn:
> o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsruvReplicaLastModified: {replica 1065
> ldap://freeipa-sea.bpt.r
>  ocks:389} 58cad63d
> nscpentrywsi: nsruvReplicaLastModified: {replica 1290
> ldap://seattlenfs.bpt.ro
>  cks:389} 
> nscpentrywsi: nsruvReplicaLastModified: {replica 1295
> ldap://freeipa-dal.bpt.r
>  ocks:389} 
> nscpentrywsi: nsds5ReplicaChangeCount: 15993
> nscpentrywsi: nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del
> freeipa-dal.bpt.rocks --force
> Directory Manager password:
>
> 'freeipa-sea.bpt.rocks' has no replication agreement for
> 'freeipa-dal.bpt.rocks'
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: master
> freeipa-sea.bpt.rocks: master
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> freeipa-sea.bpt.rocks
> seattlenfs.bpt.rocks: replica
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
> Directory Manager password:
>
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: CA not configured
> freeipa-sea.bpt.rocks: master




--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Manual Cleanup

2017-03-17 Thread Standa Laznicka

Hello Ian,

You could do:
`ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`

Then you may need to check again for the master with `ipa-replica-manage 
list`. If it's not there anymore, check whether some RUVs are still in 
place with `ipa-replica-manage list-ruv`.


The last command should get you RUVs on both CA and domain suffixes if 
you're using FreeIPA >= 4.3.2 (hope I got the .z number right). If you 
see that there's some RUVs left for the wrong host, try calling 
`ipa-replica-manage clean-ruv ` which should remove the RUV (no 
matter the suffix - CA or domain - just give it the number and it should 
work given FreeIPA >= 4.3.2 is used).


HTH,
Standa

On 03/16/2017 07:14 PM, Ian Harding wrote:

> I've made some progress.  But I have one zombie replication agreement to
> kill, I just don't know the syntax.
>
> freeipa-dal.bpt.rocks does not exist.  I want all references to it to go
> away.
>
> How would I do that with ldapmodify?
>
> Thanks!




[Freeipa-users] Manual Cleanup

2017-03-16 Thread Ian Harding
I've made some progress.  But I have one zombie replication agreement to
kill, I just don't know the syntax.

freeipa-dal.bpt.rocks does not exist.  I want all references to it to go
away.

How would I do that with ldapmodify?

Thanks!


[root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch  -D "cn=directory
manager" -w ... -b "o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=---))"
nscpentrywsi
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter:
(&(objectclass=nstombstone)(nsUniqueId=---))
# requesting: nscpentrywsi
#

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: cn: replica
nscpentrywsi: createTimestamp: 20160814234939Z
nscpentrywsi: creatorsName: cn=directory manager
nscpentrywsi: modifiersName: cn=Multimaster Replication
Plugin,cn=plugins,cn=c
 onfig
nscpentrywsi: modifyTimestamp: 20170316181544Z
nscpentrywsi: nsDS5Flags: 1
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
cloneAgreement1-freei
 pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-free
 ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-seat
 tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaId: 1065
nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
nscpentrywsi: nsDS5ReplicaType: 3
nscpentrywsi: nsState::
KQQAAABO1spYKg
 ==
nscpentrywsi: nsds5replicabinddngroup: cn=replication
managers,cn=sysaccounts,
 cn=etc,dc=bpt,dc=rocks
nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
nscpentrywsi: objectClass: top
nscpentrywsi: objectClass: nsDS5Replica
nscpentrywsi: objectClass: extensibleobject
nscpentrywsi: numSubordinates: 2
nscpentrywsi: nsds50ruv: {replicageneration} 57c291d90429
nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389}
57f84
 0bf0429 58cad6670429
nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
nscpentrywsi: nsds5agmtmaxcsn:
o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
 ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
nscpentrywsi: nsds5agmtmaxcsn:
o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
 ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
nscpentrywsi: nsruvReplicaLastModified: {replica 1065
ldap://freeipa-sea.bpt.r
 ocks:389} 58cad63d
nscpentrywsi: nsruvReplicaLastModified: {replica 1290
ldap://seattlenfs.bpt.ro
 cks:389} 
nscpentrywsi: nsruvReplicaLastModified: {replica 1295
ldap://freeipa-dal.bpt.r
 ocks:389} 
nscpentrywsi: nsds5ReplicaChangeCount: 15993
nscpentrywsi: nsds5replicareapactive: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del
freeipa-dal.bpt.rocks --force
Directory Manager password:

'freeipa-sea.bpt.rocks' has no replication agreement for
'freeipa-dal.bpt.rocks'
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
freeipa-sea.bpt.rocks: master
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
freeipa-sea.bpt.rocks
seattlenfs.bpt.rocks: replica
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
Directory Manager password:

seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: CA not configured
freeipa-sea.bpt.rocks: master
