Hello all,

For nearly 2 years I’ve been running a FreeIPA 3 (currently 3.0.0-42) environment. We've had 2 masters since the start. Several replicas have had problems that required me to remove them. I’ve removed them all (except the very last one) by running ‘ipa-server-install --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest replica I tried to remove failed on both commands. On further inspection I see all the previous replicas have orphaned entries in the LDAP db.

How do I remove all the entries? (I’ve listed the entries below.) Is this process safe (in what is currently a single IPA server environment)? Note, I’ve seen one of the necessary LDIFs that can be ‘run’ to remove the entries -- I just don’t understand how to run an LDIF.
Relevant entries -

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replica
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=companyz,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN: krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN: krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
nsDS5ReplicaBindDN: krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
nsState:: BAAAAAAAAABlZwhVAAAAAAAAAAAAAAAADgAAAAAAAAAFAAAAAAAAAA==
nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
nsds5ReplicaChangeCount: 682699
nsds5replicareapactive: 0

kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b o=ipaca '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' -p 7389 -h noc1-prd
Enter LDAP Password:
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5317a449000000600000
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
 600000 550878b9000000600000
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
 470000 531ce069000300470000
nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde8000000
 4c0000 53f659500004004c0000
nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf216000000
 510000 531bf265000100510000
nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a3222000000
 560000 531a3256000400560000
nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf000000
 5b0000 531949920000005b0000
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
 0610000 5317a48a000100610000
o: ipaca
nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389} 550878ab
nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389} 00000000
nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389} 00000000
nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389} 00000000
nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389} 00000000
nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389} 00000000
nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
 } 00000000

-- and here is an example LDIF to remove the last record listed above -

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV97

How do I ‘run’ this LDIF?

Thanks,
Kim Perrin
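An added example, not part of the original post or of FreeIPA: it parses nsds50ruv values like those in the o=ipaca tombstone above, including the folded lines ldapsearch emits, and writes one CLEANRUV change record per replica ID whose host is not in a list of servers still in service. The sample lines are copied from the post; the function names and the live-host list (noc1-prd only, per the post's "single ipa server environment") are assumptions.

```python
import re

# Sample input: three nsds50ruv values copied from the post, with LDIF folding.
SAMPLE = """\
nsds50ruv: {replicageneration} 5317a449000000600000
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
 600000 550878b9000000600000
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
 470000 531ce069000300470000
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
 0610000 5317a48a000100610000
"""

REPLICA_DN = r"cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config"  # DN from the post
RUV_RE = re.compile(
    r"^nsds50ruv: \{replica (\d+) ldap://([^:}\s]+)[^}]*\}\s*(\S*)\s*(\S*)", re.I)

def unfold(ldif_text):
    """Join LDIF continuation lines (one leading space) onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ruv(ldif_text):
    """Return (replica_id, host, min_csn, max_csn); skips {replicageneration}."""
    found = []
    for line in unfold(ldif_text):
        m = RUV_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return found

def stale_replica_ids(ldif_text, live_hosts):
    """IDs whose host is not in live_hosts (assumed: the operator's own list)."""
    live = {h.lower() for h in live_hosts}
    return sorted(rid for rid, host, _, _ in parse_ruv(ldif_text) if host not in live)

def cleanruv_ldif(replica_ids, dn=REPLICA_DN):
    """One modify record per ID, in the form of the LDIF shown in the post."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: nsds5task\nnsds5task: CLEANRUV{rid}\n"
        for rid in replica_ids)

if __name__ == "__main__":
    print(cleanruv_ldif(stale_replica_ids(SAMPLE, ["noc1-prd.companyz.com"])))
```

The output is a set of LDIF change records, which is the input format ldapmodify reads from a file given with -f or from standard input.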
