Thanks for the reply Rob.

On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden <[email protected]> wrote:
> Kim Perrin wrote:
>> Hello all,
>>
>> For nearly 2 years I've been running a FreeIPA 3 (currently 3.0.0-42)
>> environment. We've had 2 masters since the start. Several replicas
>> have had problems that required me to remove them. I've removed them
>> all (except the very last one) by running 'ipa-server-install
>> --uninstall' and then 'ipa-replica-manage clean-ruv'. The latest
>> replica I tried to remove failed on both commands. On further
>> inspection I see all the previous replicas have orphaned entries in
>> the ldap db. How do I remove all the entries? (I've listed the
>> entries below). Is this process safe (in what is currently a single
>> ipa server environment)? Note, I've seen one of the necessary
>> LDIFs that can be 'run' to remove the entries -- I just don't
>> understand how to run an ldif.
>
> You're skipping the step of ipa-replica-manage del <master-to-remove>?
> That should do most of this cleanup for you.

I did run 'ipa-replica-manage del <master-to-remove>' for all these as well.

> For the CA you use ipa-csreplica-manage. Unfortunately that utility
> lacks the RUV commands.
>
> rob
>
>> Relevant entries -
>>
>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
>> sub -b cn=config objectclass=nsds5replica
>> Enter LDAP Password:
>> dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
>> cn: replica
>> nsDS5Flags: 1
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleobject
>> nsDS5ReplicaType: 3
>> nsDS5ReplicaRoot: dc=companyz,dc=com
>> nsds5ReplicaLegacyConsumer: off
>> nsDS5ReplicaId: 4
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>> nsDS5ReplicaBindDN:
>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>> nsState:: BAAAAAAAAABlZwhVAAAAAAAAAAAAAAAADgAAAAAAAAAFAAAAAAAAAA==
>> nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
>> nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
>> nsds5ReplicaChangeCount: 682699
>> nsds5replicareapactive: 0
>>
>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
>> o=ipaca
>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>> -p 7389 -h noc1-prd
>> Enter LDAP Password:
>> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
>> objectClass: top
>> objectClass: nsTombstone
>> objectClass: extensibleobject
>> nsds50ruv: {replicageneration} 5317a449000000600000
>> nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
>> 600000 550878b9000000600000
>> nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
>> 470000 531ce069000300470000
>> nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde8000000
>> 4c0000 53f659500004004c0000
>> nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf216000000
>> 510000 531bf265000100510000
>> nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a3222000000
>> 560000 531a3256000400560000
>> nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf000000
>> 5b0000 531949920000005b0000
>> nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
>> 0610000 5317a48a000100610000
>> o: ipaca
>> nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
>> 550878ab
>> nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
>> 00000000
>> nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
>> 00000000
>> nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
>> 00000000
>> nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
>> 00000000
>> nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
>> 00000000
>> nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
>> } 00000000
>>
>> -- and here is an example LDIF to remove the last record listed above -
>>
>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5task
>> nsds5task: CLEANRUV97
>
> That doesn't look right. It should look like:
>
> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> replica-base-dn: dc=companyz,dc=com
> replica-id: 97
> cn: clean 97
>
> Be careful which RUV you remove. You only want to remove those that are
> no longer active.

Thanks for the additional spec on the LDIF, though I still don't understand how to run this. Is there somewhere you can point me to with example commands to run such LDIFs?

-Kim

>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
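The open question in the thread is how an LDIF such as the CLEANALLRUV task entry is actually applied, and how to be sure it targets only replica ids that are no longer active. The following is an added example, not code from the thread, from FreeIPA or from 389-ds. It parses a constructed copy of the o=ipaca RUV tombstone shown above (trimmed to three replica ids), keeps only the ids that none of the surviving masters owns, and emits, for each, the task LDIF in the form Rob gave plus the ldapmodify command that applies it. The set of live replica ids ({96}), the target host and port, and the /tmp paths are assumptions for the illustration.

```python
import re
import shlex
from typing import Dict, List, Set

# Constructed sample, trimmed from the o=ipaca RUV tombstone quoted in the
# thread. Lines that begin with a space are LDIF continuation lines, the way
# ldapsearch wraps long values; the parser has to unfold them first.
SAMPLE_RUV_ENTRY = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5317a449000000600000
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
 600000 550878b9000000600000
nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
 470000 531ce069000300470000
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
 0610000 5317a48a000100610000
o: ipaca
nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
  550878ab
nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
  00000000
nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
 } 00000000
"""

# "{replica <id> <url>} <min csn> <max csn>"; the CSNs are absent for an
# element that never carried an update, hence the optional group.
RUV_RE = re.compile(r"\{replica (\d+) (\S+)\}(?:\s+(\S+)\s+(\S+))?")
LASTMOD_RE = re.compile(r"\{replica (\d+) (\S+)\}\s*(\S+)")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line they extend."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849: drop exactly one leading space
        else:
            lines.append(raw)
    return lines


def parse_ruv(entry_text: str) -> Dict[int, Dict[str, str]]:
    """Return {replica_id: {url, min_csn, max_csn, last_modified}} for one RUV entry."""
    replicas: Dict[int, Dict[str, str]] = {}
    for line in unfold_ldif(entry_text):
        attr, _, value = line.partition(":")
        attr, value = attr.lower(), value.strip()
        if attr == "nsds50ruv":
            m = RUV_RE.match(value)
            if not m:                     # the {replicageneration} element has no id
                continue
            rid = int(m.group(1))
            replicas.setdefault(rid, {}).update(
                url=m.group(2), min_csn=m.group(3) or "", max_csn=m.group(4) or "")
        elif attr == "nsruvreplicalastmodified":
            m = LASTMOD_RE.match(value)
            if m:
                replicas.setdefault(int(m.group(1)), {})["last_modified"] = m.group(3)
    return replicas


def stale_replica_ids(replicas: Dict[int, Dict[str, str]], live_ids: Set[int]) -> List[int]:
    """Replica ids in the RUV that no surviving master owns.

    live_ids should be read from each surviving master's own cn=replica entry
    for this suffix (nsDS5ReplicaId). A host that was reinstalled keeps its
    name but gets a new id, so filtering by hostname alone would leave its old
    ids behind (noc2-prd appears three times in the thread's RUV for that reason).
    """
    return sorted(rid for rid in replicas if rid not in live_ids)


def cleanallruv_ldif(replica_base_dn: str, rid: int) -> str:
    """LDIF that adds one CLEANALLRUV task, in the form given in the thread.

    replica-base-dn is the suffix whose RUV held the id: o=ipaca for ids seen
    in the CA tree, the domain suffix for ids seen under cn=dc\\3D...,cn=mapping tree.
    """
    return (
        f"dn: cn=clean {rid},cn=cleanallruv,cn=tasks,cn=config\n"
        "changetype: add\n"
        "objectclass: top\n"
        "objectclass: extensibleObject\n"
        f"replica-base-dn: {replica_base_dn}\n"
        f"replica-id: {rid}\n"
        f"cn: clean {rid}\n"
    )


def ldapmodify_command(host: str, port: int, ldif_path: str) -> List[str]:
    """argv that applies the LDIF as Directory Manager; -W prompts for the password."""
    return ["ldapmodify", "-x", "-D", "cn=directory manager", "-W",
            "-H", f"ldap://{host}:{port}", "-f", ldif_path]


if __name__ == "__main__":
    replicas = parse_ruv(SAMPLE_RUV_ENTRY)
    for rid in stale_replica_ids(replicas, live_ids={96}):      # 96 is the assumed live CA master
        info = replicas[rid]
        print(f"# replica {rid} at {info['url']}, last modified {info.get('last_modified')}")
        print(cleanallruv_ldif("o=ipaca", rid))
        print(shlex.join(ldapmodify_command("noc1-prd.companyz.com", 7389, f"/tmp/clean-{rid}.ldif")))
```

Running the block writes nothing to the directory: it prints one task LDIF and one ldapmodify command per stale id (71 and 97 in the sample) so the operator can save the LDIF to the named file and paste the command. With `changetype: add` in the file, ldapmodify needs no `-a`; the same `-x -D "cn=directory manager" -W -H ... -f file.ldif` invocation applies any of the LDIFs in the thread. Progress of a submitted task can be read back with `ldapsearch -s base -b "cn=clean 97,cn=cleanallruv,cn=tasks,cn=config"` against the same server.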
