On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin <[email protected]> wrote:
> Thanks for the reply Rob.
>
> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden <[email protected]> wrote:
>> Kim Perrin wrote:
>>> Hello all,
>>>
>>> For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
>>> environment. We've had 2 masters since the start. Several replicas
>>> have had problems that required me to remove them. I’ve removed them
>>> all (except the very last one) by running ‘ipa-server-install
>>> --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
>>> replica I tried to remove failed on both commands. On further
>>> inspection I see all the previous replicas have orphaned entries in
>>> the ldap db. How do I remove all the entries? (I’ve listed the
>>> entries below). Is this process safe (in what is currently a single
>>> ipa server environment)? Note, I’ve seen one of the necessary
>>> LDIFs that can be ‘run’ to remove the entries -- I just don’t
>>> understand how to run an ldif.
>>
>> You're skipping the step of ipa-replica-manage del <master-to-remove>?
>> That should do most of this cleanup for you.
> I did run 'ipa-replica-manage del <master-to-remove>' for all these as well.
>
>
>>
>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>> lacks the RUV commands.
>>
>> rob
>>
>>> Relevant entries -
>>>
>>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
>>> sub -b cn=config objectclass=nsds5replica
>>> Enter LDAP Password:
>>> dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
>>> cn: replica
>>> nsDS5Flags: 1
>>> objectClass: top
>>> objectClass: nsds5replica
>>> objectClass: extensibleobject
>>> nsDS5ReplicaType: 3
>>> nsDS5ReplicaRoot: dc=companyz,dc=com
>>> nsds5ReplicaLegacyConsumer: off
>>> nsDS5ReplicaId: 4
>>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>>> nsDS5ReplicaBindDN:
>>> krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=companyz,dc=com
>>> nsState:: BAAAAAAAAABlZwhVAAAAAAAAAAAAAAAADgAAAAAAAAAFAAAAAAAAAA==
>>> nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
>>> nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
>>> nsds5ReplicaChangeCount: 682699
>>> nsds5replicareapactive: 0
>>>
>>> kperrin@noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
>>> o=ipaca
>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>> -p 7389 -h noc1-prd
>>> Enter LDAP Password:
>>> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
>>> objectClass: top
>>> objectClass: nsTombstone
>>> objectClass: extensibleobject
>>> nsds50ruv: {replicageneration} 5317a449000000600000
>>> nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
>>> 600000 550878b9000000600000
>>> nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
>>> 470000 531ce069000300470000
>>> nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde8000000
>>> 4c0000 53f659500004004c0000
>>> nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf216000000
>>> 510000 531bf265000100510000
>>> nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a3222000000
>>> 560000 531a3256000400560000
>>> nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf000000
>>> 5b0000 531949920000005b0000
>>> nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
>>> 0610000 5317a48a000100610000
>>> o: ipaca
>>> nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
>>> 550878ab
>>> nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
>>> 00000000
>>> nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
>>> 00000000
>>> nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
>>> 00000000
>>> nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
>>> 00000000
>>> nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
>>> 00000000
>>> nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
>>> } 00000000
>>>
>>> -- and here is an example LDIF to remove the last record listed above -
>>>
>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>> changetype: modify
>>> replace: nsds5task
>>> nsds5task: CLEANRUV97
>>
>> That doesn't look right. It should look like:
>>
>> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
>> changetype: add
>> objectclass: top
>> objectclass: extensibleObject
>> replica-base-dn: dc=companyz,dc=com
>> replica-id: 97
>> cn: clean 97
>>
>> Be careful which RUV you remove. You only want to remove those that are
>> no longer active.
> Thanks for the additional spec on the LDIF, though I still don't
> understand how to run this. Is there somewhere you can point me to
> with example commands to run such LDIFs?

I figured out how to enter the ldif changes.

> -Kim
>>
>> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
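The two open questions in the thread are which RUV elements are safe to clean and how an LDIF like Rob's is actually applied. The following POSIX shell helper is an added example, not code from the thread, from FreeIPA or from 389-ds. It reads ldapsearch output such as the o=ipaca tombstone above, unfolds LDIF continuation lines (the wrapped `nsds50ruv:` values), lists the replica IDs present in the RUV, separates out the IDs that are not in a list of still-live replica IDs, and generates a CLEANALLRUV task entry in the shape Rob gave, ready to be piped into ldapmodify. The sample RUV is constructed from two of the lines in the thread; the host `noc1-prd.companyz.com:7389` and the bind DN in the commented commands are assumed from the thread. Two caveats a practitioner would want: `replica-base-dn` must name the suffix whose RUV is being cleaned (here `o=ipaca` on the CA directory instance on port 7389, `dc=companyz,dc=com` on the main instance), and the list of live IDs should be read from each surviving server's own `nsDS5ReplicaId` (the first ldapsearch in the thread), not inferred from hostnames, because a host that was re-installed as a replica leaves its older IDs behind, which is what the three noc2-prd entries above look like.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or 389-ds): list the replica
# IDs held in an RUV tombstone, find the stale ones, and emit a CLEANALLRUV
# task LDIF for ldapmodify.

# Constructed sample: two RUV elements from the thread, folded the way
# ldapsearch -LLL wraps long values (a continuation line starts with one
# space).
SAMPLE_RUV='dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
objectClass: top
objectClass: nsTombstone
nsds50ruv: {replicageneration} 5317a449000000600000
nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
 600000 550878b9000000600000
nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
 0610000 5317a48a000100610000
o: ipaca'

# Read LDIF on stdin, unfold continuation lines, and print "ID host:port"
# for every {replica N ldap://host:port} element of nsds50ruv. The
# {replicageneration} element carries no replica ID and is skipped.
ruv_replicas() {
    awk '
        function emit(line,  f) {
            if (line ~ /^nsds50ruv: [{]replica [0-9]+ ldap:\/\//) {
                sub(/^nsds50ruv: [{]replica /, "", line)
                split(line, f, /[ }]/)      # f[1]=ID, f[2]=ldap://host:port
                sub(/^ldap:\/\//, "", f[2])
                print f[1], f[2]
            }
        }
        /^ / { buf = buf substr($0, 2); next }   # fold continuation line
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
    '
}

# Print the RUV replica IDs that are NOT in the whitespace-separated list of
# live IDs given as $1. Collect the live IDs from each surviving server's
# own nsDS5ReplicaId; a hostname alone is not enough, since a re-installed
# replica leaves older IDs behind under the same name.
stale_replica_ids() {
    active=" $1 "
    ruv_replicas | while read -r id host; do
        case "$active" in
            *" $id "*) ;;            # still live: never clean this one
            *) echo "$id" ;;
        esac
    done
}

# Emit a CLEANALLRUV task entry for replica ID $1 on suffix $2, in the form
# Rob gave (cn=clean <ID>,cn=cleanallruv,cn=tasks,cn=config).
cleanallruv_ldif() {
    rid=$1
    suffix=$2
    printf 'dn: cn=clean %s,cn=cleanallruv,cn=tasks,cn=config\n' "$rid"
    printf 'changetype: add\n'
    printf 'objectclass: top\n'
    printf 'objectclass: extensibleObject\n'
    printf 'replica-base-dn: %s\n' "$suffix"
    printf 'replica-id: %s\n' "$rid"
    printf 'cn: clean %s\n' "$rid"
}

# Demonstration on the constructed sample: all IDs, then the stale ones if
# only replica 96 is still live, then the task LDIF for one stale ID.
printf '%s\n' "$SAMPLE_RUV" | ruv_replicas
printf '%s\n' "$SAMPLE_RUV" | stale_replica_ids "96"
cleanallruv_ldif 97 o=ipaca

# Applying it (not run here; host and bind DN assumed from the thread). The
# task goes to the instance that holds the suffix, i.e. the CA directory
# instance on 7389 for o=ipaca:
#   cleanallruv_ldif 97 o=ipaca | ldapmodify -x -H ldap://noc1-prd.companyz.com:7389 \
#       -D "cn=directory manager" -W
# Progress and errors are written to the task entry:
#   ldapsearch -x -H ldap://noc1-prd.companyz.com:7389 -D "cn=directory manager" -W \
#       -b "cn=clean 97,cn=cleanallruv,cn=tasks,cn=config" nstasklog
```

Feed the real `ldapsearch -xLLL ... -b o=ipaca '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'` output into `stale_replica_ids` instead of the sample, one suffix at a time, and run one task per stale ID; the task entry disappears from `cn=tasks,cn=config` once it completes. When the server holding a stale ID is already gone, 389-ds also accepts `replica-force-cleaning: yes` on the task entry so the task does not wait for that replica to acknowledge the clean.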
