Hello Ian,
You could do:
`ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`
Then you may need to check again for the master with `ipa-replica-manage
list`. If it's not there anymore, check whether some RUVs are still in
place with `ipa-replica-manage list-ruv`.
The last command should get you RUVs on both CA and domain suffixes if
you're using FreeIPA >= 4.3.2 (hope I got the .z number right). If you
see that there's some RUVs left for the wrong host, try calling
`ipa-replica-manage clean-ruv <RUV-ID>` which should remove the RUV (no
matter the suffix - CA or domain - just give it the number and it should
work given FreeIPA >= 4.3.2 is used).
HTH,
Standa
On 03/16/2017 07:14 PM, Ian Harding wrote:
I've made some progress. But I have one zombie replication agreement to
kill, I just don't know the syntax.
freeipa-dal.bpt.rocks does not exist. I want all references to it to go
away.
How would I do that with ldapmodify?
Thanks!
[root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch -D "cn=directory
manager" -w ... -b "o=ipaca"
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
nscpentrywsi
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter:
(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))
# requesting: nscpentrywsi
#
# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: cn: replica
nscpentrywsi: createTimestamp: 20160814234939Z
nscpentrywsi: creatorsName: cn=directory manager
nscpentrywsi: modifiersName: cn=Multimaster Replication
Plugin,cn=plugins,cn=c
onfig
nscpentrywsi: modifyTimestamp: 20170316181544Z
nscpentrywsi: nsDS5Flags: 1
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
cloneAgreement1-freei
pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-free
ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-seat
tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
nscpentrywsi: nsDS5ReplicaId: 1065
nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
nscpentrywsi: nsDS5ReplicaType: 3
nscpentrywsi: nsState::
KQQAAAAAAABO1spYAAAAAAAAAAAAAAAAKgAAAAAAAAAAAAAAAAAAAA
==
nscpentrywsi: nsds5replicabinddngroup: cn=replication
managers,cn=sysaccounts,
cn=etc,dc=bpt,dc=rocks
nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
nscpentrywsi: objectClass: top
nscpentrywsi: objectClass: nsDS5Replica
nscpentrywsi: objectClass: extensibleobject
nscpentrywsi: numSubordinates: 2
nscpentrywsi: nsds50ruv: {replicageneration} 57c291d9000004290000
nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389}
57f84
0bf000004290000 58cad667000004290000
nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
nscpentrywsi: nsds5agmtmaxcsn:
o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
nscpentrywsi: nsds5agmtmaxcsn:
o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
nscpentrywsi: nsruvReplicaLastModified: {replica 1065
ldap://freeipa-sea.bpt.r
ocks:389} 58cad63d
nscpentrywsi: nsruvReplicaLastModified: {replica 1290
ldap://seattlenfs.bpt.ro
cks:389} 00000000
nscpentrywsi: nsruvReplicaLastModified: {replica 1295
ldap://freeipa-dal.bpt.r
ocks:389} 00000000
nscpentrywsi: nsds5ReplicaChangeCount: 15993
nscpentrywsi: nsds5replicareapactive: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del
freeipa-dal.bpt.rocks --forceDirectory Manager password:
'freeipa-sea.bpt.rocks' has no replication agreement for
'freeipa-dal.bpt.rocks'
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
freeipa-sea.bpt.rocks: master
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
freeipa-sea.bpt.rocks
seattlenfs.bpt.rocks: replica
[root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
Directory Manager password:
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: CA not configured
freeipa-sea.bpt.rocks: master
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
