[Freeipa-devel] Replication Topology plugin issues

Oleg Fayans ofayans at redhat.com
Mon May 25 13:56:39 UTC 2015


Hi,

Playing around with the replication topology plugin, I've noticed a
couple of issues:
1. Around 50% of attempts to set up a replica of a FreeIPA master with
the topology plugin enabled (domain level set to 1.0) end up with the
following error message in stdout:

  [error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No such
object

I am not sure whether the reason is in the Topology Plugin itself or in
some of the latest changes in upstream, though.

2. Whenever this happens, the master retains the information about the new
topology segment, even though the replica setup was unsuccessful. IMHO,
we should have a way to notify the master about replica setup
failures/aborts so that the master would automatically erase the
corresponding freshly-created segments in such cases.

3. After this happens, the user is unable to delete the replication agreement
in the standard `ipa-replica-manage del` way:
$ ipa-replica-manage del replica1.pesen.net --force
Connection to 'replica1.pesen.net' failed: [Errno -2] Name or service
not known
Forcing removal of replica1.pesen.net
Skipping calculation to determine if one or more masters would be orphaned.
Deleting replication agreements between replica1.pesen.net and
newmaster.pesen.net
Failed to get list of agreements from 'replica1.pesen.net': [Errno -2]
Name or service not known
Forcing removal on 'newmaster.pesen.net'
Any DNA range on 'replica1.pesen.net' will be lost
There were issues removing a connection for replica1.pesen.net from
newmaster.pesen.net: Server is unwilling to perform: Entry is managed by
topology plugin.Deletion not allowed.
Failed to cleanup replica1.pesen.net entries: Not allowed on non-leaf entry
You may need to manually remove them from the tree
Failed to cleanup replica1.pesen.net DNS entries: no matching entry found
You may need to manually remove them from the tree

IIRC, from one of the early discussions with Ludwig, this is yet to be
implemented.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
