[Freeipa-users] ipa replica failure
Andrew E. Bruno
aebruno2 at buffalo.edu
Wed Jul 1 21:34:24 UTC 2015
On Thu, Jun 25, 2015 at 05:40:23PM -0400, Andrew E. Bruno wrote:
> On Mon, Jun 22, 2015 at 12:49:01PM -0400, Rob Crittenden wrote:
> > >>
> > >>You aren't seeing a replication agreement. You're seeing the Replication
> > >>Update Vector (RUV).
> > >>
> > >>See http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html
> > >>
> > >>You need to do something like:
> > >>
> > >># ldapmodify -D "cn=directory manager" -W -a
> > >>dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
> > >>objectclass: extensibleObject
> > >>replica-base-dn: o=ipaca
> > >>replica-id: 97
> > >>cn: clean 97
> > >>
> > >
> > >Great, thanks for the clarification.
> > >
> > >Curious what's the difference between running the ldapmodify above and
> > >ipa-replica-manage clean-ruv?
> > >
> >
> > Nothing, for the IPA data. This is a remanant from a CA replication
> > agreement and it was an oversight not to add similar RUV management options
> > to the ipa-careplica-manage tool.
> >
>
> I'm still seeing some inconsistencies. Forgive me if I'm mis-interpreting any
> of this output (still learning the ropes with FreeIPA here)..
>
> Just trying to wrap my head around the RUVs. Trying to follow the docs here:
> http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html
>
> And after running the ldapsearch command to check for "obsolete masters"
> I'm not seeing the replica ID for the old replica we deleted (rep2):
>
>
> $ ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replica
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> objectClass: nsds5replica
> objectClass: top
> objectClass: extensibleobject
> nsDS5ReplicaType: 3
> nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
> nsds5ReplicaLegacyConsumer: off
> nsDS5ReplicaId: 4
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFA
> LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep3 at CCR.BUFFA
> LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsState:: BAAAAAAAAABIa4xVAAAAAAAAAAAAAAAAJAAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: a0957886-df9c11e4-a351aa45-2e06257b
> nsds5ReplicaChangeCount: 1687559
> nsds5replicareapactive: 0
>
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsDS5Replica
> objectClass: extensibleobject
> nsDS5ReplicaRoot: o=ipaca
> nsDS5ReplicaType: 3
> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-rep2
> falo.edu-pki-tomcat,ou=csusers,cn=config
> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-rep3
> falo.edu-pki-tomcat,ou=csusers,cn=config
> cn: replica
> nsDS5ReplicaId: 96
> nsDS5Flags: 1
> nsState:: YAAAAAAAAAAPa4xVAAAAAAkAAAAAAAAACgAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: c458be8e-df9c11e4-a351aa45-2e06257b
> nsds5ReplicaChangeCount: 9480
> nsds5replicareapactive: 0
>
>
> I see:
>
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config)
> nsds5replicaid: 4
>
> and
>
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nsDS5ReplicaId: 96
>
>
> In the above output I only see the old replica showing up under:
>
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFA...
>
> According to the docs I need the nsds5replicaid for use in the CLEANALLRUV
> task?
>
> I also checked the RUV tombstone entry as per the docs:
>
> # ldapsearch -xLLL -D "cn=directory manager" -W -b dc=ccr,dc=buffalo,dc=edu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> objectClass: nsds5replica
> objectClass: top
> objectClass: extensibleobject
> nsDS5ReplicaType: 3
> nsDS5ReplicaRoot: dc=ccr,dc=buffalo,dc=edu
> nsds5ReplicaLegacyConsumer: off
> nsDS5ReplicaId: 4
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep2 at CCR.BUFFA
> LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsDS5ReplicaBindDN: krbprincipalname=ldap/rep3 at CCR.BUFFA
> LO.EDU,cn=services,cn=accounts,dc=ccr,dc=buffalo,dc=edu
> nsState:: BAAAAAAAAADycYxVAAAAAAAAAAAAAAAAJAAAAAAAAAABAAAAAAAAAA==
> nsDS5ReplicaName: a0957886-df9c11e4-a351aa45-2e06257b
> nsds50ruv: {replicageneration} 5527f711000000040000
> nsds50ruv: {replica 4 ldap://rep1:389} 5527f771000000040
> 000 558c7228000200040000
> nsds50ruv: {replica 5 ldap://rep3:389} 5537c773000000050
> 000 5582c7f6000600050000
> nsds5agmtmaxcsn: dc=ccr,dc=buffalo,dc=edu;meTorep3;rep3;389;5;558c572b000a00040000
> nsruvReplicaLastModified: {replica 4 ldap://rep1:389} 55
> 8c7204
> nsruvReplicaLastModified: {replica 5 ldap://rep3:389} 00
> 000000
> nsds5ReplicaChangeCount: 1689129
> nsds5replicareapactive: 0
>
> And only see nsds50ruv attributes for rep1, and rep3. However, still seeing
> rep2 in the nsDS5ReplicaBindDN.
>
> If I'm parsing this output correct, it appears RUVs for rep2 is already
> cleaned? If so, how come the nsDS5ReplicaBindDN still exist?
>
> Also, why is there a nsds50ruv attribute for rep2 listed when I run this query
> (but not the others above):
>
>
> $ ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" objectClass=nsDS5ReplicationAgreement
>
> dn: cn=masterAgreement1-rep3-pki-tomcat,cn=replica,cn=o\
> 3Dipaca,cn=mapping tree,cn=config
>
> nsds50ruv: {replica 97 ldap://rep2:389} 5527f76000000061
> 0000 556f462b000400610000
>
>
>
> I'm likely missing something here..any help is greatly appreciated.
>
Just wanted to follow up ..
I was able to successfully remove the RUV for rep2. I had the wrong base
dn in my ldapsearch.
I verified the nsds50ruv ID by running this command:
$ ldapsearch -xLLL -D "cn=directory manager" -W -b o=ipaca
'(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
Then ran the cleanallruv command (thanks Rob):
# ldapmodify -D "cn=directory manager" -W -a
dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 97
cn: clean 97
That worked and cleaned the RUV. All seems well now.
Thanks again for all the help.
--Andrew
More information about the Freeipa-users
mailing list