[Freeipa-users] Can't remove all replica records from ldap

Dmitri Pal dpal at redhat.com
Tue Mar 17 22:49:59 UTC 2015


On 03/17/2015 06:27 PM, Kim Perrin wrote:
> On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin <kperrin at doctorondemand.com> wrote:
>> On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin <kperrin at doctorondemand.com> wrote:
>>> Thanks for the reply Rob.
>>>
>>> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> Kim Perrin wrote:
>>>>> Hello all,
>>>>>
>>>>> For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42)
>>>>> environment. We've had 2 masters since the start. Several replicas
>>>>> have had problems that required me to remove them. I’ve removed them
>>>>> all (except the very last one) by running ‘ipa-server-install
>>>>> --uninstall’ and then ‘ipa-replica-manage clean-ruv’. The latest
>>>>> replica I tried to remove failed on both commands. On further
>>>>> inspection I see all the previous replicas have orphaned entries in
>>>>> the ldap db. How do I remove all the entries? (I’ve listed the
>>>>> entries below.) Is this process safe (in what is currently a single
>>>>> ipa server environment)? Note, I’ve seen one of the necessary
>>>>> LDIFs that can be ‘run’ to remove the entries -- I just don’t
>>>>> understand how to run an ldif.
>>>> You're skipping the step of ipa-replica-manage del <master-to-remove>?
>>>> That should do most of this cleanup for you.
>>> I did run 'ipa-replica-manage del <master-to-remove>' for all these as well.
>>>
>>>
>>>> For the CA you use ipa-csreplica-manage. Unfortunately that utility
>>>> lacks the RUV commands.
> On using the 'ipa-csreplica-manage' command to remove the CAs, the
> del option failed with
> "Unable to delete replica noc3-prd.companyz.com: Can't contact LDAP server"
> and failed with the same response for a couple of other listed servers as well.


Yes, you would have to clean it manually.


>>>> rob
>>>>
>>>>> Relevant entries -
>>>>>
>>>>> kperrin at noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -s
>>>>> sub -b cn=config objectclass=nsds5replica
>>>>> Enter LDAP Password:
>>>>> dn: cn=replica,cn=dc\3Dcompanyz\2Cdc\3Dcom,cn=mapping tree,cn=config
>>>>> cn: replica
>>>>> nsDS5Flags: 1
>>>>> objectClass: top
>>>>> objectClass: nsds5replica
>>>>> objectClass: extensibleobject
>>>>> nsDS5ReplicaType: 3
>>>>> nsDS5ReplicaRoot: dc=companyz,dc=com
>>>>> nsds5ReplicaLegacyConsumer: off
>>>>> nsDS5ReplicaId: 4
>>>>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>>>>> nsDS5ReplicaBindDN:
>>>>> krbprincipalname=ldap/noc2prd.companyz.com at COMPANYZ.COM,cn=services,cn=accounts,dc=companyz,dc=com
>>>>> nsDS5ReplicaBindDN:
>>>>> krbprincipalname=ldap/util1prd.companyz.com at COMPANYZ.COM,cn=services,cn=accounts,dc=companyz,dc=com
>>>>> nsDS5ReplicaBindDN:
>>>>> krbprincipalname=ldap/noc3prd.companyz.com at COMPANYZ.COM,cn=services,cn=accounts,dc=companyz,dc=com
>>>>> nsDS5ReplicaBindDN:
>>>>> krbprincipalname=ldap/noc4prd.companyz.com at COMPANYZ.COM,cn=services,cn=accounts,dc=companyz,dc=com
>>>>> nsState:: BAAAAAAAAABlZwhVAAAAAAAAAAAAAAAADgAAAAAAAAAFAAAAAAAAAA==
>>>>> nsDS5ReplicaName: 2767660e-9e5611e2-b7b6a070-c35ad5d3
>>>>> nsds5ReplicaAbortCleanRUV: 14:dc=companyz,dc=com
>>>>> nsds5ReplicaChangeCount: 682699
>>>>> nsds5replicareapactive: 0
>>>>>
>>>>> kperrin at noc1-prd:~# ldapsearch -xLLL -D "cn=directory manager" -W -b
>>>>> o=ipaca  '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>>>> -p 7389 -h noc1-prd
>>>>> Enter LDAP Password:
>>>>> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
>>>>> objectClass: top
>>>>> objectClass: nsTombstone
>>>>> objectClass: extensibleobject
>>>>> nsds50ruv: {replicageneration} 5317a449000000600000
>>>>> nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000
>>>>> 600000 550878b9000000600000
>>>>> nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000
>>>>> 470000 531ce069000300470000
>>>>> nsds50ruv: {replica 76 ldap://noc4-prd.companyz.com:7389} 531cdde8000000
>>>>> 4c0000 53f659500004004c0000
>>>>> nsds50ruv: {replica 81 ldap://noc2-prd.companyz.com:7389} 531bf216000000
>>>>> 510000 531bf265000100510000
>>>>> nsds50ruv: {replica 86 ldap://noc3-prd.companyz.com:7389} 531a3222000000
>>>>> 560000 531a3256000400560000
>>>>> nsds50ruv: {replica 91 ldap://noc2-prd.companyz.com:7389} 5317f7cf000000
>>>>> 5b0000 531949920000005b0000
>>>>> nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a45000000
>>>>> 0610000 5317a48a000100610000
>>>>> o: ipaca
>>>>> nsruvReplicaLastModified: {replica 96 ldap://noc1-prd.companyz.com:7389}
>>>>>   550878ab
>>>>> nsruvReplicaLastModified: {replica 71 ldap://noc2-prd.companyz.com:7389}
>>>>>   00000000
>>>>> nsruvReplicaLastModified: {replica 76 ldap://noc4-prd.companyz.com:7389}
>>>>>   00000000
>>>>> nsruvReplicaLastModified: {replica 81 ldap://noc2-prd.companyz.com:7389}
>>>>>   00000000
>>>>> nsruvReplicaLastModified: {replica 86 ldap://noc3-prd.companyz.com:7389}
>>>>>   00000000
>>>>> nsruvReplicaLastModified: {replica 91 ldap://noc2-prd.companyz.com:7389}
>>>>>   00000000
>>>>> nsruvReplicaLastModified: {replica 97 ldap://util1-prd.companyz.com:7389
>>>>> } 00000000
>>>>>
>>>>> -- and here is an example LDIF to remove the last record listed above -
>>>>>
>>>>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>>>>> changetype: modify
>>>>> replace: nsds5task
>>>>> nsds5task: CLEANRUV97
>>>> That doesn't look right. It should look like:
>>>>
>>>> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
>>>> changetype: add
>>>> objectclass: top
>>>> objectclass: extensibleObject
>>>> replica-base-dn: dc=companyz,dc=com
>>>> replica-id: 97
>>>> cn: clean 97
>>>>
>>>> Be careful which RUV you remove. You only want to remove those that are
>>>> no longer active.
>>> Thanks for the additional spec on the LDIF, though I still don't
>>> understand how to run this. Is there somewhere you can point me to
>>> with example commands to run such LDIFs?
>> I figured out how to enter the ldif changes.
>>
>>> -Kim
>>>> rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
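Added example, not code from the thread or from the FreeIPA project: a Python helper that unfolds the ldapsearch output quoted above, lists the replica IDs in the RUV whose host is not among the masters you know to be active, and renders the cleanallruv task entry in the form Rob gave. The hostnames, IDs and CSNs in the sample are constructed after the thread's output; the set of active masters is an assumption you must supply, and replica-base-dn must be the suffix whose RUV you are cleaning (o=ipaca for the CA tree, which in this thread lives in the separate instance on port 7389).

```python
import re

# Constructed sample modelled on the o=ipaca tombstone in the thread; the
# continuation lines (leading space) are LDIF folding as ldapsearch emits it.
SAMPLE_RUV = (
    "dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca\n"
    "nsds50ruv: {replicageneration} 5317a449000000600000\n"
    "nsds50ruv: {replica 96 ldap://noc1-prd.companyz.com:7389} 5317a455000000\n"
    " 600000 550878b9000000600000\n"
    "nsds50ruv: {replica 71 ldap://noc2-prd.companyz.com:7389} 531ce018000000\n"
    " 470000 531ce069000300470000\n"
    "nsds50ruv: {replica 97 ldap://util1-prd.companyz.com:7389} 5317a450000000\n"
    " 610000 5317a48a000100610000\n"
)

RUV_RE = re.compile(r"^nsds50ruv:\s*\{replica (\d+) ldap://([^:/}]+)(?::\d+)?\}")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the line above."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ruv(text):
    """Return [(replica_id, hostname), ...] from the nsds50ruv attribute lines."""
    entries = []
    for line in unfold_ldif(text):
        m = RUV_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def stale_replicas(ruv_entries, active_hosts):
    """RUV elements whose host is not an active master; these are the only
    candidates for CLEANALLRUV. The local server's own ID must stay active."""
    active = {h.lower() for h in active_hosts}
    return sorted((rid, host) for rid, host in ruv_entries if host.lower() not in active)


def cleanallruv_ldif(replica_id, base_dn):
    """Render the cleanallruv task entry in the form given in the thread."""
    return "\n".join([
        f"dn: cn=clean {replica_id},cn=cleanallruv,cn=tasks,cn=config",
        "changetype: add", "objectclass: top", "objectclass: extensibleObject",
        f"replica-base-dn: {base_dn}", f"replica-id: {replica_id}",
        f"cn: clean {replica_id}", "",
    ])


if __name__ == "__main__":
    # Assumption: only noc1-prd is still a live master in this example.
    for rid, host in stale_replicas(parse_ruv(SAMPLE_RUV), ["noc1-prd.companyz.com"]):
        print(f"# stale RUV element {rid} ({host})\n{cleanallruv_ldif(rid, 'o=ipaca')}")
```

Feed the generated entries to ldapmodify against the instance that owns the suffix, one replica at a time, and check the RUV again afterwards before touching the next ID.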
