[Freeipa-users] Cleanly removing replication agreement
Dominik Korittki
d.korittki at mittwald.de
Thu Oct 8 15:47:12 UTC 2015
Hello folks,

I have two FreeIPA 3.3 machines running on CentOS7: ipa01.internal and
ipa02.internal. Both have a CA installed.

Initially ipa02 is a replication from ipa01. Recently ipa01 had some
trouble while ipa02 was running fine (see "FreeIPA 3.3 performance
issues with many hosts" on this mailing list).

So what I did was to uninstall ipa01 via "ipa-server-install
--uninstall" and recreated ipa01 as a replica of ipa02 via
"ipa-replica-install --setup-ca". Since then I was having trouble with
replication. It seems there is still some RUV information about
the old ipa01 in the database.

Well, long story short: I want to completely delete ipa02 from the
replication agreement on host ipa01 to be able to re-add ipa02 later.
Currently the situation on ipa01 is as follows:

root@ipa01:~ > ipa-replica-manage list
Directory Manager password:
ipa01.internal: master
ipa02.internal: master

root@ipa01:~ > ipa-replica-manage list-ruv
Directory Manager password:
ipa01.internal:389: 6
ipa02.internal:389: 5

root@ipa01:~ > ipa-csreplica-manage list
Directory Manager password:
ipa01.internal: master
ipa02.internal: master

root@ipa01:~ > ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" 'objectClass=nsDS5ReplicationAgreement' nsds50ruv -LLL
Enter LDAP Password:
dn: cn=cloneAgreement1-ipa01.internal-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=ma
 pping tree,cn=config
nsds50ruv: {replicageneration} 54748540000000600000
nsds50ruv: {replica 97 ldap://ipa02.internal:389} 54748548000000610000 56139e1
 8000200610000
nsds50ruv: {replica 1095 ldap://ipa01.internal:389} 56139e17000004470000 56139
 e1e000204470000
nsds50ruv: {replica 96 ldap://ipa01.internal:389}

I'm a bit worried about the ldapsearch command. There is an nsds50ruv
attribute with value 1035. It appeared after I re-added ipa01 into the
replication agreement. Do I need to get rid of it and if yes, how?

Another question is: ipa02 is not responsible anymore, so the
CLEANALLRUV task started on ipa01 by "ipa-replica-manage del ..." would
not be able to connect to ipa02. According to the 389ds documentation it
would stay active a long time trying to connect to the other host. Is
it safe to abort the task via "ipa-replica-manage abort-clean-ruv ..."
after a while?

Thanks in advance!

Kind regards,
Dominik