[Freeipa-users] Cleanly removing replication agreement

Dominik Korittki d.korittki at mittwald.de
Thu Oct 8 15:47:12 UTC 2015


Hello folks,

I have two FreeIPA 3.3 machines running on CentOS 7: ipa01.internal and 
ipa02.internal. Both have a CA installed.
Initially ipa02 is a replica of ipa01. Recently ipa01 had some 
trouble while ipa02 was running fine (see "FreeIPA 3.3 performance 
issues with many hosts" on this mailing list).

So what I did was to uninstall ipa01 via "ipa-server-install 
--uninstall" and recreate ipa01 as a replica of ipa02 via 
"ipa-replica-install --setup-ca". Since then I have been having trouble with 
replication. It seems there is still some RUV information about 
the old ipa01 in the database.

Well long story short: I want to completely delete ipa02 from the 
replication agreement on host ipa01 to be able to re-add ipa02 later.

Currently the situation on ipa01 is as follows:

root at ipa01:~ > ipa-replica-manage list
Directory Manager password:

ipa01.internal: master
ipa02.internal: master

root at ipa01:~ > ipa-replica-manage list-ruv
Directory Manager password:

ipa01.internal:389: 6
ipa02.internal:389: 5

root at ipa01:~ > ipa-csreplica-manage list
Directory Manager password:

ipa01.internal: master
ipa02.internal: master

root at ipa01:~ > ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" 'objectClass=nsDS5ReplicationAgreement' nsds50ruv -LLL
Enter LDAP Password:
dn: cn=cloneAgreement1-ipa01.internal-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 54748540000000600000
nsds50ruv: {replica 97 ldap://ipa02.internal:389} 54748548000000610000 56139e18000200610000
nsds50ruv: {replica 1095 ldap://ipa01.internal:389} 56139e17000004470000 56139e1e000204470000
nsds50ruv: {replica 96 ldap://ipa01.internal:389}


I'm a bit worried about the ldapsearch command. There is a nsds50ruv 
attribute with value 1035. It appeared after I re-added ipa01 into the 
replication agreement. Do I need to get rid of it and, if yes, how?

Another question is: ipa02 is not responsive anymore, so the 
CLEANALLRUV task started on ipa01 by "ipa-replica-manage del ..." would 
not be able to connect to ipa02. According to the 389-ds documentation it 
would stay active a long time trying to connect to the other host. Is 
it safe to abort the task via "ipa-replica-manage abort-clean-ruv ..." 
after a while?

Thanks in advance!


Kind regards,
Dominik
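As an added illustration (editor's example, not part of the original post or of FreeIPA's own tooling), the script below parses nsds50ruv values of the kind shown in the ldapsearch output above and decodes the replica ID embedded in each CSN. The sample input is constructed from the shape of the post's output; the stale-detection heuristic (a host listed under more than one replica ID, or an element that never produced a CSN) is an assumption of this example, and it only reports candidates for review rather than running any cleanup.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: nsds50ruv values of a CA (o=ipaca) clone agreement,
# retyped in the shape of the ldapsearch -LLL output quoted in the post.
LDIF_SAMPLE = """\
dn: cn=cloneAgreement1-ipa01.internal-pki-tomcat,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 54748540000000600000
nsds50ruv: {replica 97 ldap://ipa02.internal:389} 54748548000000610000 56139e18000200610000
nsds50ruv: {replica 1095 ldap://ipa01.internal:389} 56139e17000004470000 56139e1e000204470000
nsds50ruv: {replica 96 ldap://ipa01.internal:389}
"""

# One RUV element: {replica <id> <url>} [<min CSN> <max CSN>]
# The CSN pair is optional; an element without it has never been updated.
RUV_RE = re.compile(r"\{replica (\d+) (ldap://[^}]+)\}(?:\s+([0-9a-f]+)\s+([0-9a-f]+))?")


def parse_nsds50ruv(ldif):
    """Return the RUV elements as dicts: rid, url, min/max CSN (None if absent)."""
    entries = []
    for line in ldif.splitlines():
        if not line.startswith("nsds50ruv:"):
            continue
        m = RUV_RE.search(line)
        if not m:
            continue  # the {replicageneration} value carries no replica id
        rid, url, mincsn, maxcsn = m.groups()
        entries.append({"rid": int(rid), "url": url, "min": mincsn, "max": maxcsn})
    return entries


def csn_replica_id(csn):
    """A 389-ds CSN is <8 hex time><4 hex seq><4 hex replica id><4 hex subseq>."""
    return int(csn[12:16], 16)


def csn_time(csn):
    """Decode the timestamp part of a CSN as an aware UTC datetime."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


def find_stale(entries):
    """Heuristic (assumption of this example): flag replica IDs that are
    candidates for cleanup. For a host that appears under several IDs, keep
    the element with the newest max CSN and flag the rest; also flag any
    element that has no CSNs at all."""
    by_host = defaultdict(list)
    for e in entries:
        host = e["url"].split("//", 1)[1].split(":", 1)[0]
        by_host[host].append(e)
    stale = set()
    for es in by_host.values():
        if len(es) > 1:
            newest_first = sorted(es, key=lambda e: e["max"] or "", reverse=True)
            stale.update(e["rid"] for e in newest_first[1:])
    stale.update(e["rid"] for e in entries if e["max"] is None)
    return sorted(stale)


def report(ldif):
    """Human-readable summary: one line per RUV element plus the candidates."""
    entries = parse_nsds50ruv(ldif)
    lines = []
    for e in entries:
        if e["max"]:
            lines.append("replica %d at %s: last CSN %s (rid in CSN: %d)" % (
                e["rid"], e["url"], csn_time(e["max"]).isoformat(),
                csn_replica_id(e["max"])))
        else:
            lines.append("replica %d at %s: no CSNs recorded" % (e["rid"], e["url"]))
    lines.append("cleanup candidates: %s" % (find_stale(entries) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(LDIF_SAMPLE)))
```

The replica ID decoded from the CSN is a useful cross-check: the ID inside `{replica N ...}` and the ID field of that element's CSNs should agree, and the CA suffix (o=ipaca) keeps its own RUV separate from the main suffix, so the IDs listed by `ipa-replica-manage list-ruv` and those in the clone agreement are not expected to match each other.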