[Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

Ludwig Krispenz lkrispen at redhat.com
Thu Dec 22 09:10:40 UTC 2016


Hi
On 12/22/2016 09:31 AM, Georgijs Radovs wrote:
> Hello everyone!
>
> Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4.
>
> Both of these servers are Masters and CAs, both are replicating 
> between each other.
>
> But, when I run
>
> *ipa topologysegment-find* to view replication agreements for *domain* 
> and *ca* suffixes
>
> it returns zero results.
>
> Web UI also does not show any agreements, but when I try to create a 
> replication agreement between both servers, I get error that agreement 
> already exists.
>
> Also, when viewing directory using ldap browser, I found these 
> containers:
>
> DN: 
> cn=ca+nsuniqueid=7252d047-c76611e6-a1fcaefe-5d4473a3,cn=topology,cn=ipa,cn=etc,dc=example,dc=com
>
> DN: 
> cn=domain+nsuniqueid=7252d000-c76611e6-a1fcaefe-5d4473a3,cn=topology,cn=ipa,cn=etc,dc=example,dc=com
>
> Both of them contain topology segments, which I'm trying to create, 
> but they do not show up anywhere.
This is unfortunately the result of raising the domainlevel and creating 
segments while replication conflict entries exist.
In the next update we will prevent this by checking for conflicts before 
raising domainlevel.
>
> How do I remove nsuniqueid attribute or delete those containers?
Not so simple. I'll try to sketch the options for cn=domain; the 
procedure for cn=ca is then the same.

So let's say you have:
cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=com
cn=domain+nsuniqueid=7252d000-c76611e6-a1fcaefe-5d4473a3,cn=topology,cn=ipa,cn=etc,dc=example,dc=com
cn=segment1,cn=domain+nsuniqueid=7252d000-c76611e6-a1fcaefe-5d4473a3,cn=topology,cn=ipa,cn=etc,dc=example,dc=com

and what you want is:
cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=com
cn=segment1,cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=com

Unfortunately the segment is below the conflict entry, so you have two 
options:
- remove the "normal" entry and then rename the conflict entry, this 
will leave child parent relationship and the dn of the segment should be 
adjusted automatically

- move the segment to the "normal" entry (it could be rejected by the 
topology plugin, so you would have to disable it temporarily on the 
server where you run this)
and then remove the "conflict" entry

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
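
Added example, not part of the original message or of FreeIPA: a small Python check that takes a list of DNs (for instance from an LDAP export), flags the `+nsuniqueid=` conflict entries described above, and lists the entries sitting beneath them together with the DN they are meant to end up at. The function names and the sample DN list are constructed for illustration; the DNs are the ones quoted in the message.

```python
import re

# Constructed sample input, using the DNs quoted in the message above.
BASE = "cn=topology,cn=ipa,cn=etc,dc=example,dc=com"
CONFLICT = "cn=domain+nsuniqueid=7252d000-c76611e6-a1fcaefe-5d4473a3," + BASE
SAMPLE_DNS = [
    "cn=domain," + BASE,
    CONFLICT,
    "cn=segment1," + CONFLICT,
]

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (simplified parser)."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def strip_conflict(rdn):
    """Drop the nsuniqueid part of a multi-valued RDN; report whether one was present."""
    parts = re.split(r"(?<!\\)\+", rdn)
    kept = [p for p in parts if not p.strip().lower().startswith("nsuniqueid=")]
    return "+".join(kept), len(kept) != len(parts)

def plan(dns):
    """Classify DNs affected by replication conflict naming.

    Returns (conflicts, stranded, blocked):
      conflicts: conflict-entry DN -> DN it would have without nsuniqueid
      stranded:  DN of an entry below a conflict entry -> intended DN
      blocked:   conflict DNs whose "normal" counterpart already exists,
                 so a rename cannot succeed until that entry is dealt with
    """
    known = {dn.lower() for dn in dns}
    conflicts, stranded = {}, {}
    for dn in dns:
        cleaned = [strip_conflict(rdn) for rdn in split_rdns(dn)]
        if not any(hit for _, hit in cleaned):
            continue  # no conflict RDN anywhere in this DN
        target = ",".join(rdn for rdn, _ in cleaned)
        if cleaned[0][1]:
            conflicts[dn] = target   # the entry itself is a conflict entry
        else:
            stranded[dn] = target    # a child that sits below a conflict entry
    blocked = [dn for dn, target in conflicts.items() if target.lower() in known]
    return conflicts, stranded, blocked

if __name__ == "__main__":
    conflicts, stranded, blocked = plan(SAMPLE_DNS)
    for dn, target in stranded.items():
        print("stranded:", dn, "->", target)
    for dn in blocked:
        print("normal entry already exists for:", dn)
```
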



