[Freeipa-users] Can't create replica

German Parente gparente at redhat.com
Thu Dec 29 09:55:12 UTC 2016


Hi Jim,

it's normal to have an entry "cn=replica" under your mapping tree. That
does not mean that you are replicating.

It means the database is "enabled" for replication. And as it is enabled, it
needs a "replicaid" in the topology that in your case is 40. You cannot
clean this id.
In ipa, main database and certificate database (ipaca backend) are enabled
for replication even if there's only one node in the topology.

Regarding the binddn's, the ones under "cn=replica" should be a superset of
the ones included in your future replication agreements if you add a new
node to the topology.

You could manually remove nsDS5ReplicaBindDN values if you consider they
are leftovers.

Thanks and regards,

German.


On Wed, Dec 28, 2016 at 10:20 PM, Jim Richard <jrichard at placeiq.com> wrote:

> This pretty much describes my issue:
>
> https://access.redhat.com/solutions/136993
>
> ipa-server.x86_64 3.0.0-50.el6.centos.3
>
> But it’s a little more complicated than that.
>
> My goal at this point is just to get to one master with no replication, no
> remnants of replication, no dangling this or that in either the main
> LDAP or the CA instance.
>
> But, I think I’ve hosed it up pretty good, all things replication that is.
>
> So there is only one live server now, sso-109.nym1.placeiq.net
>
> But in going through the steps in that article I noticed something strange.
>
> Notice the ReplicaBindDN principalname in the first command, that server
> no longer exists
> And notice the ID, 40. Then look at the output from the next command.
>
> ID 40 is actually sso-109, am I reading that right??
>
> and of course CLEANRUV40 gives "error 53 unwilling to perform” - which is
> expected ?? I think, maybe I don’t know :(
>
> So uh, how do I un-F… myself here?
>
> Can I like manually delete that replication instance 40?
>
> If I’m saying, I just want one master, no replicas (will of course create
> a replica once I’m sure my one master is squared away), should I be able to
> get the db to a state with no nsDS5Replica entries?
>
> [root at sso-109:(NYM) slapd-PKI-IPA]$ ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replica
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dplaceiq\2Cdc\3Dnet,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleobject
> nsDS5ReplicaType: 3
> nsDS5ReplicaRoot: dc=placeiq,dc=net
> nsds5ReplicaLegacyConsumer: off
> nsDS5ReplicaId: 40
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/sso-110.nym1.placeiq.net at PLACEIQ.NET
>  ,cn=services,cn=accounts,dc=placeiq,dc=net
> nsState:: KAAAAAAAAADkKWRYAAAAAAAAAAAAAAAADwAAAAAAAAASAAAAAAAAAA==
> nsDS5ReplicaName: 889b4308-86c311e6-95188dad-28da3cc2
> nsds5ReplicaChangeCount: 13615
> nsds5replicareapactive: 0
>
>
>
> [root at sso-109:(NYM) slapd-PKI-IPA]$ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=placeiq,dc=net \
> >  '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> [root at sso-109:(NYM) slapd-PKI-IPA]$ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=placeiq,dc=net  '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> Enter LDAP Password:
> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=placeiq,dc=net
> objectClass: top
> objectClass: nsTombstone
> objectClass: extensibleobject
> nsds50ruv: {replicageneration} 52b07d23000000040000
> nsds50ruv: {replica 40 ldap://sso-109.nym1.placeiq.net:389} 57ede550000700280000 58642aad000100280000
> dc: placeiq
> nsruvReplicaLastModified: {replica 40 ldap://sso-109.nym1.placeiq.net:389} 58642a9e
>
> Jim Richard
> SYSTEM ADMINISTRATOR III
>
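The relationship discussed in this thread, as an added example that is not part of the original messages: the script unfolds the wrapped LDIF, reads the replica ID and bind DNs from "cn=replica", and compares them with the RUV tombstone to show which ID is the server's own and which service-principal bind DNs name a host with no RUV element. The function names (unfold, values, audit) are hypothetical, and the sample LDIF is constructed from the output quoted above.

```python
import re

# Constructed sample modelled on the ldapsearch output quoted in the thread.
# Assumption: "@" is restored in the principal (the archive shows " at ").
SAMPLE_LDIF = """\
dn: cn=replica,cn=dc\\3Dplaceiq\\2Cdc\\3Dnet,cn=mapping tree,cn=config
nsDS5ReplicaId: 40
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/sso-110.nym1.placeiq.net@PLACEIQ.NET
 ,cn=services,cn=accounts,dc=placeiq,dc=net

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=placeiq,dc=net
nsds50ruv: {replicageneration} 52b07d23000000040000
nsds50ruv: {replica 40 ldap://sso-109.nym1.placeiq.net:389} 57ede5500007002800
 00 58642aad000100280000
"""

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return re.sub(r"\n ", "", ldif)

def values(ldif, attr):
    """Return every value of one attribute (case-insensitive name match)."""
    pat = re.compile(r"^%s:[ \t]*(.*)$" % re.escape(attr), re.I | re.M)
    return pat.findall(unfold(ldif))

def audit(ldif):
    """Hypothetical helper: relate the replica ID and bind DNs to the RUV."""
    local_id = int(values(ldif, "nsDS5ReplicaId")[0])
    # RUV element: {replica <id> ldap://<host>:<port>} <minCSN> <maxCSN>
    ruv = {int(rid): host.lower() for rid, host in re.findall(
        r"\{replica (\d+) ldap://([^:}]+)", "\n".join(values(ldif, "nsds50ruv")))}
    leftovers = []
    for dn in values(ldif, "nsDS5ReplicaBindDN"):
        m = re.match(r"krbprincipalname=ldap/([^@]+)@", dn, re.I)
        # A service principal whose host has no RUV element is a review candidate.
        if m and m.group(1).lower() not in ruv.values():
            leftovers.append(dn)
    return {
        "local_id": local_id,                    # this server's own ID; not cleanable
        "local_host": ruv.get(local_id),
        "other_ids": sorted(r for r in ruv if r != local_id),
        "leftover_bind_dns": leftovers,
    }

if __name__ == "__main__":
    for key, val in audit(SAMPLE_LDIF).items():
        print(key, "=", val)
```

A flagged bind DN is only a candidate for review: as the reply notes, the values under "cn=replica" should remain a superset of those used by any replication agreements you plan to add.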