[Freeipa-users] Replica or no replica

Fri Oct 21 12:00:57 UTC 2016

Hello

After I have lost the entire IPA infrastructure (due to admin error:( ) I
have recreated one server that I had a ipa backup for and restored the
backup.

First problem I had were the replication agreements with the now missing
servers.
I have used ipa-replica-manage del --force --clean <replica name> for all
the replicas. It did not work without --force.

So now I have this:

ipa --version
VERSION: 4.3.1, API_VERSION: 2.164

root at de-fra-irx08-ldap01  ~#ipa-replica-manage list
de-fra-irx08-ldap01.ipa.XXXXXX: master

root at de-fra-irx08-ldap01  ~# ipa-replica-manage list-ruv
de-fra-irx08-ldap01.ipa.XXXXXX:389: 8

root at de-fra-irx08-ldap01  ~# ipa-csreplica-manage list
Directory Manager password:

de-fra-irx08-ldap01.ipa.XXXXXX: master

But I still get this in the error log:
NSMMReplicationPlugin -
agmt="cn=masterAgreement1-ro-buh-nx02-ldap01.ipa.XXXXXX-pki-tomcat"
(ro-buh-nx02-ldap01:389): Replication bind w
ith SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

root at de-fra-irx08-ldap01  ~# ldapsearch -D "cn=Directory Manager" -W -LLL
-x -b "cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config"
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN:
krbprincipalname=ldap/ro-buh-nx02-ldap01.ipa.XXXXXX at IPA.B
IGSTEP,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
nsDS5ReplicaBindDN:
krbprincipalname=ldap/uk-rdg-evr01-ldap01.ipa.XXXXXX at IPA.
XXXXXX,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
nsDS5ReplicaId: 8
nsDS5ReplicaName: b4848193-ef4611e5-8893afc8-cadb562e
nsDS5ReplicaRoot: dc=ipa,dc=XXXXXX
nsDS5ReplicaType: 3
nsState:: CAAAAAAAAAAU/glYAAAAAAAAAAAAAAAA2gQAAAAAAAAUAAAAAAAAAA==
nsds5ReplicaLegacyConsumer: off
nsds5replicabinddngroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=ipa,
dc=XXXXXX
nsds5replicabinddngroupcheckinterval: 60
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsds5ReplicaChangeCount: 550
nsds5replicareapactive: 0

root at de-fra-irx08-ldap01  ~# ldapsearch -D "cn=Directory Manager" -W -LLL
-x -b
"cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca
,cn=mapping tree,cn=config"
Enter LDAP Password:
dn:
cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,c
n=o\3Dipaca,cn=mapping tree,cn=config
cn: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
description: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-de-fra-irx08-ldap0
1.ipa.XXXXXX-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
RERBNEJDUTJPRE5rWXpkaVpDMWtPRFZpTTJJeg0KT0MxaFpHVm1aall5TUMwMk9HSTFOakExTVFBQ
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTF1K2UyWFJybUwyL0
ZWVTYrdmFDVw==}cJhPqOxvyGaExF/h3IO9UA==
nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XXXXXX
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 56efacec000000600000
nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389}
56efacf10000
00600000 580711f2000000600000
nsds50ruv: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389}
57163ff7000
000510000 575fedb7000000510000
nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389}
56efbe5b000
000560000 57179149000000560000
nsds50ruv: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389}
56efb7c5000
0005b0000 56efb80a0012005b0000
nsds50ruv: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389}
56efacf7000
000610000 575ffeda000000610000
nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
nsds50ruv: {replica 71} 575eade7000e00470000 575eade7000e00470000
nsruvReplicaLastModified: {replica 96
ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:38
9} 00000000
nsruvReplicaLastModified: {replica 81
ldap://de-fra-irx08-ldap02.ipa.XXXXXX:3
89} 00000000
nsruvReplicaLastModified: {replica 86
ldap://de-fra-irx08-ldap01.ipa.XXXXXX:3
89} 00000000
nsruvReplicaLastModified: {replica 91
ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:3
89} 00000000
nsruvReplicaLastModified: {replica 97
ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:3
89} 00000000
nsruvReplicaLastModified: {replica 66} 00000000
nsruvReplicaLastModified: {replica 71} 00000000
objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't
co
ntact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z

Is it safe to delete
cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping
tree,cn=config ?

Would this solve my problem?

Regards,
Gabriel Batir
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161021/e13b5f77/attachment.htm>