[Freeipa-users] Replica or no replica

Rob Crittenden rcritten at redhat.com
Fri Oct 21 13:17:30 UTC 2016


Gabriel Batir wrote:
> Hello
>
> After I have lost the entire IPA infrastructure (due to admin error:( )
> I have recreated one server that I had a ipa backup for and restored the
> backup.
>
> The first problem I had was the replication agreements with the now missing
> servers.
> I have used ipa-replica-manage del --force --clean <replica name> for
> all the replicas. It did not work without --force.
>
> So now I have this:
>
> ipa --version
> VERSION: 4.3.1, API_VERSION: 2.164
>
> root at de-fra-irx08-ldap01  ~#ipa-replica-manage list
> de-fra-irx08-ldap01.ipa.XXXXXX: master
>
> root at de-fra-irx08-ldap01  ~# ipa-replica-manage list-ruv
> de-fra-irx08-ldap01.ipa.XXXXXX:389: 8
>
> root at de-fra-irx08-ldap01  ~# ipa-csreplica-manage list
> Directory Manager password:
>
> de-fra-irx08-ldap01.ipa.XXXXXX: master
>
> But I still get this in the error log:
> NSMMReplicationPlugin - agmt="cn=masterAgreement1-ro-buh-nx02-ldap01.ipa.XXXXXX-pki-tomcat" (ro-buh-nx02-ldap01:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
>
>
> root at de-fra-irx08-ldap01  ~# ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config"
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/ro-buh-nx02-ldap01.ipa.XXXXXX at IPA.BIGSTEP,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
> nsDS5ReplicaBindDN: krbprincipalname=ldap/uk-rdg-evr01-ldap01.ipa.XXXXXX at IPA.XXXXXX,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
> nsDS5ReplicaId: 8
> nsDS5ReplicaName: b4848193-ef4611e5-8893afc8-cadb562e
> nsDS5ReplicaRoot: dc=ipa,dc=XXXXXX
> nsDS5ReplicaType: 3
> nsState:: CAAAAAAAAAAU/glYAAAAAAAAAAAAAAAA2gQAAAAAAAAUAAAAAAAAAA==
> nsds5ReplicaLegacyConsumer: off
> nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ipa,dc=XXXXXX
> nsds5replicabinddngroupcheckinterval: 60
> objectClass: nsds5replica
> objectClass: top
> objectClass: extensibleobject
> nsds5ReplicaChangeCount: 550
> nsds5replicareapactive: 0
>
> root at de-fra-irx08-ldap01  ~# ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config"
> Enter LDAP Password:
> dn: cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> cn: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
> description: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,ou=csusers,cn=config
> nsDS5ReplicaBindMethod: Simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTJPRE5rWXpkaVpDMWtPRFZpTTJJeg0KT0MxaFpHVm1aall5TUMwMk9HSTFOakExTVFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTF1K2UyWFJybUwyL0ZWVTYrdmFDVw==}cJhPqOxvyGaExF/h3IO9UA==
> nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XXXXXX
> nsDS5ReplicaPort: 389
> nsDS5ReplicaRoot: o=ipaca
> nsDS5ReplicaTransportInfo: TLS
> nsds50ruv: {replicageneration} 56efacec000000600000
> nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 56efacf1000000600000 580711f2000000600000
> nsds50ruv: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389} 57163ff7000000510000 575fedb7000000510000
> nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 56efbe5b000000560000 57179149000000560000
> nsds50ruv: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389} 56efb7c50000005b0000 56efb80a0012005b0000
> nsds50ruv: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389} 56efacf7000000610000 575ffeda000000610000
> nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
> nsds50ruv: {replica 71} 575eade7000e00470000 575eade7000e00470000
> nsruvReplicaLastModified: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 66} 00000000
> nsruvReplicaLastModified: {replica 71} 00000000
> objectClass: top
> objectClass: nsds5replicationagreement
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 19700101000000Z
> nsds5replicaLastUpdateEnd: 19700101000000Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 19700101000000Z
> nsds5replicaLastInitEnd: 19700101000000Z
>
>
> Is it safe to delete
> cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config ?
>
> Would this solve my problem?

Yes. It looks like a CA replication agreement. Given that, as stated, 
you have no other replicas, it is safe to remove this.

rob
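An added example, not part of this thread and not FreeIPA's own tooling: the agreement quoted above is a leftover in the CA suffix (o=ipaca) that `ipa-replica-manage del --clean` did not touch, and its `nsds50ruv` values still carry IDs for hosts that no longer exist. The script below parses the LDIF that `ldapsearch -LLL` prints for `cn=mapping tree,cn=config` (with folded continuation lines rejoined), and reports every replication agreement whose `nsDS5ReplicaHost` is not one of the masters you still have, plus every RUV element whose replica ID belongs to no surviving host. The sample LDIF, hostnames and CSNs are constructed to mirror the post; the set of live masters is the one you would take from `ipa-replica-manage list`.

```python
"""Spot stale 389-ds replication agreements and RUV entries in an LDIF dump.

Example code, not FreeIPA's own. Feed it the output of something like
  ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=mapping tree,cn=config"
and the hostnames that are still real masters.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the entry quoted in the thread; the
# hostnames, replica IDs and CSNs are illustrative, not real deployment data.
SAMPLE_LDIF = """\
dn: cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.example-pki-tomcat,cn=replica,c
 n=o\\3Dipaca,cn=mapping tree,cn=config
cn: cloneAgreement1-de-fra-irx08-ldap01.ipa.example-pki-tomcat
nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.example
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsds50ruv: {replicageneration} 56efacec000000600000
nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.example:389} 56efacf1000
 000600000 580711f2000000600000
nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.example:389} 56efbe5b000000560000 57179149000000560000
nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
objectClass: top
objectClass: nsds5replicationagreement

dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
cn: replica
nsDS5ReplicaId: 86
nsDS5ReplicaRoot: o=ipaca
objectClass: nsds5replica
"""

# "{replica <id> ldap://<host>:<port>}" or, for a replica whose host is
# already gone from the URL, just "{replica <id>}".
RUV_RE = re.compile(r"\{replica (\d+)(?: ldap://([^:}\s]+):\d+)?\}")


def unfold(text):
    """Rejoin LDIF continuation lines (a leading space means 'same value')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each maps a lower-cased attribute to its values."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):       # "attr:: <base64>"; keep the raw text
            value = value[1:].strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current:
        entries.append(current)
    return entries


def is_agreement(entry):
    return any(oc.lower() == "nsds5replicationagreement"
               for oc in entry.get("objectclass", []))


def stale_agreements(entries, live_masters):
    """(dn, peer host) for every agreement pointing at a host that is not live."""
    live = {h.lower() for h in live_masters}
    found = []
    for entry in entries:
        if not is_agreement(entry):
            continue
        for host in entry.get("nsds5replicahost", []):
            if host.lower() not in live:
                found.append((entry["dn"][0], host))
    return found


def stale_ruv_replicas(entries, live_masters):
    """{replica id: host or None} for RUV elements owned by no live master."""
    live = {h.lower() for h in live_masters}
    stale = {}
    for entry in entries:
        for ruv in entry.get("nsds50ruv", []):
            match = RUV_RE.search(ruv)
            if not match:               # the {replicageneration} element
                continue
            rid, host = int(match.group(1)), match.group(2)
            if host is None or host.lower() not in live:
                stale[rid] = host
    return stale


if __name__ == "__main__":
    masters = {"de-fra-irx08-ldap01.ipa.example"}   # from ipa-replica-manage list
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn, host in stale_agreements(parsed, masters):
        print(f"stale agreement to {host}:\n  {dn}")
    for rid, host in sorted(stale_ruv_replicas(parsed, masters).items()):
        print(f"stale RUV element: replica {rid} ({host or 'host unknown'})")
```

On the sample this flags the o=ipaca agreement to ro-buh-nx02-ldap01 and the RUV elements for replicas 96 and 66, while leaving replica 86, which belongs to the surviving master, alone. The agreement entry itself is what Rob confirms is safe to remove here (an `ldapdelete` of that DN as Directory Manager does it); the stale replica IDs are what a CLEANALLRUV task needs, and for the domain suffix `ipa-replica-manage clean-ruv <id>` wraps that task. Run it over the real dump before deleting anything, so the list of what is being removed is on record.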