[Freeipa-users] replicas removed, but incorrectly

Ludwig Krispenz lkrispen at redhat.com
Mon Sep 26 13:06:59 UTC 2016


On 09/26/2016 02:56 PM, Natxo Asenjo wrote:
>
>
> On Mon, Sep 26, 2016 at 1:54 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>
>
>
>
>     On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz
>     <lkrispen at redhat.com> wrote:
>
>
>         On 09/26/2016 01:36 PM, Natxo Asenjo wrote:
>>         And in my example, the replica id would be 66, 96, 71 and 97, correct?
>         no, I don't think so. you searched 2 times the same host "-h
>         kdc04.unix.iriszorg.nl".
>         you need to search on kdc03 to find the current replicaid of
>         kdc03 and you have to keep it.
>
>
>
>     yes, you are right :(
>
>      $ ldapsearch -Z -h kdc03.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
>     "o=ipaca"
>     "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
>     | grep "nsds50ruv\|nsDS5ReplicaId"
>     Enter LDAP Password:
>     nsDS5ReplicaId: 66
>     nsds50ruv: {replicageneration} 50c1015c000000600000
>     nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
>     nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
>     nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
>     nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
>     nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000
>
>
>     so I need to keep 66 and 1095, and run the task on 96, 71 and 97,
>     it would seem.
>
>     Thanks for spotting my error.
>
>
>
> ok, so I have now run the commands against both ldap hosts (the kdc03 
> and the kdc04), and now I have this:
you need to run it only against one host, it will propagate itself to 
the other replicas, if it can - see below.
>
>  # ldapsearch -Z -h kdc04.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
> "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> | grep "nsds50ruv\|nsDS5ReplicaId"
> Enter LDAP Password:
> nsDS5ReplicaId: 1095
> nsds50ruv: {replicageneration} 50c1015c000000600000
> nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
> nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
>
> # ldapsearch -Z -h kdc03.unix.iriszorg.nl -D "cn=Directory Manager" -W -b
> "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> | grep "nsds50ruv\|nsDS5ReplicaId"
> Enter LDAP Password:
> nsDS5ReplicaId: 66
> nsds50ruv: {replicageneration} 50c1015c000000600000
> nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
> nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
> nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
> nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
> nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000
>
> so the command has not been successful in the kdc03. In the dirsrv
> errors log I see:
>
> [26/Sep/2016:14:50:54 +0200] NSMMReplicationPlugin - CleanAllRUV Task 
> (rid 71): Not all replicas online, retrying in 640 seconds...
this looks like there is still a replication agreement to one of the no 
longer existing servers.

can you search for "... -b "cn=config" 
"objectclass=nsds5replicationagreement"

and remove the ones no longer needed.
> [26/Sep/2016:14:51:00 +0200] slapi_ldap_bind - Error: could not send 
> startTLS request: error -1 (Can't contact LDAP server) errno 107 
> (Transport endpoint is not connected)
>
> but those replicas are gone (decommissioned). So how can I remove them?

>
>
> -- 
> regards,
> Natxo
>
>
>
>
>
> -- 
> --
> Groeten,
> natxo
>
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
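
Added example (not part of the original message or of FreeIPA): a small shell function that applies the rule discussed above, keeping each live server's current nsDS5ReplicaId and reporting every other replica id still present in a RUV. The function name and the sample input are constructed for illustration. Note that matching on host name alone would miss rid 71, which points at the same host as the live rid 66.

```shell
#!/bin/sh
# Added example. Input: the grep-filtered ldapsearch output from EVERY live
# replica, concatenated. Output: replica ids found in some RUV that are not
# the current nsDS5ReplicaId of any queried server.
stale_rids() {
    awk '
        { key = tolower($1) }
        # Id a queried server uses right now: must be kept.
        key == "nsds5replicaid:" { live[$2] = 1; next }
        # RUV element: nsds50ruv: {replica <rid> ldap://host:port} <csn>
        key == "nsds50ruv:" && $2 == "{replica" { seen[$3] = 1 }
        END { for (rid in seen) if (!(rid in live)) print rid }
    ' | sort -n
}

# Constructed input: the values quoted in this thread, with the mail
# client's line wrapping removed (kdc04 output first, then kdc03).
sample_ruv() {
    cat <<'EOF'
nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsDS5ReplicaId: 66
nsds50ruv: {replicageneration} 50c1015c000000600000
nsds50ruv: {replica 66 ldap://kdc03.unix.iriszorg.nl:389} 57e23f66000000420000
nsds50ruv: {replica 1095 ldap://kdc04.unix.iriszorg.nl:389} 57e4d75a0000044700
nsds50ruv: {replica 96 ldap://kdc01.unix.iriszorg.nl:7389} 50c1016c00000060000
nsds50ruv: {replica 71 ldap://kdc03.unix.iriszorg.nl:389} 57e140c7000000470000
nsds50ruv: {replica 97 ldap://kdc02.unix.iriszorg.nl:7389} 50c1016800000061000
EOF
}

sample_ruv | stale_rids   # prints 71, 96 and 97, one per line
```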
