[Freeipa-users] Manual Cleanup

Standa Laznicka slaznick at redhat.com
Fri Mar 17 07:25:19 UTC 2017


Hello Ian,

You could do:
`ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`

Then you may need to check again for the master with `ipa-replica-manage 
list`. If it's not there anymore, check whether some RUVs are still in 
place with `ipa-replica-manage list-ruv`.

The last command should get you RUVs on both CA and domain suffixes if 
you're using FreeIPA >= 4.3.2 (hope I got the .z number right). If you 
see that there are some RUVs left for the wrong host, try calling 
`ipa-replica-manage clean-ruv <RUV-ID>` which should remove the RUV (no 
matter the suffix - CA or domain - just give it the number and it should 
work given FreeIPA >= 4.3.2 is used).

HTH,
Standa

On 03/16/2017 07:14 PM, Ian Harding wrote:
> I've made some progress.  But I have one zombie replication agreement to
> kill, I just don't know the syntax.
>
> freeipa-dal.bpt.rocks does not exist.  I want all references to it to go
> away.
>
> How would I do that with ldapmodify?
>
> Thanks!
>
>
> [root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch  -D "cn=directory
> manager" -w ... -b "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> nscpentrywsi
> # extended LDIF
> #
> # LDAPv3
> # base <o=ipaca> with scope subtree
> # filter:
> (&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))
> # requesting: nscpentrywsi
> #
>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: cn: replica
> nscpentrywsi: createTimestamp: 20160814234939Z
> nscpentrywsi: creatorsName: cn=directory manager
> nscpentrywsi: modifiersName: cn=Multimaster Replication
> Plugin,cn=plugins,cn=c
>   onfig
> nscpentrywsi: modifyTimestamp: 20170316181544Z
> nscpentrywsi: nsDS5Flags: 1
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> cloneAgreement1-freei
>   pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> masterAgreement1-free
>   ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> masterAgreement1-seat
>   tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaId: 1065
> nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
> nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
> nscpentrywsi: nsDS5ReplicaType: 3
> nscpentrywsi: nsState::
> KQQAAAAAAABO1spYAAAAAAAAAAAAAAAAKgAAAAAAAAAAAAAAAAAAAA
>   ==
> nscpentrywsi: nsds5replicabinddngroup: cn=replication
> managers,cn=sysaccounts,
>   cn=etc,dc=bpt,dc=rocks
> nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
> nscpentrywsi: objectClass: top
> nscpentrywsi: objectClass: nsDS5Replica
> nscpentrywsi: objectClass: extensibleobject
> nscpentrywsi: numSubordinates: 2
> nscpentrywsi: nsds50ruv: {replicageneration} 57c291d9000004290000
> nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389}
> 57f84
>   0bf000004290000 58cad667000004290000
> nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
> nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
> nscpentrywsi: nsds5agmtmaxcsn:
> o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
>   ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsds5agmtmaxcsn:
> o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
>   ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsruvReplicaLastModified: {replica 1065
> ldap://freeipa-sea.bpt.r
>   ocks:389} 58cad63d
> nscpentrywsi: nsruvReplicaLastModified: {replica 1290
> ldap://seattlenfs.bpt.ro
>   cks:389} 00000000
> nscpentrywsi: nsruvReplicaLastModified: {replica 1295
> ldap://freeipa-dal.bpt.r
>   ocks:389} 00000000
> nscpentrywsi: nsds5ReplicaChangeCount: 15993
> nscpentrywsi: nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del
> freeipa-dal.bpt.rocks --force
> Directory Manager password:
>
> 'freeipa-sea.bpt.rocks' has no replication agreement for
> 'freeipa-dal.bpt.rocks'
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: master
> freeipa-sea.bpt.rocks: master
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> freeipa-sea.bpt.rocks
> seattlenfs.bpt.rocks: replica
> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
> Directory Manager password:
>
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: CA not configured
> freeipa-sea.bpt.rocks: master
>
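
Added example (not part of the original thread, and not FreeIPA code): a small parser that reads the nsds50ruv values from ldapsearch output like the one quoted above, unfolds the LDIF continuation lines, and lists the RUV IDs that belong to hosts no longer in the topology, as the `ipa-replica-manage clean-ruv <RUV-ID>` commands to review. The helper names are hypothetical, the sample is the quoted RUV lines with the mail wrapping removed, and the list of live masters is assumed to come from `ipa-replica-manage list`.

```python
import re

# Constructed sample: the nsds50ruv lines from the ldapsearch output quoted
# above, with the mail client's extra wrapping removed. ldapsearch itself
# folds long lines by continuing them on the next line after one space.
# Helper names below are this example's own, not FreeIPA APIs.
SAMPLE_LDIF = """\
dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: nsDS5ReplicaId: 1065
nscpentrywsi: nsds50ruv: {replicageneration} 57c291d9000004290000
nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389} 57f84
 0bf000004290000 58cad667000004290000
nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
"""

RUV_RE = re.compile(
    r"nsds50ruv:\s*\{replica (\d+) ldap://([^:/}\s]+):(\d+)\}\s*(\S+)?\s*(\S+)?",
    re.IGNORECASE)

def unfold(ldif):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def parse_ruvs(ldif):
    """Return one dict per RUV element: replica id, host, min/max CSN."""
    ruvs = []
    for line in unfold(ldif).splitlines():
        m = RUV_RE.search(line)
        if m:
            rid, host, _port, min_csn, max_csn = m.groups()
            ruvs.append({"id": int(rid), "host": host.lower(),
                         "min_csn": min_csn, "max_csn": max_csn})
    return ruvs

def stale_ruvs(ldif, live_masters):
    """RUV elements whose host is not in the set of masters that still exist."""
    live = {h.lower() for h in live_masters}
    return [r for r in parse_ruvs(ldif) if r["host"] not in live]

def cleanup_commands(ldif, live_masters):
    """Commands to review by hand; this script never runs them."""
    return ["ipa-replica-manage clean-ruv %d" % r["id"]
            for r in stale_ruvs(ldif, live_masters)]

if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_LDIF,
                                ["freeipa-sea.bpt.rocks", "seattlenfs.bpt.rocks"]):
        print(cmd)
```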



