[Freeipa-users] Manual Cleanup

Petr Vobornik pvoborni at redhat.com
Fri Mar 17 17:22:36 UTC 2017


On 03/16/2017 07:14 PM, Ian Harding wrote:
> I've made some progress.  But I have one zombie replication agreement to
> kill, I just don't know the syntax.

The output listed below is not a replication agreement. But there is a 
reference to RUV.

>
> freeipa-dal.bpt.rocks does not exist.  I want all references to it to go
> away.
>
> How would I do that with ldapmodify?

I wouldn't delete the entry below because 
cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config is a container for CA 
replication agreements and it should stay there. Btw, there should also 
be one for "domain" replication agreements.

But in general, you could use the ldapdelete command.

If you want to investigate pure LDAP data, then information about IPA 
masters is also stored in cn=masters,cn=ipa,cn=etc,dc=example,dc=test . 
This is the place where ipa server-find gets its info.

>
> Thanks!
>
>
> [root at freeipa-sea slapd-BPT-ROCKS]# ldapsearch  -D "cn=directory
> manager" -w ... -b "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> nscpentrywsi
> # extended LDIF
> #
> # LDAPv3
> # base <o=ipaca> with scope subtree
> # filter:
> (&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))
> # requesting: nscpentrywsi
> #
>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nscpentrywsi: cn: replica
> nscpentrywsi: createTimestamp: 20160814234939Z
> nscpentrywsi: creatorsName: cn=directory manager
> nscpentrywsi: modifiersName: cn=Multimaster Replication
> Plugin,cn=plugins,cn=c
>  onfig
> nscpentrywsi: modifyTimestamp: 20170316181544Z
> nscpentrywsi: nsDS5Flags: 1
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> cloneAgreement1-freei
>  pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> masterAgreement1-free
>  ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
> masterAgreement1-seat
>  tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
> nscpentrywsi: nsDS5ReplicaId: 1065
> nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
> nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
> nscpentrywsi: nsDS5ReplicaType: 3
> nscpentrywsi: nsState::
> KQQAAAAAAABO1spYAAAAAAAAAAAAAAAAKgAAAAAAAAAAAAAAAAAAAA
>  ==
> nscpentrywsi: nsds5replicabinddngroup: cn=replication
> managers,cn=sysaccounts,
>  cn=etc,dc=bpt,dc=rocks
> nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
> nscpentrywsi: objectClass: top
> nscpentrywsi: objectClass: nsDS5Replica
> nscpentrywsi: objectClass: extensibleobject
> nscpentrywsi: numSubordinates: 2
> nscpentrywsi: nsds50ruv: {replicageneration} 57c291d9000004290000
> nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389}
> 57f84
>  0bf000004290000 58cad667000004290000
> nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
> nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
> nscpentrywsi: nsds5agmtmaxcsn:
> o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsds5agmtmaxcsn:
> o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
>  ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
> nscpentrywsi: nsruvReplicaLastModified: {replica 1065
> ldap://freeipa-sea.bpt.r
>  ocks:389} 58cad63d
> nscpentrywsi: nsruvReplicaLastModified: {replica 1290
> ldap://seattlenfs.bpt.ro
>  cks:389} 00000000
> nscpentrywsi: nsruvReplicaLastModified: {replica 1295
> ldap://freeipa-dal.bpt.r
>  ocks:389} 00000000
> nscpentrywsi: nsds5ReplicaChangeCount: 15993
> nscpentrywsi: nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root at freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del
> freeipa-dal.bpt.rocks --force
> Directory Manager password:
>
> 'freeipa-sea.bpt.rocks' has no replication agreement for
> 'freeipa-dal.bpt.rocks'
> [root at freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: master
> freeipa-sea.bpt.rocks: master
> [root at freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
> freeipa-sea.bpt.rocks
> seattlenfs.bpt.rocks: replica
> [root at freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
> Directory Manager password:
>
> seattlenfs.bpt.rocks: master
> freeipa-dal.bpt.rocks: CA not configured
> freeipa-sea.bpt.rocks: master
>


-- 
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.
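
An added example (not part of the original message, and not FreeIPA code): a small Python parser for the nsds50ruv values in nscpentrywsi output like that quoted above, listing RUV elements whose host is not in an operator-supplied set of live masters. The sample LDIF, its hostnames and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the quoted output; hostnames are made up.
# A line starting with one space continues the previous line (LDIF folding).
SAMPLE = r"""dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nscpentrywsi: nsDS5ReplicaId: 1065
nscpentrywsi: nsds50ruv: {replicageneration} 57c291d9000004290000
nscpentrywsi: nsds50ruv: {replica 1065 ldap://ipa1.example.test:389} 57f84
 0bf000004290000 58cad667000004290000
nscpentrywsi: nsds50ruv: {replica 1290 ldap://ipa2.example.test:389}
nscpentrywsi: nsds50ruv: {replica 1295 ldap://ipa-gone.example.test:389}
"""

# {replica <id> ldap://<host>:<port>} followed by zero or more 20-hex-digit CSNs
RUV = re.compile(r"nsds50ruv: \{replica (\d+) ldap://([^:}]+):(\d+)\}"
                 r"((?: [0-9a-fA-F]{20})*)\s*$")


def parse_ruv(ldif):
    """Return one dict per RUV element found in ldapsearch output."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    elements = []
    for line in unfolded.splitlines():
        m = RUV.search(line)
        if not m:  # other attributes and {replicageneration} are skipped
            continue
        rid, csns = int(m.group(1)), m.group(4).split()
        elements.append({
            "rid": rid,
            "host": m.group(2).lower(),
            "port": int(m.group(3)),
            "csns": csns,
            # hex digits 12..15 of a CSN carry the originating replica id
            "rid_matches": all(int(c[12:16], 16) == rid for c in csns),
        })
    return elements


def stale_elements(ldif, live_hosts):
    """RUV elements whose host is not in the operator-supplied live set."""
    live = {h.lower() for h in live_hosts}
    return [e for e in parse_ruv(ldif) if e["host"] not in live]


if __name__ == "__main__":
    for e in stale_elements(SAMPLE, {"ipa1.example.test", "ipa2.example.test"}):
        print(f"stale RUV element: replica {e['rid']} {e['host']}:{e['port']}")
```

An element with no CSNs is not stale by that fact alone: in the sample the live ipa2 host has none either, so the decision rests on the host comparison.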



