[Freeipa-users] Manual Cleanup

Ian Harding ianh at brownpapertickets.com
Sun Mar 19 06:31:00 UTC 2017



On 03/17/2017 12:25 AM, Standa Laznicka wrote:
> Hello Ian,
> 
> You could do:
> `ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`
> 

I have done this, it warns me that I should be careful, I say yes, and
it returns almost immediately.  The master still shows up

[root@freeipa-sea ianh]# ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup
Cleaning a master is irreversible.
This should not normally be require, so use cautiously.
Continue to clean master? [no]: yes


> Then you may need to check again for the master with `ipa-replica-manage
> list`. If it's not there anymore, check whether some RUVs are still in
> place with `ipa-replica-manage list-ruv`.
> 
> The last command should get you RUVs on both CA and domain suffixes if
> you're using FreeIPA >= 4.3.2 (hope I got the .z number right). If you
> see that there's some RUVs left for the wrong host, try calling
> `ipa-replica-manage clean-ruv <RUV-ID>` which should remove the RUV (no
> matter the suffix - CA or domain - just give it the number and it should
> work given FreeIPA >= 4.3.2 is used).
> 

There aren't any dangling RUV that I can see but the 'master' record is
still there.

[root@freeipa-sea ianh]# ipa-replica-manage list
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
freeipa-sea.bpt.rocks: master

[root@freeipa-sea ianh]# ipa-replica-manage list freeipa-sea.bpt.rocks
seattlenfs.bpt.rocks: replica
[root@freeipa-sea ianh]# ipa-replica-manage list seattlenfs.bpt.rocks
freeipa-sea.bpt.rocks: replica

[root@freeipa-sea ianh]# ipa-replica-manage list-ruv
Directory Manager password:

Replica Update Vectors:
	freeipa-sea.bpt.rocks:389: 20
	seattlenfs.bpt.rocks:389: 21
Certificate Server Replica Update Vectors:
	freeipa-sea.bpt.rocks:389: 1065
	seattlenfs.bpt.rocks:389: 1290


Thanks for your help, but I think I need some ldapdelete magic.  Does
this mean anything to you?

I manually removed every reference to freeipa-dal from dse.ldif and
started the directory server.

I still see this:

[root@freeipa-sea ianh]# ldapsearch -D "cn=directory manager" -W -b cn=config | grep freeipa-dal
Enter LDAP Password:
nsslapd-referral: ldap://freeipa-dal.bpt.rocks:389/o%3Dipaca

I have to think it is stored somewhere else when the server is offline
in a database file and gets inserted into the DSE at startup?

I found a mess of references to freeipa-dal in this section.  Is there a
way to make it go away?

[root@freeipa-sea ianh]# ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks' | grep freeipa-dal
Enter LDAP Password:
# freeipa-dal.bpt.rocks + f0b9918f-6a5011e6-a4bad0d8-a4feaa1b, masters,
ipa, et
dn:
cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn
cn: freeipa-dal.bpt.rocks
# CA + 5148cf38-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks +
f0b9918f-6a
dn:
cn=CA+nsuniqueid=5148cf38-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.ro
# KDC + 5148cf40-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks +
f0b9918f-6
dn:
cn=KDC+nsuniqueid=5148cf40-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.r
# KPASSWD + 5148cf41-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks +
f0b991
dn:
cn=KPASSWD+nsuniqueid=5148cf41-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.b
# MEMCACHE + 5148cf42-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks
+ f0b99
dn:
cn=MEMCACHE+nsuniqueid=5148cf42-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.
# HTTP + 5148cf45-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks +
f0b9918f-
dn:
cn=HTTP+nsuniqueid=5148cf45-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.
# OTPD + 5148cf46-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks +
f0b9918f-
dn:
cn=OTPD+nsuniqueid=5148cf46-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.
# DNS + 9cfb790e-6a5111e6-a4bad0d8-a4feaa1b, freeipa-dal.bpt.rocks +
f0b9918f-6
dn:
cn=DNS+nsuniqueid=9cfb790e-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.r
# DNSKeySync + 9cfb791b-6a5111e6-a4bad0d8-a4feaa1b,
freeipa-dal.bpt.rocks + f0b
[root@freeipa-sea ianh]#

> HTH,
> Standa
> 
> On 03/16/2017 07:14 PM, Ian Harding wrote:
>> I've made some progress.  But I have one zombie replication agreement to
>> kill, I just don't know the syntax.
>>
>> freeipa-dal.bpt.rocks does not exist.  I want all references to it to go
>> away.
>>
>> How would I do that with ldapmodify?
>>
>> Thanks!
>>
>>
>> [root@freeipa-sea slapd-BPT-ROCKS]# ldapsearch -D "cn=directory manager" -w ... -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" nscpentrywsi
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <o=ipaca> with scope subtree
>> # filter:
>> (&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))
>>
>> # requesting: nscpentrywsi
>> #
>>
>> # replica, o\3Dipaca, mapping tree, config
>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> nscpentrywsi: dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> nscpentrywsi: cn: replica
>> nscpentrywsi: createTimestamp: 20160814234939Z
>> nscpentrywsi: creatorsName: cn=directory manager
>> nscpentrywsi: modifiersName: cn=Multimaster Replication
>> Plugin,cn=plugins,cn=c
>>   onfig
>> nscpentrywsi: modifyTimestamp: 20170316181544Z
>> nscpentrywsi: nsDS5Flags: 1
>> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
>> cloneAgreement1-freei
>>   pa-sea.bpt.rocks-pki-tomcat,ou=csusers,cn=config
>> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
>> masterAgreement1-free
>>   ipa-dal.bpt.rocks-pki-tomcat,ou=csusers,cn=config
>> nscpentrywsi: nsDS5ReplicaBindDN: cn=Replication Manager
>> masterAgreement1-seat
>>   tlenfs.bpt.rocks-pki-tomcat,ou=csusers,cn=config
>> nscpentrywsi: nsDS5ReplicaId: 1065
>> nscpentrywsi: nsDS5ReplicaName: b21a1f1e-627911e6-93e6ef4b-69dcc2d1
>> nscpentrywsi: nsDS5ReplicaRoot: o=ipaca
>> nscpentrywsi: nsDS5ReplicaType: 3
>> nscpentrywsi: nsState::
>> KQQAAAAAAABO1spYAAAAAAAAAAAAAAAAKgAAAAAAAAAAAAAAAAAAAA
>>   ==
>> nscpentrywsi: nsds5replicabinddngroup: cn=replication
>> managers,cn=sysaccounts,
>>   cn=etc,dc=bpt,dc=rocks
>> nscpentrywsi: nsds5replicabinddngroupcheckinterval: 60
>> nscpentrywsi: objectClass: top
>> nscpentrywsi: objectClass: nsDS5Replica
>> nscpentrywsi: objectClass: extensibleobject
>> nscpentrywsi: numSubordinates: 2
>> nscpentrywsi: nsds50ruv: {replicageneration} 57c291d9000004290000
>> nscpentrywsi: nsds50ruv: {replica 1065 ldap://freeipa-sea.bpt.rocks:389}
>> 57f84
>>   0bf000004290000 58cad667000004290000
>> nscpentrywsi: nsds50ruv: {replica 1290 ldap://seattlenfs.bpt.rocks:389}
>> nscpentrywsi: nsds50ruv: {replica 1295 ldap://freeipa-dal.bpt.rocks:389}
>> nscpentrywsi: nsds5agmtmaxcsn:
>> o=ipaca;cloneAgreement1-freeipa-sea.bpt.rocks-p
>>   ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
>> nscpentrywsi: nsds5agmtmaxcsn:
>> o=ipaca;masterAgreement1-seattlenfs.bpt.rocks-p
>>   ki-tomcat;seattlenfs.bpt.rocks;389;unavailable
>> nscpentrywsi: nsruvReplicaLastModified: {replica 1065
>> ldap://freeipa-sea.bpt.r
>>   ocks:389} 58cad63d
>> nscpentrywsi: nsruvReplicaLastModified: {replica 1290
>> ldap://seattlenfs.bpt.ro
>>   cks:389} 00000000
>> nscpentrywsi: nsruvReplicaLastModified: {replica 1295
>> ldap://freeipa-dal.bpt.r
>>   ocks:389} 00000000
>> nscpentrywsi: nsds5ReplicaChangeCount: 15993
>> nscpentrywsi: nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage del freeipa-dal.bpt.rocks --force
>> Directory Manager password:
>>
>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>> 'freeipa-dal.bpt.rocks'
>> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list
>> seattlenfs.bpt.rocks: master
>> freeipa-dal.bpt.rocks: master
>> freeipa-sea.bpt.rocks: master
>> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-replica-manage list freeipa-sea.bpt.rocks
>> seattlenfs.bpt.rocks: replica
>> [root@freeipa-sea slapd-BPT-ROCKS]# ipa-csreplica-manage list
>> Directory Manager password:
>>
>> seattlenfs.bpt.rocks: master
>> freeipa-dal.bpt.rocks: CA not configured
>> freeipa-sea.bpt.rocks: master
>>
> 

-- 
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com
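One way to do the "ldapdelete magic" Ian asks about, as an added example that is not part of the original thread and not FreeIPA's own tooling. The script takes the LDIF that `ldapsearch -LLL` prints for the cn=masters subtree, unfolds the wrapped lines, and lists every entry that still names the dead master deepest-first, so each exact DN (including the `+nsuniqueid=` conflict RDNs visible in the thread, which a recursive delete of the plain `cn=<host>` DN would not match) can be handed to ldapdelete. It also builds the ldapmodify input that drops the stale `nsslapd-referral` value from the o=ipaca mapping-tree entry. The host, suffix and bind DN are taken from the thread and are assumptions; the sample LDIF is constructed, and nothing contacts a server unless `IPA_CLEANUP_APPLY=1` is set.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# FreeIPA project. Given the LDIF that `ldapsearch -LLL` prints for the
# cn=masters subtree, it unfolds the wrapped lines and lists every entry that
# still names the dead master, children first, so each DN (including the
# "+nsuniqueid=" conflict RDNs seen in the thread) can be fed to ldapdelete.
# It also builds the ldapmodify LDIF that drops the stale o=ipaca referral from
# the mapping-tree entry. Host, suffix and bind DN come from the thread and are
# assumptions; nothing contacts a server unless IPA_CLEANUP_APPLY=1 is set.

DEAD_HOST="${DEAD_HOST:-freeipa-dal.bpt.rocks}"
SUFFIX="${SUFFIX:-dc=bpt,dc=rocks}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
MASTERS_BASE="cn=masters,cn=ipa,cn=etc,$SUFFIX"

# Unfold LDIF: a line beginning with one space continues the previous line.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# Print the DNs (stdin = LDIF) that name host $1, deepest first. Depth is the
# comma count, so children sort before their parent and a plain, non-recursive
# ldapdelete succeeds. Assumes no escaped "\," inside values and no base64
# "dn::" lines, which holds for FreeIPA's cn=masters tree.
stale_dns() {
    unfold_ldif | awk -v host="$1" '
        /^dn: / {
            dn = substr($0, 5)
            if (index(dn, "cn=" host) == 0) next
            depth = gsub(/,/, ",", dn)      # counts commas, leaves dn unchanged
            printf "%d\t%s\n", depth, dn
        }
    ' | sort -k1,1nr | cut -f2-
}

# ldapmodify input that removes the stale referral value for host $1 from the
# o=ipaca mapping-tree entry (the nsslapd-referral line seen in the thread).
referral_cleanup_ldif() {
    cat <<EOF
dn: cn=o\\3Dipaca,cn=mapping tree,cn=config
changetype: modify
delete: nsslapd-referral
nsslapd-referral: ldap://$1:389/o%3Dipaca
EOF
}

# Constructed sample (not real server output): one live master and the dead
# one with the conflict-style RDNs from the thread, two DNs folded the way
# ldapsearch folds long lines.
SAMPLE_LDIF=$(cat <<'EOF'
dn: cn=freeipa-sea.bpt.rocks,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
cn: freeipa-sea.bpt.rocks

dn: cn=CA,cn=freeipa-sea.bpt.rocks,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
cn: CA

dn: cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=mas
 ters,cn=ipa,cn=etc,dc=bpt,dc=rocks
cn: freeipa-dal.bpt.rocks

dn: cn=CA+nsuniqueid=5148cf38-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+
 nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
cn: CA

dn: cn=KDC+nsuniqueid=5148cf40-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
cn: KDC
EOF
)

if [ "${IPA_CLEANUP_APPLY:-0}" = 1 ]; then
    # Live run: read the real subtree, delete leaf-first, drop the referral,
    # then re-check both places. Each tool prompts for the Directory Manager
    # password (-W); use -y <passfile> instead if you want a single prompt.
    ldapsearch -x -LLL -D "$BIND_DN" -W -b "$MASTERS_BASE" dn \
        | stale_dns "$DEAD_HOST" \
        | ldapdelete -x -D "$BIND_DN" -W
    referral_cleanup_ldif "$DEAD_HOST" | ldapmodify -x -D "$BIND_DN" -W
    echo "# remaining references (expect none):"
    ldapsearch -x -LLL -D "$BIND_DN" -W -b "$MASTERS_BASE" "(cn=$DEAD_HOST)" dn
    ldapsearch -x -LLL -D "$BIND_DN" -W -b cn=config nsslapd-referral | grep "$DEAD_HOST"
else
    echo "# dry run on the constructed sample; DNs in deletion order:"
    printf '%s\n' "$SAMPLE_LDIF" | stale_dns "$DEAD_HOST"
    echo "# ldapmodify input for the stale referral:"
    referral_cleanup_ldif "$DEAD_HOST"
fi
```

Run it as-is to see the deletion order and the LDIF on the constructed sample; with `IPA_CLEANUP_APPLY=1` it queries the live server, deletes the leftover entries one DN at a time and then prints whatever still mentions the host, which should be nothing. The leaf-first ordering matters because 389-ds refuses to delete a non-leaf entry, and the referral is removed by value so any other referrals on the mapping-tree entry are left alone.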