Petros Triantafyllidis wrote:

Thanks for healthcheck Rob,

In our setup (2 CentOS 7.7 servers, running ipa-server-4.6.5-11.el7.centos.3.x86_64) I get the output below when ipa-healthcheck runs at the replica. The output is identical at master too, except the first warning ("No DNA range defined. If no masters define a range then users and groups cannot be created."). How serious is my case? Any recommendation is highly appreciated.

Thanks again,
Petros

[ { "source": "ipahealthcheck.ipa.dna", "kw": { "msg": "No DNA range defined. If no masters define a range then users and groups cannot be created.", "range_start": 0, "next_start": 0, "next_max": 0, "range_max": 0 }, "uuid": "f414f514-38b2-4381-a161-f43ea81ffbae", "duration": "0.578066", "when": "20191107160820Z", "check": "IPADNARangeCheck", "result": "WARNING" },

This is just a heads-up. It means that this master doesn't have a DNA range. If your other master dies then you'll get the dreaded "ERROR: Operations error: Allocation of a new value for range failed". We don't allocate a range to every master because there are some users that have a LOT of masters and each time a range is allocated it splits in half. So it may be perfectly fine, hence the warning.

Do you recommend I set DNA range for my second server too? I will hardly have more than four servers in our environment and that only in a transition/upgrade phase.
[...]
{ "source": "ipahealthcheck.ds.replication", "kw": { "msg": "Replication conflict", "glue": false, "conflict": "namingConflict cn=certmap,dc=geo,dc=ss,dc=lan", "key": "cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan" }, "uuid": "b9e9c71d-c97c-43be-806f-b37bdc3607c3", "duration": "0.005029", "when": "20191107160829Z", "check": "ReplicationConflictCheck", "result": "ERROR" },

[ snip ]

What you'll want to do is compare the conflict entry with the "real" entry to see if there are any differences. Chances are there aren't and the conflict entries can be deleted.

Assuming I have the following output:
ldapsearch -D "cn=Directory Manager" -W "cn=certmap *"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=geo,dc=ss,dc=lan> (default) with scope subtree
# filter: cn=certmap *
# requesting: ALL
#
# certmap, geo.ss.lan
dn: cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
# certmaprules, certmap, geo.ss.lan
dn: cn=certmaprules,cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules
# certmap + ebb8b88e-a2c811e7-8f22c768-d7e7aa51, geo.ss.lan
dn: cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
# certmaprules + ebb8b8b7-a2c811e7-8f22c768-d7e7aa51, certmap + ebb8b88e-a2c811e7-8f22c768-d7e7aa51, geo.ss.lan
dn: cn=certmaprules+nsuniqueid=ebb8b8b7-a2c811e7-8f22c768-d7e7aa51,cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
Am I safe to delete like this?
ldapdelete -D "cn=Directory Manager" -W -x "cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan"
Thanks,
Petros
-- Dr. TRIANTAFYLLIDIS PETROS Aristotle University - Department of Geophysics, POBox 112, 54124 Thessaloniki,GREECE-TEL:+30-2310998585,FAX:2310991403
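
The comparison suggested in the thread (conflict entry against the "real" entry, before anything is deleted) can be scripted over saved ldapsearch output. The following is an added example, not part of the original messages and not FreeIPA code; the function names are hypothetical, the sample LDIF is constructed from the entries shown above, and values are assumed to be plain text rather than base64.

```python
import re

# Constructed, trimmed sample modelled on the ldapsearch output in the thread.
SAMPLE_LDIF = """\
dn: cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap

dn: cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=
 lan
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
"""

CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; assumes plain (non-base64) values."""
    entries = {}
    # LDIF folds long lines; a continuation line starts with a single space.
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip().lower()
            else:
                attrs.setdefault(name.lower(), set()).add(value.strip())
        if dn:
            entries[dn] = attrs
    return entries

def compare_conflicts(entries):
    """Map conflict DN -> {attr: (conflict, real)} diffs, or None if no real entry."""
    report = {}
    for dn, attrs in entries.items():
        real_dn = CONFLICT_RDN.sub("", dn)
        if real_dn == dn:
            continue  # not a conflict entry
        real = entries.get(real_dn)
        keys = (set(attrs) | set(real or {})) - {"nsds5replconflict"}  # only on the conflict copy
        report[dn] = None if real is None else {
            k: (attrs.get(k, set()), real.get(k, set()))
            for k in sorted(keys) if attrs.get(k) != real.get(k)}
    return report
```

An empty dict for a conflict DN means its attributes match the real entry; `None` means no real entry was found in the search output, so that conflict entry should be inspected by hand.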