Thanks for your response Rob. Please see my questions inline.

On 11/7/19 6:48 PM, Rob Crittenden via FreeIPA-users wrote:
Petros Triantafyllidis wrote:
Thanks for healthcheck, Rob,

In our setup (2 CentOS 7.7 servers, running
ipa-server-4.6.5-11.el7.centos.3.x86_64) I get the output below when
ipa-healthcheck runs at the replica. The output is identical at master
too, except the first warning ("No DNA range defined. If no masters
define a range then users and groups cannot be created."). How serious
is my case?
Any recommendation is highly appreciated.

Thanks again,
Petros

[
  {
    "source": "ipahealthcheck.ipa.dna",
    "kw": {
      "msg": "No DNA range defined. If no masters define a range then
users and groups cannot be created.",
      "range_start": 0,
      "next_start": 0,
      "next_max": 0,
      "range_max": 0
    },
    "uuid": "f414f514-38b2-4381-a161-f43ea81ffbae",
    "duration": "0.578066",
    "when": "20191107160820Z",
    "check": "IPADNARangeCheck",
    "result": "WARNING"
  },
This is just a heads-up. It means that this master doesn't have a DNA
range. If your other master dies then you'll get the dreaded "ERROR:
Operations error: Allocation of a new value for range failed".

We don't allocate a range to every master because there are some users
that have a LOT of masters and each time a range is allocated it splits
in half.

So it may be perfectly fine, hence the warning.

Do you recommend I set DNA range for my second server too? I will hardly have more than four servers in our environment and that only in a transition/upgrade phase.

[...]

  {
    "source": "ipahealthcheck.ds.replication",
    "kw": {
      "msg": "Replication conflict",
      "glue": false,
      "conflict": "namingConflict cn=certmap,dc=geo,dc=ss,dc=lan",
      "key":
"cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan"
    },
    "uuid": "b9e9c71d-c97c-43be-806f-b37bdc3607c3",
    "duration": "0.005029",
    "when": "20191107160829Z",
    "check": "ReplicationConflictCheck",
    "result": "ERROR"
  },
[ snip ]

What you'll want to do is compare the conflict entry with the "real"
entry to see if there are any differences. Chances are there aren't and
the conflict entries can be deleted.

Assuming I have the following output:

ldapsearch -D "cn=Directory Manager" -W  "cn=certmap *"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=geo,dc=ss,dc=lan> (default) with scope subtree
# filter: cn=certmap *
# requesting: ALL
#

# certmap, geo.ss.lan
dn: cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap

# certmaprules, certmap, geo.ss.lan
dn: cn=certmaprules,cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules

# certmap + ebb8b88e-a2c811e7-8f22c768-d7e7aa51, geo.ss.lan
dn: cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=
 lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap

# certmaprules + ebb8b8b7-a2c811e7-8f22c768-d7e7aa51, certmap + ebb8b88e-a2c811
 e7-8f22c768-d7e7aa51, geo.ss.lan
dn: cn=certmaprules+nsuniqueid=ebb8b8b7-a2c811e7-8f22c768-d7e7aa51,cn=certmap+
 nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4


Am I safe to delete like this?

ldapdelete -D "cn=Directory Manager" -W -x "cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan"

Thanks,
Petros

-- 
Dr. TRIANTAFYLLIDIS PETROS
Aristotle University - Department of Geophysics, POBox 112,
54124 Thessaloniki, GREECE - TEL: +30-2310998585, FAX: 2310991403
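The conflict-versus-real-entry comparison Rob suggests, done mechanically, as an added example (not code from the thread or from FreeIPA): it parses the ldapsearch LDIF above, pairs each +nsuniqueid conflict entry with the entry left after stripping +nsuniqueid from every RDN, lists the attributes whose values differ, and orders the conflicts child-first, because the certmaprules conflict is nested under the certmap conflict and ldapdelete refuses to remove a non-leaf entry. The names parse_ldif, review_conflicts and CONFLICT are mine, and DNs are assumed to contain no escaped commas.

```python
import re
# Constructed sample: the four entries from the ldapsearch output above, LDIF folding kept.
LDIF = """dn: cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
dn: cn=certmaprules,cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules
dn: cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=
 lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
dn: cn=certmaprules+nsuniqueid=ebb8b8b7-a2c811e7-8f22c768-d7e7aa51,cn=certmap+
 nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules"""
# 389-ds marks a replication conflict entry by adding +nsuniqueid=<id> to its RDN.
CONFLICT = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.I)

def parse_ldif(text):
    """Unfold continuation lines, then build {dn: {attr: set(values)}}."""
    entries, attrs = {}, None
    for line in text.replace("\n ", "").splitlines():
        if not line or line[0] == "#": continue  # blank lines, ldapsearch comments
        name, _, value = line.partition(": ")
        if name == "dn":
            attrs = entries[value] = {}
        else:
            attrs.setdefault(name.lower(), set()).add(value)
    return entries

def review_conflicts(entries):
    """[(conflict DN, attribute names whose values differ from the 'real' entry)], None
    if no real entry survives (needs a manual look). Deepest DN first: ldapdelete refuses
    a non-leaf entry, so the nested certmaprules conflict goes before its certmap parent."""
    report = []
    for dn, attrs in entries.items():
        if CONFLICT.search(dn):
            real = entries.get(CONFLICT.sub("", dn))
            diff = None if real is None else {a for a in set(attrs) | set(real) if attrs.get(a) != real.get(a)}
            report.append((dn, diff))
    return sorted(report, key=lambda r: r[0].count(","), reverse=True)
```

An empty set for a conflict means it matches the surviving entry attribute for attribute; None means its counterpart is gone and the conflict may be the only copy of that data.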