On Wed, Jun 23, 2021, at 2:13 PM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>>
>> [root@ipa2c7 ~]# ipa-replica-manage clean-ruv 5
>> Directory Manager password:
>>
>> unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
>> unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
>> unable to decode: {replica 21} 60cb27ed000600150000 60cb27ed000600150000
>> unable to decode: {replica 24} 60cc5b11000400180000 60cc5b11000400180000
>> unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
>> unable to decode: {replica 18} 60bf4aec000000120000 60c07065000200120000
>> unable to decode: {replica 5} 53722a35000000050000 5a11c065000000050000
>> Replica ID 5 not found
>>
>> I'd try interacting with the LDAP directly but I can't get an LDIF
>> using db2ldif either with dsctl or without it (because I don't have
>> dsctl and "yum provides */dsctl" returns no hits so I'm not sure where
>> it comes from).
>
> Scratch this last; it was a permissions error when trying to write the
> output file. But I'm not sure that's going to help me remove these
> "unable to decode" replicas.
> The RUV search uses this filter against your suffix (dc=our,dc=net):
> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> nsds50ruv is the attribute which contains the replication information.
This gave me replica 26, but the ldapmodify doesn't seem to have cleaned it. Perhaps
because it looks like it's a replication agreement with itself?
[root@ipa2c7 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b "dc=our,dc=net" '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dour\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDnGroupCheckInterval: 2
nsDS5ReplicaId: 26
nsDS5ReplicaName: 2ce04b96-d02b11eb-ad3cb71e-5a893ec1
nsDS5ReplicaRoot: dc=our,dc=net
nsDS5ReplicaType: 3
nsState:: GgAAAAAAAABeXNRgAAAAAAAAAAAAAAAAAQMAAAAAAAACAAAAAAAAAA==
nsds5ReplicaBackoffMax: 3
nsds5ReplicaLegacyConsumer: off
nsds5ReplicaReleaseTimeout: 20
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=net
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsds5ReplicaCleanRUV: 4:60d21f1b000100040000:no:0
nsds50ruv: {replicageneration} 537228a6000000040000
nsds50ruv: {replica 26 ldap://ipa2c7.our.net:389} 60cc8b3c0002001a0000 60d45f5f0001001a0000
nsruvReplicaLastModified: {replica 26 ldap://ipa2c7.our.net:389} 60d45c5e
nsds5ReplicaChangeCount: 14571
nsds5replicareapactive: 0
ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=replica,cn=dc\3Dour\2Cdc\3Dnet,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV26
EOF
[root@ipa2c7 ~]# sleep 120
[root@ipa2c7 ~]# ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 97} 60cb52d2000300610000 60cb5311000e00610000
Replica Update Vectors:
ipa2c7.our.net:389: 26
Certificate Server Replica Update Vectors:
ipa2c7.our.net:389: 91
ipa1.our.net:389: 96
[root@ipa2c7 ~]#
> In fact, it seems that ipa2c7 doesn't want to delete the replica
> because it thinks it still has a replication agreement with ipa2, but
> none of the usual tools let me get in there and remove it.
>
> [root@ipa2c7 slapd-OUR-NET]# ipa-replica-manage del ipa2.our.net
> Connection to 'ipa2.our.net' failed: cannot connect to 'ldaps://ipa2.our.net:636':
> Unable to delete replica 'ipa2.our.net'
> [root@ipa2c7 slapd-OUR-NET]# ipa server-del ipa2.our.net
> Removing ipa2.our.net from replication topology, please wait...
> ipa: ERROR: ipa2.our.net: server not found
> [root@ipa2c7 slapd-OUR-NET]# [23/Jun/2021:11:37:18.017970634 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa2.our.net" (ipa2:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> [23/Jun/2021:11:37:18.027255085 +0000] - NOTICE - NSMMReplicationPlugin - CleanAllRUV Task (rid 5): Replica not online (agmt="cn=meToipa2.our.net" (ipa2:389))
> [23/Jun/2021:11:37:18.028593839 +0000] - NOTICE - NSMMReplicationPlugin - CleanAllRUV Task (rid 5): Not all replicas online, retrying in 160 seconds...
>
> Is this, then, a case where I need to go back and use ldapdelete to
> remove any entry that has a reference to ipa2.our.net
> You can try --force to have the ipa-replica-manage delete work without
> being able to contact the remote server. It may work if you're still at DL0.
--force didn't help much, but the cleanallruv.pl script seems to have helped, once I
found it. I fed it all the replica numbers above one by one and now I'm down to the
list above.
I've tried using that script and the ldapmodify command above on these replica IDs but
they're all stubbornly refusing to be deleted.
I'm considering biting the bullet and just starting over. I've got a dump of our
user list and our DNS, and can rebuild from that in about a day if I have to.
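A small RUV triage script for the situation discussed in this thread, added here as an example; it is not part of the original messages and is not FreeIPA or 389-ds tooling. It decodes the 20-hex-digit CSNs shown in the nsds50ruv and "unable to decode" lines (8 hex digits of timestamp, then 4 each of sequence number, replica id and subsequence number), flags elements that carry no ldap:// URL or whose URL is not a server still in the topology, checks that the replica id embedded in each CSN agrees with the element's own id, and emits the same nsds5task CLEANRUV modification used above for each candidate. The sample values are copied from the messages above; the set of live servers and the suffix are assumptions supplied by the operator, and the script only generates LDIF, it never applies it.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the nsds50ruv value for replica 26 and the
# elements ipa-replica-manage reported as "unable to decode" in this thread.
SAMPLE_RUV = [
    "{replicageneration} 537228a6000000040000",
    "{replica 26 ldap://ipa2c7.our.net:389} 60cc8b3c0002001a0000 60d45f5f0001001a0000",
    "{replica 13} 60b907570001000d0000 60b907570001000d0000",
    "{replica 5} 53722a35000000050000 5a11c065000000050000",
    "{replica 97} 60cb52d2000300610000 60cb5311000e00610000",
]

# RUV element: "{replica <rid> [<url>]} <mincsn> [<maxcsn>]".  The URL is
# optional here on purpose: elements without one are exactly the ones the
# thread shows as "unable to decode".
ELEMENT_RE = re.compile(
    r"^\{replica (?P<rid>\d+)(?: (?P<url>ldap://[^}\s]+))?\}"
    r"\s+(?P<mincsn>[0-9a-f]{20})(?:\s+(?P<maxcsn>[0-9a-f]{20}))?$"
)


def decode_csn(csn):
    """Split a 389-ds CSN (20 hex digits) into timestamp, sequence number,
    replica id and subsequence number.  Timestamp is seconds since the epoch."""
    if not re.fullmatch(r"[0-9a-f]{20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return {
        "timestamp": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(values):
    """Parse nsds50ruv values into dicts, skipping {replicageneration}."""
    elements = []
    for value in values:
        value = value.strip()
        if value.startswith("{replicageneration}"):
            continue
        m = ELEMENT_RE.match(value)
        if not m:
            raise ValueError(f"unrecognised RUV element: {value!r}")
        rid = int(m.group("rid"))
        maxcsn = m.group("maxcsn") or m.group("mincsn")
        fields = decode_csn(maxcsn)
        elements.append({
            "rid": rid,
            "url": m.group("url"),
            "maxcsn": maxcsn,
            "last_change": datetime.fromtimestamp(fields["timestamp"], tz=timezone.utc),
            # The replica id is also encoded inside every CSN; a mismatch means
            # the element deserves a closer look before anything is cleaned.
            "rid_consistent": fields["rid"] == rid,
        })
    return elements


def stale_rids(elements, live_urls):
    """Replica ids worth reviewing: no ldap:// URL at all, or a URL that is
    not one of the servers still in the topology (live_urls is supplied by
    the operator, e.g. from the output of `ipa server-find`)."""
    return [e["rid"] for e in elements
            if e["url"] is None or e["url"] not in live_urls]


def cleanruv_ldif(suffix, rid):
    """LDIF for the nsds5task CLEANRUV<rid> modification used in the thread.
    The mapping-tree RDN escapes '=' and ',' in the suffix as \\3D and \\2C."""
    escaped = suffix.replace("=", "\\3D").replace(",", "\\2C")
    return (
        f"dn: cn=replica,cn={escaped},cn=mapping tree,cn=config\n"
        "changetype: modify\n"
        "replace: nsds5task\n"
        f"nsds5task: CLEANRUV{rid}\n"
    )


if __name__ == "__main__":
    # Assumption for the sample: ipa2c7 is the only server left in the topology.
    live = {"ldap://ipa2c7.our.net:389"}
    elems = parse_ruv(SAMPLE_RUV)
    for e in elems:
        print(f"rid {e['rid']:>3}  {e['url'] or '(no url)':<28} "
              f"last change {e['last_change']:%Y-%m-%d %H:%M:%S}Z  "
              f"{'ok' if e['rid_consistent'] else 'RID MISMATCH'}")
    for rid in stale_rids(elems, live):
        print("\n" + cleanruv_ldif("dc=our,dc=net", rid), end="")
```

To use it on real data, replace SAMPLE_RUV with the nsds50ruv values from the ldapsearch shown earlier in the thread and fill `live` from the servers that are actually still in the topology; the decoded timestamps make it easy to see which RUV elements last changed years ago, and the generated LDIF can be reviewed before it is fed to ldapmodify.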