Howdy folks,
We also have a similar issue. Some servers in our IPA topology show ghost replicas, and it comes down to an entry like the following for an old replica which no longer exists:
$ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=DICOMP,dc=NET '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
Enter LDAP Password:
dn: cn=replica,cn=dc\3Ddicomp\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=dicomp,dc=net
nsDS5ReplicaBindDnGroupCheckInterval: 60
nsDS5ReplicaId: 11
nsDS5ReplicaName: 13387f82-373b11eb-a1r2gff0-4sda870
nsDS5ReplicaRoot: dc=dicomp,dc=net
nsDS5ReplicaType: 3
nsState:: CwAAAAAAAABzzalmAAAAAAAAAAAAAAAAUpEAAAAAAAALAAAAAAAAAA==
nsds5ReplicaBackoffMax: 300
nsds5ReplicaLegacyConsumer: off
nsds5ReplicaReleaseTimeout: 60
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5fc9ab2e000000040000
nsds50ruv: {replica 11 ldap://camper26.dicomp.net:389} 5fcbf1fa0000000b0000 66aa5edc0000000b0000
nsds50ruv: {replica 3 ldap://camper21.dicomp.net:389} 5fc9ab34000000030000 66aa53ce000100030000
nsds50ruv: {replica 5 ldap://camper23.dicomp.net:389} 5fc9b44b000000050000 66aa58d0000000050000
nsds50ruv: {replica 10 ldap://camper24.dicomp.net:389} 5fc9c7650000000a0000 66aa53d10004000a0000
nsds50ruv: {replica 33 ldap://ipa.dicomp.net:389} 626998ac000100210000 66aa5af1000100210000
nsds50ruv: {replica 45 ldap://az1-iparepl-01.dicomp.net:389} 629644dc0001002d0000 66aa58960000002d0000
nsds50ruv: {replica 46 ldap://au1-compca-01.dicomp.net:389} 6297aca50002002e0000 66aa59130003002e0000
nsds50ruv: {replica 48 ldap://nz1-freeipa-backup.dicomp.net:389} 62c8635e000200300000 66aa4991000800300000
nsds50ruv: {replica 56 ldap://in1-iparepl-01.dicomp.net:389} 667aa1b9000100380000 66aa553d000000380000
nsds50ruv: {replica 57 ldap://camper27.dicomp.net:389} 667bac3f000100390000 66aa5547000000390000
nsds50ruv: {replica 60 ldap://camper25.dicomp.net:389} 667cf5c50000003c0000 66aa5ae00000003c0000
nsds50ruv: {replica 63 ldap://camper22.dicomp.net:389} 667d3ec50001003f0000 66aa5d720000003f0000
nsds50ruv: {replica 64 ldap://nz1-compca-01.dicomp.net:389} 668e3565000100400000 66aa5d7e000000400000
nsds5agmtmaxcsn: dc=dicomp,dc=net;camper26.dicomp.net-to-camper27.dicomp.net;camper27.dicomp.net;389;57;66aa55c00000000b0000
nsds5agmtmaxcsn: dc=dicomp,dc=net;camper26.dicomp.net-to-in1-iparepl-01.dicomp.net;in1-iparepl-01.dicomp.net;389;56;66aa55c00000000b0000
nsruvReplicaLastModified: {replica 11 ldap://camper26.dicomp.net:389} 66a9cd8a
nsruvReplicaLastModified: {replica 3 ldap://camper21.dicomp.net:389} 66a9c27f
nsruvReplicaLastModified: {replica 5 ldap://camper23.dicomp.net:389} 66a9c780
nsruvReplicaLastModified: {replica 10 ldap://camper24.dicomp.net:389} 66a9c281
nsruvReplicaLastModified: {replica 33 ldap://ipa.dicomp.net:389} 66a9c9a4
nsruvReplicaLastModified: {replica 45 ldap://az1-iparepl-01.dicomp.net:389} 66a9c745
nsruvReplicaLastModified: {replica 46 ldap://au1-compca-01.dicomp.net:389} 66a9c7c5
nsruvReplicaLastModified: {replica 48 ldap://nz1-freeipa-backup.dicomp.net:389} 66a9c306
nsruvReplicaLastModified: {replica 56 ldap://in1-iparepl-01.dicomp.net:389} 66a9c3eb
nsruvReplicaLastModified: {replica 57 ldap://camper27.dicomp.net:389} 66a9c3f5
nsruvReplicaLastModified: {replica 60 ldap://camper25.dicomp.net:389} 66a9c990
nsruvReplicaLastModified: {replica 63 ldap://camper22.dicomp.net:389} 66a9cc21
nsruvReplicaLastModified: {replica 64 ldap://nz1-compca-01.dicomp.net:389} 66a9cc63
nsruvReplicaLastModified: {replica 52} 66a9cd67
nsds5ReplicaChangeCount: 117369
nsds5replicareapactive: 0
This one, "nsruvReplicaLastModified: {replica 52} 66a9cd67", does not have an nsds50ruv associated with it, so removal via the other tool does not work.
Trying to remove them via an LDAP modify also fails, with the error "additional info: Deletion of nsruvReplicaLastModified attribute is not allowed".
Any help on getting these records to vanish is very much appreciated, as it's causing cipa to believe there are ghost replicas. Looking at the cipa code tells me that it's looking for replica entries without an associated LDAP URL to count towards ghost replicas.
Thanks!
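Added example, not code from the post, from cipa or from 389-ds: a stand-alone Python check that reproduces the condition the poster found in the cipa code, i.e. an nsruvReplicaLastModified element with no LDAP URL and no matching nsds50ruv element. The sample LDIF is a constructed, trimmed copy of the RUV tombstone above (only the attributes the check reads are kept); the function names are this example's own. It also decodes the newest CSN per replica, using the fact that the first eight hex digits of a 389-ds CSN are the Unix time of the change, so stale replicas can be spotted before they turn into ghosts.

```python
import re
from typing import Dict, List

# Constructed sample input: a trimmed copy of the RUV tombstone from the post,
# keeping only the attributes this check reads (values are the post's own).
SAMPLE_LDIF = """\
dn: cn=replica,cn=dc\\3Ddicomp\\2Cdc\\3Dnet,cn=mapping tree,cn=config
cn: replica
nsDS5ReplicaId: 11
nsds50ruv: {replicageneration} 5fc9ab2e000000040000
nsds50ruv: {replica 11 ldap://camper26.dicomp.net:389} 5fcbf1fa0000000b0000 66aa5edc0000000b0000
nsds50ruv: {replica 3 ldap://camper21.dicomp.net:389} 5fc9ab34000000030000 66aa53ce000100030000
nsruvReplicaLastModified: {replica 11 ldap://camper26.dicomp.net:389} 66a9cd8a
nsruvReplicaLastModified: {replica 3 ldap://camper21.dicomp.net:389} 66a9c27f
nsruvReplicaLastModified: {replica 52} 66a9cd67
"""

# RUV element: "{replica <id> [ldap://host:port]} <values...>". The URL is
# optional in the grammar; a ghost entry is precisely one that lacks it.
_RUV_ELEMENT = re.compile(r"^\{replica (?P<rid>\d+)(?: (?P<url>\S+))?\}\s*(?P<rest>.*)$")


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute (lowercased): [values]}.
    Folds LDIF continuation lines (leading space); '::' base64 values are
    kept as raw text because this check never needs to decode them."""
    attrs: Dict[str, List[str]] = {}
    last = None
    for line in ldif.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]          # LDIF line continuation
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        attrs.setdefault(name, []).append(value.lstrip(": ").strip())
        last = name
    return attrs


def ruv_elements(values: List[str]) -> Dict[int, Dict[str, str]]:
    """Map replica id -> {'url': ..., 'rest': ...} for one RUV-style attribute;
    the {replicageneration} element has no replica id and is skipped."""
    out: Dict[int, Dict[str, str]] = {}
    for v in values:
        m = _RUV_ELEMENT.match(v)
        if m:
            out[int(m["rid"])] = {"url": m["url"] or "", "rest": m["rest"]}
    return out


def csn_timestamp(csn: str) -> int:
    """First 8 hex digits of a 389-ds CSN are the Unix time of the change."""
    return int(csn[:8], 16)


def find_ghost_replicas(ldif: str) -> List[int]:
    """Replica ids present in nsruvReplicaLastModified without an LDAP URL and
    without a matching nsds50ruv element: the condition the post describes."""
    attrs = parse_ldif_entry(ldif)
    ruv = ruv_elements(attrs.get("nsds50ruv", []))
    lastmod = ruv_elements(attrs.get("nsruvreplicalastmodified", []))
    return sorted(rid for rid, e in lastmod.items()
                  if rid not in ruv and not e["url"])


def max_csn_times(ldif: str) -> Dict[int, int]:
    """Replica id -> Unix time of its newest CSN, taken from nsds50ruv. Useful
    for spotting replicas that stopped replicating long before removal."""
    attrs = parse_ldif_entry(ldif)
    result: Dict[int, int] = {}
    for rid, e in ruv_elements(attrs.get("nsds50ruv", [])).items():
        csns = e["rest"].split()
        if csns:
            result[rid] = csn_timestamp(csns[-1])   # last token is the max CSN
    return result


if __name__ == "__main__":
    print("ghost replicas:", find_ghost_replicas(SAMPLE_LDIF))
    for rid, ts in sorted(max_csn_times(SAMPLE_LDIF).items()):
        print(f"replica {rid}: newest CSN at unix time {ts}")
```

Run against the real tombstone, feed it the LDIF from the ldapsearch above instead of SAMPLE_LDIF; the script only depends on the standard library, so it can run on a monitoring host that has no python-ldap installed.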