Nicholas Cross via FreeIPA-users wrote:
Ah got it! Wonderful.
The trick was to run the topologysegment-del on the same server it was on.
It seems I am moving forward with this now - thanks.
#
# To remove the topology segment, which removed the replica agreement
#

#
# Show the bad replication agreement
#
# ipa-replica-manage list -v `hostname`
Directory Manager password:

bad_server.ad.companyx.fm: replica
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
ipa003dc.ad.companyx.fm: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-04-26 06:43:07+00:00
ipa005.ad.companyx.fm: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-04-26 06:43:14+00:00
ipa007.ad.companyx.fm: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-04-26 06:43:02+00:00

#
# find the segment (domain or ca)
#
$ ipa topologysegment-find domain | grep etcd
  Segment name: ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm
  Right node: bad_server.ad.companyx.fm

#
# delete that segment
#
$ ipa topologysegment-del domain ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm
Deleted segment "ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm"

#
# check it has gone - tada!
#
$ ipa-replica-manage list -v `hostname`
ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log'
ipa003dc.ad.companyx.fm: replica
  last update status: Error (0) Replica acquired successfully: Incremental update started
  last update ended: 1970-01-01 00:00:00+00:00
ipa005.ad.companyx.fm: replica
  last update status: Error (0) Replica acquired successfully: Incremental update started
  last update ended: 1970-01-01 00:00:00+00:00
ipa007.ad.companyx.fm: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2023-04-26 06:46:08+00:00

#
# Next up, removing the "LDAP Conflicts" but - "Removal of Segment disconnects topology.Deletion not allowed."
#
$ ldapdelete cn=bad_server.ad.companyx.fm-to-ipa006.ad.companyx.fm+nsuniqueid=34b26c01-ceee11ed-9d1d82de-03f3a8a3,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ad,dc=companyx,dc=fm
SASL/GSSAPI authentication started
SASL username: nicholas.cross@AD.companyx.FM
SASL SSF: 256
SASL data security layer installed.
ldap_delete: Server is unwilling to perform (53)
        additional info: Removal of Segment disconnects topology.Deletion not allowed.

#
# I think this is the solution: https://access.redhat.com/solutions/5507711
#
# Question1: during running the above RedHat solution, does this only disable the topology replication? and leaves all other dirsrv components running?
#

#
# After that - finally remove the Ghost Replicas - which was the original question.
#
$ ldapsearch -D "cn=Directory Manager" -w $pass -Q -o ldif-wrap=no -LLL -b "dc=ad,dc=companyx,dc=fm" '(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))'
dn: cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ad,dc=companyx,dc=fm
nsDS5ReplicaBindDnGroupCheckInterval: 60
nsDS5ReplicaId: 56
nsDS5ReplicaName: a6b5640c-ad3911ed-a50980fb-6203228c
nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
nsDS5ReplicaType: 3
nsState:: OAAAAAAAAABf0EhkAAAAAAAAAAAAAAAA7AAAAAAAAAAFAAAAAAAAAA==
nsds5ReplicaBackoffMax: 300
nsds5ReplicaLegacyConsumer: off
nsds5ReplicaReleaseTimeout: 60
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsds5ReplicaCleanRUV: 15:no:0:dc=ad,dc=companyx,dc=fm
nsds5ReplicaCleanRUV: 24:no:0:dc=ad,dc=companyx,dc=fm
nsds50ruv: {replicageneration} 5d9e2076000000040000
nsds50ruv: {replica 56 ldap://ipa006.ad.companyx.fm:389} 63ece66f000000380000 6448d15d000400380000
nsds50ruv: {replica 46 ldap://ipa005.ad.companyx.fm:389} 63dbcc200001002e0000 6448d115000e002e0000
nsds50ruv: {replica 48 ldap://ipa007.ad.companyx.fm:389} 63ea4e54000100300000 6448d115000700300000
nsds50ruv: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 643d03280001003a0000 6448ca410000003a0000
nsds50ruv: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 643d19680001003c0000 6448c9e40009003c0000
nsds50ruv: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 643d491e0001003e0000 6448cab40000003e0000
nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa003dc.ad.companyx.fm;ipa003dc.ad.companyx.fm;389;62;6448cf8e000800380000
nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa005.ad.companyx.fm;ipa005.ad.companyx.fm;389;46;6448cf8e000800380000
nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa007.ad.companyx.fm;ipa007.ad.companyx.fm;389;48;6448cf8e000800380000
nsruvReplicaLastModified: {replica 56 ldap://ipa006.ad.companyx.fm:389} 6448d071
nsruvReplicaLastModified: {replica 46 ldap://ipa005.ad.companyx.fm:389} 6448d02b
nsruvReplicaLastModified: {replica 48 ldap://ipa007.ad.companyx.fm:389} 6448d02b
nsruvReplicaLastModified: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 6448c956
nsruvReplicaLastModified: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 6448c8fb
nsruvReplicaLastModified: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 6448c9c9
nsruvReplicaLastModified: {replica 25} 00000000
nsruvReplicaLastModified: {replica 23} 00000000
nsruvReplicaLastModified: {replica 40} 00000000
nsruvReplicaLastModified: {replica 12} 00000000
nsruvReplicaLastModified: {replica 21} 00000000
nsds5ReplicaChangeCount: 790081
nsds5replicareapactive: 0

#
# Question2: How to remove these? from the above
#
nsruvReplicaLastModified: {replica 25} 00000000
nsruvReplicaLastModified: {replica 23} 00000000
nsruvReplicaLastModified: {replica 40} 00000000
nsruvReplicaLastModified: {replica 12} 00000000
nsruvReplicaLastModified: {replica 21} 00000000

# this sort of thing doesn't seem to work.
dn: cn=clean 12,cn=cleanallruv,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
replica-base-dn: dc=ad,dc=companyx,dc=fm
replica-id: 12
cn: clean 12

You can try ipa-replica-manage clean-ruv <value> to try to remove specific values.
rob
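
Added example, not part of the thread and not FreeIPA code: a Python helper that reads the unwrapped LDIF of the RUV tombstone (as returned by the ldapsearch above) and lists the replica IDs to review for `ipa-replica-manage clean-ruv <value>`. It assumes a leftover entry is one that appears in `nsruvReplicaLastModified` with no URL and has no `nsds50ruv` element; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the tombstone attributes quoted in the thread.
SAMPLE_LDIF = """\
nsDS5ReplicaId: 56
nsds5ReplicaCleanRUV: 15:no:0:dc=ad,dc=companyx,dc=fm
nsds50ruv: {replicageneration} 5d9e2076000000040000
nsds50ruv: {replica 56 ldap://ipa006.ad.companyx.fm:389} 63ece66f000000380000 6448d15d000400380000
nsds50ruv: {replica 46 ldap://ipa005.ad.companyx.fm:389} 63dbcc200001002e0000 6448d115000e002e0000
nsruvReplicaLastModified: {replica 56 ldap://ipa006.ad.companyx.fm:389} 6448d071
nsruvReplicaLastModified: {replica 46 ldap://ipa005.ad.companyx.fm:389} 6448d02b
nsruvReplicaLastModified: {replica 25} 00000000
nsruvReplicaLastModified: {replica 12} 00000000
"""

# Matches "{replica <id>}" and "{replica <id> <url>}"; "{replicageneration}" does not match.
ELEMENT = re.compile(r"\{replica (\d+)(?: ([^}\s]+))?\}")

def parse_ruv(ldif):
    """Return (live, last_modified, cleaning) parsed from unwrapped LDIF text."""
    live, last_modified, cleaning = {}, {}, set()
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        m = ELEMENT.match(value)
        if attr == "nsds50ruv" and m:
            live[int(m.group(1))] = m.group(2)           # id -> replica URL
        elif attr == "nsruvreplicalastmodified" and m:
            last_modified[int(m.group(1))] = m.group(2)  # URL is None when absent
        elif attr == "nsds5replicacleanruv" and value.split(":", 1)[0].isdigit():
            cleaning.add(int(value.split(":", 1)[0]))    # a clean task is already recorded
    return live, last_modified, cleaning

def ghost_replica_ids(ldif):
    """IDs with a last-modified entry but no URL, no RUV element and no recorded clean task."""
    live, last_modified, cleaning = parse_ruv(ldif)
    return sorted(rid for rid, url in last_modified.items()
                  if url is None and rid not in live and rid not in cleaning)

def clean_ruv_commands(ldif):
    # Commands are returned for review; nothing is executed here.
    return [f"ipa-replica-manage clean-ruv {rid}" for rid in ghost_replica_ids(ldif)]

if __name__ == "__main__":
    for cmd in clean_ruv_commands(SAMPLE_LDIF):
        print(cmd)
```

Check each reported ID against the replicas that are still in service before running the printed command on a server.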