Petros Triantafyllidis wrote:
Thanks for your response Rob. Please see my questions inline.
On 11/7/19 6:48 PM, Rob Crittenden via FreeIPA-users wrote:
> Petros Triantafyllidis wrote:
>> Thanks for healthcheck Rob,
>>
>> In our setup (2 CentOS 7.7 servers, running
>> ipa-server-4.6.5-11.el7.centos.3.x86_64) I get the output below when
>> ipa-healthcheck runs at the replica. The output is identical at master
>> too, except the first warning ("No DNA range defined. If no masters
>> define a range then users and groups cannot be created."). How serious
>> is my case?
>> Any recommendation is highly appreciated.
>>
>> Thanks again,
>> Petros
>>
>> [
>> {
>> "source": "ipahealthcheck.ipa.dna",
>> "kw": {
>> "msg": "No DNA range defined. If no masters define a range then
>> users and groups cannot be created.",
>> "range_start": 0,
>> "next_start": 0,
>> "next_max": 0,
>> "range_max": 0
>> },
>> "uuid": "f414f514-38b2-4381-a161-f43ea81ffbae",
>> "duration": "0.578066",
>> "when": "20191107160820Z",
>> "check": "IPADNARangeCheck",
>> "result": "WARNING"
>> },
> This is just a heads-up. It means that this master doesn't have a DNA
> range. If your other master dies then you'll get the dreaded "ERROR:
> Operations error: Allocation of a new value for range failed".
>
> We don't allocate a range to every master because there are some users
> that have a LOT of masters and each time a range is allocated it splits
> in half.
>
> So it may be perfectly fine, hence the warning.
Do you recommend I set DNA range for my second server too? I will hardly
have more than four servers in our environment and that only in a
transition/upgrade phase.
It shouldn't hurt anything. All you need to do is add a user or group on
that master directly. It should see it has no range and get one for
itself automatically. This will let you avoid the pain of having to
recover the range if the original master ever goes down.
[...]
>> {
>> "source": "ipahealthcheck.ds.replication",
>> "kw": {
>> "msg": "Replication conflict",
>> "glue": false,
>> "conflict": "namingConflict cn=certmap,dc=geo,dc=ss,dc=lan",
>> "key": "cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan"
>> },
>> "uuid": "b9e9c71d-c97c-43be-806f-b37bdc3607c3",
>> "duration": "0.005029",
>> "when": "20191107160829Z",
>> "check": "ReplicationConflictCheck",
>> "result": "ERROR"
>> },
> [ snip ]
>
> What you'll want to do is compare the conflict entry with the "real"
> entry to see if there are any differences. Chances are there aren't and
> the conflict entries can be deleted.
Assuming I have the following output:
ldapsearch -D "cn=Directory Manager" -W "cn=certmap *"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=geo,dc=ss,dc=lan> (default) with scope subtree
# filter: cn=certmap *
# requesting: ALL
#
# certmap, geo.ss.lan
dn: cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
# certmaprules, certmap, geo.ss.lan
dn: cn=certmaprules,cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules
# certmap + ebb8b88e-a2c811e7-8f22c768-d7e7aa51, geo.ss.lan
dn: cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
# certmaprules + ebb8b8b7-a2c811e7-8f22c768-d7e7aa51, certmap + ebb8b88e-a2c811e7-8f22c768-d7e7aa51, geo.ss.lan
dn: cn=certmaprules+nsuniqueid=ebb8b8b7-a2c811e7-8f22c768-d7e7aa51,cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmaprules
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
Am I safe to delete like this?
ldapdelete -D "cn=Directory Manager" -W -x "cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan"
Yes
rob
Thanks,
Petros
--
Dr. TRIANTAFYLLIDIS PETROS
Aristotle University - Department of Geophysics, POBox 112,
54124 Thessaloniki,GREECE-TEL:+30-2310998585,FAX:2310991403
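Rob's advice in the thread is to compare a conflict entry with its "real" counterpart before deleting it. The Python below is an added example, not code from the thread or from ipa-healthcheck: it reads healthcheck JSON, derives the real DN by stripping the nsuniqueid RDN component that 389-ds appends to conflict entries, and diffs the two entries from an LDIF export. The JSON and LDIF samples are constructed from the values quoted above; DN matching is exact-case and the LDIF parser assumes unfolded, non-base64 lines.

```python
import json
import re
from collections import defaultdict

# Constructed sample mirroring the ipa-healthcheck JSON quoted in the thread
HEALTHCHECK_JSON = """[{"source": "ipahealthcheck.ds.replication", "check": "ReplicationConflictCheck",
  "result": "ERROR", "kw": {"msg": "Replication conflict", "glue": false,
  "conflict": "namingConflict cn=certmap,dc=geo,dc=ss,dc=lan",
  "key": "cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan"}}]"""
# Constructed LDIF export of the real entry and its conflict twin (one attribute per line)
LDIF = """dn: cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap

dn: cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan
objectClass: nsContainer
objectClass: ipaCertMapConfigObject
ipaCertMapPromptUsername: FALSE
cn: certmap
"""
# 389-ds marks a replication conflict entry by appending nsuniqueid=<id> to its RDN
NSUNIQUEID_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

def conflict_pairs(report_json):
    """Return (conflict_dn, real_dn) pairs; the real DN is the conflict DN minus its nsuniqueid RDN part."""
    pairs = []
    for item in json.loads(report_json):
        if item.get("check") == "ReplicationConflictCheck":
            conflict_dn = item["kw"]["key"]
            pairs.append((conflict_dn, NSUNIQUEID_RDN.sub("", conflict_dn)))
    return pairs

def parse_ldif(text):
    """Minimal LDIF parser (no base64 or folded lines): {dn: {attr: set(values)}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = entries.setdefault(value, defaultdict(set))
            else:
                current[attr].add(value)
    return entries

def entry_diff(entries, conflict_dn, real_dn):
    """Attributes whose values differ between the two entries; an empty set means they are identical."""
    a, b = entries[conflict_dn], entries[real_dn]
    return {k for k in set(a) | set(b) if a.get(k, set()) != b.get(k, set())}
```

An empty diff is the "chances are there aren't any differences" case from the thread; a non-empty one lists exactly which attributes to inspect before removing the conflict entry.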