How to remove replication agreements for Certificate Authority running on IPA?

Solution Unverified - Updated -

Issue

  • On the IPA masters

    # ipa-replica-manage list ipa01.example.com
    ipa02.example.com: replica
    ipa03.example.com: replica
    ipa04.example.com: replica
    
    # ldapsearch -LLLQ -h ipa01.example.com -b cn=config '(objectclass=nsds5replicationagreement)' nsds5replicaLastUpdateStatus | perl -p00e 's/\r?\n //g'
    
    dn: cn=meToipa02.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
    
    dn: cn=meToipa03.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
    
    dn: cn=meToipa04.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
    
    dn: cn=masterAgreement1-removedipa1.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
    
    dn: cn=masterAgreement1-removedipa2.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
    
    dn: cn=masterAgreement1-ipa02.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
    
    dn: cn=masterAgreement1-removedipa3.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server
    
    dn: cn=masterAgreement1-ipa03.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
    
  • I would expect to see 3 DNs instead of 8.

  • All 8 DNs still exist and were once connected to the master, but not any more.
  • On the 'slaves', the replica DNs match the servers shown by ipa-replica-manage list.
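
To separate the agreements that still replicate from the leftover ones in output like the above, the LDIF can be filtered on the status code. This is an added example, not part of the original article; the function names `sample_ldif` and `failing_agreements` are assumptions, and the script only reports, it changes nothing on the server.

```shell
#!/bin/sh
# Constructed sample: four entries copied from the ldapsearch output above,
# already unfolded to one attribute per line.
sample_ldif() {
cat <<'EOF'
dn: cn=meToipa02.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

dn: cn=masterAgreement1-removedipa1.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server

dn: cn=masterAgreement1-ipa02.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

dn: cn=masterAgreement1-removedipa3.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server
EOF
}

# Read unfolded LDIF on stdin and print one tab-separated line per agreement
# whose last update status code is not 0: <suffix> <code> <agreement cn>.
failing_agreements() {
    awk '
    /^dn: / { dn = substr($0, 5); next }
    /^nsds5replicaLastUpdateStatus: / {
        status = $0
        sub(/^[^:]*: /, "", status)        # drop the attribute name
        code = status
        sub(/ .*/, "", code)               # keep only the leading status code
        if (code == "0") next              # agreement is replicating
        n = index(dn, ",cn=replica,cn=")
        if (n == 0) next                   # not a replication agreement DN
        name = substr(dn, 4, n - 4)        # agreement cn without "cn="
        suffix = substr(dn, n + 15)        # text after ",cn=replica,cn="
        sub(/,cn=mapping tree.*/, "", suffix)
        gsub(/\\3D/, "=", suffix)          # undo DN escaping of "="
        gsub(/\\2C/, ",", suffix)          # undo DN escaping of ","
        printf "%s\t%s\t%s\n", suffix, code, name
    }'
}

sample_ldif | failing_agreements
```

Against a live server, pipe the ldapsearch command from the Issue section (including the perl unfolding step) into `failing_agreements` in place of `sample_ldif`.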

Environment

  • Red Hat Enterprise Linux (RHEL) 7.1
  • ipa-server-4.1.0
