How to remove replication agreements for Certificate Authority running on IPA?
Issue
- On the IPA masters

    # ipa-replica-manage list ipa01.example.com
    ipa02.example.com: replica
    ipa03.example.com: replica
    ipa04.example.com: replica

    # ldapsearch -LLLQ -h ipa01.example.com -b cn=config '(objectclass=nsds5replicationagreement)' nsds5replicaLastUpdateStatus | perl -p00e 's/\r?\n //g'
    dn: cn=meToipa02.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

    dn: cn=meToipa03.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

    dn: cn=meToipa04.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

    dn: cn=masterAgreement1-removedipa1.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server

    dn: cn=masterAgreement1-removedipa2.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server

    dn: cn=masterAgreement1-ipa02.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

    dn: cn=masterAgreement1-removedipa3.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server

    dn: cn=masterAgreement1-ipa03.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
    nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

- I would expect to see 3 dn's instead of 8
- All 8 dn's do still exist and once were connected to the master
- But not any more. On the 'slaves', the replica DN's match the servers shown with ipa-replica-manage list
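
The comparison described above can be scripted. This is an added example, not code from the article or from IPA: it parses the unfolded ldapsearch output, decodes the escaped suffix, and reports agreements whose peer is absent from the ipa-replica-manage listing. The DN naming patterns (meTo<host>, masterAgreementN-<host>-pki-tomcat) are assumed from the output shown, the function names are hypothetical, and the sample data is constructed from that output.

```python
import re

# Constructed sample input, copied in shape from the two outputs above.
SAMPLE_LIST = """ipa02.example.com: replica
ipa03.example.com: replica
ipa04.example.com: replica"""
SAMPLE_LDIF = r"""dn: cn=meToipa02.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

dn: cn=masterAgreement1-removedipa1.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server

dn: cn=masterAgreement1-ipa02.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded

dn: cn=masterAgreement1-removedipa3.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server"""

# Assumed agreement DN shape: peer host name, then replicated suffix (hex-escaped).
AGMT_DN = re.compile(
    r"^cn=(?:meTo|masterAgreement\d+-)(?P<host>.+?)(?:-pki-tomcat)?,"
    r"cn=replica,cn=(?P<suffix>.+?),cn=mapping tree,cn=config$")

def known_hosts(listing):
    """Host names from 'ipa-replica-manage list' lines of the form 'host: role'."""
    return {line.split(":", 1)[0].strip().lower()
            for line in listing.splitlines() if ":" in line}

def parse_agreements(ldif):
    """Yield (suffix, peer_host, status_code, dn) for each unfolded LDIF entry."""
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        m = AGMT_DN.match(attrs.get("dn", ""))
        if not m:
            continue
        suffix = re.sub(r"\\([0-9A-Fa-f]{2})",
                        lambda h: chr(int(h.group(1), 16)), m.group("suffix"))
        num = re.match(r"-?\d+", attrs.get("nsds5replicaLastUpdateStatus", ""))
        code = int(num.group()) if num else None
        yield suffix, m.group("host").lower(), code, attrs["dn"]

def stale_agreements(ldif, listing):
    """Agreements whose peer is not in the current replica listing."""
    hosts = known_hosts(listing)
    return [a for a in parse_agreements(ldif) if a[1] not in hosts]

if __name__ == "__main__":
    for suffix, host, code, dn in stale_agreements(SAMPLE_LDIF, SAMPLE_LIST):
        print(f"{suffix}: peer {host} not listed (last status {code})\n  {dn}")
```
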
Environment
- Red Hat Enterprise Linux (RHEL) 7.1
- ipa-server-4.1.0