After performing the usual yum updates on multiple IPA servers (not at the same time;
one server reportedly started hanging), we started observing "LDAP Conflicts" on
multiple IPA replication servers:
az2-replica.noc.net:
| LDAP Conflicts | 9 | FAIL |
mi2-replica.noc.net:
| LDAP Conflicts | 9 | FAIL |
mi1-replica.noc.net:
| LDAP Conflicts | 9 | FAIL |
az1-replica.noc.net:
| LDAP Conflicts | 10 | FAIL |
sg1-replicate.noc.net:
| LDAP Conflicts | 3 | FAIL |
sg2-replica.noc.net:
| LDAP Conflicts | 3 | FAIL |
While the "Replication status" reports OK, we also observe it flapping at times
between OK and FAIL.
On one of the replication servers we tried to follow:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
- by removing the orphan entry; however, replication broke completely on it (the ipa
service couldn't start back up), requiring a full re-install of that specific
replica.
$ sudo -u admin /home/admin/.local/bin/cipa -H localhost | grep "LDAP Conflicts"
| LDAP Conflicts | 0 | OK |
$ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net"
Enter password for cn=Directory Manager on ldap://az1-replica.noc.net:
dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
cn: sg1-replica.noc.net
ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
ipaMaxDomainLevel: 1
ipaMinDomainLevel: 1
ipaReplTopoManagedSuffix: dc=noc,dc=net
nsds5replconflict: deletedEntryHasChildren
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
objectClass: ipalocationmember
objectClass: extensibleobject
objectClass: glue
$ ldapsearch -H ldaps://$(hostname) -W -D 'cn=Directory Manager' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=noc,dc=net> (default) with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: nsds5ReplConflict
#

# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net

# HTTP/mi1-replica.noc.net@noc.NET + 0264df8b-fca611ee-a3cba8b9-8a6b8039, services, accounts, noc.net
dn: krbprincipalname=HTTP/mi1-replica.noc.net@NOC.NET+nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
nsds5ReplConflict: namingConflict (ADD) krbprincipalname=http/mi1-ipaca.noc.net@noc.net,cn=services,cn=accounts,dc=noc,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
OR:
az1-replica.noc.net:/$ ldapsearch -H ldap://$(hostname) -D "cn=Directory Manager" -W -b "dc=noc,dc=net" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=noc,dc=net> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
ipaLocation: idnsname=singapore,cn=locations,cn=etc,dc=noc,dc=net
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
objectClass: ldapsubentry
objectClass: ipalocationmember
cn: sg1-replica.noc.net
ipaReplTopoManagedSuffix: dc=noc,dc=net
ipaMinDomainLevel: 1
ipaMaxDomainLevel: 1
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
We expect: | LDAP Conflicts | 0 | OK |
Running versions:
ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
ipa-client-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
389-ds-base-1.4.3.37-2.module_el8.9.0+3710+3183c30a.alma.1.x86_64
krb5-server-1.18.2-26.el8_9.x86_64
The yum update happened from:
ipa-server-4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1.x86_64
to:
ipa-server-4.9.12-14.module_el8.9.0+3785+2238a12a.alma.1.x86_64
Please advise how it is best to resolve these "LDAP Conflicts":
how to remove them, or retain them if that is the case?
Thanks,
Lee
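As an added illustration of the diagnostic step in the post (this is example code, not part of the original message and not FreeIPA's or 389-ds's own tooling), the script below parses `ldapsearch` LDIF output for `nsds5ReplConflict` entries and summarises them: the renamed conflict entries carry `+nsuniqueid=...` in their DN and a `namingConflict (ADD) <original DN>` value, while glue entries carry `deletedEntryHasChildren` and the `glue` objectClass. The function names (`parse_ldif`, `find_conflicts`, `summarize`, `report`) are my own, and `SAMPLE_LDIF` is a constructed sample modelled on the output quoted above rather than a live capture.

```python
"""Parse ldapsearch LDIF output and summarise 389-ds replication conflict entries.

Added example, not code from the post or from FreeIPA/389-ds. SAMPLE_LDIF is
constructed, modelled on the ldapsearch output quoted in the post.
"""
from __future__ import annotations

import base64
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two namingConflict subentries (renamed with +nsuniqueid=...)
# and one glue entry, including LDIF line folding (continuation lines start with a space).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=noc,dc=net> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# sg1-replica.noc.net + 039c4293-257f11ed-a255f732-cfd01100, masters, ipa, etc, noc.net
dn: cn=sg1-replica.noc.net+nsuniqueid=039c4293-257f11ed-a255f732-cfd01100
 ,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
objectClass: top
objectClass: nsContainer
objectClass: ldapsubentry
cn: sg1-replica.noc.net
nsds5ReplConflict: namingConflict (ADD) cn=sg1-replica.noc.net,cn=masters
 ,cn=ipa,cn=etc,dc=noc,dc=net

# HTTP/mi1-replica.noc.net@NOC.NET + 0264df8b-fca611ee-a3cba8b9-8a6b8039, services, accounts, noc.net
dn: krbprincipalname=HTTP/mi1-replica.noc.net@NOC.NET+nsuniqueid=0264df8b-fca611ee-a3cba8b9-8a6b8039,cn=services,cn=accounts,dc=noc,dc=net
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) krbprincipalname=http/mi1-ipaca.noc.net@noc.net,cn=services,cn=accounts,dc=noc,dc=net

# glue entry, as listed by `dsconf ... repl-conflict list-glue` (constructed)
dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
objectClass: nsContainer
objectClass: glue
nsds5replconflict: deletedEntryHasChildren

# search result
search: 2
result: 0 Success
"""

# "<reason> (<OP>) <original dn>"; the operation and original DN are absent on glue entries.
CONFLICT_RE = re.compile(r"^(?P<reason>\w+)(?:\s*\((?P<op>[A-Z]+)\))?\s*(?P<orig>.*)$")
UNIQUEID_RE = re.compile(r"\+nsuniqueid=([0-9a-f-]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Conflict:
    dn: str
    nsuniqueid: Optional[str]   # set only on renamed conflict entries
    reason: str                 # e.g. namingConflict, deletedEntryHasChildren
    operation: Optional[str]    # e.g. ADD
    original_dn: Optional[str]  # the DN the entry would have had without the conflict
    is_glue: bool


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF into entries (attribute names lower-cased, values kept in order).

    Handles '#' comments, folded continuation lines, '::' base64 values and the
    trailing 'search:/result:' block, which has no dn and is dropped.
    """
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded line: append to previous
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def find_conflicts(entries: list[dict[str, list[str]]]) -> list[Conflict]:
    """Extract one Conflict per nsds5ReplConflict value found in the entries."""
    found: list[Conflict] = []
    for entry in entries:
        dn = entry["dn"][0]
        uid = UNIQUEID_RE.search(dn)
        is_glue = "glue" in {oc.lower() for oc in entry.get("objectclass", [])}
        for value in entry.get("nsds5replconflict", []):
            m = CONFLICT_RE.match(value)
            if not m:
                continue
            found.append(Conflict(dn=dn, nsuniqueid=uid.group(1) if uid else None,
                                  reason=m["reason"], operation=m["op"],
                                  original_dn=m["orig"] or None, is_glue=is_glue))
    return found


def summarize(conflicts: list[Conflict]) -> dict[str, int]:
    """Count conflicts by reason, the figure a 'LDAP Conflicts' health check would report."""
    return dict(Counter(c.reason for c in conflicts))


def report(text: str) -> list[str]:
    """One human-readable line per conflict found in the given LDIF text."""
    lines = []
    for c in find_conflicts(parse_ldif(text)):
        kind = "glue" if c.is_glue else "conflict"
        op = f"/{c.operation}" if c.operation else ""
        orig = f" original={c.original_dn}" if c.original_dn else ""
        lines.append(f"[{kind}] {c.reason}{op} dn={c.dn}{orig}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LDIF):
        print(line)
    print("summary:", summarize(find_conflicts(parse_ldif(SAMPLE_LDIF))))
```

Run it against saved `ldapsearch ... '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))'` output to get, per replica, the list of conflict entries with the DN they collided with; comparing the summaries across replicas shows whether every server sees the same set (a convergence problem that replication should eventually settle) or different sets (the flapping described above).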