Problem

The client, a company using FreeIPA for identity management, ran ipa-healthcheck and received
errors that referred to servers which no longer existed: the hosts had been decommissioned during a recent
infrastructure migration, but references to them remained in the FreeIPA environment. Those stale references
caused the health check to fail and to report servers that were no longer part of the deployment.

Process

The ipa-healthcheck command flagged errors for two hosts that had been removed from the environment
(oldsrv3.my.domain.co.il and oldsrv8.my.domain.co.il). Although the migration
was complete, the old servers were still referenced inside FreeIPA, so the health checks kept failing.
The client needed every reference to those hosts removed, with the cleanup verified, so that the errors
would not recur.

Upon receiving the client’s request, the expert followed a structured approach to resolve the issue:

Step 1: Assessing the Replication and Server List

The expert started by listing the FreeIPA replicas with ipa-replica-manage list to see which
servers were still part of the replication topology. Only the active servers were listed; the old hosts were
no longer masters. The stale references reported by the health check therefore lived elsewhere in the
directory (server, host, DNS or certificate data), not in the active replication agreements.

Step 2: Removing Old Server References

Even though the old servers were no longer active replicas, entries referring to them remained in the
FreeIPA configuration. The following commands were issued to remove the obsolete server references:

  • ipa-replica-manage del oldsrv3.my.domain.co.il
  • ipa-replica-manage del oldsrv8.my.domain.co.il

When the host being removed is already gone and cannot be contacted, the removal needs
ipa-replica-manage del --force. If the health check still names a removed host afterwards, the
usual leftover is a stale replica update vector (RUV): ipa-replica-manage list-ruv shows them and
ipa-replica-manage clean-ruv RID removes one.

Step 3: Checking Certificates and Repositories

The expert then checked whether any certificates issued to the old servers were still present. The
following commands were used to search for certificates tied to the non-existent hosts:

  • ipa cert-find --host oldsrv3.my.domain.co.il
  • ipa cert-find --host oldsrv8.my.domain.co.il

No certificates were returned, so no issued certificates remained associated with the old hosts. Had any
still-valid certificate turned up, it should have been revoked (ipa cert-revoke SERIAL) rather
than left in place: a certificate for a hostname nobody controls anymore is a credential waiting to be misused.

Step 4: Removing Host Entries and DNS Records

The expert then removed the host entries of the old servers. Using:

  • ipa host-del oldsrv3.my.domain.co.il
  • ipa host-del oldsrv8.my.domain.co.il

Both commands succeeded, which confirmed that the entries had existed and were now deleted (host-del
reports "host not found" when there is nothing to remove). Deleting a host entry also revokes any certificates
issued to it, and ipa host-del --updatedns removes the host's DNS records in the same step. The
expert also checked the DNS records to ensure no leftover entries for the old servers existed by running
ipa dnsrecord-find domain.co.il --name=oldsrv3 and
ipa dnsrecord-find domain.co.il --name=oldsrv8. No DNS records for the old servers were found. Note
that the zone argument must be the zone that actually holds the host name (a record for
oldsrv3.my.domain.co.il is oldsrv3 in zone my.domain.co.il, or oldsrv3.my in zone
domain.co.il), otherwise the search comes back empty even when a record is still present.

Step 5: Investigating PKI and LDAP Records

To ensure no residual material from the decommissioned servers remained in the Public Key Infrastructure
(PKI) or in LDAP, the expert first searched the filesystem for leftover PKCS#12 bundles:

  • find / -name "ca-agent.p12"
  • find / -name "*.p12"

The hits were inspected before anything was deleted: only files that belonged to the decommissioned hosts
were removed. PKCS#12 bundles that belong to the running master (for example the CA key backup created at
install time) must stay, since they are needed for recovery and for further replica installs. After removing
the outdated files, the expert checked the CA suffix for replication conflict entries:

  • ldapsearch -LLL -H ldaps://$(hostname) -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))'

Conflict entries (marked with objectClass ldapSubEntry and an nsds5ReplConflict value) were
resolved by deleting the duplicate copy, so that no trace of the old servers remained in the LDAP records.
If the conflict copy is the one that should survive, it is renamed back to its original DN instead of deleted.
The same search is worth running against the domain suffix as well, since conflicts can occur there too.

Step 6: Verifying the System Health

After performing all cleanup tasks, the expert re-ran ipa-healthcheck (ipa-healthcheck
--failures-only shows only the failing checks). No errors were reported and the health check passed,
confirming that the system no longer referenced the non-existent servers.
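The checks above, gathered into one script, as an added example that is not part of the original write-up
or of FreeIPA's own tooling. It assumes it runs on an IPA master with an admin Kerberos ticket, that a host's
DNS zone is the remainder of its FQDN, and uses ipa cert-find --subject as the certificate search;
the hostnames are the placeholders from the case. The two parser functions (active_masters,
dangling_ruvs, conflict_dns) are pure and run offline on the constructed sample in
sample_ruv_report; audit_host runs the live ipa, ipa-replica-manage and ldapsearch commands.

```shell
#!/bin/sh
# ipa-stale-refs.sh (added example, not from the original case write-up): audit a FreeIPA
# topology for leftovers of a decommissioned master. Assumptions: run on an IPA master
# with an admin ticket (kinit admin); hostnames are the placeholders used in the case.

# Masters from `ipa-replica-manage list` output ("host: master" lines) on stdin.
active_masters() {
    awk -F': ' '$2 == "master" { print $1 }'
}

# Read `ipa-replica-manage list-ruv` output on stdin and print "section host rid" for every
# replica update vector whose host is not in the newline-separated master list in $1.
# Assumed layout: a "Replica Update Vectors:" header, then a "Certificate Server Replica
# Update Vectors:" header, each followed by "\thost:port: rid" lines. An empty master list
# is refused so a failed `list` cannot make every RUV look dangling.
dangling_ruvs() {
    [ -n "$1" ] || { echo "dangling_ruvs: empty master list" >&2; return 1; }
    awk -v masters="$1" '
        BEGIN { n = split(masters, m, "\n"); for (i = 1; i <= n; i++) active[m[i]] = 1 }
        /^Certificate Server/     { section = "ca"; next }
        /^Replica Update Vectors/ { section = "domain"; next }
        /^[ \t]+[^ \t]+:[0-9]+: [0-9]+$/ {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, p, ":")              # p[1]=host p[2]=port p[3]=" rid"
            rid = p[3]; sub(/^ /, "", rid)
            if (!(p[1] in active)) print section, p[1], rid
        }'
}

# Read LDIF from `ldapsearch -LLL` on stdin and print the DN of every entry carrying
# nsds5ReplConflict. Folded continuation lines (leading space) are unfolded first.
# DNs that ldapsearch base64-encodes ("dn:: ...") are not decoded here.
conflict_dns() {
    awk '
        BEGIN { RS = "" }                    # one LDIF entry per record
        {
            entry = $0; gsub(/\n /, "", entry)
            if (entry ~ /\nnsds5ReplConflict:/) {
                n = split(entry, l, "\n")
                for (i = 1; i <= n; i++) if (l[i] ~ /^dn: /) { print substr(l[i], 5); break }
            }
        }'
}

# Live checks for one decommissioned host; ipa-replica-manage and ldapsearch prompt for
# the Directory Manager password. Assumes the host's zone is the rest of its FQDN.
audit_host() {
    host="$1"; short="${host%%.*}"; zone="${host#*.}"
    echo "== $host"
    ipa server-find "$host" 2>/dev/null | grep -F -- "$host" || echo "no server entry"
    ipa host-find --hostname="$host" 2>/dev/null | grep -F -- "$host" || echo "no host entry"
    ipa dnsrecord-find "$zone" --name="$short" 2>/dev/null | grep -F -- "$short" || echo "no DNS records in $zone"
    ipa cert-find --subject="$host" 2>/dev/null | grep -F -- "$host" || echo "no issued certificates"
    masters=$(ipa-replica-manage list | active_masters)
    ipa-replica-manage list-ruv | dangling_ruvs "$masters" | grep -F -- "$host" || echo "no dangling RUV"
    ldapsearch -LLL -H "ldaps://$(hostname)" -W -D 'cn=Directory Manager' -b 'o=ipaca' \
        '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' | conflict_dns | grep -F -- "$host" \
        || echo "no conflict entries in o=ipaca"
}

# Constructed sample `list` and `list-ruv` output (not captured from a real system) so the
# parser can be exercised without a server: two live masters, two stale RUVs.
sample_ruv_report() {
    masters=$(printf 'ipa1.my.domain.co.il: master\nipa2.my.domain.co.il: master\n' | active_masters)
    printf 'Replica Update Vectors:\n\tipa1.my.domain.co.il:389: 4\n\toldsrv3.my.domain.co.il:389: 7\nCertificate Server Replica Update Vectors:\n\tipa1.my.domain.co.il:389: 96\n\toldsrv8.my.domain.co.il:389: 97\n' \
        | dangling_ruvs "$masters"
}

# Usage: ./ipa-stale-refs.sh oldsrv3.my.domain.co.il oldsrv8.my.domain.co.il
# With no arguments the constructed sample is parsed instead of a live system.
if [ $# -eq 0 ]; then sample_ruv_report; else for h in "$@"; do audit_host "$h"; done; fi
```

The script only reports; removal (ipa-replica-manage del, clean-ruv, host-del,
dnsrecord-del, cert-revoke, deleting a conflict entry) stays a deliberate manual step, since each of those
is destructive and the right action for a conflict entry depends on which copy should survive.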

Solution:

After executing the steps outlined above, the ipa-healthcheck errors about non-existent servers
were resolved. The FreeIPA environment was cleared of obsolete server references, and the health checks
passed without further errors.

The client was satisfied with the outcome: the system was operating without interruptions, and the health
check no longer reported servers that had left the environment.

Conclusion:

This case demonstrates the importance of proper cleanup and configuration management after a server migration.
By systematically removing old server references from the FreeIPA configuration, clearing certificates, host
and DNS records, and checking the PKI files and LDAP entries, the expert ensured a clean transition and
restored the health of the FreeIPA system. Decommissioning a master is not finished when the machine is
switched off; it is finished when the directory, the DNS and the CA no longer know it existed.