[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

Ana Krivokapic akrivoka at redhat.com
Wed Jul 10 12:06:59 UTC 2013


On 07/10/2013 01:33 PM, Tomas Babej wrote:
>
> On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote:
>
> > On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
>
> > > On 06/24/2013 02:27 PM, Tomas Babej wrote:
>
> > >> On 06/11/2013 04:42 PM, Ade Lee wrote:
>
> > >> [snip]
>
> > >>> Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
>
> > >>> to address this issue.
>
> > >>>> --
>
> > >>>> Regards,
>
> > >>>>
>
> > >>>> Ana Krivokapic
>
> > >>>> Associate Software Engineer
>
> > >>>> FreeIPA team
>
> > >>>> Red Hat Inc.
>
> > >> Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.
>
> > >>
>
> > >> I'm getting a little bit further now.
>
> > >>
>
> > >> [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129 vm-129.idm.lab.eng.brq.redhat.com
>
> > >> Directory Manager (existing master) password:
>
> > >>
>
> > >> Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
>
> > >> vm-127.idm.lab.eng.brq.redhat.com
>
> > >> Constraint violation: Failed to update password
>
> > >>
>
> > >> With debug output, I get (snipped out irrelevant parts):
>
> > >>
>
> > >> Directory Manager (existing master) password:
>
> > >>
>
> > >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
>
> > >> context.ldap2_57668944
>
> > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
>
> > >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
>
> > >> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8>
>
> > >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
>
> > >> context.ldap2_57668944
>
> > >> ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
>
> > >> ipa: DEBUG: Search failed: [Errno -2] Name or service not known
>
> > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
>
> > >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
>
> > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
>
> > >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
>
> > >> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0>
>
> > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
>
> > >> to a file
>
> > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>
> > >> ipa-replica-prepare was invoked with arguments
>
> > >> ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
>
> > >> 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
>
> > >> 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
>
> > >> '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
>
> > >> None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
>
> > >> 'pkinit_pin': None}
>
> > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
>
> > >> replica for vm-129.idm.lab.eng.brq.redhat.com from
>
> > >> vm-127.idm.lab.eng.brq.redhat.com
>
> > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
>
> > >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
>
> > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
>
> > >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
>
> > >> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3700710>
>
> > >> ipa: DEBUG: Starting external process
>
> > >> ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
>
> > >> /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
>
> > >> ipa: DEBUG: Process finished, return code=0
>
> > >> ipa: DEBUG: stdout=
>
> > >> ipa: DEBUG: stderr=
>
> > >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
>
> > >> context.ldap2_139884970376144
>
> > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
>
> > >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>
> > >> return_value = self.run()
>
> > >> File
>
> > >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>
> > >> line 245, in run
>
> > >> self.copy_ds_certificate()
>
> > >> File
>
> > >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>
> > >> line 281, in copy_ds_certificate
>
> > >> self.update_pki_admin_password()
>
> > >> File
>
> > >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>
> > >> line 520, in update_pki_admin_password
>
> > >> ldap.modify_password(dn, self.dirman_password)
>
> > >> File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
>
> > >> 332, in modify_password
>
> > >> self.conn.passwd_s(dn, old_pass, new_pass)
>
> > >> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>
> > >> self.gen.throw(type, value, traceback)
>
> > >> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 919, in
>
> > >> error_handler
>
> > >> raise errors.DatabaseError(desc=desc, info=info)
>
> > >>
>
> > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
>
> > >> ipa-replica-prepare command failed, exception: DatabaseError: Constraint
>
> > >> violation: Failed to update password
>
> > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
>
> > >> violation: Failed to update password
>
> > >>
>
> > >> Tomas
>
> > > It seems that this time the culprit is 389-ds-base packages. The password change
>
> > > is rejected when using the latest version of 389-ds-base
>
> > > (389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous version
>
> > > (389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.
>
> > >
>
> > > I opened an upstream ticket for the 389 DS project:
>
> > > https://fedorahosted.org/389/ticket/47406.
>
> > >
>
> >
>
> > The password change rejection problem has been fixed in the new version of
>
> > 389-ds-base: 389-ds-base-1.3.1.3-1.fc19.
>
> >
>
> > --
>
> > Regards,
>
> >
>
> > Ana Krivokapic
>
> > Associate Software Engineer
>
> > FreeIPA team
>
> > Red Hat Inc.
>
> >
>
>  
>
> The patch now fixes the issue.
>
>  
>
> However, we need to bump the dependency in the specfile since now we require
>
> version 1.3.1.1.
>
>  
>
> Tomas
>

Thanks, updated patch is attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0029-03-Make-sure-replication-works-after-DM-password-is-cha.patch
Type: text/x-patch
Size: 4855 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130710/573a25a4/attachment.bin>
