<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 12/19/2013 03:17 PM, Joe Mou wrote:<br> </div> <blockquote cite="mid:CA+KQ6oDcKghUi5FsqAhsQjkrdvQpH3Qjw4aZVUEje=JSaDf4TA@mail.gmail.com" type="cite"> <div dir="ltr"> <div class="gmail_extra"> <div class="gmail_quote">On Thu, Dec 19, 2013 at 10:01 AM, Rich Megginson <span dir="ltr"><<a moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"> <div> <div>On 12/19/2013 09:19 AM, Joe Mou wrote:<br> </div> <blockquote type="cite"> <div dir="ltr"> <div>Here are the results of that command:</div> <div><br> </div> <div>$ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'</div> <div>Enter LDAP Password: </div> <div>dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com</div> <div>cn: Password Policy</div> <div>cosspecifier: memberOf</div> <div>cosAttribute: krbPwdPolicyReference override</div> <div>costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com</div> <div>objectClass: top</div> <div>objectClass: ldapsubentry</div> <div>objectClass: cosSuperDefinition</div> <div>objectClass: cosClassicDefinition</div> <div>description: Password Policy based on group membership</div> </div> </blockquote> <br> </div> Ok. Looks like IPA uses CoS for password policy based on group membership using the memberof attribute in each user's entry.<br> <br> I think we can temporarily disable this.<br> <br> First, save the above entry to a file e.g. pwpolicycos.ldif<br> <br> Next, ipactl restart<br> Just after the directory server is restarted, delete this entry:<br> ldapdelete -x -D "cn=directory manager" -W "cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com"<br> <br> Once everything is working again, add back the entry:<br> <br> ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif</div> </blockquote> </div> <br> </div> <div class="gmail_extra">Thanks Rich, that partially worked. The replica gets unstuck and is able to service requests. But it looks like mutations are still not working completely correctly. For example if I do a `ipa user-add joe-test --first=joe --last=test` then that command hangs. At this point the directory server gets wedged, apparently similarly to before. However this time restarting the directory server unsticks it. Only certain operations seem to break, as updating a user's job title works fine. Backtraces are available: <a moz-do-not-send="true" href="http://p.flatiron.com/%7Ejmou/ipa/stacktrace.1387489013.txt" target="_blank">http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt</a><br> </div> <div class="gmail_extra"><br> </div> </div> </blockquote> <br> Please open a ticket at <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/newticket">https://fedorahosted.org/389/newticket</a> - you can attach stack traces to the ticket<br> <br> <blockquote cite="mid:CA+KQ6oDcKghUi5FsqAhsQjkrdvQpH3Qjw4aZVUEje=JSaDf4TA@mail.gmail.com" type="cite"> <div dir="ltr"> <div class="gmail_extra">Joe</div> </div> </blockquote> <br> </body> </html>