<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/19/2013 03:17 PM, Joe Mou wrote:<br>
</div>
<blockquote
cite="mid:CA+KQ6oDcKghUi5FsqAhsQjkrdvQpH3Qjw4aZVUEje=JSaDf4TA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Thu, Dec 19, 2013 at 10:01 AM,
Rich Megginson <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>On 12/19/2013 09:19 AM, Joe Mou wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Here are the results of that command:</div>
<div><br>
</div>
<div>$ ldapsearch -xLLL -D "cn=directory manager"
-W -b dc=the,dc=flatiron,dc=com
'(objectclass=ldapsubentry)'</div>
<div>Enter LDAP Password: </div>
<div>dn: cn=Password
Policy,cn=accounts,dc=the,dc=flatiron,dc=com</div>
<div>cn: Password Policy</div>
<div>cosspecifier: memberOf</div>
<div>cosAttribute: krbPwdPolicyReference override</div>
<div>costemplatedn:
cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com</div>
<div>objectClass: top</div>
<div>objectClass: ldapsubentry</div>
<div>objectClass: cosSuperDefinition</div>
<div>objectClass: cosClassicDefinition</div>
<div>description: Password Policy based on group
membership</div>
</div>
</blockquote>
<br>
</div>
Ok. Looks like IPA uses CoS for password policy based
on group membership using the memberof attribute in each
user's entry.<br>
<br>
I think we can temporarily disable this.<br>
<br>
First, save the above entry to a file, e.g.
pwpolicycos.ldif<br>
<br>
Next, ipactl restart<br>
Just after the directory server is restarted, delete
this entry:<br>
ldapdelete -x -D "cn=directory manager" -W "cn=Password
Policy,cn=accounts,dc=the,dc=flatiron,dc=com"<br>
<br>
Once everything is working again, add back the entry:<br>
<br>
ldapmodify -x -D "cn=directory manager" -W -a -f
pwpolicycos.ldif</div>
</blockquote>
</div>
<br>
</div>
<div class="gmail_extra">Thanks Rich, that partially worked. The
replica gets unstuck and is able to service requests. But it
looks like mutations are still not working completely
correctly. For example, if I do an `ipa user-add joe-test
--first=joe --last=test` then that command hangs. At this
point the directory server gets wedged, apparently similarly
to before. However this time restarting the directory server
unsticks it. Only certain operations seem to break, as
updating a user's job title works fine. Backtraces are
available: <a moz-do-not-send="true"
href="http://p.flatiron.com/%7Ejmou/ipa/stacktrace.1387489013.txt"
target="_blank">http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt</a><br>
</div>
<div class="gmail_extra"><br>
</div>
</div>
</blockquote>
<br>
Please open a ticket at <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/newticket">https://fedorahosted.org/389/newticket</a> - you
can attach stack traces to the ticket<br>
<br>
<blockquote
cite="mid:CA+KQ6oDcKghUi5FsqAhsQjkrdvQpH3Qjw4aZVUEje=JSaDf4TA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">Joe</div>
</div>
</blockquote>
<br>
</body>
</html>