<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/19/2013 09:19 AM, Joe Mou wrote:<br>
</div>
<blockquote
cite="mid:CA+KQ6oAGK5nAFNzwRq7s_T5r=040NW0v564aJSofVVZKjadmVg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Here are the results of that command:</div>
<div><br>
</div>
<div>$ ldapsearch -xLLL -D "cn=directory manager" -W -b
dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'</div>
<div>Enter LDAP Password: </div>
<div>dn: cn=Password
Policy,cn=accounts,dc=the,dc=flatiron,dc=com</div>
<div>cn: Password Policy</div>
<div>cosspecifier: memberOf</div>
<div>cosAttribute: krbPwdPolicyReference override</div>
<div>costemplatedn:
cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com</div>
<div>objectClass: top</div>
<div>objectClass: ldapsubentry</div>
<div>objectClass: cosSuperDefinition</div>
<div>objectClass: cosClassicDefinition</div>
<div>description: Password Policy based on group membership</div>
</div>
</blockquote>
<br>
OK. Looks like IPA uses CoS for password policy based on group
membership, using the memberOf attribute in each user's entry.<br>
<br>
I think we can temporarily disable this.<br>
<br>
First, save the above entry to a file, e.g. pwpolicycos.ldif<br>
<br>
Next, ipactl restart<br>
Just after the directory server is restarted, delete this entry:<br>
ldapdelete -x -D "cn=directory manager" -W "cn=Password
Policy,cn=accounts,dc=the,dc=flatiron,dc=com"<br>
<br>
Once everything is working again, add back the entry:<br>
<br>
ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif<br>
<blockquote
cite="mid:CA+KQ6oAGK5nAFNzwRq7s_T5r=040NW0v564aJSofVVZKjadmVg@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On Thu, Dec 19, 2013 at 7:07 AM, Rich
Megginson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<div>On 12/19/2013 02:19 AM, Joe Mou wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thanks for the speedy reply. I am
running on Fedora 19.
<div><br>
</div>
<div>
<div>$ rpm -q 389-ds-base</div>
<div>389-ds-base-1.3.1.16-1.fc19.x86_64</div>
</div>
<div>
<div>$ rpm -q nss </div>
<div>nss-3.15.3-1.fc19.x86_64</div>
</div>
</div>
</blockquote>
<br>
</div>
Not sure what's going on, but let's see if we can get it
"unstuck". It seems there is a conflict between the Class
of Service plugin and the Member Of plugin. I think we
may be able to disable the CoS plugin to allow the
deletion to proceed.<br>
<br>
Do the following search to see what CoS definitions there
are:<br>
ldapsearch -xLLL -D "cn=directory manager" -W -b
dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div> </div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Dec 18, 2013 at
2:54 PM, Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 12/18/2013 12:43 PM, Joe Mou
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I have a broken IPA
replica that appears to be suffering
from a hung directory server. The
master seems to be working fine, but
LDAP requests to the replica hang
indefinitely. I attached gdb to
ns-slapd and suspect a deadlock in
cos_cache.c.
<div> <br>
</div>
<div>Thread 7 seems to be hung on an
LDAP delete for a user account
that we recently removed. Every
time the directory server is
started, it tries to issue this
delete, apparently to sync the
replica.</div>
<div> <br>
</div>
<div>I have been unsuccessful in
trying to remove the offending
replica because ipa-replica-manage
seems to need to make LDAP
requests against the replica. For
example:</div>
<div><br>
</div>
<div>$ ipa-replica-manage del <a
moz-do-not-send="true"
href="http://p-ipa-wd02.prod.the.flatiron.com"
target="_blank">p-ipa-wd02.prod.the.flatiron.com</a>
</div>
<div>^CConnection to '<a
moz-do-not-send="true"
href="http://p-ipa-wd02.prod.the.flatiron.com"
target="_blank">p-ipa-wd02.prod.the.flatiron.com</a>'
failed: Insufficient access:
SASL(0): successful result:</div>
<div>Unable to delete replica '<a
moz-do-not-send="true"
href="http://p-ipa-wd02.prod.the.flatiron.com"
target="_blank">p-ipa-wd02.prod.the.flatiron.com</a>'</div>
<div><br>
</div>
<div>^CTraceback (most recent call
last):</div>
<div> File
"/usr/sbin/ipa-replica-manage",
line 1252, in <module></div>
<div> main()</div>
<div>KeyboardInterrupt</div>
<div><br>
</div>
<div>Backtraces of the suspicious
threads and log excerpts are at <a
moz-do-not-send="true"
href="http://p.flatiron.com/%7Ejmou/ipa/"
target="_blank">http://p.flatiron.com/~jmou/ipa/</a> .
I was only able to install a
limited set of debugging symbols;
let me know if I can be of more
help.</div>
<div><br>
</div>
<div>Any help in fixing this replica
or even just removing it would be
greatly appreciated!</div>
</div>
</blockquote>
<br>
</div>
</div>
What is your platform? rpm -q 389-ds-base<br>
<br>
There were some hangs with RHEL 6.4.z.
Please update to the latest 389-ds-base
(1.2.11.15-30 or later) and nss 3.15.3 or
later.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Joe</div>
</div>
<br>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
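<br>
An added check, not part of this thread: before the ldapdelete step, parse the
pwpolicycos.ldif saved from ldapsearch (unfolding LDIF continuation lines) and
confirm it is still a complete cosClassicDefinition, so that the later
ldapmodify -a can restore the password-policy CoS. The sample LDIF is
constructed from the entry quoted above; the required-class, required-attribute
and qualifier sets are this example's own assumptions about the 389-ds CoS
schema.<br>

```python
"""Added example (not from the thread): sanity-check the CoS entry saved from
ldapsearch before ldapdelete, so that ldapmodify -a can restore it later."""
# Constructed sample modelled on the quoted entry, in the folded form that
# ldapsearch emits (a continuation line begins with a single space).
SAMPLE_LDIF = """dn: cn=Password Policy,cn=accounts,dc=the,
 dc=flatiron,dc=com
cn: Password Policy
cosspecifier: memberOf
cosAttribute: krbPwdPolicyReference override
costemplatedn: cn=cosTemplates,cn=accounts,
 dc=the,dc=flatiron,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
description: Password Policy based on group membership
"""

# Assumed requirements for a classic CoS definition in 389-ds (example's own).
REQUIRED_CLASSES = {"ldapsubentry", "cossuperdefinition", "cosclassicdefinition"}
REQUIRED_ATTRS = {"costemplatedn", "cosspecifier", "cosattribute"}
COS_QUALIFIERS = {"default", "override", "operational", "operational-default", "merge-schemes"}


def parse_ldif_entry(text):
    """Return {attr_lowercase: [values]} for one LDIF entry, unfolding
    continuation lines; comments/blank lines skipped, '::' base64 not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_cos_definition(entry):
    """Return a list of problems; an empty list means the entry is restorable."""
    problems = [] if "dn" in entry else ["missing dn"]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems += ["missing objectClass " + c for c in sorted(REQUIRED_CLASSES - classes)]
    problems += ["missing attribute " + a for a in sorted(REQUIRED_ATTRS - set(entry))]
    for val in entry.get("cosattribute", []):        # "<attr> [qualifier]"
        parts = val.split()
        if len(parts) > 1 and parts[1].lower() not in COS_QUALIFIERS:
            problems.append("unknown cosAttribute qualifier: " + parts[1])
    return problems
```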
<br>
</body>
</html>