<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Thanks for the reply Martin.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Turns out that there was no problem at all, a minor configuration mistake (nested a group inside the wrong parent) led us down a rabbit hole. Our failed upgrade happened on the same day our 1000th group was created. Using the LDAP browser plugin for Eclipse the default search query limit is 1000… It took a while to work that out, needless to say we all feel a little silly and a little wiser now :)</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div> <br> <div id="bloop_sign_1431800615283997184" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px"><br></div><div style="font-family:helvetica,arial;font-size:13px"> <br>Will Sheldon<br></div><div style="font-family:helvetica,arial;font-size:13px"><br></div></div><p class="airmail_on" style="color:#000;">On May 14, 2015 at 1:44:15 AM, Martin Basti (<a href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div bgcolor="#FFFFFF" text="#000000"><div></div><div> <title></title> <div class="moz-cite-prefix">On 14/05/15 01:50, Will Sheldon wrote:<br></div> <blockquote cite="mid:CAEYGU+JbM6FDJ2S9NwdjSFBLJ_og7VBZEknYCfWwD_6wjm2jRg@mail.gmail.com" type="cite"> <div dir="ltr"><br> Hello everyone :)<br> <br> We are seeing some strange behavior (created groups don't exist) and I really hope someone can lend some advice...<br> <br> We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was aborted before completion, however I believe the schema was updated.<br> <br> Recently we attempted to upgrade to 4.1, but encountered some issues with the upgrade; replication failed :<br> <br> from the install log (before schema update, so server was running 3.3 schema):<br> <br> =======================><br> Done configuring ipa-otpd.<br> Applying LDAP updates<br> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure attribute "cn" not allowed<br> =======================<<br> <br> <br> After that we tried updating the schema, and we now get this error (we have log file captures for this):<br> <br> =======================><br> [24/35]: setting up initial replication<br> Starting replication, please wait until this has completed.<br> Update in progress, 131 seconds elapsed<br> Update in progress yet not in progress<br> <br> [<a moz-do-not-send="true" href="http://vanipa.foo.com">vanipa.foo.com</a>] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]<br> <br> [error] RuntimeError: Failed to start replication<br> <br> Your system may be partly configured.<br> Run /usr/sbin/ipa-server-install --uninstall to clean up.<br> ========================<<br> <br> which seems to be referring to this bit of the log:<br> =======================><br> 2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):<br> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation<br> run_step(full_msg, method)<br> =======================<<br> <br> <br> Since then we have a somewhat strange issue where new groups that are added using the web interface and ipa CLI command interface are created in the compat tree, but not in the cn=hostgroups,cn=accounts tree, even though ADD operations appear to complete successfully (slapd log output below)<br> <br> =======================><br> [13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"<br> <br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH base="idnsName=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,idnsname=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 tag=101 nentries=0 etime=0<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH base="idnsName=<a moz-do-not-send="true" href="http://vanzbx.bar.net">vanzbx.bar.net</a>,idnsname=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 tag=101 nentries=0 etime=0<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH base="idnsName=net,idnsname=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 tag=101 nentries=0 etime=0<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH base="idnsName=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,idnsname=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 tag=101 nentries=0 etime=0<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH base="idnsName=<a moz-do-not-send="true" href="http://vanzbx.bar.net">vanzbx.bar.net</a>,idnsname=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 tag=101 nentries=0 etime=0<br> [13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000<br> =======================<<br> <br> <br> Which is consistent with the slapd log during the upgrade:<br> <br> [21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist<br clear="all"> <br> --<br> <div class="gmail_signature"> <div dir="ltr"><br> Kind regards,<br> <br> Will Sheldon<br> <br></div> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br></blockquote> Hello,<br> <br> can you find in ipaserver-install.log more details about this error?<br> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure attribute "cn" not allowed<br> <br> Martin<br> <br> <br> <pre class="moz-signature" cols="72">-- Martin Basti </pre> </div></div></span></blockquote></body></html>