[Freeipa-users] (no subject)

Rob Crittenden rcritten at redhat.com
Wed Mar 21 21:20:10 UTC 2012


Jimmy wrote:
> Since I needed to make sure I could recover from this if it ever
> happened again I went back to an old copy of the VM and I'm going through
> everything I did on the original. To begin with, it does have the same
> issue, the cert won't renew. So I attempted to db2ldif and ldif2db all
> of the db's ***WITHOUT*** upgrading FreeIPA, and that didn't work.
> Different error than before when running , but I don't have it in
> front of me now, so I can't report it. One thing I did notice is that
> the exported ldif did not have the extra entries that prevented the
> ldif from importing right away last time.
>
> So I rolled back to the original database again, ran the freeipa
> upgrade from yum, and then exported the db's and now these entries
> show in the db that weren't there before:
>
> http://fpaste.org/jims/
>
> Any idea why the upgrade did this? The ldif2db fails with this error
> as long as those 2 entries are in the ldif:
>
> [21/Mar/2012:00:59:14 +0000] entryrdn-index - _entryrdn_insert_key:
> Same DN (dn: ou=profile,dc=abc,dc=xyz) is already in the entryrdn file
> with different ID 146.  Expected ID is 311.
> [21/Mar/2012:00:59:14 +0000] - import userRoot: Duplicated DN
> detected: "ou=profile,dc=abc,dc=xyz": Entry ID: (311)
>
> Sorry for bringing this back up, but it seems odd that the upgrade
> duplicates this entry.
>

Perhaps the database is already corrupted?

The entries are added by the upgrade process only if they can't already 
be found in the database. It does an ldapsearch against the dn and adds 
if it isn't already there. The fact that 389-ds allows the add indicates 
that it doesn't think the entry is there.

rob

> Jimmy
>
> On Tue, Mar 20, 2012 at 5:22 PM, Jimmy<g17jimmy at gmail.com>  wrote:
>> Cool thanks for the awesome help, y'all.
>>
>> On Tue, Mar 20, 2012 at 5:20 PM, Rob Crittenden<rcritten at redhat.com>  wrote:
>>> Jimmy wrote:
>>>>
>>>> I restarted certmonger and it seems to be working. Is there some way
>>>> to change the renewal interval so we can simulate this in the lab? I'd
>>>> like to see it go through a number of renewals to make sure we don't
>>>> keep having this problem.
>>>
>>>
>>> Glad you are up and running again. You can control the interval by tuning
>>> knobs in certmonger.conf(5). You want to modify ttls.
>>>
>>> rob
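
Added example, not part of the original thread and not FreeIPA or 389-ds code: a pre-import check that scans an exported LDIF for DNs that appear more than once, the condition behind the "Duplicated DN detected" failure from ldif2db quoted above. The sample LDIF is constructed, the function names are hypothetical, and the DN normalization is an approximation of the server's matching.

```python
import base64
from collections import defaultdict

# Constructed sample export (not the thread's fpaste content).
SAMPLE_LDIF = """\
dn: dc=abc,dc=xyz
objectClass: domain

dn: ou=profile,dc=abc,dc=xyz
objectClass: organizationalUnit

dn: OU=Profile, dc=abc,
 dc=xyz
objectClass: organizationalUnit

dn:: dWlkPWFkbWluLGRjPWFiYyxkYz14eXo=
"""

def unfold(text):
    """Yield (line_no, logical_line), joining LDIF continuation lines."""
    current, start = None, 0
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith(" ") and current is not None:
            current += line[1:]  # a leading space marks a folded line
            continue
        if current is not None:
            yield start, current
        current, start = line, no
    if current is not None:
        yield start, current

def normalize_dn(dn):
    """Approximate DN matching: ignore case and spaces around ',' and '='.
    Simplification: escaped commas inside values are not handled."""
    rdns = (rdn.split("=", 1) for rdn in dn.split(","))
    return ",".join("=".join(p.strip() for p in rdn) for rdn in rdns).lower()

def duplicate_dns(text):
    """Return {normalized_dn: [line numbers]} for DNs seen more than once."""
    seen = defaultdict(list)
    for no, line in unfold(text):
        if line.lower().startswith("dn::"):  # base64-encoded DN
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.lower().startswith("dn:"):
            dn = line[3:]
        else:
            continue
        seen[normalize_dn(dn)].append(no)
    return {dn: nos for dn, nos in seen.items() if len(nos) > 1}
```

Running `duplicate_dns()` on the text of an export before feeding it to ldif2db lists each repeated DN with the line numbers where it starts, so the extra copy can be reviewed before import.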



