[Freeipa-users] IPA replica directory server hung

Joe Mou joe at flatiron.com
Thu Dec 19 22:17:30 UTC 2013


On Thu, Dec 19, 2013 at 10:01 AM, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 12/19/2013 09:19 AM, Joe Mou wrote:
>
>  Here are the results of that command:
>
>  $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'
> Enter LDAP Password:
> dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
> cn: Password Policy
> cosspecifier: memberOf
> cosAttribute: krbPwdPolicyReference override
> costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com
> objectClass: top
> objectClass: ldapsubentry
> objectClass: cosSuperDefinition
> objectClass: cosClassicDefinition
> description: Password Policy based on group membership
>
>
> Ok.  Looks like IPA uses CoS for password policy based on group membership
> using the memberof attribute in each user's entry.
>
> I think we can temporarily disable this.
>
> First, save the above entry to a file e.g. pwpolicycos.ldif
>
> Next, ipactl restart
> Just after the directory server is restarted, delete this entry:
> ldapdelete -x -D "cn=directory manager" -W "cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com"
>
> Once everything is working again, add back the entry:
>
> ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif
>

Thanks Rich, that partially worked. The replica gets unstuck and is able to
service requests. But it looks like mutations are still not working
completely correctly. For example, if I do an `ipa user-add joe-test
--first=joe --last=test` then that command hangs. At this point the
directory server gets wedged, apparently similarly to before. However this
time restarting the directory server unsticks it. Only certain operations
seem to break, as updating a user's job title works fine. Backtraces are
available: http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt

Joe
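
The workaround quoted above deletes the password policy CoS entry and relies on pwpolicycos.ldif to restore it, so the saved file is worth checking before the delete. The following is an added example, not part of the original thread or of FreeIPA: the function names are hypothetical, and it assumes the file is plain `ldapsearch -LLL` output, which can fold long lines onto a continuation line that starts with one space.

```shell
# Added example (not from the thread). Function names are hypothetical.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Unfold LDIF: a line starting with one space continues the previous line.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }' "$1"
}

# verify_cos_backup FILE DN
# Returns 0 only if FILE holds the entry named DN together with the
# attributes that "ldapmodify -a" needs to recreate the CoS definition.
verify_cos_backup() {
    file=$1
    want_dn=$2
    [ -s "$file" ] || { echo "backup missing or empty: $file" >&2; return 1; }
    flat=$(ldif_unfold "$file")
    # DNs compare case-insensitively, so lowercase both sides first.
    got_dn=$(printf '%s\n' "$flat" | sed -n 's/^dn: //p' | head -n 1)
    [ "$(lc "$got_dn")" = "$(lc "$want_dn")" ] || {
        echo "backup DN does not match: '$got_dn'" >&2; return 1; }
    # Attribute names are case-insensitive too, hence grep -i.
    for need in 'objectClass: cosClassicDefinition' 'cosspecifier: ' \
                'cosAttribute: ' 'costemplatedn: '; do
        printf '%s\n' "$flat" | grep -qi "^$need" || {
            echo "backup lacks '$need'" >&2; return 1; }
    done
    return 0
}

# Usage with the thread's file name and DN:
#   verify_cos_backup pwpolicycos.ldif \
#     "cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com" &&
#   ldapdelete -x -D "cn=directory manager" -W \
#     "cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com"
```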