[Freeipa-users] IPA replica directory server hung

Rich Megginson rmeggins at redhat.com
Thu Dec 19 22:43:52 UTC 2013


On 12/19/2013 03:17 PM, Joe Mou wrote:
> On Thu, Dec 19, 2013 at 10:01 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>     On 12/19/2013 09:19 AM, Joe Mou wrote:
>>     Here are the results of that command:
>>
>>     $ ldapsearch -xLLL -D "cn=directory manager" -W -b
>>     dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'
>>     Enter LDAP Password:
>>     dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
>>     cn: Password Policy
>>     cosspecifier: memberOf
>>     cosAttribute: krbPwdPolicyReference override
>>     costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com
>>     objectClass: top
>>     objectClass: ldapsubentry
>>     objectClass: cosSuperDefinition
>>     objectClass: cosClassicDefinition
>>     description: Password Policy based on group membership
>
>     Ok.  Looks like IPA uses CoS for password policy based on group
>     membership using the memberof attribute in each user's entry.
>
>     I think we can temporarily disable this.
>
>     First, save the above entry to a file e.g. pwpolicycos.ldif
>
>     Next, ipactl restart
>     Just after the directory server is restarted, delete this entry:
>     ldapdelete -x -D "cn=directory manager" -W "cn=Password
>     Policy,cn=accounts,dc=the,dc=flatiron,dc=com"
>
>     Once everything is working again, add back the entry:
>
>     ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif
>
>
> Thanks Rich, that partially worked. The replica gets unstuck and is 
> able to service requests. But it looks like mutations are still not 
> working completely correctly. For example if I do a `ipa user-add 
> joe-test --first=joe --last=test` then that command hangs. At this 
> point the directory server gets wedged, apparently similarly to 
> before. However this time restarting the directory server unsticks it. 
> Only certain operations seem to break, as updating a user's job title 
> works fine. Backtraces are available: 
> http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt
>

Please open a ticket at https://fedorahosted.org/389/newticket - you can 
attach stack traces to the ticket.

> Joe
