[Freeipa-users] IPA replica directory server hung

Joe Mou joe at flatiron.com
Fri Dec 20 01:14:29 UTC 2013


Thanks for your help Rich.

The ticket is https://fedorahosted.org/389/ticket/47649


On Thu, Dec 19, 2013 at 2:43 PM, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 12/19/2013 03:17 PM, Joe Mou wrote:
>
>  On Thu, Dec 19, 2013 at 10:01 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>>  On 12/19/2013 09:19 AM, Joe Mou wrote:
>>
>>  Here are the results of that command:
>>
>>  $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'
>> Enter LDAP Password:
>> dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
>> cn: Password Policy
>> cosspecifier: memberOf
>> cosAttribute: krbPwdPolicyReference override
>> costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: cosSuperDefinition
>> objectClass: cosClassicDefinition
>> description: Password Policy based on group membership
>>
>>
>>  Ok.  Looks like IPA uses CoS for password policy based on group
>> membership using the memberof attribute in each user's entry.
>>
>> I think we can temporarily disable this.
>>
>> First, save the above entry to a file e.g. pwpolicycos.ldif
>>
>> Next, ipactl restart
>> Just after the directory server is restarted, delete this entry:
>> ldapdelete -x -D "cn=directory manager" -W "cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com"
>>
>> Once everything is working again, add back the entry:
>>
>> ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif
>>
>
>  Thanks Rich, that partially worked. The replica gets unstuck and is able
> to service requests. But it looks like mutations are still not working
> completely correctly. For example if I do a `ipa user-add joe-test
> --first=joe --last=test` then that command hangs. At this point the
> directory server gets wedged, apparently similarly to before. However this
> time restarting the directory server unsticks it. Only certain operations
> seem to break, as updating a user's job title works fine. Backtraces are
> available: http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt
>
>
> Please open a ticket at https://fedorahosted.org/389/newticket - you can
> attach stack traces to the ticket
>
>  Joe
>
>
>