[Freeipa-users] Upgrading to 6.4 - additional information

Tue Feb 26 15:29:39 UTC 2013

On 02/21/2013 12:31 PM, Dmitri Pal wrote:
> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>> Erinn Looney-Triggs wrote:
>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME
>>>>>>> 'ipaExternalMember'
>>>>>>> DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch
>>>>>>> ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup'
>>>>>>> SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$
>>>>>>> description $$ owner) X-ORIGIN 'IPA v3' )
>>>>>> Well that fails as well, though in sort of a self inflicted way:
>>>>>>
>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command failed,
>>>>>> exception: DatabaseError: Server is unwilling to perform: Minimum SSF
>>>>>> not met. arguments: base="cn=config,cn=ldbm
>>>>>> database,cn=plugins,cn=config", scope=0, filterstr="(objectclass=*)"
>>>>>> 2013-02-21T16:24:30Z ERROR Unexpected error - see
>>>>>> /var/log/ipaupgrade.log for details:
>>>>>> DatabaseError: Server is unwilling to perform: Minimum SSF not met.
>>>>>> arguments: base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>> scope=0, filterstr="(objectclass=*)"
>>>>>>
>>>>>>
>>>>>> Now this probably comes about because I set:
>>>>>> nsslapd-minssf: 56
>>>>>> For security.
>>>>>>
>>>>>> I can cange that back to the default and probably move past this,
>>>>>> but is
>>>>>> that a known issue? Is there another way around?
>>>>> As root try the --ldapi flag:
>>>>>
>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>
>>>>> rob
>>>>>
>>>> ERROR: LDAPUpdate: syntax error:
>>>>    dn is not defined in the update, data source=schema.update
>>>>
>>>> -Erinn
>>>>
>>> Sorry, add this to the top of your update file:
>>>
>>> dn: cn=schema
>>>
>>> rob
>> No worries! Thanks for the help, after a restart of IPA the web UI is
>> working again. I reckon this is something that needs to be fixed, does
>> opening a support case and pointing them to that bug help you folks out
>> with this in any way?
>
> This is a know defect. We just did not realize it would have such a
> bad impact on upgrade.
> Sorry, the errata is on the way.
>
> I would recommend everyone to not upgrade to 6.4 until the errata is
> shipped.
> We will notify you as soon as it goes out.
>
> Sorry again.
>

We did some research of this issue:
1) The upgrade works fine from 6.3 to 6.4 and the issue does not exhibit
itself
2) We have been able to reproduce it with the direct upgrade from 6.2 to 6.4
3) Since the expected upgrade part is 6.2 -> 6.3 -> 6.4 the question
comes up whether this fix is actually that urgent.
4) In the presence of the simple workaround we feel that it is not that
important to include this fix into the errata that we are working on.

Please let us know if you think that there is a problem with the plan above.

>> -Erinn
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130226/80e63a4a/attachment.htm>