[Freeipa-users] Upgrading to 6.4 - additional information

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Feb 26 17:05:25 UTC 2013


On 02/26/2013 10:29 AM, Dmitri Pal wrote:
> On 02/21/2013 12:31 PM, Dmitri Pal wrote:
>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME
>>>>>>>> 'ipaExternalMember'
>>>>>>>> DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch
>>>>>>>> ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
>>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup'
>>>>>>>> SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$
>>>>>>>> description $$ owner) X-ORIGIN 'IPA v3' )
>>>>>>> Well that fails as well, though in sort of a self inflicted way:
>>>>>>>
>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command failed,
>>>>>>> exception: DatabaseError: Server is unwilling to perform: Minimum SSF
>>>>>>> not met. arguments: base="cn=config,cn=ldbm
>>>>>>> database,cn=plugins,cn=config", scope=0, filterstr="(objectclass=*)"
>>>>>>> 2013-02-21T16:24:30Z ERROR Unexpected error - see
>>>>>>> /var/log/ipaupgrade.log for details:
>>>>>>> DatabaseError: Server is unwilling to perform: Minimum SSF not met.
>>>>>>> arguments: base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>> scope=0, filterstr="(objectclass=*)"
>>>>>>>
>>>>>>>
>>>>>>> Now this probably comes about because I set:
>>>>>>> nsslapd-minssf: 56
>>>>>>> For security.
>>>>>>>
>>>>>>> I can change that back to the default and probably move past this,
>>>>>>> but is
>>>>>>> that a known issue? Is there another way around?
>>>>>> As root try the --ldapi flag:
>>>>>>
>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>>
>>>>>> rob
>>>>>>
>>>>> ERROR: LDAPUpdate: syntax error:
>>>>>    dn is not defined in the update, data source=schema.update
>>>>>
>>>>> -Erinn
>>>>>
>>>> Sorry, add this to the top of your update file:
>>>>
>>>> dn: cn=schema
>>>>
>>>> rob
>>> No worries! Thanks for the help, after a restart of IPA the web UI is
>>> working again. I reckon this is something that needs to be fixed, does
>>> opening a support case and pointing them to that bug help you folks out
>>> with this in any way?
>>
>> This is a known defect. We just did not realize it would have such a
>> bad impact on upgrade.
>> Sorry, the errata is on the way.
>>
>> I would recommend everyone to not upgrade to 6.4 until the errata is
>> shipped.
>> We will notify you as soon as it goes out.
>>
>> Sorry again.
>>
> 
> We did some research of this issue:
> 1) The upgrade works fine from 6.3 to 6.4 and the issue does not exhibit
> itself
> 2) We have been able to reproduce it with the direct upgrade from 6.2 to 6.4
> 3) Since the expected upgrade part is 6.2 -> 6.3 -> 6.4 the question
> comes up whether this fix is actually that urgent.
> 4) In the presence of the simple workaround we feel that it is not that
> important to include this fix into the errata that we are working on.
> 
> Please let us know if you think that there is a problem with the plan above.
> 
> 

Well all I can tell you on this, is that mine was an upgrade from 6.3 to
6.4, so there is a case where it will fail going from 6.3 to 6.4, but
how applicable it is I can't say.

Otherwise, sure, sounds great to me.

-Erin
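
Added example, not part of the thread and not FreeIPA or 389 DS code: a small check of why `nsslapd-minssf: 56` produces the "Minimum SSF not met" error quoted above on a connection with no TLS or SASL layer (SSF 0), while the `--ldapi` route passes. It assumes the 389 DS defaults of `nsslapd-minssf: 0` and `nsslapd-localssf: 71` when those attributes are not set; the dse.ldif excerpt is constructed.

```python
# Added example, not FreeIPA or 389 DS code. The dse.ldif excerpt is constructed.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
nsslapd-minssf: 56
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-COM.socket
nsslapd-ldapilisten: on

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
nsslapd-lookthroughlimit: 5000
"""

# Assumed 389 DS defaults, used when the attribute is absent from cn=config.
DEFAULTS = {"nsslapd-minssf": 0, "nsslapd-localssf": 71}


def read_entry(ldif_text, dn):
    """Return one entry's attributes as a dict of lowercase name -> last value."""
    # LDIF folds long lines by starting the continuation with a single space.
    unfolded = ldif_text.replace("\n ", "")
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()] = value.strip()
        if attrs.get("dn", "").lower() == dn.lower():
            return attrs
    return {}


def ssf_report(ldif_text):
    """Say which connection types satisfy nsslapd-minssf on this instance."""
    cfg = read_entry(ldif_text, "cn=config")
    minssf = int(cfg.get("nsslapd-minssf", DEFAULTS["nsslapd-minssf"]))
    localssf = int(cfg.get("nsslapd-localssf", DEFAULTS["nsslapd-localssf"]))
    return {
        "minssf": minssf,
        # A connection with no TLS or SASL security layer has SSF 0.
        "plain_ldap_ok": 0 >= minssf,
        # LDAPI (Unix socket) connections are assigned nsslapd-localssf.
        "ldapi_ok": localssf >= minssf,
    }


if __name__ == "__main__":
    print(ssf_report(SAMPLE_DSE))
```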

