[Freeipa-users] Upgrading to 6.4 - additional information

Martin Kosek mkosek at redhat.com
Tue Feb 26 17:08:59 UTC 2013


On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote:
> On 02/26/2013 10:29 AM, Dmitri Pal wrote:
>> On 02/21/2013 12:31 PM, Dmitri Pal wrote:
>>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>>>> Erinn Looney-Triggs wrote:
>>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 
>>>>>>>>> 'ipaExternalMember' DESC 'External Group Member
>>>>>>>>> Identifier' EQUALITY caseIgnoreMatch ORDERING
>>>>>>>>> caseIgnoreOrderingMatch SYNTAX
>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) 
>>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME
>>>>>>>>> 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY (
>>>>>>>>> ipaExternalMember $$ memberOf $$ description $$ owner)
>>>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>>> Well that fails as well, though in sort of a self inflicted
>>>>>>>> way:
>>>>>>>> 
>>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command
>>>>>>>> failed, exception: DatabaseError: Server is unwilling to
>>>>>>>> perform: Minimum SSF not met. arguments:
>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>>> scope=0, filterstr="(objectclass=*)"
>>>>>>>> 2013-02-21T16:24:30Z ERROR Unexpected error - see
>>>>>>>> /var/log/ipaupgrade.log for details: DatabaseError: Server is
>>>>>>>> unwilling to perform: Minimum SSF not met. arguments:
>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>>> scope=0, filterstr="(objectclass=*)"
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Now this probably comes about because I set:
>>>>>>>> nsslapd-minssf: 56
>>>>>>>> For security.
>>>>>>>> 
>>>>>>>> I can change that back to the default and probably move past
>>>>>>>> this, but is that a known issue? Is there another way
>>>>>>>> around?
>>>>>>> As root try the --ldapi flag:
>>>>>>> 
>>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>>> 
>>>>>>> rob
>>>>>>> 
>>>>>> ERROR: LDAPUpdate: syntax error: dn is not defined in the
>>>>>> update, data source=schema.update
>>>>>> 
>>>>>> -Erinn
>>>>>> 
>>>>> Sorry, add this to the top of your update file:
>>>>> 
>>>>> dn: cn=schema
>>>>> 
>>>>> rob
>>>> No worries! Thanks for the help, after a restart of IPA the web UI
>>>> is working again. I reckon this is something that needs to be fixed,
>>>> does opening a support case and pointing them to that bug help you
>>>> folks out with this in any way?
>>> 
>>> This is a known defect. We just did not realize it would have such a 
>>> bad impact on upgrade. Sorry, the errata is on the way.
>>> 
>>> I would recommend everyone to not upgrade to 6.4 until the errata is 
>>> shipped. We will notify you as soon as it goes out.
>>> 
>>> Sorry again.
>>> 
>> 
>> We did some research of this issue:
>> 1) The upgrade works fine from 6.3 to 6.4 and the issue does not
>>    exhibit itself
>> 2) We have been able to reproduce it with the direct upgrade from 6.2
>>    to 6.4
>> 3) Since the expected upgrade part is 6.2 -> 6.3 -> 6.4 the question
>>    comes up whether this fix is actually that urgent.
>> 4) In the presence of the simple workaround we feel that it is not
>>    that important to include this fix into the errata that we are
>>    working on.
>> 
>> Please let us know if you think that there is a problem with the plan
>> above.
>> 
>> 
> 
> Well all I can tell you on this, is that mine was an upgrade from 6.3 to 
> 6.4, so there is a case where it will fail going from 6.3 to 6.4, but how
> applicable it is I can't say.

Hi Erinn,

Is 6.3 the original RHEL version where IPA server was installed? Or was IPA
installed on RHEL-6.2 and then you upgraded RHEL to 6.3?

Thank you,
Martin
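
The workaround pieced together from the quoted replies above (the two schema additions, the "dn: cn=schema" header, and the --ldapi flag), shown as an added example that is not part of the original thread. The function names and the file path are hypothetical, and the schema definitions are joined back onto single lines on the assumption that the wrapping in the quotes came from the mail client.

```shell
#!/bin/sh
# Added example: build the schema update file discussed in the thread and
# sanity-check it before handing it to ipa-ldap-updater.

# Write the update file. The heredoc delimiter is quoted ('EOF') so the
# shell does not expand "$$" to its own PID; the "$$" separators must
# reach the file exactly as they appear in the thread.
write_schema_update() {
    cat > "$1" <<'EOF'
dn: cn=schema
add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$ description $$ owner) X-ORIGIN 'IPA v3' )
EOF
}

# Return 0 only if the first line that is neither blank nor a "#" comment
# is a "dn:" line with a value. A file without one is what produced
# "syntax error: dn is not defined in the update" in the thread.
check_update_file() {
    awk '
        /^[[:space:]]*(#.*)?$/ { next }
        { ok = ($0 ~ /^dn:[[:space:]]*[^[:space:]]/); seen = 1; exit }
        END { exit (seen && ok) ? 0 : 1 }
    ' "$1"
}

# Usage, as root on the IPA server (path is a placeholder):
#   write_schema_update /path/to/schema.update
#   check_update_file /path/to/schema.update \
#       && ipa-ldap-updater --ldapi /path/to/schema.update
```
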