[Freeipa-users] Upgrading to 6.4 - additional information

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Feb 26 17:10:33 UTC 2013 

On 02/26/2013 12:08 PM, Martin Kosek wrote:
> On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote:
>> On 02/26/2013 10:29 AM, Dmitri Pal wrote:
>>> On 02/21/2013 12:31 PM, Dmitri Pal wrote:
>>>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>>>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 
>>>>>>>>>> 'ipaExternalMember' DESC 'External Group Member
>>>>>>>>>> Identifier' EQUALITY caseIgnoreMatch ORDERING
>>>>>>>>>> caseIgnoreOrderingMatch SYNTAX
>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) 
>>>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME
>>>>>>>>>> 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY (
>>>>>>>>>> ipaExternalMember $$ memberOf $$ description $$ owner)
>>>>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>>>> Well that fails as well, though in sort of a self inflicted
>>>>>>>>> way:
>>>>>>>>>
>>>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command
>>>>>>>>> failed, exception: DatabaseError: Server is unwilling to
>>>>>>>>> perform: Minimum SSF not met. arguments:
>>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>>>> scope=0, filterstr="(objectclass=*)" 2013-02-21T16:24:30Z
>>>>>>>>> ERROR Unexpected error - see /var/log/ipaupgrade.log for
>>>>>>>>> details: DatabaseError: Server is unwilling to perform:
>>>>>>>>> Minimum SSF not met. arguments: base="cn=config,cn=ldbm
>>>>>>>>> database,cn=plugins,cn=config", scope=0,
>>>>>>>>> filterstr="(objectclass=*)"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Now this probably comes about because I set: nsslapd-minssf:
>>>>>>>>> 56 For security.
>>>>>>>>>
>>>>>>>>> I can cange that back to the default and probably move past
>>>>>>>>> this, but is that a known issue? Is there another way
>>>>>>>>> around?
>>>>>>>> As root try the --ldapi flag:
>>>>>>>>
>>>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>> ERROR: LDAPUpdate: syntax error: dn is not defined in the
>>>>>>> update, data source=schema.update
>>>>>>>
>>>>>>> -Erinn
>>>>>>>
>>>>>> Sorry, add this to the top of your update file:
>>>>>>
>>>>>> dn: cn=schema
>>>>>>
>>>>>> rob
>>>>> No worries! Thanks for the help, after a restart of IPA the web UI
>>>>> is working again. I reckon this is something that needs to be fixed,
>>>>> does opening a support case and pointing them to that bug help you
>>>>> folks out with this in any way?
>>>>
>>>> This is a know defect. We just did not realize it would have such a 
>>>> bad impact on upgrade. Sorry, the errata is on the way.
>>>>
>>>> I would recommend everyone to not upgrade to 6.4 until the errata is 
>>>> shipped. We will notify you as soon as it goes out.
>>>>
>>>> Sorry again.
>>>>
>>>
>>> We did some research of this issue: 1) The upgrade works fine from 6.3
>>> to 6.4 and the issue does not exhibit itself 2) We have been able to
>>> reproduce it with the direct upgrade from 6.2 to 6.4 3) Since the
>>> expected upgrade part is 6.2 -> 6.3 -> 6.4 the question comes up whether
>>> this fix is actually that urgent. 4) In the presence of the simple
>>> workaround we feel that it is not that important to include this fix
>>> into the errata that we are working on.
>>>
>>> Please let us know if you think that there is a problem with the plan
>>> above.
>>>
>>>
>>
>> Well all I can tell you on this, is that mine was an upgrade from 6.3 to 
>> 6.4, so there is a case where it will fail going from 6.3 to 6.4, but how
>> applicable it is I can't say.
> 
> Hi Erinn,
> 
> Is 6.3 the original RHEL version where IPA server was installed? Or was IPA
> installed on RHEL-6.2 and then you upgraded RHEL to 6.3?
> 
> Thank you,
> Martin
> 

These systems have gone through all the point releases from 6 on up I
believe.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130226/6f3c2f92/attachment.sig>

More information about the Freeipa-users mailing list