[Freeipa-users] Upgrading to 6.4 - additional information

Martin Kosek mkosek at redhat.com
Tue Feb 26 18:05:23 UTC 2013


On 02/26/2013 06:10 PM, Erinn Looney-Triggs wrote:
> On 02/26/2013 12:08 PM, Martin Kosek wrote:
>> On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote:
>>> On 02/26/2013 10:29 AM, Dmitri Pal wrote:
>>>> On 02/21/2013 12:31 PM, Dmitri Pal wrote:
>>>>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>>>>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME
>>>>>>>>>>> 'ipaExternalMember' DESC 'External Group Member
>>>>>>>>>>> Identifier' EQUALITY caseIgnoreMatch ORDERING
>>>>>>>>>>> caseIgnoreOrderingMatch SYNTAX
>>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
>>>>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME
>>>>>>>>>>> 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY (
>>>>>>>>>>> ipaExternalMember $$ memberOf $$ description $$ owner)
>>>>>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>>>>> Well that fails as well, though in sort of a self inflicted
>>>>>>>>>> way:
>>>>>>>>>>
>>>>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command
>>>>>>>>>> failed, exception: DatabaseError: Server is unwilling to
>>>>>>>>>> perform: Minimum SSF not met. arguments:
>>>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>>>>> scope=0, filterstr="(objectclass=*)"
>>>>>>>>>> 2013-02-21T16:24:30Z ERROR Unexpected error - see
>>>>>>>>>> /var/log/ipaupgrade.log for details: DatabaseError: Server
>>>>>>>>>> is unwilling to perform: Minimum SSF not met. arguments:
>>>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>>>>> scope=0, filterstr="(objectclass=*)"
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Now this probably comes about because I set: nsslapd-minssf:
>>>>>>>>>> 56 For security.
>>>>>>>>>>
>>>>>>>>>> I can change that back to the default and probably move past
>>>>>>>>>> this, but is that a known issue? Is there another way
>>>>>>>>>> around?
>>>>>>>>> As root try the --ldapi flag:
>>>>>>>>>
>>>>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>> ERROR: LDAPUpdate: syntax error: dn is not defined in the
>>>>>>>> update, data source=schema.update
>>>>>>>>
>>>>>>>> -Erinn
>>>>>>>>
>>>>>>> Sorry, add this to the top of your update file:
>>>>>>>
>>>>>>> dn: cn=schema
>>>>>>>
>>>>>>> rob
>>>>>> No worries! Thanks for the help, after a restart of IPA the web UI
>>>>>> is working again. I reckon this is something that needs to be fixed,
>>>>>> does opening a support case and pointing them to that bug help you
>>>>>> folks out with this in any way?
>>>>>
>>>>> This is a known defect. We just did not realize it would have such a
>>>>> bad impact on upgrade. Sorry, the errata is on the way.
>>>>>
>>>>> I would recommend everyone to not upgrade to 6.4 until the errata is
>>>>> shipped. We will notify you as soon as it goes out.
>>>>>
>>>>> Sorry again.
>>>>>
>>>>
>>>> We did some research of this issue:
>>>> 1) The upgrade works fine from 6.3 to 6.4 and the issue does not
>>>>    exhibit itself
>>>> 2) We have been able to reproduce it with the direct upgrade from
>>>>    6.2 to 6.4
>>>> 3) Since the expected upgrade part is 6.2 -> 6.3 -> 6.4 the question
>>>>    comes up whether this fix is actually that urgent.
>>>> 4) In the presence of the simple workaround we feel that it is not
>>>>    that important to include this fix into the errata that we are
>>>>    working on.
>>>>
>>>> Please let us know if you think that there is a problem with the plan
>>>> above.
>>>>
>>>>
>>>
>>> Well all I can tell you on this, is that mine was an upgrade from 6.3 to
>>> 6.4, so there is a case where it will fail going from 6.3 to 6.4, but how
>>> applicable it is I can't say.
>>
>> Hi Erinn,
>>
>> Is 6.3 the original RHEL version where IPA server was installed? Or was IPA
>> installed on RHEL-6.2 and then you upgraded RHEL to 6.3?
>>
>> Thank you,
>> Martin
>>
>
> These systems have gone through all the point releases from 6 on up I
> believe.
>
> -Erinn
>

Ok, then this use case is also covered by the upcoming 6.4 fix. I just wanted 
to check that.

Thanks,
Martin
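
The "dn is not defined in the update" error quoted above can be caught before running ipa-ldap-updater --ldapi. The following is an added example, not part of the thread and not FreeIPA code: a simplified pre-flight check run over the two schema directives from the thread. The names check_update and with_schema_dn, the directive pattern, and the handling of space-prefixed lines as continuations are assumptions.

```python
import re

# action:attribute:value, e.g. "add:attributeTypes: ( ... )" (pattern is an assumption)
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+):([^:\s]+):")

# Constructed sample: the two directives quoted in the thread, each on one
# line, with no "dn:" line above them (the state that produced the error).
SCHEMA_UPDATE = """\
add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$ description $$ owner) X-ORIGIN 'IPA v3' )
"""


def check_update(text):
    """Return (line_number, message) for each line that has no entry to apply to."""
    problems = []
    current_dn = None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        # Skip blank lines, comments, and (assumed) space-prefixed continuations.
        if not line or line.startswith("#") or raw.startswith(" "):
            continue
        if line.lower().startswith("dn:"):
            current_dn = line[3:].strip() or None
            if current_dn is None:
                problems.append((number, "dn: line has no value"))
            continue
        match = DIRECTIVE_RE.match(line)
        if match is None:
            problems.append((number, "neither a dn: line nor an action:attribute: directive"))
        elif current_dn is None:
            problems.append((number, "%s:%s appears before any dn: line" % match.groups()))
    return problems


def with_schema_dn(text):
    """Apply the fix from the thread: put 'dn: cn=schema' at the top of the file."""
    return "dn: cn=schema\n" + text


if __name__ == "__main__":
    for number, message in check_update(SCHEMA_UPDATE):
        print("line %d: %s" % (number, message))
    print("after fix:", check_update(with_schema_dn(SCHEMA_UPDATE)))
```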
