[Freeipa-users] Upgrading to 6.4 - additional information

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Feb 26 18:13:31 UTC 2013


On 02/26/2013 01:05 PM, Martin Kosek wrote:
> On 02/26/2013 06:10 PM, Erinn Looney-Triggs wrote:
>> On 02/26/2013 12:08 PM, Martin Kosek wrote:
>>> On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote:
>>>> On 02/26/2013 10:29 AM, Dmitri Pal wrote:
>>>>> On 02/21/2013 12:31 PM, Dmitri Pal wrote:
>>>>>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>>>>>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME
>>>>>>>>>>>> 'ipaExternalMember' DESC 'External Group Member
>>>>>>>>>>>> Identifier' EQUALITY caseIgnoreMatch ORDERING
>>>>>>>>>>>> caseIgnoreOrderingMatch SYNTAX
>>>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
>>>>>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME
>>>>>>>>>>>> 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY (
>>>>>>>>>>>> ipaExternalMember $$ memberOf $$ description $$ owner)
>>>>>>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>>>>>> Well that fails as well, though in sort of a self inflicted
>>>>>>>>>>> way:
>>>>>>>>>>>
>>>>>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command
>>>>>>>>>>> failed, exception: DatabaseError: Server is unwilling to
>>>>>>>>>>> perform: Minimum SSF not met. arguments:
>>>>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>>>>>> scope=0, filterstr="(objectclass=*)" 2013-02-21T16:24:30Z
>>>>>>>>>>> ERROR Unexpected error - see /var/log/ipaupgrade.log for
>>>>>>>>>>> details: DatabaseError: Server is unwilling to perform:
>>>>>>>>>>> Minimum SSF not met. arguments: base="cn=config,cn=ldbm
>>>>>>>>>>> database,cn=plugins,cn=config", scope=0,
>>>>>>>>>>> filterstr="(objectclass=*)"
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Now this probably comes about because I set:
>>>>>>>>>>> nsslapd-minssf: 56
>>>>>>>>>>> For security.
>>>>>>>>>>>
>>>>>>>>>>> I can change that back to the default and probably move past
>>>>>>>>>>> this, but is that a known issue? Is there another way
>>>>>>>>>>> around?
>>>>>>>>>> As root try the --ldapi flag:
>>>>>>>>>>
>>>>>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>> ERROR: LDAPUpdate: syntax error: dn is not defined in the
>>>>>>>>> update, data source=schema.update
>>>>>>>>>
>>>>>>>>> -Erinn
>>>>>>>>>
>>>>>>>> Sorry, add this to the top of your update file:
>>>>>>>>
>>>>>>>> dn: cn=schema
>>>>>>>>
>>>>>>>> rob
>>>>>>> No worries! Thanks for the help, after a restart of IPA the web UI
>>>>>>> is working again. I reckon this is something that needs to be fixed,
>>>>>>> does opening a support case and pointing them to that bug help you
>>>>>>> folks out with this in any way?
>>>>>>
>>>>>> This is a known defect. We just did not realize it would have such a
>>>>>> bad impact on upgrade. Sorry, the errata is on the way.
>>>>>>
>>>>>> I would recommend everyone to not upgrade to 6.4 until the errata is
>>>>>> shipped. We will notify you as soon as it goes out.
>>>>>>
>>>>>> Sorry again.
>>>>>>
>>>>>
>>>>> We did some research of this issue:
>>>>> 1) The upgrade works fine from 6.3 to 6.4 and the issue does not
>>>>> exhibit itself
>>>>> 2) We have been able to reproduce it with the direct upgrade from
>>>>> 6.2 to 6.4
>>>>> 3) Since the expected upgrade part is 6.2 -> 6.3 -> 6.4 the question
>>>>> comes up whether this fix is actually that urgent.
>>>>> 4) In the presence of the simple workaround we feel that it is not
>>>>> that important to include this fix into the errata that we are
>>>>> working on.
>>>>>
>>>>> Please let us know if you think that there is a problem with the plan
>>>>> above.
>>>>>
>>>>>
>>>>
>>>> Well all I can tell you on this, is that mine was an upgrade from 6.3
>>>> to 6.4, so there is a case where it will fail going from 6.3 to 6.4,
>>>> but how applicable it is I can't say.
>>>
>>> Hi Erinn,
>>>
>>> Is 6.3 the original RHEL version where IPA server was installed? Or was
>>> IPA installed on RHEL-6.2 and then you upgraded RHEL to 6.3?
>>>
>>> Thank you,
>>> Martin
>>>
>>
>> These systems have gone through all the point releases from 6 on up I
>> believe.
>>
>> -Erinn
>>
> 
> Ok, then this use case is also covered by the upcoming 6.4 fix. I just
> wanted to check that.
> 
> Thanks,
> Martin

Sounds good, and thanks for fixing that.

-Erinn
