[Freeipa-users] ERROR Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed

Rob Crittenden rcritten at redhat.com
Tue May 7 21:51:09 UTC 2013


John Blaut wrote:
> Hi
>
> We found out recently that an IPA server which we upgraded some time ago
> from EL6.2/IPA 2.1 to EL6.3/IPA 2.2, reported the following errors:
>
> ERROR Update failed: Object class violation: attribute
> "ipaSELinuxUserMapOrder" not allowed
> ERROR Upgrade failed with attribute "idnsAllowQuery" not allowed
>
> The latter error we resolved by applying the patch found @
> https://fedorahosted.org/freeipa/ticket/2440 (in fact we used this fix
> on another server in the past).
>
> Unfortunately we do not have a solution for the first error (related to
> ipaSELinuxUserMapOrder). Any ideas?
>
> We do have plans to upgrade the mentioned server to EL 6.4 / IPA 3.0,
> but I doubt this would be safe to do before we resolve the above error
> first.

Updating might be fine, but it shouldn't be too hard to fix first.

I'd start by getting the current schema:

ldapsearch -x -b cn=schema objectclasses attributetypes > /path/to/some/file

See if ipaSELinuxUserMapOrder is defined as an attributeType.

It looks like there is an error in the update file that adds this 
attribute, so it may not be there. Look in 
/usr/share/ipa/updates/10-selinuxusermap.update and you'll see this line 
duplicated:

      X-ORIGIN 'IPA v3')

If so, I'd try to remove the extra line and run:

ipa-ldap-updater /usr/share/ipa/updates/10-selinuxusermap.update

That should fix it.

rob
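
The two inspection steps in the reply above (is the attribute present in the schema dump, and is a line doubled in the update file), as an added shell example that is not part of the original message and not FreeIPA code. The sample files are constructed and their OIDs are placeholders; ldapsearch folds long LDIF lines, so the dump is unfolded before matching.

```shell
#!/bin/sh
# Added example, not FreeIPA code. All sample data below is constructed.

# Join LDIF continuation lines (a leading single space continues the previous line).
unfold_ldif() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { if (NR) printf "\n" }' "$1"
}

# Exit 0 if attribute $2 appears as an attributeTypes NAME in schema dump $1.
# Handles both NAME 'x' and NAME ( 'x' 'y' ), case-insensitively.
schema_has_attr() {
    unfold_ldif "$1" | grep -i '^attributetypes:' |
        grep -Eqi "NAME +(\( *('[^']+' +)*)?'$2'"
}

# Print "N: text" for each non-blank line identical to the line just before it.
adjacent_dups() {
    awk 'NR > 1 && $0 == prev && NF > 0 { print NR ": " $0 } { prev = $0 }' "$1"
}

# Constructed samples: a schema dump lacking the attribute, and an update file
# with a doubled line. OIDs 0.0.0.0 and 0.0.0.1 are placeholders, not real ones.
write_samples() {
    cat > "$1/schema.ldif" <<'EOF'
dn: cn=schema
attributeTypes: ( 0.0.0.1 NAME 'exampleAttr' DESC 'constructed, folded
  line' X-ORIGIN 'example' )
EOF
    cat > "$1/sample.update" <<'EOF'
dn: cn=schema
add:attributeTypes: ( 0.0.0.0 NAME 'ipaSELinuxUserMapOrder'
      X-ORIGIN 'IPA v3')
      X-ORIGIN 'IPA v3')
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
schema_has_attr "$tmp/schema.ldif" ipaSELinuxUserMapOrder ||
    echo "ipaSELinuxUserMapOrder is not defined in the schema dump"
adjacent_dups "$tmp/sample.update"
rm -rf "$tmp"
```

On a real server, point schema_has_attr at the file written by the ldapsearch command and adjacent_dups at the update file named in the reply.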



