[Freeipa-users] ERROR Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed

Rob Crittenden rcritten at redhat.com
Wed May 8 02:32:43 UTC 2013 

John Blaut wrote:
> Hi
>
> Thanks for the feedback.
>
> It seems the attributeType was already there. Nevertheless I tried your
> suggested fix but I did not help.
>
> ipa config-show and likewise the UI does not show SELinux related settings.

Ok, can you send me the output of:

ipa-ldap-updater -d /usr/share/ipa/updates/10-selinuxusermap.update

It is going to be long and ugly.

rob

 >
>
> Regards
>
> John
>
>
> On Tue, May 7, 2013 at 11:51 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     John Blaut wrote:
>
>         Hi
>
>         We found out recently that an IPA server which we upgraded some
>         time ago
>         from EL6.2/IPA 2.1 to EL6.3/IPA 2.2, reported the following errors:
>
>         ERROR Update failed: Object class violation: attribute
>         "ipaSELinuxUserMapOrder" not allowed
>         ERROR Upgrade failed with attribute "idnsAllowQuery" not allowed
>
>         The latter error we resolved by applying the patch found @
>         https://fedorahosted.org/__freeipa/ticket/2440
>         <https://fedorahosted.org/freeipa/ticket/2440> (in fact we used
>         this fix
>         on another server in the past).
>
>         Unfortunately we do not have a solution for the first error
>         (related to
>         ipaSELinuxUserMapOrder). Any ideas?
>
>         We do have plans to upgrade the mentioned server to EL 6.4 / IPA
>         3.0,
>         but I doubt this would be safe to do before we resolve the above
>         error
>         first.
>
>
>     Updating might be fine, but it shouldn't be too hard to fix first.
>
>     I'd start by getting the current schema:
>
>     ldapsearch -x -b cn=schema objectclasses attributetypes >
>     /path/to/some/file
>
>     See if ipaSELinuxUserMapOrder is defined as an attributeType.
>
>     It looks like there is an error in the update file that adds this
>     attribute, so it may not be there. Look in
>     /usr/share/ipa/updates/10-__selinuxusermap.update and you'll see
>     this line duplicated:
>
>           X-ORIGIN 'IPA v3')
>
>     If so, I'd try to remove the extra line and run:
>
>     ipa-ldap-updater /usr/share/ipa/updates/10-__selinuxusermap.update
>
>     That should fix it.
>
>     rob
>
>

More information about the Freeipa-users mailing list