[Freeipa-users] Upgrading freeipa server from f18 to f20

Martin Kosek mkosek at redhat.com
Thu Jan 9 13:55:04 UTC 2014


On 01/09/2014 12:22 PM, Thomas Sailer wrote:
> Here's the corresponding log (from another attempt, thus the differing
> timestamps) of the server slapd:
> 
> [09/Jan/2014:12:19:35 +0100] conn=375 fd=73 slot=73 connection from a.b.c.d to
> e.f.g.h
> [09/Jan/2014:12:19:35 +0100] conn=375 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
> name="startTLS"
> [09/Jan/2014:12:19:35 +0100] conn=375 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Jan/2014:12:19:35 +0100] conn=375 SSL 256-bit AES
> [09/Jan/2014:12:19:35 +0100] conn=375 op=1 BIND dn="cn=Directory Manager"
> method=128 version=3
> [09/Jan/2014:12:19:35 +0100] conn=375 op=1 RESULT err=0 tag=97 nentries=0
> etime=0 dn="cn=directory manager"
> [09/Jan/2014:12:19:35 +0100] conn=375 op=2 SRCH base="cn=config,cn=ldbm
> database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)"
> attrs="nsslapd-directory"
> [09/Jan/2014:12:19:35 +0100] conn=375 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Jan/2014:12:19:35 +0100] conn=375 op=3 SRCH base="cn=schema" scope=0
> filter="(objectClass=*)" attrs="attributeTypes objectClasses"
> [09/Jan/2014:12:19:36 +0100] conn=375 op=3 RESULT err=0 tag=101 nentries=1 etime=1
> [09/Jan/2014:12:19:36 +0100] conn=375 op=4 SRCH
> base="cn=replication,cn=etc,dc=axsem,dc=com" scope=0 filter="(objectClass=*)"
> attrs=ALL
> [09/Jan/2014:12:19:36 +0100] conn=375 op=4 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Jan/2014:12:19:36 +0100] conn=375 op=5 MOD
> dn="cn=replication,cn=etc,dc=xxxx,dc=com"
> [09/Jan/2014:12:19:36 +0100] conn=375 op=5 RESULT err=0 tag=103 nentries=0
> etime=0 csn=52ce8617000000040000
> [09/Jan/2014:12:19:36 +0100] conn=375 op=6 SRCH
> base="cn=replica,cn=dc\3Dxxxx\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0
> filter="(objectClass=*)" attrs=ALL
> [09/Jan/2014:12:19:36 +0100] conn=375 op=6 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Jan/2014:12:19:36 +0100] conn=375 op=7 ADD dn="cn=replication
> manager,cn=config"
> [09/Jan/2014:12:19:36 +0100] conn=375 op=7 RESULT err=19 tag=105 nentries=0
> etime=0
> [09/Jan/2014:12:19:36 +0100] conn=375 op=8 UNBIND
> [09/Jan/2014:12:19:36 +0100] conn=375 op=8 fd=73 closed - U1
> 
> I don't have cn=replication manager,cn=config, should I?

You don't. This temporary user is automatically created by ipa-replica-install
to bootstrap the replication agreements. It should be deleted afterwards.

> 
> When I manually try to create this entry like this (ldapvi syntax), I get:
> 
> add cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: replication manager
> sn: RM
> userPassword: password
> passwordExpirationTime: 20380119031407Z
> 
> ldap_add: Constraint violation (19)
>         additional info: pre-hashed passwords are not valid
> 
> Why is that?

I really wonder why you get this error (maybe because of the downgrade?); I have
not seen such a case yet. It is hitting a check in our password plugin which needs
user passwords in clear text to be able to properly check them.

In your case, the password should be the DM password and it is given to
ipa-replica-install in clear. You could, however, try temporarily switching:

ipa config-mod --enable-migration=1

on the master machine to disable this check and see if the installation
continues or not.

Martin
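
The access log quoted above shows the failure only as a RESULT err=19 line following the ADD. This added example (not part of the original message and not FreeIPA code) pairs each RESULT with its request by conn/op and returns the non-zero ones; the sample lines are constructed in the quoted format, and the function names are assumptions of this example.

```python
import re

# Constructed sample in the access-log format quoted above, including the
# "> " quote markers and the line wrapping added by the mail client.
SAMPLE = r"""
> [09/Jan/2014:12:19:36 +0100] conn=375 op=6 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Jan/2014:12:19:36 +0100] conn=375 op=7 ADD dn="cn=replication
> manager,cn=config"
> [09/Jan/2014:12:19:36 +0100] conn=375 op=7 RESULT err=19 tag=105 nentries=0
> etime=0
> [09/Jan/2014:12:19:36 +0100] conn=375 op=8 UNBIND
> [09/Jan/2014:12:19:36 +0100] conn=375 op=8 fd=73 closed - U1
"""

RECORD = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) ([A-Z]+)\s*(.*)$')

def unwrap(text):
    """Drop quote markers and rejoin wrapped lines onto the record they continue."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r'^>\s?', '', raw).strip()
        if not line:
            continue
        if line.startswith('[') or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records

def failed_operations(text):
    """Pair each RESULT with its request by (conn, op); return the non-zero ones."""
    pending, failures = {}, []
    for record in unwrap(text):
        m = RECORD.match(record)
        if not m:
            continue  # connection, TLS and close lines carry no request verb
        ts, conn, op, verb, rest = m.groups()
        if verb != 'RESULT':
            pending[(conn, op)] = (verb, rest)
            continue
        err = re.search(r'\berr=(\d+)', rest)
        request = pending.pop((conn, op), None)
        if err and int(err.group(1)) != 0 and request:
            dn = re.search(r'dn="([^"]*)"', request[1])
            failures.append({'time': ts, 'conn': int(conn), 'op': int(op),
                             'verb': request[0], 'err': int(err.group(1)),
                             'dn': dn.group(1) if dn else None})
    return failures

if __name__ == '__main__':
    for failure in failed_operations(SAMPLE):
        print(failure)
```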



