[Freeipa-users] Failed to start pki-tomcatd Service
Alexandre Ellert
ellertalexandre at gmail.com
Wed Jul 22 14:53:40 UTC 2015
> On 20 Jul 2015, at 17:17, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>
>>> Can you please show output from
>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>
>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>
> This is original 'dc' definition:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
> This is the offending one:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>
>> In 00core.ldif, I have :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> EQUALITY caseIgnoreIA5Match
>> SUBSTR caseIgnoreIA5SubstringsMatch
>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> SINGLE-VALUE
>> X-ORIGIN 'RFC 4519'
>> X-DEPRECATED 'domaincomponent' )
> If you look into 99user.ldif, you'll see the wrong definition there.
>
> 99user.ldif accumulates definitions coming from replication or updates.
> You can check other IPA masters, do they have 'dc' attribute defined in
> a wrong way?
I have a second IPA master, and here are the occurrences of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:
In 00core.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'RFC 4519'
X-DEPRECATED 'domaincomponent' )
In 99user.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
GIN ( 'RFC 2247' 'user defined' ) )
These two definitions are exactly the same on both IPA masters.
I don't understand what is wrong in 99user.ldif. How can I correct it with the good definition?
>
>> As far as I remember, the only modification I made was to disable
>> read-only access without authentication. I don’t need any other
>> special customization.
> Something brought the wrong definition into your IPA masters.
> Maybe someone tried to add support for some old application?
Nobody else has ever had read/write access to the IPA servers. I'm the only admin.
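
Added example, not part of the original message and not FreeIPA code: a small Python check that undoes the LDIF line folding seen in 99user.ldif and reports, per OID, which fields of an attributeTypes definition differ between two schema files. The two inline strings are constructed from the definitions quoted in this thread (the indentation of the 00core.ldif sample is assumed), and the function names are hypothetical.

```python
import re

# Constructed sample input: the two 'dc' definitions quoted in the thread.
# A folded LDIF line continues on the next line after one leading space.
CORE = (
    "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )\n"
    "  EQUALITY caseIgnoreIA5Match\n"
    "  SUBSTR caseIgnoreIA5SubstringsMatch\n"
    "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26\n"
    "  SINGLE-VALUE\n"
    "  X-ORIGIN 'RFC 4519'\n"
    "  X-DEPRECATED 'domaincomponent' )\n"
)
USER = (
    "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D\n"
    " ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn\n"
    " oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI\n"
    " GIN ( 'RFC 2247' 'user defined' ) )\n"
)
FIELD_RE = re.compile(r"\b(EQUALITY|ORDERING|SUBSTR|SYNTAX)\s+(\S+)")

def unfold(text):
    """Undo LDIF folding: a newline followed by one space joins two lines."""
    return re.sub(r"\r?\n ", "", text)

def parse_attribute_types(text):
    """Return {oid: {field: value}} for each attributeTypes definition."""
    found = {}
    for line in unfold(text).splitlines():
        m = re.match(r"attributeTypes:\s*\(\s*(\S+)\s+(.*)\)\s*$", line, re.I)
        if not m:
            continue
        # Blank out quoted strings so keywords inside DESC text are ignored.
        body = re.sub(r"'[^']*'", "''", m.group(2))
        fields = dict(FIELD_RE.findall(body))
        fields["SINGLE-VALUE"] = "SINGLE-VALUE" in body.split()
        found[m.group(1)] = fields
    return found

def conflicts(base_text, other_text):
    """List (oid, field, base_value, other_value) where two files disagree."""
    base, other = parse_attribute_types(base_text), parse_attribute_types(other_text)
    return [
        (oid, field, base[oid].get(field), other[oid].get(field))
        for oid in sorted(base.keys() & other.keys())
        for field in sorted(base[oid].keys() | other[oid].keys())
        if base[oid].get(field) != other[oid].get(field)
    ]

if __name__ == "__main__":
    for oid, field, core_value, user_value in conflicts(CORE, USER):
        print(f"{oid} {field}: 00core.ldif={core_value} 99user.ldif={user_value}")
```

For the two 'dc' definitions quoted in the message it reports one difference: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 in 00core.ldif against 1.3.6.1.4.1.1466.115.121.1.15 in 99user.ldif.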