[Freeipa-users] Failed to start pki-tomcatd Service

Alexandre Ellert ellertalexandre at gmail.com
Wed Jul 22 14:53:40 UTC 2015


> On 20 Jul 2015, at 17:17, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>> 
>>> Can you please show output from
>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>> 
>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
> 
> This is original 'dc' definition:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> 
> This is the offending one:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
> 
>> In 00core.ldif, I have :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> EQUALITY caseIgnoreIA5Match
>> SUBSTR caseIgnoreIA5SubstringsMatch
>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> SINGLE-VALUE
>> X-ORIGIN 'RFC 4519'
>> X-DEPRECATED 'domaincomponent' )
> If you look into 99user.ldif, you'll see the wrong definition there.
> 
> 99user.ldif accumulates definitions coming from replication or updates.
> You can check other IPA masters, do they have 'dc' attribute defined in
> a wrong way?

I have a second IPA master, and here are the occurrences of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:
In 00core.ldif :
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )
In 99user.ldif :
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )

These two definitions are exactly the same on both IPA masters.

I don’t understand what is wrong in 99user.ldif? How can I correct it with the good definition?

> 
>> As far as I remember, the only modification I made was to disable
>> read-only access without authentication.  I don’t need any other
>> special customization.
> Something brought the wrong definition into your IPA masters.
> Maybe someone tried to add support for some old application?

Nobody else has ever had read/write access to the IPA servers. I’m the only admin.
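
A field-by-field comparison of the two 'dc' definitions quoted in this message, as an added example that is not part of the original post or of FreeIPA/389-ds. It unfolds the LDIF continuation lines and reports which matching-rule or syntax fields differ for the same OID; the function names are hypothetical and only the four fields in FIELDS are compared.

```python
import re

# Constructed sample input: the two 'dc' definitions quoted in the message above.
CORE = """attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )
"""
USER = """attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )
"""
FIELDS = ("EQUALITY", "ORDERING", "SUBSTR", "SYNTAX")
FIELD_RE = re.compile(r"\b(%s)\s+(\S+)" % "|".join(FIELDS))
DEF_RE = re.compile(r"attributeTypes:\s*\(\s*([\d.]+)\s+(.*)\)\s*$", re.I)

def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def attribute_types(text):
    """Return {oid: {field: value}} for each attributeTypes value in a schema file."""
    found = (DEF_RE.match(line) for line in unfold(text))
    return {m.group(1): dict(FIELD_RE.findall(m.group(2))) for m in found if m}

def conflicts(files):
    """files is {name: text}; return {oid: {field: {name: value}}} where files disagree."""
    result = {}
    parsed = {name: attribute_types(text) for name, text in files.items()}
    for oid in {o for defs in parsed.values() for o in defs}:
        holders = {n: d[oid] for n, d in parsed.items() if oid in d}
        for field in FIELDS:
            values = {n: d.get(field) for n, d in holders.items()}
            if len(set(values.values())) > 1:
                result.setdefault(oid, {})[field] = values
    return result

if __name__ == "__main__":
    print(conflicts({"00core.ldif": CORE, "99user.ldif": USER}))
```

To run it against a real instance, pass the contents of the files under the schema directory instead of the embedded strings.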




