[Freeipa-users] Failed to start pki-tomcatd Service

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 22 15:43:39 UTC 2015


On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>
>> On 22 Jul 2015, at 17:09, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>
>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>
>>>> On 20 Jul 2015, at 17:17, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>
>>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>>>
>>>>>> Can you please show output from
>>>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>>>
>>>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>>>
>>>> This is original 'dc' definition:
>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>
>>>> This is the offending one:
>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>>
>>>>> In 00core.ldif, I have :
>>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>> EQUALITY caseIgnoreIA5Match
>>>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>>> SINGLE-VALUE
>>>>> X-ORIGIN 'RFC 4519'
>>>>> X-DEPRECATED 'domaincomponent' )
>>>> If you look into 99user.ldif, you'll see the wrong definition there.
>>>>
>>>> 99user.ldif accumulates definitions coming from replication or updates.
>>>> You can check other IPA masters, do they have 'dc' attribute defined in
>>>> a wrong way?
>>>
>>> I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:
>>> In 00core.ldif :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>> EQUALITY caseIgnoreIA5Match
>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>> SINGLE-VALUE
>>> X-ORIGIN 'RFC 4519'
>>> X-DEPRECATED 'domaincomponent' )
>>> In 99user.ldif :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>> GIN ( 'RFC 2247' 'user defined' ) )
>>>
>>> These two definitions are exactly the same on both IPA masters.
>>>
>>> I don't understand what is wrong in 99user.ldif. How can I correct it with the good definition?
>> The correct definition is in the 00core.ldif. The one in 99user.ldif is
>> wrong.
>>
>> I think you can remove it from 99user.ldif on both servers but you need
>> to shut down dirsrv instances on both to do that.
>> --
>> / Alexander Bokovoy
>
>I shut down IPA on both servers (ipactl stop) and removed this section in 99user.ldif :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>  ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>  oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>  GIN ( 'RFC 2247' 'user defined' ) )
>
>But I still have the same behavior (pki-tomcatd doesn't start, same errors
>in logs). Do you have another idea?
We need to find out where the definition comes from.

Can you give me output of
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
from both servers?

With a correct setup, IPA 4.x should show:
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

I.e. there are two lines -- in the default schema and in the IPA
instance schema. 
-- 
/ Alexander Bokovoy



