[Freeipa-users] Failed to start pki-tomcatd Service

Alexandre Ellert ellertalexandre at gmail.com
Wed Jul 22 16:00:18 UTC 2015


> On 22 Jul 2015, at 17:43, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>> 
>>> On 22 Jul 2015, at 17:09, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>> 
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>>> 
>>>>> On 20 Jul 2015, at 17:17, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>>> 
>>>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>>>>> 
>>>>>>> Can you please show output from
>>>>>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>>>>> 
>>>>>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>>>>> 
>>>>> This is original 'dc' definition:
>>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>> 
>>>>> This is the offending one:
>>>>>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>>>>>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>>> 
>>>>>> In 00core.ldif, I have :
>>>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>>>> EQUALITY caseIgnoreIA5Match
>>>>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>>>> SINGLE-VALUE
>>>>>> X-ORIGIN 'RFC 4519'
>>>>>> X-DEPRECATED 'domaincomponent' )
>>>>> If you look into 99user.ldif, you'll see the wrong definition there.
>>>>> 
>>>>> 99user.ldif accumulates definitions coming from replication or updates.
>>>>> You can check other IPA masters, do they have 'dc' attribute defined in
>>>>> a wrong way?
>>>> 
>>>> I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema :
>>>> In 00core.ldif :
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>>>> EQUALITY caseIgnoreIA5Match
>>>> SUBSTR caseIgnoreIA5SubstringsMatch
>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>> SINGLE-VALUE
>>>> X-ORIGIN 'RFC 4519'
>>>> X-DEPRECATED 'domaincomponent' )
>>>> In 99user.ldif :
>>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>>> GIN ( 'RFC 2247' 'user defined' ) )
>>>> 
>>>> These two definitions are exactly the same on both IPA masters.
>>>> 
>>>> I don’t understand what is wrong in 99user.ldif. How can I correct it with the good definition?
>>> The correct definition is in the 00core.ldif. The one in 99user.ldif is
>>> wrong.
>>> 
>>> I think you can remove it from 99user.ldif on both servers but you need
>>> to shut down dirsrv instances on both to do that.
>>> --
>>> / Alexander Bokovoy
>> 
>> I shut down IPA on both servers (ipactl stop) and removed this section in 99user.ldif :
>>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>>> ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
>>> oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
>>> GIN ( 'RFC 2247' 'user defined' ) )
>> 
>> But I still have the same behavior (pki-tomcatd doesn’t start, same errors
>> in logs). Do you have another idea?
> We need to find out where the definition comes from.
> 
> Can you give me output of
> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
> from both servers?

Server 1:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

Server 2 :
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

> 
> With correct setup IPA 4.x should show:
> /etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> /etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
> 
> I.e. there are two lines -- in the default schema and in the IPA
> instance schema.

Seems to be good ?

