[Freeipa-users] Problems with failed upgrade: groups are not created
Will Sheldon
mail at willsheldon.com
Sat May 16 18:29:31 UTC 2015
Thanks for the reply Martin.
Turns out that there was no problem at all; a minor configuration mistake (nested a group inside the wrong parent) led us down a rabbit hole. Our failed upgrade happened on the same day our 1000th group was created. Using the LDAP browser plugin for Eclipse, the default search query limit is 1000… It took a while to work that out; needless to say, we all feel a little silly and a little wiser now :)
Will Sheldon
On May 14, 2015 at 1:44:15 AM, Martin Basti (mbasti at redhat.com) wrote:
On 14/05/15 01:50, Will Sheldon wrote:
Hello everyone :)
We are seeing some strange behavior (created groups don't exist) and I really hope someone can lend some advice...
We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was aborted before completion, however I believe the schema was updated.
Recently we attempted to upgrade to 4.1, but encountered some issues with the upgrade; replication failed:
from the install log (before schema update, so server was running 3.3 schema):
=======================>
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure attribute "cn" not allowed
=======================<
After that we tried updating the schema, and we now get this error (we have log file captures for this):
=======================>
[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 131 seconds elapsed
Update in progress yet not in progress
[vanipa.foo.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
[error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
========================<
which seems to be referring to this bit of the log:
=======================>
2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
run_step(full_msg, method)
=======================<
Since then we have a somewhat strange issue where new groups that are added using the web interface and ipa CLI command interface are created in the compat tree, but not in the cn=hostgroups,cn=accounts tree, even though ADD operations appear to complete successfully (slapd log output below):
=======================>
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000
=======================<
Which is consistent with the slapd log during the upgrade:
[21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist
--
Kind regards,
Will Sheldon
Hello,
can you find in ipaserver-install.log more details about this error?
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure attribute "cn" not allowed
Martin
--
Martin Basti
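Added example, not part of the original thread: a small parser that pairs each request in a 389-ds access log with its RESULT line by (conn, op), which confirms whether an ADD really succeeded and flags searches cut off by a size limit (LDAP result code 4), the cause found in this thread. The function names are hypothetical, and the `conn=99` search pair in the sample is constructed; the other sample lines are taken from the log quoted above.

```python
import re

# Sample in 389-ds access-log format. The conn=99 pair is constructed to show
# a search truncated at 1000 entries; the other lines come from the post.
SAMPLE_LOG = """\
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=99 op=1 SRCH base="cn=hostgroups,cn=accounts,dc=foo,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=99 op=1 RESULT err=4 tag=101 nentries=1000 etime=1
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000
"""

LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<verb>[A-Z]+)(?: (?P<rest>.*))?$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESULT_CODES = {0: "success", 4: "sizeLimitExceeded", 32: "noSuchObject"}

def correlate(log_text):
    """Pair every request with its RESULT line using the (conn, op) key."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection open/close lines and anything unparseable
        key = (int(m["conn"]), int(m["op"]))
        fields = {k: v.strip('"') for k, v in KV.findall(m["rest"] or "")}
        if m["verb"] == "RESULT":
            if key in ops:  # results may arrive after interleaved operations
                err = int(fields["err"])
                ops[key].update(err=err, status=RESULT_CODES.get(err, "other"),
                                nentries=int(fields.get("nentries", 0)))
        else:
            ops[key] = {"verb": m["verb"], "err": None, "status": "no result",
                        "target": fields.get("dn") or fields.get("base")}
    return ops

def truncated_searches(ops):
    """Searches the server cut short because a size limit was reached."""
    return [k for k, o in ops.items() if o["verb"] == "SRCH" and o["err"] == 4]

if __name__ == "__main__":
    for key, o in correlate(SAMPLE_LOG).items():
        print(key, o["verb"], o["status"], o["target"])
```

A search that ends with err=4 returned only part of the tree, so entries missing from that client's view may still exist on the server.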