[Freeipa-users] Problems with failed upgrade: groups are not created

Will Sheldon mail at willsheldon.com
Sat May 16 18:29:31 UTC 2015


Thanks for the reply Martin.

Turns out that there was no problem at all; a minor configuration mistake (nested a group inside the wrong parent) led us down a rabbit hole. Our failed upgrade happened on the same day our 1000th group was created. Using the LDAP browser plugin for Eclipse, the default search query limit is 1000… It took a while to work that out; needless to say, we all feel a little silly and a little wiser now :)

Will Sheldon

On May 14, 2015 at 1:44:15 AM, Martin Basti (mbasti at redhat.com) wrote:

On 14/05/15 01:50, Will Sheldon wrote:

Hello everyone :)

We are seeing some strange behavior (created groups don't exist) and I really hope someone can lend some advice...

We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was aborted before completion, however I believe the schema was updated.

Recently we attempted to upgrade to 4.1, but encountered some issues with the upgrade; replication failed:

from the install log (before schema update, so server was running 3.3 schema):

=======================>
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure attribute "cn" not allowed
=======================<


After that we tried updating the schema, and we now get this error (we have log file captures for this):

=======================>
[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 131 seconds elapsed
Update in progress yet not in progress

[vanipa.foo.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]

  [error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
========================<

which seems to be referring to this bit of the log:
=======================>
2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
=======================<


Since then we have a somewhat strange issue where new groups that are added using the web interface and ipa CLI command interface are created in the compat tree, but not in the cn=hostgroups,cn=accounts tree, even though ADD operations appear to complete successfully (slapd log output below)

=======================>
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"

[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000
=======================<


Which is consistent with the slapd log during the upgrade:

[21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist

--

Kind regards,

Will Sheldon



Hello,

can you find in ipaserver-install.log more details about this error?
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure attribute "cn" not allowed

Martin


--  
Martin Basti
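
Added example, not part of the original thread: a small parser for the slapd access-log format quoted above. It pairs each request with its RESULT line by (conn, op), which shows that the interleaved ADD did commit, and it flags searches that the server truncated. The first four sample lines are copied from the log in this thread; the last two are constructed, and they assume a search stopped by a size limit is logged with err=4 (sizeLimitExceeded).

```python
import re

SIZE_LIMIT_EXCEEDED = 4  # LDAP result code sizeLimitExceeded (RFC 4511)
LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) ([A-Z]+)(?: (.*))?$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def pair_operations(lines):
    """Join each request to its RESULT line on the (conn, op) key."""
    pending, done = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(rest or '')}
        if verb != 'RESULT':
            pending[(conn, op)] = {'verb': verb, 'conn': conn,
                                   'target': fields.get('dn') or fields.get('base')}
        elif (conn, op) in pending:
            done.append({**pending.pop((conn, op)), 'err': int(fields['err']),
                         'nentries': int(fields.get('nentries', 0))})
    return done

def successful_adds(ops):
    return [o['target'] for o in ops if o['verb'] == 'ADD' and o['err'] == 0]

def truncated_searches(ops):
    """Searches the server cut short: the client saw only part of the tree."""
    return [o for o in ops if o['verb'] == 'SRCH' and o['err'] == SIZE_LIMIT_EXCEEDED]

SAMPLE = [
    # Copied from the log excerpt in this thread.
    '[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"',
    '[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL',
    '[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0',
    '[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000',
    # Constructed: a browse that hits a 1000-entry size limit.
    '[13/May/2015:23:20:00 +0000] conn=7120500 op=1 SRCH base="cn=accounts,dc=foo,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL',
    '[13/May/2015:23:20:01 +0000] conn=7120500 op=1 RESULT err=4 tag=101 nentries=1000 etime=1',
]

if __name__ == '__main__':
    ops = pair_operations(SAMPLE)
    print('committed ADDs:', successful_adds(ops))
    for o in truncated_searches(ops):
        print('truncated search on', o['target'], 'returned', o['nentries'], 'entries')
```

A committed ADD alongside a truncated search from the browsing client points at the client's view rather than the directory.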