[Freeipa-users] ipa ERROR on user-add after RHEL 7 yum update

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 20 16:10:18 UTC 2016


On Wed, 20 Apr 2016, Daryl Fonseca-Holt wrote:
>After doing a yum update on April 14 we are experiencing this error on an ipa
>user-add:
>     ipa: ERROR: missing attribute "nisMapName" required by object class
>     "nisMap"
>The /var/log/ipaupgrade.log is too large to attach but I didn't see any obvious
>errors in it.
>
>After the update the versions are:
>     ipa-server-4.2.0-15.el7_2.6.1.x86_64
>     389-ds-base-1.3.4.0-29
>The dirsrv instance log has this error:
>     [19/Apr/2016:09:48:44 -0500] - Entry
>     "uid=testuser,cn=users,cn=accounts,dc=uofmt1" missing attribute
>     "nisMapName" required by object class "nisMap"
Default user object classes do not include nisMap object class. Did you
add that yourself?

>Looking at the schema for the instance the attribute seems to be there:
>     cd /etc/dirsrv/slapd-UOFMT1/schema
>     grep nisMapName *
>     10rfc2307.ldif:attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
>     DESC 'Standard LDAP attribute type' SYNTAX
>     1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2307' )
>     10rfc2307.ldif:objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
>     DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $
>     nisMapEntry $ nisMapName ) MAY ( description ) X-ORIGIN 'RFC 2307' )
>     10rfc2307.ldif:objectClasses: ( 1.3.6.1.1.1.2.13 NAME 'nisMap' DESC
>     'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( nisMapName )
>     MAY ( description ) X-ORIGIN 'RFC 2307' )
>     99user.ldif: lass' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $
>     nisMapName ) MAY descripti
>     99user.ldif: s' SUP top STRUCTURAL MUST nisMapName MAY description X-
>     ORIGIN ( 'RFC 2307' '
>     99user.ldif:attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC
>     'Standard LDAP attri
>I've attached the dirsrv instance 10rfc2307.ldif and 99user.ldif. It doesn't
>make sense that 99user.ldif has an nisMap objectclass in it. Or is this
>something the upgrade is trying to override?
99user.ldif accumulates all schema changes that come through replication
or via updates. 

Can you show full entry for uid=testuser (filter userPassword field) and also output of

$ ipa config-show --all|grep objectclass
  Default group objectclasses: top, ipaobject, groupofnames, ipausergroup, nestedgroup
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser, posixaccount
  objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig, ipaUserAuthTypeClass

>
>Since this IPA server was first installed these updates have been applied:
>     grep 'IPA version' /var/log/ipaupgrade.log
>     2016-02-02T15:47:48Z DEBUG IPA version 4.2.0-15.el7_2.3
>     2016-03-25T19:21:18Z DEBUG IPA version 4.2.0-15.el7_2.6
>     2016-03-25T19:33:21Z DEBUG IPA version 4.2.0-15.el7_2.6
>     2016-03-25T19:42:23Z DEBUG IPA version 4.2.0-15.el7_2.6
>     2016-04-14T15:47:31Z DEBUG IPA version 4.2.0-15.el7_2.6.1
>     2016-04-14T15:56:50Z DEBUG IPA version 4.2.0-15.el7_2.6.1
>     2016-04-14T16:12:58Z DEBUG IPA version 4.2.0-15.el7_2.6.1
>     2016-04-14T16:22:07Z DEBUG IPA version 4.2.0-15.el7_2.6.1
Difference between -15.el7_2.6 and -15.el7_2.6.1 is a rebuild against
updated Samba version.

-- 
/ Alexander Bokovoy
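
The required-attribute check behind the error above, as an added example that is not part of the original message and is not FreeIPA or 389-ds code. It unfolds LDIF continuation lines (a plain grep over a folded schema file returns only fragments of a definition), reads each object class's MUST list in both the parenthesised and bare forms, and reports which classes on an entry lack a required attribute. The schema text and the entry are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample in the folded style of 99user.ldif (not the poster's file).
SAMPLE_SCHEMA = (
    "dn: cn=schema\n"
    "objectClasses: ( 1.3.6.1.1.1.2.13 NAME 'nisMap' DESC 'Standard LDAP objectc\n"
    " lass' SUP top STRUCTURAL MUST nisMapName MAY description X-ORIGIN 'RFC 2307' )\n"
    "objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Standard LDAP obj\n"
    " ectclass' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ hom\n"
    " eDirectory ) MAY ( userPassword $ loginShell ) X-ORIGIN 'RFC 2307' )\n"
)
# Constructed entry: a user that picked up nisMap but has no nisMapName.
SAMPLE_ENTRY = {
    "objectClass": ["top", "posixAccount", "nisMap"],
    "cn": ["Test User"], "uid": ["testuser"], "uidNumber": ["10001"],
    "gidNumber": ["10001"], "homeDirectory": ["/home/testuser"],
}

def unfold(ldif_text):
    """Join LDIF continuation lines: newline + one space continues the previous line."""
    return re.sub(r"\r?\n ", "", ldif_text)

def parse_objectclasses(ldif_text):
    """Return {lowercased class name: set of lowercased MUST attribute names}."""
    classes = {}
    for line in unfold(ldif_text).splitlines():
        if not line.lower().startswith("objectclasses:"):
            continue
        name = re.search(r"NAME\s+'([^']+)'", line)
        if not name:
            continue
        body = re.sub(r"'[^']*'", "''", line)  # blank quoted strings so DESC text cannot match
        must = re.search(r"\bMUST\s+(?:\(([^)]*)\)|([\w;-]+))", body)
        raw = (must.group(1) or must.group(2) or "") if must else ""
        classes[name.group(1).lower()] = {a.strip().lower() for a in raw.split("$") if a.strip()}
    return classes

def missing_required(entry, classes):
    """Return {objectclass: sorted MUST attributes the entry lacks}."""
    attrs = {k.lower(): v for k, v in entry.items()}
    report = {}
    for oc in attrs.get("objectclass", []):
        missing = sorted(classes.get(oc.lower(), set()) - set(attrs))
        if missing:
            report[oc] = missing
    return report

if __name__ == "__main__":
    print(missing_required(SAMPLE_ENTRY, parse_objectclasses(SAMPLE_SCHEMA)))
```

Object classes that are absent from the parsed schema text (here `top`) are skipped, so feed it every schema file the instance loads before trusting an empty report.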



