[Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
Martin Basti
mbasti at redhat.com
Thu Oct 13 20:57:48 UTC 2016
On 13.10.2016 22:23, John Popowitch wrote:
> Ok, so I'm looking at fixing the conflicts for ' System: Modify Certificate Profile'.
> I ran this on each server:
> ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate Profile*" \* nsds5ReplConflict
>
> And now to make things interesting, this query has different results on each server.
> Server #1:
> # System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
> missions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
> f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
> privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
> nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=per
> missions,cn=pbac,dc=aws,dc=cappex,dc=com
>
> Server #2:
> # System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
> pex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
>
> # System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
> missions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
> f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
> privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
> nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
> missions,cn=pbac,dc=aws,dc=cappex,dc=com
>
> Server #3:
> # System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
> pex,dc=com
> member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
> privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
>
> I realize that this is a horrible state of replication.
> My question is, what happens if I modify or delete an entry on one server that doesn't exist on another?
> Thanks.
> -John
>
You can remove them on all servers because it is replicated, so the correct
one (which you chose) will be replicated everywhere. IIRC the conflicting
entries are not replicated, they have just local validity, so you must
remove those conflict marks (see the dirsrv docs I posted) and then it will
be replicated.

Probably you can remove all System: <something> permissions which have a
replication conflict; ipa-server-upgrade will recreate those entries.
However you must fix the "privilege" entries manually (like CA
Administrator).

Please fix all conflicts before running ipa-server-upgrade, otherwise it
may fail randomly.

Martin
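An added example, not from the thread: a small Python parser for the ldapsearch LDIF output John posted that, per server, lists the nsds5ReplConflict entries, whether the DN each one collided with is still present on that server, and member/memberOf values that point at a cn=...+nsuniqueid=... conflict entry instead of the real one (the privilege references Martin says must be fixed by hand). The server names and the abbreviated sample output are constructed.

```python
import re
CONFLICT_RDN = re.compile(r"\+nsuniqueid=", re.IGNORECASE)  # RDN marker 389-ds gives conflict entries

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts (keys lowercased)."""
    entries, current = [], {}
    # LDIF folds long values onto a following line that starts with one space: unfold first.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"): continue                       # ldapsearch comment lines
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        else:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def conflict_report(outputs):
    """outputs: {server: ldif}. Per server: (conflict DN, reason, original DN present?) and DN refs to conflict entries."""
    report = {}
    for server, text in outputs.items():
        entries = parse_ldif(text)
        present = {e["dn"][0].lower() for e in entries}
        conflicts, stale_refs = [], []
        for e in entries:
            for val in e.get("nsds5replconflict", []):
                reason, _, target = val.partition(" ")  # e.g. "namingConflict <original DN>"
                conflicts.append((e["dn"][0], reason, target.lower() in present))
            for attr in ("member", "memberof"):      # DN-valued attributes worth checking
                stale_refs += [(e["dn"][0], attr, r) for r in e.get(attr, []) if CONFLICT_RDN.search(r)]
        report[server] = {"conflicts": conflicts, "stale_refs": stale_refs}
    return report

BASE = "cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com"
PRIV = "cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com"
SAMPLE = {  # constructed: abbreviated from the thread's server #1 and server #2 output
    "server1": "\n".join([
        "dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b49289",
        " 5f-f9294e47," + BASE,  # folded continuation line, as ldapsearch prints it
        "member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47," + PRIV,
        "nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile," + BASE,
    ]),
    "server2": "\n".join([
        "dn: cn=System: Modify Certificate Profile," + BASE,
        "member: cn=CA Administrator," + PRIV,
        "",
        "dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47," + BASE,
        "nsds5ReplConflict: namingConflict cn=system: modify certificate profile," + BASE,
    ]),
}
```

Note that the conflict attribute's target DN is compared case-insensitively, because server #2 reports it in lower case while the live entry uses mixed case.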