<div dir="ltr"> Hello everyone :) We are seeing some strange behavior (created groups don't exist) and I really hope someone can lend some advice... We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was aborted before completion, however I believe the schema was updated. Recently we attempted to upgrade to 4.1, but encountered some issues with the upgrade; replication failed : from the install log (before schema update, so server was running 3.3 schema): =======================> Done configuring ipa-otpd. Applying LDAP updates ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure attribute "cn" not allowed =======================< After that we tried updating the schema, and we now get this error (we have log file captures for this): =======================> [24/35]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 131 seconds elapsed Update in progress yet not in progress [<a href="http://vanipa.foo.com">vanipa.foo.com</a>] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral] [error] RuntimeError: Failed to start replication Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ========================< which seems to be referring to this bit of the log: =======================> 2015-04-21T19:18:48Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation run_step(full_msg, method) =======================< Since then we have a somewhat strange issue where new groups that are added using the web interface and ipa CLI command interface are created in the compat tree, but not in the cn=hostgroups,cn=accounts tree, even though ADD operations appear to complete successfully (slapd log output below) =======================> [13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com" [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=<a href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0 [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH base="idnsName=<a href="http://bar.net">bar.net</a>,idnsname=<a href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 tag=101 nentries=0 etime=0 [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH base="idnsName=<a href="http://vanzbx.bar.net">vanzbx.bar.net</a>,idnsname=<a href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 tag=101 nentries=0 etime=0 [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH base="idnsName=net,idnsname=<a href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 tag=101 nentries=0 etime=0 [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH base="idnsName=<a href="http://bar.net">bar.net</a>,idnsname=<a href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 tag=101 nentries=0 etime=0 [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH base="idnsName=<a href="http://vanzbx.bar.net">vanzbx.bar.net</a>,idnsname=<a href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 tag=101 nentries=0 etime=0 [13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000 =======================< Which is consistent with the slapd log during the upgrade: [21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist -- <div class="gmail_signature"><div dir="ltr"> Kind regards, Will Sheldon </div></div> </div>