<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 14/05/15 01:50, Will Sheldon wrote:<br>
</div>
<blockquote
cite="mid:CAEYGU+JbM6FDJ2S9NwdjSFBLJ_og7VBZEknYCfWwD_6wjm2jRg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
Hello everyone :)<br>
<br>
We are seeing some strange behavior (created groups don't exist)
and I really hope someone can lend some advice...<br>
<br>
We installed v 3.0 some time ago, and tried an upgrade to 3.3
which was aborted before completion, however I believe the
schema was updated.<br>
<br>
      Recently we attempted to upgrade to 4.1, but encountered some
      issues with the upgrade; replication failed:<br>
      <br>
      From the install log (before schema update, so server was
      running 3.3 schema):<br>
<br>
=======================><br>
Done configuring ipa-otpd.<br>
Applying LDAP updates<br>
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add
failure attribute "cn" not allowed<br>
=======================<<br>
<br>
<br>
After that we tried updating the schema, and we now get this
error (we have log file captures for this):<br>
<br>
=======================><br>
[24/35]: setting up initial replication<br>
Starting replication, please wait until this has completed.<br>
Update in progress, 131 seconds elapsed<br>
Update in progress yet not in progress<br>
<br>
[<a moz-do-not-send="true" href="http://vanipa.foo.com">vanipa.foo.com</a>]
reports: Update failed! Status: [10 Total update abortedLDAP
error: Referral]<br>
<br>
[error] RuntimeError: Failed to start replication<br>
<br>
Your system may be partly configured.<br>
Run /usr/sbin/ipa-server-install --uninstall to clean up.<br>
========================<<br>
<br>
which seems to be referring to this bit of the log:<br>
=======================><br>
2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation<br>
run_step(full_msg, method)<br>
=======================<<br>
<br>
<br>
Since then we have a somewhat strange issue where new groups
that are added using the web interface and ipa CLI command
interface are created in the compat tree, but not in the
cn=hostgroups,cn=accounts tree, even though ADD operations
appear to complete successfully (slapd log output below)<br>
<br>
=======================><br>
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD
dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"<br>
<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH
base="idnsName=net,idnsname=<a moz-do-not-send="true"
href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT
err=32 tag=101 nentries=0 etime=0<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH
base="idnsName=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,idnsname=<a
moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT
err=32 tag=101 nentries=0 etime=0<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH
base="idnsName=<a moz-do-not-send="true"
href="http://vanzbx.bar.net">vanzbx.bar.net</a>,idnsname=<a
moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT
err=32 tag=101 nentries=0 etime=0<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH
base="idnsName=net,idnsname=<a moz-do-not-send="true"
href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT
err=32 tag=101 nentries=0 etime=0<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH
base="idnsName=<a moz-do-not-send="true" href="http://bar.net">bar.net</a>,idnsname=<a
moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT
err=32 tag=101 nentries=0 etime=0<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH
base="idnsName=<a moz-do-not-send="true"
href="http://vanzbx.bar.net">vanzbx.bar.net</a>,idnsname=<a
moz-do-not-send="true" href="http://bar.net">bar.net</a>,cn=dns,dc=foo,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL<br>
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT
err=32 tag=101 nentries=0 etime=0<br>
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0
tag=105 nentries=0 etime=0 csn=5553e3f8000100040000<br>
=======================<<br>
<br>
<br>
Which is consistent with the slapd log during the upgrade:<br>
<br>
[21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target
cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist<br
clear="all">
<br>
-- <br>
<div class="gmail_signature">
<div dir="ltr"><br>
Kind regards,<br>
<br>
Will Sheldon<br>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
Hello,<br>
<br>
Can you find more details about this error in ipaserver-install.log?<br>
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
attribute "cn" not allowed<br>
<br>
Martin<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
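<p>An added example, not part of the original thread or of FreeIPA/389-ds code: the slapd access log quoted above interleaves lines from several connections, so this sketch pairs each ADD with its own RESULT by (conn, op) and lists the DNs the server acknowledged with err=0, which are the entries to look up afterwards in the real tree. The sample lines are taken from the quoted log and joined onto single lines, plus one constructed ADD that has no RESULT; the function names are hypothetical.</p>

```python
import re

# Lines 1-4 come from the access log quoted in the thread (joined onto
# single lines); the last line is constructed to show an unanswered ADD.
SAMPLE_LOG = """\
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000
[13/May/2015:23:14:02 +0000] conn=7120402 op=5 ADD dn="cn=p-test-101,cn=hostgroups,cn=accounts,dc=foo,dc=com"
"""

# [timestamp] conn=N op=N VERB rest-of-line
LINE_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) ([A-Z]+)\s*(.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(-?\d+)')
CSN_RE = re.compile(r'\bcsn=([0-9a-f]+)')


def pair_adds(log_text):
    """Return one record per ADD line; err stays None if no RESULT was seen."""
    pending = {}   # (conn, op) -> record still waiting for its RESULT
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, conn, op, verb, rest = m.groups()
        key = (conn, op)
        if verb == "ADD":
            dn = DN_RE.search(rest)
            rec = {"ts": ts, "conn": conn, "op": op,
                   "dn": dn.group(1) if dn else None, "err": None, "csn": None}
            pending[key] = rec
            records.append(rec)
        elif verb == "RESULT" and key in pending:
            rec = pending.pop(key)
            err = ERR_RE.search(rest)
            csn = CSN_RE.search(rest)
            rec["err"] = int(err.group(1)) if err else None
            rec["csn"] = csn.group(1) if csn else None
    return records


def acknowledged_dns(log_text):
    """DNs whose ADD got RESULT err=0: the entries to verify in the directory."""
    return [r["dn"] for r in pair_adds(log_text) if r["err"] == 0]


if __name__ == "__main__":
    for r in pair_adds(SAMPLE_LOG):
        print(r["ts"], r["dn"], "err=%s" % r["err"], "csn=%s" % r["csn"])
```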
</body>
</html>