Index task needs to be run for both index updates and new indexes,
otherwise some current values may not be indexed and could cause
issues when searching LDAP (like fqdn did).

https://fedorahosted.org/freeipa/ticket/3253

---

This patch should be the only patch in the upcoming FreeIPA 2.2.2 bug fix
release (unless we want to backport more patches to the 2.2 line). It should fix a
severe issue when SSSD was no longer able to authenticate users against the
updated 2.2.1 FreeIPA server.

I specifically updated all index updates (even when the index definition is
already in LDAP) to make sure we fix any index where the upgrade failed
previously due to this bug. FreeIPA 3.0+ packages already contain a patch
(2ecfe571faf9291eab7ffacea2a1e94d5be0d689) to run the index task for really
new/updated indexes only, but I would not backport that patch due to the messed
fqdn index in 2.2.1.

After the patch, 2.2.0 (2.2.1) -> 2.2.2 upgrade procedure should create all
required indexes, including fqdn index:

# rpm -Uvh --force ~/freeipa-2-2-0/dist/rpms/freeipa-*
Preparing...                ########################################### [100%]
   1:freeipa-python         ########################################### [ 17%]
   2:freeipa-client         ########################################### [ 33%]
   3:freeipa-admintools     ########################################### [ 50%]
   4:freeipa-server         ########################################### [ 67%]
ipa: INFO: /usr/share/ipa/html/krb.js exists, skipping install of Firefox extension
   5:freeipa-server-selinux ########################################### [ 83%]
   6:freeipa-debuginfo      ########################################### [100%]

# grep "Creating task to index" /var/log/ipaupgrade.log
2012-11-13T16:06:35Z INFO Creating task to index attribute: memberuid
2012-11-13T16:06:41Z INFO Creating task to index attribute: memberOf
2012-11-13T16:06:47Z INFO Creating task to index attribute: memberHost
2012-11-13T16:06:53Z INFO Creating task to index attribute: memberUser
2012-11-13T16:06:59Z INFO Creating task to index attribute: fqdn    <<<<<<
2012-11-13T16:07:05Z INFO Creating task to index attribute: ntUniqueId
2012-11-13T16:07:11Z INFO Creating task to index attribute: ntUserDomainId

Martin
From 5781483a30a87a52cb4f9e98ca95708f8d3f14c3 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 13 Nov 2012 17:14:13 +0100
Subject: [PATCH] Run index task for new indexes

Index task needs to be run for both index updates and new indexes,
otherwise some current values may not be indexed and could cause
issues when searching LDAP (like fqdn did).

https://fedorahosted.org/freeipa/ticket/3253
---
 ipaserver/install/ldapupdate.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 90b3691a8595f952f9064d5cccb2523bd08426be..036a5e108718a754ec5cbfa2164976aac3880e94 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -678,13 +678,16 @@ class LDAPUpdate:
                 root_logger.error("Update failed: %s", e)
                 updated = False
 
-            if ("cn=index" in entry.dn and
-                "cn=userRoot" in entry.dn):
-                taskid = self.create_index_task(entry.cn)
-                self.monitor_index_task(taskid)
-
             if updated:
                 self.modified = True
+
+        # Always run the index task for both new and updated indexes
+        # See https://fedorahosted.org/freeipa/ticket/3253 for related issue
+        if entry.dn.endswith('cn=index,cn=userRoot,cn=ldbm database,'
+                             'cn=plugins,cn=config'):
+            taskid = self.create_index_task(entry.cn)
+            self.monitor_index_task(taskid)
+
         return
 
     def __delete_record(self, updates):
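Review bot: The relocated check at the end of the hunk, `entry.dn.endswith('cn=index,cn=userRoot,cn=ldbm database,' 'cn=plugins,cn=config')`, is an exact string match, so it would also match the `cn=index` container entry itself (where `entry.cn` is not an attribute name) and would miss a DN written with different case or with spaces after the commas. Consider comparing a normalized DN and requiring at least one RDN in front of the suffix. The check also sits outside the `if updated:` test, so the task is created even after the `Update failed` branch has set `updated = False`; if that is intended, so that indexes left unbuilt by an earlier upgrade get repaired, the comment above the check should say so explicitly.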
-- 
1.7.11.7
