This fixes an issue with the remove statement, which causes an LDAP error when the updater is trying to remove a value from a nonexistent entry.

Reproducer: apply my patch mbasti-0256, install the IPA server without the DNS subsystem.

Patch attached.

Martin Basti

From 0b23dd82c194809dfae0d541172751d6e4999143 Mon Sep 17 00:00:00 2001
From: Martin Basti <>
Date: Mon, 25 May 2015 14:57:04 +0200
Subject: [PATCH] Server Upgrade: fix remove statement

If value does not exist then do not update entry. Otherwise, together with
nonexistent entry, the LDAP decode error will be raised.
 ipaserver/install/ | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ b/ipaserver/install/
index 2f5bcc748eb546b4dad7e1aeeb7a2882a40d8d35..5fca37695f1da76b76f7c545fe8d1a5dccab90cb 100644
--- a/ipaserver/install/
+++ b/ipaserver/install/
@@ -648,9 +648,10 @@ class LDAPUpdate:
                 except ValueError:
                     self.warning("remove: '%s' not in %s", update_value, attr)
-                    pass
-                entry[attr] = entry_values
-                self.debug('remove: updated value %s', safe_output(attr, entry_values))
+                else:
+                    entry[attr] = entry_values
+                    self.debug('remove: updated value %s', safe_output(
+                        attr, entry_values))
             elif action == 'add':
                 self.debug("add: '%s' to %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr, entry_values))
                 # Remove it, ignoring errors so we can blindly add it later
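
Review bot: The `except ValueError:` branch still logs at `self.warning("remove: '%s' not in %s", update_value, attr)`, although with the new `else:` a missing value is now a handled no-op rather than a problem. If this path is expected on ordinary installs (the reproducer is a server without the DNS subsystem), consider lowering it to `self.debug` so upgrade logs are not filled with warnings that need no action. The reason for skipping the assignment (writing the unchanged `entry_values` back to a nonexistent entry leads to the LDAP decode error named in the commit message) is not visible in the code; a one-line comment above `else:` would keep a later cleanup from moving `entry[attr] = entry_values` back out. Style: the wrapped call breaks right after `safe_output(`; breaking after the format string, with `safe_output(attr, entry_values)` on its own continuation line, reads better. A regression test that runs a `remove` update against an entry that does not exist would cover this case.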
