Hi Eric, I am not very familiar with the 389ds migration procedure from BDB to LMDB but in the dse.ldif one can see that the migration has happened and the server should already be using lmdb:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config cn: config modifiersName: cn=server,cn=plugins,cn=config modifyTimestamp: 20250808231416Z *nsslapd-backend-implement: mdb* ... The journal points to an invalid entry starting with cn=usercertificate,cn=index,cn=userroot,cn=l... On a fresh install this entry looks like: dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=con fig cn: userCertificate createTimestamp: 20251219092748Z creatorsName: cn=Directory Manager modifiersName: cn=Directory Manager modifyTimestamp: 20251219092748Z nsIndexType: eq nsIndexType: pres nsSystemIndex: false *objectClass: nsIndex* *objectClass: top* but in your dse.ldif it is missing the nsIndex objectclass: dn: cn=usercertificate,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=c onfig cn: userCertificate createTimestamp: 20200724163749Z creatorsName: cn=Directory Manager modifiersName: cn=Directory Manager modifyTimestamp: 20200724163749Z nsIndexType: eq nsIndexType: pres nsSystemIndex: false *objectClass: top* Try adding the missing objectclass (stop ipa, edit dse.ldif, start ipa with ipactl start) and let us know how it went. flo On Thu, Dec 18, 2025 at 12:48 AM Eric Ashley <[email protected]> wrote: > Hi Florence, > > It exists in the file as "dn: cn=schema > compatibility,cm=plugins,cn=config". Is there a case sensitive test > occurring somewhere? > > I think the errors are occurring on the entries that still include > "cn=ldbm". I think they should be "cn=mdb" now, but I'm not sure. Should I > change them as such? > > I've attached ipaupgrade.log and the journal entries for the failure. > dse.ldif is too large for the list, so it's available here: > https://drive.proton.me/urls/2CMCHCM520#PUqS5gw5wemZ > > Best regards, > Eric > > > Dec 17, 2025, 18:41 by [email protected]: > > > Hi Florence, > > > > It exists in the file as "dn: cn=schema > compatibility,cm=plugins,cn=config". Is there a case sensitive test > occurring somewhere? > > > > I think the errors are occurring on the entries that still include > "cn=ldbm". I think they should be "cn=mdb" now, but I'm not sure. Should I > change them as such? > > > > I've attached dse.ldif, ipaupgrade.log and the journal entries for the > failure. > > > > Best regards, > > Eric > > > > Dec 17, 2025, 04:37 by [email protected]: > > > >> Hi, > >> > >> in the file /etc/dirsrv/slapd-IPA-EXAMPLE-COM/dse.ldif, do you have an > entry with "dn: cn=Schema Compatibility,cn=plugins,cn=config" ? > >> Could you post the content of /var/log/ipaupgrade.log and dse.ldif? > >> > >> flo > >> > >> On Mon, Dec 15, 2025 at 10:16 PM Eric Ashley via FreeIPA-users <>> > [email protected]>> > wrote: > >> > >>> This is a follow-on to the thread titled: "Re: [Freeipa-users] FreeIP > 4.12.5-2-fc42 missing dse.ldif" > >>> > >>> After dsctl was updated to guard against the double close of the bdb > source database, I now get the following error when trying to start IPA. > >>> > >>> ``` > >>> # ipactl start > >>> IPA version error: data needs to be upgraded (expected version > '4.12.5-3.fc43', current version '4.12.5-3.fc42') > >>> Automatically running upgrade, for details see /var/log/ipaupgrade.log > >>> Be patient, this may take a few minutes. > >>> Automatic upgrade failed: DN: cn=Schema > Compatibility,cn=plugins,cn=config does not exists or haven't been updated > >>> Upgrade failed with '' > >>> DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or > haven't been updated > >>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run > command ipa-server-upgrade manually. > >>> ('IPA upgrade failed.', 1) > >>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for > more information > >>> > >>> See the upgrade log for more details and/or run > /usr/sbin/ipa-server-upgrade again > >>> Aborting ipactl > >>> ``` > >>> I had to manually touch empty files in > /var/lib/dirsrv/slapd-IPA-EXAMPLE-COM/ldif/ to get dsctl to complete > correctly(ish): __dblib-changelog.ldif, __dblib-ipaca.ldif and > __dblib-userroot.ldif. Nothing was actually written into any of these file, > but with them extant it did complete without error. > >>> I'm still receiving this error now, with the latest versions of all > F43 updates code: > >>> > >>> ``` > >>> 2025-12-15T20:30:35Z ERROR Upgrade failed with '' > >>> 2025-12-15T20:30:35Z ERROR DN: cn=Schema > Compatibility,cn=plugins,cn=config does not exists or haven't been updated > >>> 2025-12-15T20:30:35Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > >>> ```Of course, the only reference I can see to this error was a fix 7 > years ago. How do I get my IPA back online? > >>> > >>> Best regards, > >>> Eric > >>> -- > >>> _______________________________________________ > >>> FreeIPA-users mailing list -- >>> [email protected] > >>> To unsubscribe send an email to >>> > [email protected] > >>> Fedora Code of Conduct: >>> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>> List Guidelines: >>> > https://fedoraproject.org/wiki/Mailing_list_guidelines > >>> List Archives: >>> > https://lists.fedorahosted.org/archives/list/[email protected] > >>> Do not reply to spam, report it: >>> > https://pagure.io/fedora-infrastructure/new_issue > >>> > > > > > >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
