Hi Eric, to debug further, you can force start the IPA services: ipactl start --ignore-service-failures --skip-version-check
Then check what happens with the call topologysuffix_find: kinit admin ipa topologysuffix-find You may get more details with the command. flo On Mon, Dec 22, 2025 at 11:46 AM Florence Blanc-Renaud <[email protected]> wrote: > > > On Fri, Dec 19, 2025 at 9:43 PM Eric Ashley <[email protected]> wrote: > >> Hi Florence, >> >> There's still something amiss in dse.ldif. The errors look like something >> related to replication topology, which I don't have. The reported runtime >> error is still literally ''. >> >> I've attached the new ipaupgrade.log and journal entries. >> >> I'm guessing that over all the years I've been upgrading this server, >> some entry is not present that should be or is missing some property value. >> Best regards, >> Eric >> Dec 19, 2025, 04:42 by [email protected]: >> >> > Hi Eric, >> > >> > I am not very familiar with the 389ds migration procedure from BDB to >> LMDB but in the dse.ldif one can see that the migration has happened and >> the server should already be using lmdb: >> > >> > dn: cn=config,cn=ldbm database,cn=plugins,cn=config >> > cn: config >> > modifiersName: cn=server,cn=plugins,cn=config >> > modifyTimestamp: 20250808231416Z >> > nsslapd-backend-implement: mdb >> > ... >> > >> > The journal points to an invalid entry starting >> with cn=usercertificate,cn=index,cn=userroot,cn=l... >> > On a fresh install this entry looks like: >> > dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm >> database,cn=plugins,cn=con >> > fig >> > cn: userCertificate >> > createTimestamp: 20251219092748Z >> > creatorsName: cn=Directory Manager >> > modifiersName: cn=Directory Manager >> > modifyTimestamp: 20251219092748Z >> > nsIndexType: eq >> > nsIndexType: pres >> > nsSystemIndex: false >> > objectClass: nsIndex >> > objectClass: top >> > but in your dse.ldif it is missing the nsIndex objectclass: >> > dn: cn=usercertificate,cn=index,cn=userroot,cn=ldbm >> database,cn=plugins,cn=c >> > onfig >> > cn: userCertificate >> > createTimestamp: 20200724163749Z >> > creatorsName: cn=Directory Manager >> > modifiersName: cn=Directory Manager >> > modifyTimestamp: 20200724163749Z >> > nsIndexType: eq >> > nsIndexType: pres >> > nsSystemIndex: false >> > objectClass: top >> > >> > Try adding the missing objectclass (stop ipa, edit dse.ldif, start ipa >> with ipactl start) and let us know how it went. >> > flo >> > >> > On Thu, Dec 18, 2025 at 12:48 AM Eric Ashley <> [email protected]> > >> wrote: >> > >> >> Hi Florence, >> >> >> >> It exists in the file as "dn: cn=schema >> compatibility,cm=plugins,cn=config". Is there a case sensitive test >> occurring somewhere? >> >> >> >> I think the errors are occurring on the entries that still include >> "cn=ldbm". I think they should be "cn=mdb" now, but I'm not sure. Should I >> change them as such? >> >> >> >> I've attached ipaupgrade.log and the journal entries for the failure. >> dse.ldif is too large for the list, so it's available here: >> >> https://drive.proton.me/urls/2CMCHCM520#PUqS5gw5wemZ >> >> >> >> Best regards, >> >> Eric >> >> >> >> >> >> Dec 17, 2025, 18:41 by >> [email protected]>> : >> >> >> >> > Hi Florence, >> >> > >> >> > It exists in the file as "dn: cn=schema >> compatibility,cm=plugins,cn=config". Is there a case sensitive test >> occurring somewhere? >> >> > >> >> > I think the errors are occurring on the entries that still include >> "cn=ldbm". I think they should be "cn=mdb" now, but I'm not sure. Should I >> change them as such? >> >> > >> >> > I've attached dse.ldif, ipaupgrade.log and the journal entries for >> the failure. >> >> > >> >> > Best regards, >> >> > Eric >> >> > >> >> > Dec 17, 2025, 04:37 by >> [email protected]>> : >> >> > >> >> >> Hi, >> >> >> >> >> >> in the file /etc/dirsrv/slapd-IPA-EXAMPLE-COM/dse.ldif, do you >> have an entry with "dn: cn=Schema Compatibility,cn=plugins,cn=config" ? >> >> >> Could you post the content of /var/log/ipaupgrade.log and dse.ldif? >> >> >> >> >> >> flo >> >> >> >> >> >> On Mon, Dec 15, 2025 at 10:16 PM Eric Ashley via FreeIPA-users <>> >> >> [email protected]>> >> > wrote: >> >> >> >> >> >>> This is a follow-on to the thread titled: "Re: [Freeipa-users] >> FreeIP 4.12.5-2-fc42 missing dse.ldif" >> >> >>> >> >> >>> After dsctl was updated to guard against the double close of the >> bdb source database, I now get the following error when trying to start IPA. >> >> >>> >> >> >>> ``` >> >> >>> # ipactl start >> >> >>> IPA version error: data needs to be upgraded (expected version >> '4.12.5-3.fc43', current version '4.12.5-3.fc42') >> >> >>> Automatically running upgrade, for details see >> /var/log/ipaupgrade.log >> >> >>> Be patient, this may take a few minutes. >> >> >>> Automatic upgrade failed: DN: cn=Schema >> Compatibility,cn=plugins,cn=config does not exists or haven't been updated >> >> >>> Upgrade failed with '' >> >> >>> DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists >> or haven't been updated >> >> >>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and >> run command ipa-server-upgrade manually. >> >> >>> ('IPA upgrade failed.', 1) >> >> >>> The ipa-server-upgrade command failed. See >> /var/log/ipaupgrade.log for more information >> >> >>> >> >> >>> See the upgrade log for more details and/or run >> /usr/sbin/ipa-server-upgrade again >> >> >>> Aborting ipactl >> >> >>> ``` >> >> >>> I had to manually touch empty files in >> /var/lib/dirsrv/slapd-IPA-EXAMPLE-COM/ldif/ to get dsctl to complete >> correctly(ish): __dblib-changelog.ldif, __dblib-ipaca.ldif and >> __dblib-userroot.ldif. Nothing was actually written into any of these file, >> but with them extant it did complete without error. >> >> >>> I'm still receiving this error now, with the latest versions of >> all F43 updates code: >> >> >>> >> >> >>> ``` >> >> >>> 2025-12-15T20:30:35Z ERROR Upgrade failed with '' >> >> >>> 2025-12-15T20:30:35Z ERROR DN: cn=Schema >> Compatibility,cn=plugins,cn=config does not exists or haven't been updated >> >> >>> 2025-12-15T20:30:35Z ERROR IPA server upgrade failed: Inspect >> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >> >> >>> ```Of course, the only reference I can see to this error was a >> fix 7 years ago. How do I get my IPA back online? >> >> >>> >> >> >>> Best regards, >> >> >>> Eric >> >> >>> -- >> >> >>> _______________________________________________ >> >> >>> FreeIPA-users mailing list -- >>> >> >> [email protected] >> >> >>> To unsubscribe send an email to >>> >> >> [email protected] >> >> >>> Fedora Code of Conduct: >>> >> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> >> >>> List Guidelines: >>> >> >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> >> >>> List Archives: >>> >> >> https://lists.fedorahosted.org/archives/list/[email protected] >> >> >>> Do not reply to spam, report it: >>> >> >> https://pagure.io/fedora-infrastructure/new_issue >> >> >>> >> >> > >> >> > >> >> >> >>
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
