Jimmy wrote:
Since I needed to make sure I could recover from this if it ever
happened again I went back to an old copy of the VM I'm going through
everything I did on the original. To begin with, it does have the same
issue, the cert won't renew. So I attempted to db2ldif and ldif2db all
of the db's ***WITHOUT*** upgrading FreeIPA, and that didn't work.
Different error than before when running , but I don't have it in
front of me now, so I can't report it. One thing I did notice is that
the exported ldif did not have the extra entries that prevented the
ldif from importing right away last time.

So I rolled back to the original database again, ran the freeipa
upgrade from yum, and then exported the db's and now these entries
show in the db that weren't there before:


Any idea why the upgrade did this? The ldif2db fails with this error
as long as those 2 entries are in the ldif:

[21/Mar/2012:00:59:14 +0000] entryrdn-index - _entryrdn_insert_key:
Same DN (dn: ou=profile,dc=abc,dc=xyz) is already in the entryrdn file
with different ID 146.  Expected ID is 311.
[21/Mar/2012:00:59:14 +0000] - import userRoot: Duplicated DN
detected: "ou=profile,dc=abc,dc=xyz": Entry ID: (311)

Sorry for bringing this back up, but it seems odd that the upgrade
duplicates this entry.

Perhaps the database is already corrupted?

The entries are added by the upgrade process only if they can't already be found in the database. It does an ldapsearch against the dn and adds if it isn't already there. The fact that 389-ds allows the add indicates that it doesn't think the entry is there.



On Tue, Mar 20, 2012 at 5:22 PM, Jimmy<g17ji...@gmail.com>  wrote:
Cool thanks for the awesome help, y'all.

On Tue, Mar 20, 2012 at 5:20 PM, Rob Crittenden<rcrit...@redhat.com>  wrote:
Jimmy wrote:

I restarted certmonger and it seems to be working. Is there some way
to change the renewal interval so we can simulate this in the lab? I'd
like to see it go through a number of renewals to make sure we don't
keep having this problem.

Glad you are up and running again. You can control the interval by tuning
knobs in certmonger.conf(5). You want to modify ttls.


Freeipa-users mailing list

Reply via email to