On 02/26/2013 01:05 PM, Martin Kosek wrote: > On 02/26/2013 06:10 PM, Erinn Looney-Triggs wrote: >> On 02/26/2013 12:08 PM, Martin Kosek wrote: >>> On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: >>>> On 02/26/2013 10:29 AM, Dmitri Pal wrote: >>>>> On 02/21/2013 12:31 PM, Dmitri Pal wrote: >>>>>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: >>>>>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote: >>>>>>>> Erinn Looney-Triggs wrote: >>>>>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote: >>>>>>>>>> Erinn Looney-Triggs wrote: >>>>>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote: >>>>>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME >>>>>>>>>>>> 'ipaExternalMember' DESC 'External Group Member >>>>>>>>>>>> Identifier' EQUALITY caseIgnoreMatch ORDERING >>>>>>>>>>>> caseIgnoreOrderingMatch SYNTAX >>>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) >>>>>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME >>>>>>>>>>>> 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( >>>>>>>>>>>> ipaExternalMember $$ memberOf $$ description $$ owner) >>>>>>>>>>>> X-ORIGIN 'IPA v3' ) >>>>>>>>>>> Well that fails as well, though in sort of a self inflicted >>>>>>>>>>> way: >>>>>>>>>>> >>>>>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command >>>>>>>>>>> failed, exception: DatabaseError: Server is unwilling to >>>>>>>>>>> perform: Minimum SSF not met. arguments: >>>>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config", >>>>>>>>>>> scope=0, filterstr="(objectclass=*)" 2013-02-21T16:24:30Z >>>>>>>>>>> ERROR Unexpected error - see /var/log/ipaupgrade.log for >>>>>>>>>>> details: DatabaseError: Server is unwilling to perform: >>>>>>>>>>> Minimum SSF not met. arguments: base="cn=config,cn=ldbm >>>>>>>>>>> database,cn=plugins,cn=config", scope=0, >>>>>>>>>>> filterstr="(objectclass=*)" >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Now this probably comes about because I set: nsslapd-minssf: >>>>>>>>>>> 56 For security. >>>>>>>>>>> >>>>>>>>>>> I can cange that back to the default and probably move past >>>>>>>>>>> this, but is that a known issue? Is there another way >>>>>>>>>>> around? >>>>>>>>>> As root try the --ldapi flag: >>>>>>>>>> >>>>>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update >>>>>>>>>> >>>>>>>>>> rob >>>>>>>>>> >>>>>>>>> ERROR: LDAPUpdate: syntax error: dn is not defined in the >>>>>>>>> update, data source=schema.update >>>>>>>>> >>>>>>>>> -Erinn >>>>>>>>> >>>>>>>> Sorry, add this to the top of your update file: >>>>>>>> >>>>>>>> dn: cn=schema >>>>>>>> >>>>>>>> rob >>>>>>> No worries! Thanks for the help, after a restart of IPA the web UI >>>>>>> is working again. I reckon this is something that needs to be fixed, >>>>>>> does opening a support case and pointing them to that bug help you >>>>>>> folks out with this in any way? >>>>>> >>>>>> This is a know defect. We just did not realize it would have such a >>>>>> bad impact on upgrade. Sorry, the errata is on the way. >>>>>> >>>>>> I would recommend everyone to not upgrade to 6.4 until the errata is >>>>>> shipped. We will notify you as soon as it goes out. >>>>>> >>>>>> Sorry again. >>>>>> >>>>> >>>>> We did some research of this issue: 1) The upgrade works fine from 6.3 >>>>> to 6.4 and the issue does not exhibit itself 2) We have been able to >>>>> reproduce it with the direct upgrade from 6.2 to 6.4 3) Since the >>>>> expected upgrade part is 6.2 -> 6.3 -> 6.4 the question comes up >>>>> whether >>>>> this fix is actually that urgent. 4) In the presence of the simple >>>>> workaround we feel that it is not that important to include this fix >>>>> into the errata that we are working on. >>>>> >>>>> Please let us know if you think that there is a problem with the plan >>>>> above. >>>>> >>>>> >>>> >>>> Well all I can tell you on this, is that mine was an upgrade from >>>> 6.3 to >>>> 6.4, so there is a case where it will fail going from 6.3 to 6.4, >>>> but how >>>> applicable it is I can't say. >>> >>> Hi Erinn, >>> >>> Is 6.3 the original RHEL version where IPA server was installed? Or >>> was IPA >>> installed on RHEL-6.2 and then you upgraded RHEL to 6.3? >>> >>> Thank you, >>> Martin >>> >> >> These systems have gone through all the point releases from 6 on up I >> believe. >> >> -Erinn >> > > Ok, then this use case is also covered by the upcoming 6.4 fix. I just > wanted to check that. > > Thanks, > Martin
Sounds good, and thanks for fixing that. -Erinn
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users