Hi

Thanks for the feedback.

It seems the attributeType was already there. Nevertheless I tried your suggested fix but it did not help. ipa config-show and likewise the UI do not show SELinux related settings.

Regards
John

On Tue, May 7, 2013 at 11:51 PM, Rob Crittenden <[email protected]> wrote:

> John Blaut wrote:
>
>> Hi
>>
>> We found out recently that an IPA server which we upgraded some time ago
>> from EL6.2/IPA 2.1 to EL6.3/IPA 2.2, reported the following errors:
>>
>> ERROR Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed
>> ERROR Upgrade failed with attribute "idnsAllowQuery" not allowed
>>
>> The latter error we resolved by applying the patch found @
>> https://fedorahosted.org/freeipa/ticket/2440 (in fact we used this fix
>> on another server in the past).
>>
>> Unfortunately we do not have a solution for the first error (related to
>> ipaSELinuxUserMapOrder). Any ideas?
>>
>> We do have plans to upgrade the mentioned server to EL 6.4 / IPA 3.0,
>> but I doubt this would be safe to do before we resolve the above error
>> first.
>>
>
> Updating might be fine, but it shouldn't be too hard to fix first.
>
> I'd start by getting the current schema:
>
> ldapsearch -x -b cn=schema objectclasses attributetypes > /path/to/some/file
>
> See if ipaSELinuxUserMapOrder is defined as an attributeType.
>
> It looks like there is an error in the update file that adds this
> attribute, so it may not be there. Look in
> /usr/share/ipa/updates/10-selinuxusermap.update
> and you'll see this line duplicated:
>
> X-ORIGIN 'IPA v3')
>
> If so, I'd try to remove the extra line and run:
>
> ipa-ldap-updater /usr/share/ipa/updates/10-selinuxusermap.update
>
> That should fix it.
>
> rob
>
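An added example, not part of the original thread and not FreeIPA code: a check of the schema dump produced by the ldapsearch command above that reports whether the attributeType is defined and which objectClasses list it under MUST or MAY, since an "Object class violation ... not allowed" error concerns the latter. The sample LDIF is constructed, and its OIDs, `exampleConfig` and `exampleAttr*` names are placeholders.

```python
import base64
import re

# Constructed sample of the file written by the ldapsearch command in the
# thread. OIDs, exampleConfig and exampleAttr* are placeholders.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.1.1 NAME 'ipaSELinuxUserMapOrder' DESC 'constructed sam
 ple' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
objectClasses: ( 1.1.2 NAME 'exampleConfig' AUXILIARY MAY ( exampleAttrOne $ exam
 pleAttrTwo ) X-ORIGIN 'constructed' )
"""

def schema_values(ldif, kind):
    """Definitions stored under attributeTypes or objectClasses."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF folds long lines with "\n "
    out = []
    for line in unfolded.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != kind.lower():
            continue
        if value.startswith(":"):  # "attr:: ..." means a base64 value
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        out.append(value.strip())
    return out

def names(defn):
    """Names from NAME 'x' or NAME ( 'x' 'y' )."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", defn)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))

def allowed(defn, keyword):
    """Attributes an objectClass lists under MUST or MAY."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w;.-]+))" % keyword, defn)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in body.split("$") if a.strip()]

def check_attribute(ldif, attr):
    """Return (attributeType defined?, objectClasses that permit attr)."""
    want = attr.lower()
    defined = any(want in [n.lower() for n in names(d)]
                  for d in schema_values(ldif, "attributeTypes"))
    classes = [n for d in schema_values(ldif, "objectClasses")
               if want in [a.lower() for k in ("MUST", "MAY") for a in allowed(d, k)]
               for n in names(d)]
    return defined, classes

if __name__ == "__main__":
    print(check_attribute(SAMPLE_LDIF, "ipaSELinuxUserMapOrder"))
```

To run it against a real dump, pass the contents of the file written by the ldapsearch redirect to `check_attribute` in place of `SAMPLE_LDIF`.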
