Thanks for the feedback.

It seems the attributeType was already there. Nevertheless I tried your
suggested fix but it did not help.

ipa config-show and likewise the UI does not show SELinux related settings.



On Tue, May 7, 2013 at 11:51 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> John Blaut wrote:
>> Hi
>> We found out recently that an IPA server which we upgraded some time ago
>> from EL6.2/IPA 2.1 to EL6.3/IPA 2.2, reported the following errors:
>> ERROR Update failed: Object class violation: attribute
>> "ipaSELinuxUserMapOrder" not allowed
>> ERROR Upgrade failed with attribute "idnsAllowQuery" not allowed
>> The latter error we resolved by applying the patch found @
>> https://fedorahosted.org/freeipa/ticket/2440 (in fact we used this fix
>> on another server in the past).
>> Unfortunately we do not have a solution for the first error (related to
>> ipaSELinuxUserMapOrder). Any ideas?
>> We do have plans to upgrade the mentioned server to EL 6.4 / IPA 3.0,
>> but I doubt this would be safe to do before we resolve the above error
>> first.
> Updating might be fine, but it shouldn't be too hard to fix first.
> I'd start by getting the current schema:
> ldapsearch -x -b cn=schema objectclasses attributetypes > /path/to/some/file
> See if ipaSELinuxUserMapOrder is defined as an attributeType.
> It looks like there is an error in the update file that adds this
> attribute, so it may not be there. Look in 
> /usr/share/ipa/updates/10-selinuxusermap.update
> and you'll see this line duplicated:
>      X-ORIGIN 'IPA v3')
> If so, I'd try to remove the extra line and run:
> ipa-ldap-updater /usr/share/ipa/updates/10-selinuxusermap.update
> That should fix it.
> rob
Freeipa-users mailing list
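
Added example, not part of the original thread and not FreeIPA code: a Python sketch of the schema check discussed above, run over a saved schema dump. It goes one step further than the thread by also listing which objectClasses permit the attribute, since an attributeType can be defined and still be "not allowed" on an entry. The sample schema and update text, the placeholder OIDs, and all function names are constructed for illustration.

```python
import re

# Constructed sample of a saved `ldapsearch -x -b cn=schema ...` dump.
# OIDs and the object class are placeholders, not IPA's real schema.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 9.9.9.1 NAME 'ipaSELinuxUserMapOrder' DESC 'constructed'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
objectClasses: ( 9.9.9.2 NAME 'exampleConfig' SUP top AUXILIARY MAY ( cn $ des
 cription ) X-ORIGIN 'constructed' )
"""
# Constructed update-file fragment containing the duplicated line.
SAMPLE_UPDATE = """\
add:attributeTypes: ( 9.9.9.1 NAME 'ipaSELinuxUserMapOrder'
     X-ORIGIN 'IPA v3')
     X-ORIGIN 'IPA v3')
"""

def unfold(ldif):
    # LDIF folds long values: a newline followed by one space continues the line.
    return re.sub(r"\r?\n ", "", ldif)

def schema_values(ldif, kind):
    # Definitions of one kind: 'attributeTypes' or 'objectClasses'.
    prefix = kind.lower() + ":"
    return [l.split(":", 1)[1].strip() for l in unfold(ldif).splitlines()
            if l.lower().startswith(prefix)]

def names(definition):
    # NAME 'a' or NAME ( 'a' 'b' ); schema names compare case-insensitively.
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", definition)
    return [n.lower() for n in re.findall(r"[^'\s]+", m.group(1) or m.group(2))] if m else []

def is_attribute_defined(ldif, attr):
    return any(attr.lower() in names(d) for d in schema_values(ldif, "attributeTypes"))

def classes_allowing(ldif, attr):
    # objectClasses that list attr under MUST or MAY.
    found = []
    for d in schema_values(ldif, "objectClasses"):
        for m in re.finditer(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([^\s()]+))", d):
            allowed = {a.strip().lower() for a in (m.group(1) or m.group(2)).split("$")}
            if attr.lower() in allowed and names(d)[0] not in found:
                found.append(names(d)[0])
    return found

def repeated_lines(update_text):
    # 1-based numbers of non-empty lines identical to the line before them.
    lines = [l.strip() for l in update_text.splitlines()]
    return [i + 1 for i in range(1, len(lines)) if lines[i] and lines[i] == lines[i - 1]]
```

In the constructed sample the attribute is defined but no objectClass lists it, which is the condition under which a directory server rejects a write with an object class violation.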