John Blaut wrote:
Hi

Thanks for the feedback.

It seems the attributeType was already there. Nevertheless I tried your
suggested fix but I did not help.

ipa config-show and likewise the UI does not show SELinux related settings.

Ok, can you send me the output of:

ipa-ldap-updater -d /usr/share/ipa/updates/10-selinuxusermap.update

It is going to be long and ugly.

rob

>

Regards

John


On Tue, May 7, 2013 at 11:51 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

    John Blaut wrote:

        Hi

        We found out recently that an IPA server which we upgraded some
        time ago
        from EL6.2/IPA 2.1 to EL6.3/IPA 2.2, reported the following errors:

        ERROR Update failed: Object class violation: attribute
        "ipaSELinuxUserMapOrder" not allowed
        ERROR Upgrade failed with attribute "idnsAllowQuery" not allowed

        The latter error we resolved by applying the patch found @
        https://fedorahosted.org/__freeipa/ticket/2440
        <https://fedorahosted.org/freeipa/ticket/2440> (in fact we used
        this fix
        on another server in the past).

        Unfortunately we do not have a solution for the first error
        (related to
        ipaSELinuxUserMapOrder). Any ideas?

        We do have plans to upgrade the mentioned server to EL 6.4 / IPA
        3.0,
        but I doubt this would be safe to do before we resolve the above
        error
        first.


    Updating might be fine, but it shouldn't be too hard to fix first.

    I'd start by getting the current schema:

    ldapsearch -x -b cn=schema objectclasses attributetypes >
    /path/to/some/file

    See if ipaSELinuxUserMapOrder is defined as an attributeType.

    It looks like there is an error in the update file that adds this
    attribute, so it may not be there. Look in
    /usr/share/ipa/updates/10-__selinuxusermap.update and you'll see
    this line duplicated:

          X-ORIGIN 'IPA v3')

    If so, I'd try to remove the extra line and run:

    ipa-ldap-updater /usr/share/ipa/updates/10-__selinuxusermap.update

    That should fix it.

    rob



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to