John Blaut wrote:
Hi
Thanks for the feedback.
It seems the attributeType was already there. Nevertheless I tried your
suggested fix but I did not help.
ipa config-show and likewise the UI does not show SELinux related settings.
Ok, can you send me the output of:
ipa-ldap-updater -d /usr/share/ipa/updates/10-selinuxusermap.update
It is going to be long and ugly.
rob
>
Regards
John
On Tue, May 7, 2013 at 11:51 PM, Rob Crittenden <[email protected]
<mailto:[email protected]>> wrote:
John Blaut wrote:
Hi
We found out recently that an IPA server which we upgraded some
time ago
from EL6.2/IPA 2.1 to EL6.3/IPA 2.2, reported the following errors:
ERROR Update failed: Object class violation: attribute
"ipaSELinuxUserMapOrder" not allowed
ERROR Upgrade failed with attribute "idnsAllowQuery" not allowed
The latter error we resolved by applying the patch found @
https://fedorahosted.org/__freeipa/ticket/2440
<https://fedorahosted.org/freeipa/ticket/2440> (in fact we used
this fix
on another server in the past).
Unfortunately we do not have a solution for the first error
(related to
ipaSELinuxUserMapOrder). Any ideas?
We do have plans to upgrade the mentioned server to EL 6.4 / IPA
3.0,
but I doubt this would be safe to do before we resolve the above
error
first.
Updating might be fine, but it shouldn't be too hard to fix first.
I'd start by getting the current schema:
ldapsearch -x -b cn=schema objectclasses attributetypes >
/path/to/some/file
See if ipaSELinuxUserMapOrder is defined as an attributeType.
It looks like there is an error in the update file that adds this
attribute, so it may not be there. Look in
/usr/share/ipa/updates/10-__selinuxusermap.update and you'll see
this line duplicated:
X-ORIGIN 'IPA v3')
If so, I'd try to remove the extra line and run:
ipa-ldap-updater /usr/share/ipa/updates/10-__selinuxusermap.update
That should fix it.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
