On 12/19/2013 03:17 PM, Joe Mou wrote:
On Thu, Dec 19, 2013 at 10:01 AM, Rich Megginson <rmegg...@redhat.com> wrote:
On 12/19/2013 09:19 AM, Joe Mou wrote:
Here are the results of that command:
$ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'
Enter LDAP Password:
dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
cn: Password Policy
cosspecifier: memberOf
cosAttribute: krbPwdPolicyReference override
costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
description: Password Policy based on group membership
Ok. Looks like IPA uses CoS for password policy based on group
membership using the memberof attribute in each user's entry.
I think we can temporarily disable this.
First, save the above entry to a file e.g. pwpolicycos.ldif
Next, ipactl restart
Just after the directory server is restarted, delete this entry:
ldapdelete -x -D "cn=directory manager" -W "cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com"
Once everything is working again, add back the entry:
ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif
Thanks Rich, that partially worked. The replica gets unstuck and is
able to service requests. But it looks like mutations are still not
working completely correctly. For example if I do a `ipa user-add
joe-test --first=joe --last=test` then that command hangs. At this
point the directory server gets wedged, apparently similarly to
before. However this time restarting the directory server unsticks it.
Only certain operations seem to break, as updating a user's job title
works fine. Backtraces are available:
http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt
Please open a ticket at https://fedorahosted.org/389/newticket - you can
attach stack traces to the ticket
Joe
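
Added example, not part of the original thread or of FreeIPA/389 DS code: while the CoS definition is deleted, group-based password policy is not applied, so it is worth confirming that the re-added entry matches the saved pwpolicycos.ldif. The function names and the folded sample line are assumptions made for illustration; the sample entry is constructed from the ldapsearch output quoted in the thread.

```python
import base64
# Constructed sample: the thread's entry as saved in pwpolicycos.ldif,
# with one LDIF-folded line (continuation lines start with a single space).
BACKUP_LDIF = """\
dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
cn: Password Policy
cosspecifier: memberOf
cosAttribute: krbPwdPolicyReference override
costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,
 dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
description: Password Policy based on group membership
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {lowercased attribute: set of values})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)                 # skip blank lines and comments
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        # "attr:: <base64>" carries an encoded value, "attr: <text>" a plain one
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), set()).add(value)
    return dn, attrs

def restore_diff(backup_text, live_text):
    """List differences between backup and live entry; empty means restored."""
    b_dn, b_attrs = parse_ldif_entry(backup_text)
    l_dn, l_attrs = parse_ldif_entry(live_text)
    if l_dn is None:                          # the search returned nothing
        return ["entry missing: %s" % b_dn]
    problems = [] if l_dn.lower() == (b_dn or "").lower() else ["dn differs: %s" % l_dn]
    # Assumption: values are compared as exact strings, not by schema matching rules.
    for attr in sorted(set(b_attrs) | set(l_attrs)):
        for v in sorted(b_attrs.get(attr, set()) ^ l_attrs.get(attr, set())):
            problems.append("%s: %r %s" % (attr, v, "missing" if v in b_attrs.get(attr, set()) else "unexpected"))
    return problems
```

Pass the contents of pwpolicycos.ldif as `backup_text` and the output of the thread's ldapsearch command, run after the ldapmodify step, as `live_text`.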