On 12/19/2013 03:17 PM, Joe Mou wrote:
On Thu, Dec 19, 2013 at 10:01 AM, Rich Megginson <rmegg...@redhat.com <mailto:rmegg...@redhat.com>> wrote:

    On 12/19/2013 09:19 AM, Joe Mou wrote:
    Here are the results of that command:

    $ ldapsearch -xLLL -D "cn=directory manager" -W -b
    dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'
    Enter LDAP Password:
    dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
    cn: Password Policy
    cosspecifier: memberOf
    cosAttribute: krbPwdPolicyReference override
    costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com
    objectClass: top
    objectClass: ldapsubentry
    objectClass: cosSuperDefinition
    objectClass: cosClassicDefinition
    description: Password Policy based on group membership

    Ok.  Looks like IPA uses CoS for password policy based on group
    membership using the memberof attribute in each user's entry.

    I think we can temporarily disable this.

    First, save the above entry to a file e.g. pwpolicycos.ldif

    Next, ipactl restart
    Just after the directory server is restarted, delete this entry:
    ldapdelete -x -D "cn=directory manager" -W "cn=Password

    Once everything is working again, add back the entry:

    ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif

Thanks Rich, that partially worked. The replica gets unstuck and is able to service requests. But it looks like mutations are still not working completely correctly. For example if I do a `ipa user-add joe-test --first=joe --last=test` then that command hangs. At this point the directory server gets wedged, apparently similarly to before. However this time restarting the directory server unsticks it. Only certain operations seem to break, as updating a user's job title works fine. Backtraces are available: http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt <http://p.flatiron.com/%7Ejmou/ipa/stacktrace.1387489013.txt>

Please open a ticket at https://fedorahosted.org/389/newticket - you can attach stack traces to the ticket


Freeipa-users mailing list

Reply via email to