Thanks for your help Rich. The ticket is https://fedorahosted.org/389/ticket/47649

On Thu, Dec 19, 2013 at 2:43 PM, Rich Megginson <[email protected]> wrote:

> On 12/19/2013 03:17 PM, Joe Mou wrote:
>
> On Thu, Dec 19, 2013 at 10:01 AM, Rich Megginson <[email protected]> wrote:
>
>> On 12/19/2013 09:19 AM, Joe Mou wrote:
>>
>> Here are the results of that command:
>>
>> $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'
>> Enter LDAP Password:
>> dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
>> cn: Password Policy
>> cosspecifier: memberOf
>> cosAttribute: krbPwdPolicyReference override
>> costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: cosSuperDefinition
>> objectClass: cosClassicDefinition
>> description: Password Policy based on group membership
>>
>>
>> Ok. Looks like IPA uses CoS for password policy based on group
>> membership using the memberof attribute in each user's entry.
>>
>> I think we can temporarily disable this.
>>
>> First, save the above entry to a file e.g. pwpolicycos.ldif
>>
>> Next, ipactl restart
>> Just after the directory server is restarted, delete this entry:
>> ldapdelete -x -D "cn=directory manager" -W "cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com"
>>
>> Once everything is working again, add back the entry:
>>
>> ldapmodify -x -D "cn=directory manager" -W -a -f pwpolicycos.ldif
>>
>
> Thanks Rich, that partially worked. The replica gets unstuck and is able
> to service requests. But it looks like mutations are still not working
> completely correctly. For example if I do a `ipa user-add joe-test
> --first=joe --last=test` then that command hangs. At this point the
> directory server gets wedged, apparently similarly to before. However this
> time restarting the directory server unsticks it. Only certain operations
> seem to break, as updating a user's job title works fine. Backtraces are
> available: http://p.flatiron.com/~jmou/ipa/stacktrace.1387489013.txt
>
>
> Please open a ticket at https://fedorahosted.org/389/newticket - you can
> attach stack traces to the ticket
>
> Joe
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
