Thanks for the reply, Martin.

Turns out that there was no problem at all; a minor configuration mistake 
(nested a group inside the wrong parent) led us down a rabbit hole. Our failed 
upgrade happened on the same day our 1000th group was created. Using the LDAP 
browser plugin for Eclipse, the default search query limit is 1000… It took a 
while to work that out. Needless to say, we all feel a little silly and a little 
wiser now :)



 
Will Sheldon

On May 14, 2015 at 1:44:15 AM, Martin Basti (mba...@redhat.com) wrote:

On 14/05/15 01:50, Will Sheldon wrote:

Hello everyone :)

We are seeing some strange behavior (created groups don't exist) and I really 
hope someone can lend some advice...

We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was aborted 
before completion, however I believe the schema was updated.

Recently we attempted to upgrade to 4.1, but encountered some issues with the 
upgrade; replication failed:

From the install log (before schema update, so server was running 3.3 schema):

=======================>
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure attribute "cn" not allowed
=======================<


After that we tried updating the schema, and we now get this error (we have log 
file captures for this):

=======================>
[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 131 seconds elapsed
Update in progress yet not in progress

[vanipa.foo.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]

  [error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
========================<

which seems to be referring to this bit of the log:
=======================>
2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
=======================<


Since then we have a somewhat strange issue where new groups that are added 
using the web interface and ipa CLI command interface are created in the compat 
tree, but not in the cn=hostgroups,cn=accounts tree, even though ADD operations 
appear to complete successfully (slapd log output below):

=======================>
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"

[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000
=======================<


Which is consistent with the slapd log during the upgrade:

[21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist

--

Kind regards,

Will Sheldon



Hello,

Can you find in ipaserver-install.log more details about this error?
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure attribute "cn" not allowed

Martin


--  
Martin Basti
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
