Thomas Sailer wrote:
Hello everyone.

I upgraded a FreeIPA server from Fedora 20 to Fedora 22. It mostly
worked OK, but there are a few issues:

- pki-tomcat didn't start after the upgrade, and that in turn made
ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
had the wrong owner (root).

- ipa-ldap-updater stumbles over two problems:
   - Pre schema upgrade failed
   - when trying to modify cn=encryption,cn=config, it stumbles over
allowWeakCipher not allowed

Does anyone know how to fix this? Is the pre schema upgrade failure
spurious? What bits am I missing about the allowWeakCipher issue?

I think the issue was that the upgrade was done in a chroot, so systemd couldn't start 389-ds. I'm guessing, but I'll bet the "No such file or directory" is the ldapi socket.

You can safely re-run the upgrade scripts:

# /usr/sbin/ipa-ldap-updater --upgrade
# /usr/sbin/ipa-upgradeconfig

I'd re-run those and see if the errors change, or hopefully, go away completely.


