Thomas Sailer wrote:
I have now managed to upgrade the replica as well.

I stumbled over a few additional problems:

1) whenever a user becomes member of a group with +nsuniqueid= in its
name, the user can no longer login. The reason is that ldb_dn_validate
doesn't like the + character, thus returns false, which causes
get_ipa_groupname to return EINVAL, which causes the loop in
hbac_eval_user_element to abort and return an error.

This seems to be quite draconian. Does it have to be like this? If so it
would be nice if a clearer error message would be left somewhere more
obvious than sssd -d 0xffff...

An entry with nsuniqueid is a replication conflict entry. You want to resolve this.

See https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

2) I cannot change ssh keys, neither in the web gui nor on the cli.

# ipa -vv user-mod myuserid --sshpubkey= --all
ipa: INFO: trying https://xxxxxserver.xxxxx.com/ipa/json
ipa: INFO: Request: {
     "id": 0,
     "method": "ping",
     "params": [
         [],
         {}
     ]
}
ipa: INFO: Response: {
     "error": null,
     "id": 0,
     "principal": "ad...@xxxxx.com",
     "result": {
         "messages": [
             {
                 "code": 13001,
                 "message": "API Version number was not sent, forward
compatibility not guaranteed. Assuming server's API version, 2.114",
                 "name": "VersionMissing",
                 "type": "warning"
             }
         ],
         "summary": "IPA server version 4.1.4. API version 2.114"
     },
     "version": "4.1.4"
}
ipa: INFO: Forwarding 'user_mod' to json server
'https://xxxxxserver.xxxxx.com/ipa/json'
ipa: INFO: Request: {
     "id": 0,
     "method": "user_mod",
     "params": [
         [
             "t.sailer"
         ],
         {
             "all": true,
             "ipasshpubkey": null,
             "no_members": false,
             "random": false,
             "raw": false,
             "rights": false,
             "version": "2.114"
         }
     ]
}
ipa: INFO: Response: {
     "error": {
         "code": 4203,
         "message": "Type or value exists: ",
         "name": "DatabaseError"
     },
     "id": 0,
     "principal": "ad...@xxxxx.com",
     "result": null,
     "version": "4.1.4"
}
ipa: ERROR: Type or value exists:

I cannot find any more information in /var/log/httpd/error_log. But I
can change the SSH keys directly talking to slapd...

Hmm, curious. What is the current state of the entry? The 389-ds access log might have more details (though I'm stretching here).

3) Is
[global]
debug=True
in /etc/ipa/ipa.conf supposed to change /var/log/httpd/error_log output?
I cannot see any change...

No, there is no /etc/ipa/ipa.conf.

You can create /etc/ipa/server.conf to only change configuration for the server, or /etc/ipa/client.conf to only change configuration for the client.

default.conf is loaded first, then server/client.conf is loaded and changes override the default.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to