On 6/15/15 6:36 AM, Rob Crittenden wrote:
Good morning and happy Monday,
I have a strange problem. Wondering if anyone has seen this before in
trying to run an ipa migrate-ds?
ipa: ERROR: The search criteria was not specific enough. Expected 1 and
The migration worked previously, but now, in order to try and update
some missing accounts that were added, now it no longer works and
generates this error. I can't find any way to get verbose information to
find out what it is finding "2" of?

Usually means there is a replication conflict entry. You may be able
to get more details on what failed by looking at the LDAP access log
of both LDAP servers, though I guess I'd expect this happened locally
on the IPA box.

I found the problem, but now when trying to re-init from a good server
using ipa-replica-manage re-initialize, I get:
TLS error -8172:Peer's certificate issuer has been marked as not trusted
by the user.
But how does THIS happen??

I don't know, I'd be curious to know if you can tell more context around
where it failed (it may be opaque, or at least you'd have to dig
carefully through both access logs to find it).

The first thing that happens is the agreement is looked up on both
sides, then both sides are enabled, then a force sync is done, then
replication is reinitialized. It could blow up at any point.

Given that it sounds like you are deploying multiple IPA installations,
potentially with the same realm name, is it possible that you
reinitialized from a master unknown to the server (e.g. in a different
That or the 389-ds NSS database on one side or another was modified
somehow. It must have worked at one time because TLS is used for
replication during the installation.
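
One way to check the NSS database theory above, as an added example that is not part of the original thread: NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER, so the sketch parses a `certutil -L -d <nss-db-dir>` listing and reports CA entries whose SSL trust field lacks the `C` flag. The sample listing, the nicknames and the function names are constructed for illustration.

```python
import re

# Constructed sample of `certutil -L -d <nss-db-dir>` output (not from the thread).
# For 389-ds the database normally lives under /etc/dirsrv/slapd-<INSTANCE>.
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          ,,
OTHER.TEST IPA CA                                            CT,C,C
"""

# Nickname, then three comma-separated trust fields (SSL, S/MIME, code signing).
# The header rows do not match because they contain characters outside the flag set.
ROW = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[pPcCTuw]*),(?P<smime>[pPcCTuw]*),(?P<js>[pPcCTuw]*)\s*$"
)


def parse_listing(text):
    """Return [(nickname, ssl_flags)] for every certificate row in the listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group("nick"), m.group("ssl")))
    return rows


def untrusted_for_tls(text):
    """Nicknames that cannot anchor a TLS server certificate chain.

    Heuristic (an assumption of this example): rows flagged 'u' are the
    instance's own key-bearing certificates and are skipped; every other row
    is treated as a CA and needs 'C' in the SSL field to be a trusted issuer.
    """
    return [nick for nick, ssl in parse_listing(text)
            if "u" not in ssl and "C" not in ssl]


if __name__ == "__main__":
    for nick in untrusted_for_tls(SAMPLE_LISTING):
        print("CA present but not trusted for TLS:", nick)
```

Running the same check against the listing from each replica shows which side holds the issuer without trust flags.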