On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:
On Mon, 20 Jul 2015, Alexandre Ellert wrote:
Can you please show output from
fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
This is original 'dc' definition:
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
This is the offending one:
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
In 00core.ldif, I have :
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc'
X-ORIGIN 'RFC 4519'
X-DEPRECATED 'domaincomponent' )
If you look into 99user.ldif, you'll see the wrong definition there.
99user.ldif accumulates definitions coming from replication or updates.
You can check other IPA masters, do they have 'dc' attribute defined in
a wrong way?
As far as I remember, the only modification I made was to disable
read-only access without authentication. I don’t need any other
Something brought the wrong definition into your IPA masters.
May be someone tried to add support for some old application?
Probably caused by migration from 6.6 to 7.x. See
https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't
cause any issue but looks scary.
I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around
the time the following CA error happened (could be new start).
[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project