On 07/20/2015 05:17 PM, Alexander Bokovoy wrote:
On Mon, 20 Jul 2015, Alexandre Ellert wrote:

Can you please show output from
fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema

# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema

This is original 'dc' definition:
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

This is the offending one:
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D

In 00core.ldif, I have :
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc'
'domaincomponent' )
 EQUALITY caseIgnoreIA5Match
 SUBSTR caseIgnoreIA5SubstringsMatch
 X-ORIGIN 'RFC 4519'
 X-DEPRECATED 'domaincomponent' )
If you look into 99user.ldif, you'll see the wrong definition there.

99user.ldif accumulates definitions coming from replication or updates.
You can check other IPA masters, do they have 'dc' attribute defined in
a wrong way?

As far as I remember, the only modification I made was to disable
read-only access without authentication.  I don’t need any other
special customization.
Something brought the wrong definition into your IPA masters.
May be someone tried to add support for some old application?

Probably caused by migration from 6.6 to 7.x. See https://bugzilla.redhat.com/show_bug.cgi?id=1220788 Usually it doesn't cause any issue but looks scary.

I'd try to isolate entries from DS, CA, maybe also krb5kdc logs around the time the following CA error happened (could be new start).

[30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.org

Petr Vobornik

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to