On Wed, 22 Jul 2015, Alexandre Ellert wrote:

On 22 Jul 2015, at 17:09, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Wed, 22 Jul 2015, Alexandre Ellert wrote:

On 20 Jul 2015, at 17:17, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 20 Jul 2015, Alexandre Ellert wrote:

Can you please show output from
fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema

# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema

This is original 'dc' definition:
/etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

This is the offending one:
/etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D

In 00core.ldif, I have:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'RFC 4519'
X-DEPRECATED 'domaincomponent' )
If you look into 99user.ldif, you'll see the wrong definition there.

99user.ldif accumulates definitions coming from replication or updates.
You can check other IPA masters, do they have 'dc' attribute defined in
a wrong way?

I have a second IPA master and here are the occurrences of 'domaincomponent' in
/etc/dirsrv/slapd-NUMEEZY-FR/schema:
In 00core.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'RFC 4519'
X-DEPRECATED 'domaincomponent' )
In 99user.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
GIN ( 'RFC 2247' 'user defined' ) )

These two definitions are exactly the same on both IPA masters.

I don't understand what is wrong in 99user.ldif. How can I correct it with the
good definition?

The correct definition is in the 00core.ldif. The one in 99user.ldif is
wrong.

I think you can remove it from 99user.ldif on both servers but you need
to shut down dirsrv instances on both to do that.
--
/ Alexander Bokovoy

I shut down IPA on both servers (ipactl stop) and removed this section in
99user.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )

But I still have the same behavior (pki-tomcatd doesn't start, same errors
in logs). Do you have another idea?

We need to find out where the definition comes from.

Can you give me output of
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
from both servers?

With correct setup IPA 4.x should show:
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25 
NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-EXAMPLE-COM/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

I.e. there are two lines -- in the default schema and in the IPA
instance schema.
--
/ Alexander Bokovoy
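
The check discussed in this thread, as an added example that is not part of the original messages: it unfolds LDIF continuation lines and reports every attribute OID whose SYNTAX differs between schema files, which is how the 99user.ldif copy of 'dc' differs from the one in 00core.ldif. The function names and the `exampleAttr` entry are assumptions made for illustration; the sample text is constructed from the definitions quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the two 'dc' definitions quoted in the thread, plus one
# made-up attribute (hypothetical OID) that exists in a single file only.
SAMPLE = {
    "00core.ldif": (
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )\n"
        "  EQUALITY caseIgnoreIA5Match\n"
        "  SUBSTR caseIgnoreIA5SubstringsMatch\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26\n"
        "  SINGLE-VALUE\n"
        "  X-ORIGIN 'RFC 4519'\n"
        "  X-DEPRECATED 'domaincomponent' )\n"
    ),
    "99user.ldif": (
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D\n"
        " ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn\n"
        " oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI\n"
        " GIN ( 'RFC 2247' 'user defined' ) )\n"
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr'\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
    ),
}

ATTR_RE = re.compile(r"^attributeTypes:\s*\(\s*([0-9.]+)\s", re.IGNORECASE)
SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")

def unfold(text):
    """Undo LDIF folding: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # drop exactly one leading space, then join
        else:
            lines.append(raw)
    return lines

def syntax_conflicts(files):
    """Return {attribute OID: {file: SYNTAX OID}} where SYNTAX differs between files."""
    seen = defaultdict(dict)
    for name, text in files.items():
        for line in unfold(text):
            attr = ATTR_RE.match(line)
            if attr:
                syntax = SYNTAX_RE.search(line)
                seen[attr.group(1)][name] = syntax.group(1) if syntax else None
    return {oid: by_file for oid, by_file in seen.items()
            if len(set(by_file.values())) > 1}

print(syntax_conflicts(SAMPLE))
```

To run it against a server, build the `files` dictionary from the `*.ldif` files in the instance schema directory instead of `SAMPLE`.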
