It doesn't look like there are any entries.

# ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s base aci
# extended LDIF
#
# LDAPv3
# base <cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: aci
#

# certprofiles, ca, aws.cappex.com
dn: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So how would one remove the 'Modify Certificate Profile' managed permission 
from LDAP?


From: Martin Basti [mailto:mba...@redhat.com]
Sent: Tuesday, October 11, 2016 11:18 AM
To: John Popowitch; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors


Here you have an example

kinit admin

ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=<your>,dc=<suffix>' -s base aci

On 11.10.2016 17:48, John Popowitch wrote:
Thanks, Martin.
But I'm afraid you've gone beyond my level of LDAP knowledge.
How would I check for that ACI?
-John

From: Martin Basti [mailto:mba...@redhat.com]
Sent: Tuesday, October 11, 2016 10:38 AM
To: John Popowitch; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors




On 11.10.2016 17:21, John Popowitch wrote:
I agree that is weird.
Several of the other managed permissions are updated successfully and they are 
very similar.
Yes, I can try to remove the permission manually.
Is there any risk in corrupting or breaking the system?
This is, I believe, one of three IPA servers in a multi-master replication.
And we run our production website (basically our company) off of these servers.
Assuming it's safe enough to do, could I delete that permission via the UI or 
does it need to be directly via LDAP?

Upgrade will re-create permission.

You have to do it directly using LDAP as Directory Manager

Also please check in: cn=certprofiles,cn=ca,$SUFFIX

if you have this ACI there

aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

This may also cause an issue, so if removing the permission itself did not help 
(or the permission does not exist) you may need to remove this ACI

Martin
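Added example (not code from the thread): a small Python script that does the check Martin describes, offline, by unfolding the LDIF continuation lines of an ldapsearch dump, picking out the aci values that name the 'System: Modify Certificate Profile' managed permission, and emitting the ldapmodify LDIF that would delete such a value when run as Directory Manager. The sample ldapsearch output and the dc=example,dc=test suffix are constructed.

```python
import re

# Constructed sample: what `ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,...' -s base aci`
# prints when the stale ACI from the thread is present (suffix is a placeholder).
SAMPLE_LDIF = """\
dn: cn=certprofiles,cn=ca,dc=example,dc=test
aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfil
 ter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Mod
 ify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify C
 ertificate Profile,cn=permissions,cn=pbac,dc=example,dc=test";)
aci: (targetattr = "cn")(version 3.0;acl "unrelated";allow (read) userdn = "ldap:///anyone";)
# search result
search: 2
result: 0 Success
"""

def unfold_ldif(text):
    """Return (attribute, value) pairs; a line starting with a space continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line[1:]          # LDIF folding: drop the leading space and join
        elif line and not line.startswith("#"):
            records.append(line)             # skip blank lines and ldapsearch comments
    pairs = []
    for rec in records:
        attr, sep, value = rec.partition(":")   # split on the first colon only
        if sep:
            pairs.append((attr.strip(), value.strip()))
    return pairs

def find_permission_acis(ldif_text, permission):
    """aci values whose acl name is 'permission:<permission>' (how IPA names managed-permission ACIs)."""
    needle = 'acl "permission:%s"' % permission
    return [v for a, v in unfold_ldif(ldif_text) if a == "aci" and needle in v]

def aci_groupdn(aci):
    """The groupdn the ACI grants to, i.e. the permission entry the upgrade wants to re-create."""
    m = re.search(r'groupdn = "ldap:///([^"]+)"', aci)
    return m.group(1) if m else None

def delete_aci_ldif(entry_dn, aci):
    """LDIF for `ldapmodify -D 'cn=Directory Manager' -W` that removes exactly this aci value."""
    return "dn: %s\nchangetype: modify\ndelete: aci\naci: %s\n" % (entry_dn, aci)

if __name__ == "__main__":
    for aci in find_permission_acis(SAMPLE_LDIF, "System: Modify Certificate Profile"):
        print("stale ACI grants to", aci_groupdn(aci))
        print(delete_aci_ldif("cn=certprofiles,cn=ca,dc=example,dc=test", aci))
```

Run against the real `ldapsearch ... -s base aci` output instead of SAMPLE_LDIF; an empty result means no ACI for that permission is left on the entry, which is what John's dump above shows.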




From: Martin Basti [mailto:mba...@redhat.com]
Sent: Tuesday, October 11, 2016 9:47 AM
To: John Popowitch; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors


That's weird because the code is checking if a permission exists before it 
tries to add a new one

Can you try to remove 'System: Modify Certificate Profile' manually from LDAP 
and re-run ipa-server-upgrade?



On 11.10.2016 15:53, John Popowitch wrote:
2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile
2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392
2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists
2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute
    anonymous_read_aci)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry
    self.conn.add_s(str(entry.dn), attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2016-10-10T19:51:38Z DEBUG   [error] RuntimeError: This entry already exists
2016-10-10T19:51:38Z DEBUG   [cleanup]: stopping directory server
2016-10-10T19:51:38Z DEBUG Starting external process
2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv@AWS-CAPPEX-COM.service'
2016-10-10T19:51:40Z DEBUG Process finished, return code=0
2016-10-10T19:51:40Z DEBUG stdout=
2016-10-10T19:51:40Z DEBUG stderr=
2016-10-10T19:51:40Z DEBUG   duration: 1 seconds
2016-10-10T19:51:40Z DEBUG   [cleanup]: restoring configuration
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG   duration: 0 seconds
2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-10T19:51:40Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    raise admintool.ScriptError(str(e))

2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1)
2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1)



From: Martin Basti [mailto:mba...@redhat.com]
Sent: Tuesday, October 11, 2016 1:53 AM
To: John Popowitch; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors




On 10.10.2016 23:30, John Popowitch wrote:
Hello FreeIPA community.
I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.
I had to reboot one of the servers and now IPA won't run saying, "Upgrade 
required: please run ipa-server-upgrade command."
But when I run ipa-server-upgrade I get an error:
ipa: ERROR: Upgrade failed with This entry already exists
When I run it in debug mode the last action before the error is:
ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile
It appears that several of the other managed permissions are processed 
successfully.
When I look in the UI on one of the other servers it appears that this 
permission exists under IPA Server -> Role Based Access Control -> Permissions.
I'm not familiar with FreeIPA so any help would be greatly appreciated.
Thanks in advance.
-John







Hello,

can you post the related part of ipaupgrade.log here?

Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
