Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 04:29 PM, Dmitri Pal wrote:
 On 02/21/2013 12:31 PM, Dmitri Pal wrote:
 On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
 On 02/21/2013 09:40 AM, Rob Crittenden wrote:
 Erinn Looney-Triggs wrote:
 On 02/21/2013 09:34 AM, Rob Crittenden wrote:
 Erinn Looney-Triggs wrote:
 On 02/21/2013 09:07 AM, Rob Crittenden wrote:
 add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME
 'ipaExternalMember'
 DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch
 ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 X-ORIGIN 'IPA v3' )
 add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup'
 SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$
 description $$ owner) X-ORIGIN 'IPA v3' )
 Well that fails as well, though in sort of a self inflicted way:

 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command failed,
 exception: DatabaseError: Server is unwilling to perform: Minimum SSF
 not met. arguments: base=cn=config,cn=ldbm
 database,cn=plugins,cn=config, scope=0, filterstr=(objectclass=*)
 2013-02-21T16:24:30Z ERROR Unexpected error - see
 /var/log/ipaupgrade.log for details:
 DatabaseError: Server is unwilling to perform: Minimum SSF not met.
 arguments: base=cn=config,cn=ldbm database,cn=plugins,cn=config,
 scope=0, filterstr=(objectclass=*)


 Now this probably comes about because I set:
 nsslapd-minssf: 56
 For security.

 I can change that back to the default and probably move past this, but is
 that a known issue? Is there another way around?
 As root try the --ldapi flag:

 # ipa-ldap-updater --ldapi /path/to/scheme.update

 rob

 ERROR: LDAPUpdate: syntax error:
dn is not defined in the update, data source=schema.update

 -Erinn

 Sorry, add this to the top of your update file:

 dn: cn=schema

 rob
 No worries! Thanks for the help, after a restart of IPA the web UI is
 working again. I reckon this is something that needs to be fixed, does
 opening a support case and pointing them to that bug help you folks out
 with this in any way?

 This is a known defect. We just did not realize it would have such a bad
 impact on upgrade.
 Sorry, the errata is on the way.

 I would recommend everyone to not upgrade to 6.4 until the errata is shipped.
 We will notify you as soon as it goes out.

 Sorry again.

 

I would like to clarify the impact, we have found out it is broader than
currently stated:

 We did some research of this issue:
 1) The upgrade works fine from 6.3 to 6.4 and the issue does not exhibit 
 itself
 2) We have been able to reproduce it with the direct upgrade from 6.2 to 6.4
 3) Since the expected upgrade part is 6.2 - 6.3 - 6.4 the question comes up
 whether this fix is actually that urgent.

This issue also affects both upgrade paths (6.2 - 6.4 and 6.2 - 6.3 - 6.4).
This makes the fix urgent and it should be fixed in 6.4 too.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
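
The workaround pieced together in the quoted exchange above, as one script: the update file with `dn: cn=schema` at the top, a pre-flight check for the "dn is not defined in the update" condition, and the run over the local LDAPI socket as root. This is an added example, not part of the original thread or FreeIPA's own tooling; the function names, the `--apply` switch and the default file name `schema.update` are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: function names and the --apply switch are hypothetical.

# Write the update file from the thread. The quoted heredoc ('EOF') keeps
# "$$" literal, exactly as it was posted.
write_schema_update() {
    cat > "$1" <<'EOF'
dn: cn=schema
add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$ description $$ owner) X-ORIGIN 'IPA v3' )
EOF
}

# Pre-flight: succeed only if the first non-blank line is a "dn:" line,
# i.e. the condition whose absence produced the syntax error in the thread.
dn_precedes_directives() {
    awk '
        /^[[:space:]]*$/ { next }            # ignore blank lines
        /^dn:/           { found = 1; exit } # first content line names the entry
                         { exit }            # a directive came first
        END              { exit !found }
    ' "$1"
}

# Apply over LDAPI (local socket) as root, as suggested in the thread.
apply_schema_update() {
    dn_precedes_directives "$1" || {
        echo "refusing to run: no dn: line before the directives in $1" >&2
        return 2
    }
    [ "$(id -u)" -eq 0 ] || { echo "--ldapi needs root" >&2; return 3; }
    ipa-ldap-updater --ldapi "$1"
}

# Only touch the server when asked to: ./script.sh --apply [file]
if [ "${1:-}" = "--apply" ]; then
    update_file=${2:-schema.update}
    write_schema_update "$update_file" && apply_schema_update "$update_file"
fi
```

In the thread, the web UI worked again only after IPA was restarted following the update.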


Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 10:29 AM, Dmitri Pal wrote:
 We did some research of this issue:
 1) The upgrade works fine from 6.3 to 6.4 and the issue does not exhibit
 itself
 2) We have been able to reproduce it with the direct upgrade from 6.2 to 6.4
 3) Since the expected upgrade part is 6.2 - 6.3 - 6.4 the question
 comes up whether this fix is actually that urgent.
 4) In the presence of the simple workaround we feel that it is not that
 important to include this fix into the errata that we are working on.
 
 Please let us know if you think that there is a problem with the plan above.
 
 

Well all I can tell you on this, is that mine was an upgrade from 6.3 to
6.4, so there is a case where it will fail going from 6.3 to 6.4, but
how applicable it is I can't say.

Otherwise, sure, sounds great to me.

-Erinn





Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote:
 Well all I can tell you on this, is that mine was an upgrade from 6.3 to 
 6.4, so there is a case where it will fail going from 6.3 to 6.4, but how
 applicable it is I can't say.

Hi Erinn,

Is 6.3 the original RHEL version where IPA server was installed? Or was IPA
installed on RHEL-6.2 and then you upgraded RHEL to 6.3?

Thank you,
Martin



Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 12:08 PM, Martin Kosek wrote:
 Hi Erinn,
 
 Is 6.3 the original RHEL version where IPA server was installed? Or was IPA
 installed on RHEL-6.2 and then you upgraded RHEL to 6.3?
 
 Thank you,
 Martin
 

These systems have gone through all the point releases from 6 on up I
believe.

-Erinn




Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek

On 02/26/2013 06:10 PM, Erinn Looney-Triggs wrote:


These systems have gone through all the point releases from 6 on up I
believe.

-Erinn



Ok, then this use case is also covered by the upcoming 6.4 fix. I just wanted 
to check that.


Thanks,
Martin
