On Mon, 2012-11-12 at 09:51 -0600, Anthony Messina wrote:
> On Monday, November 12, 2012 09:17:17 AM Anthony Messina wrote:
> > > > I also find that when I do a manual ldapsearch for the non-upgraded
> > > > clients as follows:
> > > >
> > > > ldapsearch -x -D "cn=directory manager" -W -b cn=accounts,dc=messinet,dc=com "(&(objectClass=ipaHost)(fqdn=*))" dn
> > > >
> > > > the non-upgraded clients DO NOT appear in the list, but if I do the
> > > > following:
> > > >
> > > > ldapsearch -x -D "cn=directory manager" -W -b cn=accounts,dc=messinet,dc=com "(&(objectClass=ipaHost))" dn
> > > >
> > > > the non-upgraded clients DO appear in the list. Somehow the addition of
> > > > the fqdn=* in the filter "(&(objectClass=ipaHost)(fqdn=*))" prevents
> > > > them from being displayed.
> > > >
> > > > There were no errors on any of the servers or clients during the
> > > > upgrade.
> > > >
> > > > Your help is appreciated. I've tried to get this corrected all day
> > > > without success.
> > > >
> > > > Thanks in advance. -A
> > >
> > > Hi,
> > >
> > > the SSSD depends on the fqdn attribute being present for the access
> > > control mechanism. Also, the SSSD searches the directory anonymously, so
> > > in order to get the same results, you should simply search the directory
> > > with anonymous bind.
> > > Can you check on the server what the host entries look like?
> > >
> > > For example:
> > > ipa host-show ds.messinet.com --all --raw
> > >
> > > Is the FQDN attribute present in the directory at all?
> >
> > Yes it is present. The entry seems to appear similar to other
> > entries. I'm wondering if for some reason it wasn't indexed (I don't know
> > much about indexing), but only the hosts that are re-enrolled after the
> > update are displayed with the above search. I'm thinking this may be
> > related to
> > http://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-2-2&id=ce11a7c0e22ee8f70e14c43419f20be70176fe8c
> >
> > Is there a way to re-index the fqdn attribute?
>
> While this may be a red herring, I also do not find in my ipaupgrade.log any
> attempt to re-index the fqdn attribute. These are the only entries for which
> tasks are created.
>
> 2012-11-11T13:25:39Z INFO Creating task to index attribute: memberuid
> 2012-11-11T13:25:45Z INFO Creating task to index attribute: memberOf
> 2012-11-11T13:25:51Z INFO Creating task to index attribute: memberHost
> 2012-11-11T13:25:57Z INFO Creating task to index attribute: memberUser
> 2012-11-11T13:26:03Z INFO Creating task to index attribute: ntUniqueId
> 2012-11-11T13:26:09Z INFO Creating task to index attribute: ntUserDomainId

Seems like it may be the issue.
Can you open a ticket on this?

Rich, do you have a quick pointer for recreating the fqdn index?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
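
Added example (not part of the original thread, and not FreeIPA or SSSD code): a Python script for the comparison described in the quoted messages. It diffs the DNs returned by the `(objectClass=ipaHost)` search against those returned with the added `(fqdn=*)` presence filter and lists the host entries the presence search misses. The LDIF samples and the hosts under example.test are constructed; the function names are hypothetical.

```python
import base64

def parse_dns(ldif_text):
    """Return the set of entry DNs found in ldapsearch LDIF output."""
    # LDIF folds long lines: a line starting with one space continues the previous one.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        if line.startswith("dn:: "):      # DN emitted base64-encoded
            dns.add(base64.b64decode(line[5:]).decode("utf-8").lower())
        elif line.startswith("dn: "):
            dns.add(line[4:].strip().lower())
    return dns                            # lowercased so the two outputs compare equal

def missing_from_presence_search(all_hosts_ldif, presence_ldif):
    """DNs matched by (objectClass=ipaHost) but not when (fqdn=*) is added."""
    return sorted(parse_dns(all_hosts_ldif) - parse_dns(presence_ldif))

# Constructed sample output; real input would be the saved output of the two
# ldapsearch commands quoted in the thread.
SUFFIX = "cn=computers,cn=accounts,dc=example,dc=test"
ALL_HOSTS = (
    "# constructed sample: (&(objectClass=ipaHost))\n"
    f"dn: fqdn=new-client.example.test,{SUFFIX}\n\n"
    "dn: fqdn=old-client.example.test,cn=computers,cn=accounts,dc=exam\n"
    " ple,dc=test\n\n"                    # folded continuation line
    "dn:: " + base64.b64encode(f"fqdn=old2.example.test,{SUFFIX}".encode()).decode() + "\n"
)
PRESENCE = (
    "# constructed sample: (&(objectClass=ipaHost)(fqdn=*))\n"
    f"dn: fqdn=new-client.example.test,{SUFFIX}\n"
)

if __name__ == "__main__":
    for dn in missing_from_presence_search(ALL_HOSTS, PRESENCE):
        print("missing from fqdn=* search:", dn)
```

A non-empty result while `ipa host-show` still shows the fqdn attribute on those entries is consistent with the stale-index suspicion raised in the thread, since the presence filter is answered from the attribute's index.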
