On 02/26/2013 12:08 PM, Martin Kosek wrote:
> On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote:
>> On 02/26/2013 10:29 AM, Dmitri Pal wrote:
>>> On 02/21/2013 12:31 PM, Dmitri Pal wrote:
>>>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>>>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME
>>>>>>>>>> 'ipaExternalMember' DESC 'External Group Member
>>>>>>>>>> Identifier' EQUALITY caseIgnoreMatch ORDERING
>>>>>>>>>> caseIgnoreOrderingMatch SYNTAX
>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
>>>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME
>>>>>>>>>> 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY (
>>>>>>>>>> ipaExternalMember $$ memberOf $$ description $$ owner)
>>>>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>>>> Well that fails as well, though in sort of a self inflicted
>>>>>>>>> way:
>>>>>>>>>
>>>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command
>>>>>>>>> failed, exception: DatabaseError: Server is unwilling to
>>>>>>>>> perform: Minimum SSF not met. arguments:
>>>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>>>> scope=0, filterstr="(objectclass=*)" 2013-02-21T16:24:30Z
>>>>>>>>> ERROR Unexpected error - see /var/log/ipaupgrade.log for
>>>>>>>>> details: DatabaseError: Server is unwilling to perform:
>>>>>>>>> Minimum SSF not met. arguments: base="cn=config,cn=ldbm
>>>>>>>>> database,cn=plugins,cn=config", scope=0,
>>>>>>>>> filterstr="(objectclass=*)"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Now this probably comes about because I set: nsslapd-minssf:
>>>>>>>>> 56 For security.
>>>>>>>>>
>>>>>>>>> I can change that back to the default and probably move past
>>>>>>>>> this, but is that a known issue? Is there another way
>>>>>>>>> around?
>>>>>>>> As root try the --ldapi flag:
>>>>>>>>
>>>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>> ERROR: LDAPUpdate: syntax error: dn is not defined in the
>>>>>>> update, data source=schema.update
>>>>>>>
>>>>>>> -Erinn
>>>>>>>
>>>>>> Sorry, add this to the top of your update file:
>>>>>>
>>>>>> dn: cn=schema
>>>>>>
>>>>>> rob
>>>>> No worries! Thanks for the help, after a restart of IPA the web UI
>>>>> is working again. I reckon this is something that needs to be fixed,
>>>>> does opening a support case and pointing them to that bug help you
>>>>> folks out with this in any way?
>>>>
>>>> This is a known defect. We just did not realize it would have such a
>>>> bad impact on upgrade. Sorry, the errata is on the way.
>>>>
>>>> I would recommend everyone to not upgrade to 6.4 until the errata is
>>>> shipped. We will notify you as soon as it goes out.
>>>>
>>>> Sorry again.
>>>>
>>>
>>> We did some research of this issue: 1) The upgrade works fine from 6.3
>>> to 6.4 and the issue does not exhibit itself 2) We have been able to
>>> reproduce it with the direct upgrade from 6.2 to 6.4 3) Since the
>>> expected upgrade part is 6.2 -> 6.3 -> 6.4 the question comes up whether
>>> this fix is actually that urgent. 4) In the presence of the simple
>>> workaround we feel that it is not that important to include this fix
>>> into the errata that we are working on.
>>>
>>> Please let us know if you think that there is a problem with the plan
>>> above.
>>>
>>>
>>
>> Well all I can tell you on this, is that mine was an upgrade from 6.3 to
>> 6.4, so there is a case where it will fail going from 6.3 to 6.4, but how
>> applicable it is I can't say.
>
> Hi Erinn,
>
> Is 6.3 the original RHEL version where IPA server was installed? Or was IPA
> installed on RHEL-6.2 and then you upgraded RHEL to 6.3?
>
> Thank you,
> Martin
>
These systems have gone through all the point releases from 6 on up I believe.

-Erinn
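The workaround discussed in this thread, collected into one added example (not code from the thread's participants or from the FreeIPA project): a shell helper that checks an update file for the missing `dn:` line behind the "dn is not defined in the update" error and prepends `dn: cn=schema` before the file is passed to `ipa-ldap-updater --ldapi`. The function names and the rule "the first non-blank, non-comment line must be a `dn:` line" are assumptions made for this sketch, a simplification of whatever the updater itself checks.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of ipa-ldap-updater.

# Write the two schema lines quoted in the thread (each joined onto one line).
# The quoted heredoc delimiter keeps the $$ sequences exactly as quoted
# instead of letting the shell expand them.
write_sample_update() {
    cat > "$1" <<'EOF'
add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$ description $$ owner) X-ORIGIN 'IPA v3' )
EOF
}

# Succeed only if the first non-blank, non-comment line is a "dn:" line.
# An empty file fails the check, because the final grep sees no input.
has_leading_dn() {
    grep -v -e '^[[:space:]]*$' -e '^#' "$1" | head -n 1 | grep -q '^dn:'
}

# Prepend "dn: cn=schema" when the file lacks a leading dn. The file is
# rewritten in place through a temp copy so its mode and owner are kept.
# Only meant for schema updates such as the one in this thread.
ensure_schema_dn() {
    if has_leading_dn "$1"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf 'dn: cn=schema\n'; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage as root, with the command given in the thread. LDAPI is the
# workaround used when nsslapd-minssf rejects the updater's connection:
#   ensure_schema_dn schema.update && ipa-ldap-updater --ldapi schema.update
```

Calling `ensure_schema_dn` a second time on the same file leaves it unchanged, so the helper is safe to rerun.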
