On Wed, 2014-06-11 at 13:30 -0400, Simo Sorce wrote: > On Wed, 2014-06-11 at 19:08 +0200, Petr Viktorin wrote: > > On 06/11/2014 06:58 PM, Simo Sorce wrote: > > > On Wed, 2014-06-11 at 18:48 +0200, Petr Viktorin wrote: > > >> On 06/11/2014 06:45 PM, Simo Sorce wrote: > > >>> On Wed, 2014-06-11 at 12:36 -0400, Nathaniel McCallum wrote: > > >>>> On Wed, 2014-06-11 at 08:47 -0400, Simo Sorce wrote: > > >> > > >>>> > > >>>> Do the installed schema files have ipatokenHOTP? Did you dump the > > >>>> schema > > >>>> from 389DS to see if this object class is present? > > >>> > > >>> They are not. The schema files in /usr/share/ipa do have the > > >>> objectclasses, but the server schema has not been updated (or the update > > >>> failed). > > >> > > >> Can you check /var/log/ipaupgrade.log to see why the upgrade failed? Or > > >> send it and I can check. > > > > > > Uhmm it failed because I previously had one of the getkeytab attributes > > > in the server but we later changed its OID when the feature was > > > deferred... sigh ... > > > > Yeah, that would be a problem. > > > > > I now have removed the offending attributes by turning off dirsrv and > > > manually removing them from 99user.ldif, but running ipa-ldap-updater > > > does not seem to do try to add the missing schema ... > > > > Are you saying there's nothing about schema in the log? > > Not for following ipa-ldap-update runs ... they seem to actually fail > with a timeout ... investigating.
Nevermind, I re-run ipa-ldap-updater and this time it is trying (but it found another of the old attributes I hadn't deleted. I don't know why previous attempts at running ipa-ldap-updater failed, but I did reboot the machine since ... so maybe there was something wonky about DS. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
