On 10/18/19 2:44 PM, Joseph, Matthew via FreeIPA-users wrote:
Hello,
I’m currently running into an issue when trying to do the
ipa-replica-install.
I did the ipa-replica-prepare command and copied the replica gpg file to
the new replica server and ran the following command to do the install:
ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-server.domain.ca.gpg
I get the following error part way through the process;
DatabaseError: Server is unwilling to perform: modification of attribute
nsds5replicaleasetimeout is not allowed in replica entry
I looked at the log and saw the following:
DEBUG The ipa-replica-install command failed, exception: DatabaseError:
Server is unwilling to perform: Modification of attribute
nsds5replicaleasetimeout is not allowed in replica entry
ERROR Server is unwilling to perform: modification of attribute
nsds5replicaleasetimeout is not allowed in replica entry
I did a search and could not find the nsds5replicaleasetimeout entry in
LDAP.
Is this something I can add myself? Or is there something else that
needs to be done? I don’t see much information on this error when searching.
Hi,
your issue looks similar to https://pagure.io/freeipa/issue/7796.
I had a replica before and removed it so I’m not quite sure what is
going on with this.
The only difference I can see between the 2 replicas is this new one is
running a slightly newer version of RHEL, IPA and 389.
Master Server information:
RHEL 7.1
IPA version 4.1.0-18
389-ds 1.3.3.1-13
Can you check first if the attribute nsds5replicaleasetimeout is
properly defined on your master?
# ldapsearch -D "cn=directory manager" -W -x -b cn=schema attributetypes | grep -i nsds5ReplicaReleaseTimeout
This command should return the attribute type definition. If it's not
the case, then you need to run copy-schema-to-ca.py on the master as
described in
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7#migrate-6-7-schema-update-script,
then create the replica file. This will add the attribute definition to
the schema on the server.
If the command returns the attr definition, please upload the full
ipa-replica-install log (/var/log/ipa-replica-install.log) and the
access log from the server (/var/log/dirsrv/slapd-DOMAIN/access) as it
will show which entry failed to be updated.
flo
Replica Server Information:
RHEL 7.7
IPA Version 4.6.5-11
389-ds 1.3.9.1-18
Thanks,
Matt
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
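
Added example, not part of the original thread or of FreeIPA: a variant of the schema check in the reply above that still finds the attribute when ldapsearch folds the definition across lines or lists it among several names. The function names, the example-oid-N values and the sample LDIF are constructed for illustration.

```sh
#!/bin/sh
# Added example: test LDIF from a cn=schema search for an attribute type,
# tolerating LDIF line folding. Function names are hypothetical.

# Join LDIF continuation lines (a leading single space continues the previous line).
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (have) print buf; buf = $0; have = 1 }
         END { if (have) print buf }'
}

# schema_has_attr NAME: exit 0 if an attributeTypes value lists NAME in its
# NAME clause (case-insensitive), exit 1 otherwise. Reads LDIF on stdin.
schema_has_attr() {
    ldif_unfold | awk -v want="$1" -v q="'" '
        BEGIN { want = tolower(want) }
        tolower($0) ~ /^attributetypes:/ {
            line = tolower($0)
            n = index(line, " name ")
            if (!n) next
            rest = substr(line, n + 6)
            if (substr(rest, 1, 1) == "(") {
                # parenthesised list of quoted names
                rest = substr(rest, 1, index(rest, ")"))
            } else {
                # single quoted name: keep text up to its closing quote
                rest = substr(rest, 1, index(substr(rest, 2), q) + 1)
            }
            if (index(rest, q want q)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample output (placeholder OIDs); the second definition is
# folded in the middle of the attribute name, which a plain grep misses.
sample_schema() {
    cat <<'EOF'
dn: cn=schema
attributeTypes: ( example-oid-1 NAME 'exampleAttrOne' DESC 'exampleDescOnly' S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( example-oid-2 NAME ( 'exampleAlias' 'nsds5Repli
 caReleaseTimeout' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
EOF
}
```

On the master, pipe the ldapsearch command from the reply into `schema_has_attr nsds5ReplicaReleaseTimeout` in place of grep; a non-zero exit status means the definition is missing from the schema.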