Hi,
the error looks similar to https://github.com/389ds/389-ds-base/issues/4872.
The CentOS 8 Streams master probably has a version of 389ds that doesn't
contain the fix, and has entryuuid plugin enabled (that generates an
entryuuid attribute). The schema failed to be replicated to the CentOS 7
server, and the entryuuid attribute present in the entry causes replication
issues.
Which versions are installed on the other replicas? You may have to disable
the entryuuid plugin or update 389ds.
flo
On Mon, Nov 22, 2021 at 3:30 PM Kees Bakker via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
>
> On my Centos 7 master there was this error message
>
> [19/Nov/2021:11:16:11.863597190 +0100] - ERR - oc_check_allowed_sv - Entry
> "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com"
> -- attribute "entryuuid" not allowed
> [19/Nov/2021:11:16:26.331298112 +0100] - ERR - oc_check_allowed_sv - Entry
> "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com"
> -- attribute "entryuuid" not allowed
> [19/Nov/2021:11:16:45.264647201 +0100] - ERR - oc_check_allowed_sv - Entry
> "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com"
> -- attribute "entryuuid" not allowed
>
> The sudorule was add via the web-GUI on a Centos 8stream master.
>
> The replication more or less succeeded, besides this error message.
> However,
> * checkipaconsistency reports "LDAP Conflicts" (the Centos 7 master has
> count 1, the other masters have count 0)
> * ipa-healthcheck reports an error too
>
> [
> {
> "source": "ipahealthcheck.ds.replication",
> "kw": {
> "msg": "Replication conflict",
> "glue": false,
> "conflict": "Schema violation",
> "key":
> "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl"
> },
> "uuid": "01d364fc-e48e-44bd-9ea8-63db1e800788",
> "duration": "0.001689",
> "when": "20211122070012Z",
> "check": "ReplicationConflictCheck",
> "result": "ERROR"
> }
> ]
>
> Any advise how to get rid of the error messages would be greatly
> appreciated.
> --
> Kees
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
