Hi,
On Sun, Oct 19, 2025 at 10:14 AM Alex Corcoles via FreeIPA-users <
[email protected]> wrote:
> Hi!
>
> I run a 2-node FreeIPA server on an EL9 clone. I got some automatic
> updates 4 hours ago:
>
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> pki-jackson-core-2.19.1-1.el9_6.noarch
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> pki-jackson-annotations-2.19.1-1.el9_6.noarch
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> pki-jackson-databind-2.19.1-1.el9_6.noarch
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> pki-jackson-module-jaxb-annotations-2.19.1-1.el9_6.noarch
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> pki-jackson-jaxrs-providers-2.19.1-1.el9_6.noarch
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> 389-ds-base-libs-2.6.1-12.el9_6.x86_64
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> python3-lib389-2.6.1-12.el9_6.noarch
> 2025-10-18T06:09:24+0000 SUBDEBUG Upgrade:
> 389-ds-base-2.6.1-12.el9_6.x86_64
> 2025-10-18T06:09:39+0000 SUBDEBUG Upgrade:
> libssh-config-0.10.4-15.el9_6.noarch
> 2025-10-18T06:09:39+0000 SUBDEBUG Upgrade: libssh-0.10.4-15.el9_6.x86_64
> 2025-10-18T06:09:39+0000 SUBDEBUG Upgrade:
> pki-jackson-jaxrs-json-provider-2.19.1-1.el9_6.noarch
> 2025-10-18T06:09:39+0000 SUBDEBUG Upgrade:
> kernel-headers-5.14.0-570.52.1.el9_6.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgrade:
> iputils-20210202-11.el9_6.3.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgrade:
> vim-minimal-2:8.2.2637-22.el9_6.1.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> 389-ds-base-2.6.1-11.el9_6.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> pki-jackson-jaxrs-json-provider-2.14.1-2.el9.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> pki-jackson-module-jaxb-annotations-2.14.1-2.el9.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> pki-jackson-jaxrs-providers-2.14.1-2.el9.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> pki-jackson-databind-2.14.1-2.el9.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded: libssh-0.10.4-13.el9.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> libssh-config-0.10.4-13.el9.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> pki-jackson-annotations-2.14.1-1.el9.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> pki-jackson-core-2.14.1-2.el9.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> python3-lib389-2.6.1-11.el9_6.noarch
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> kernel-headers-5.14.0-570.49.1.el9_6.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> 389-ds-base-libs-2.6.1-11.el9_6.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> iputils-20210202-11.el9_6.1.x86_64
> 2025-10-18T06:09:40+0000 SUBDEBUG Upgraded:
> vim-minimal-2:8.2.2637-22.el9_6.x86_64
>
> , and now IPA healthcheck is complaining in both nodes:
>
> [alex@ipa9 ~]$ sudo ipa-healthcheck
> [sudo] password for alex:
> [
> {
> "source": "ipahealthcheck.ds.backends",
> "check": "BackendsCheck",
> "result": "CRITICAL",
> "uuid": "c356f22a-dda3-466f-9d29-a17b0f7d69ac",
> "when": "20251019080916Z",
> "duration": "0.168095",
> "kw": {
> "key": "DSBLE0007",
> "items": [
> "cn=changelog"
> ],
> "msg": "System indexes are essential for proper directory server
> operation. Missing or\nincorrectly configured system indexes can lead to
> poor search performance, replication\nissues, and other operational
> problems.\n\nThe following system indexes should be present with correct
> configuration:\n- entryrdn: index type 'subtree'\n- parentId: index type
> 'eq' with matching rule 'integerOrderingMatch'\n- ancestorId: index type
> 'eq' with matching rule 'integerOrderingMatch'\n- objectClass: index type
> 'eq'\n- aci: index type 'pres'\n- nscpEntryDN: index type 'eq'\n-
> nsUniqueId: index type 'eq'\n- nsds5ReplConflict: index types 'eq',
> 'pres'\n- nsCertSubjectDN: index type 'eq'\n- numsubordinates: index type
> 'pres'\n- nsTombstoneCSN: index type 'eq'\n- targetuniqueid: index type
> 'eq'\n- changeNumber: index type 'eq' with matching rule
> 'integerOrderingMatch'\n- entryusn: index type 'eq' with matching rule
> 'integerOrderingMatch'\n\nCurrent discrepancies:\n- Index parentId missing
> matching rule: integerOrderingMatch\n- Unable to check index ancestorId: No
> object exists given the filter criteria: ancestorId
> (&(&(objectclass=nsIndex))(|(cn=ancestorId)))\n"
> }
> },
> {
> "source": "ipahealthcheck.ds.backends",
> "check": "BackendsCheck",
> "result": "CRITICAL",
> "uuid": "63ce8a2d-61d6-4c10-8565-4bf90b7487ff",
> "when": "20251019080916Z",
> "duration": "0.168103",
> "kw": {
> "key": "DSBLE0007",
> "items": [
> "o=ipaca"
> ],
> "msg": "System indexes are essential for proper directory server
> operation. Missing or\nincorrectly configured system indexes can lead to
> poor search performance, replication\nissues, and other operational
> problems.\n\nThe following system indexes should be present with correct
> configuration:\n- entryrdn: index type 'subtree'\n- parentId: index type
> 'eq' with matching rule 'integerOrderingMatch'\n- ancestorId: index type
> 'eq' with matching rule 'integerOrderingMatch'\n- objectClass: index type
> 'eq'\n- aci: index type 'pres'\n- nscpEntryDN: index type 'eq'\n-
> nsUniqueId: index type 'eq'\n- nsds5ReplConflict: index types 'eq',
> 'pres'\n- nsCertSubjectDN: index type 'eq'\n- numsubordinates: index type
> 'pres'\n- nsTombstoneCSN: index type 'eq'\n- targetuniqueid: index type
> 'eq'\n- entryusn: index type 'eq' with matching rule
> 'integerOrderingMatch'\n\nCurrent discrepancies:\n- Index parentId missing
> matching rule: integerOrderingMatch\n- Unable to check index ancestorId: No
> object exists given the filter criteria: ancestorId
> (&(&(objectclass=nsIndex))(|(cn=ancestorId)))\n"
> }
> },
> {
> "source": "ipahealthcheck.ds.backends",
> "check": "BackendsCheck",
> "result": "CRITICAL",
> "uuid": "cbf48511-496d-4924-8157-9e1507b35dc1",
> "when": "20251019080916Z",
> "duration": "0.168104",
> "kw": {
> "key": "DSBLE0007",
> "items": [
> "dc=ipa,dc=pdp7,dc=net"
> ],
> "msg": "System indexes are essential for proper directory server
> operation. Missing or\nincorrectly configured system indexes can lead to
> poor search performance, replication\nissues, and other operational
> problems.\n\nThe following system indexes should be present with correct
> configuration:\n- entryrdn: index type 'subtree'\n- parentId: index type
> 'eq' with matching rule 'integerOrderingMatch'\n- ancestorId: index type
> 'eq' with matching rule 'integerOrderingMatch'\n- objectClass: index type
> 'eq'\n- aci: index type 'pres'\n- nscpEntryDN: index type 'eq'\n-
> nsUniqueId: index type 'eq'\n- nsds5ReplConflict: index types 'eq',
> 'pres'\n- nsCertSubjectDN: index type 'eq'\n- numsubordinates: index type
> 'pres'\n- nsTombstoneCSN: index type 'eq'\n- targetuniqueid: index type
> 'eq'\n- entryusn: index type 'eq' with matching rule
> 'integerOrderingMatch'\n\nCurrent discrepancies:\n- Index parentId missing
> matching rule: integerOrderingMatch\n- Unable to check index ancestorId: No
> object exists given the filter criteria: ancestorId
> (&(&(objectclass=nsIndex))(|(cn=ancestorId)))\n"
> }
> }
> ]
>
> Is there a procedure that needs to be run for this update?
>
This is a known issue introduced by 389-ds update, please follow
https://github.com/389ds/389-ds-base/issues/7032 for the status.
No fix yet but there is an upstream PR:
https://github.com/389ds/389-ds-base/pull/7036/files.
flo
> Cheers,
>
> Álex
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
