On 02/26/2013 04:29 PM, Dmitri Pal wrote:
> On 02/21/2013 12:31 PM, Dmitri Pal wrote:
>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote:
>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote:
>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember'
>>>>>>>> DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch
>>>>>>>> ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
>>>>>>>> X-ORIGIN 'IPA v3' )
>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup'
>>>>>>>> SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$
>>>>>>>> description $$ owner) X-ORIGIN 'IPA v3' )
>>>>>>> Well that fails as well, though in sort of a self inflicted way:
>>>>>>>
>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command failed,
>>>>>>> exception: DatabaseError: Server is unwilling to perform: Minimum SSF
>>>>>>> not met. arguments: base="cn=config,cn=ldbm
>>>>>>> database,cn=plugins,cn=config", scope=0, filterstr="(objectclass=*)"
>>>>>>> 2013-02-21T16:24:30Z ERROR Unexpected error - see
>>>>>>> /var/log/ipaupgrade.log for details:
>>>>>>> DatabaseError: Server is unwilling to perform: Minimum SSF not met.
>>>>>>> arguments: base="cn=config,cn=ldbm database,cn=plugins,cn=config",
>>>>>>> scope=0, filterstr="(objectclass=*)"
>>>>>>>
>>>>>>>
>>>>>>> Now this probably comes about because I set:
>>>>>>> nsslapd-minssf: 56
>>>>>>> For security.
>>>>>>>
>>>>>>> I can change that back to the default and probably move past this,
>>>>>>> but is that a known issue? Is there another way around?
>>>>>> As root try the --ldapi flag:
>>>>>>
>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update
>>>>>>
>>>>>> rob
>>>>>>
>>>>> ERROR: LDAPUpdate: syntax error:
>>>>> dn is not defined in the update, data source=schema.update
>>>>>
>>>>> -Erinn
>>>>>
>>>> Sorry, add this to the top of your update file:
>>>>
>>>> dn: cn=schema
>>>>
>>>> rob
>>> No worries! Thanks for the help, after a restart of IPA the web UI is
>>> working again. I reckon this is something that needs to be fixed, does
>>> opening a support case and pointing them to that bug help you folks out
>>> with this in any way?
>>
>> This is a known defect. We just did not realize it would have such a bad
>> impact on upgrade.
>> Sorry, the errata is on the way.
>>
>> I would recommend everyone to not upgrade to 6.4 until the errata is shipped.
>> We will notify you as soon as it goes out.
>>
>> Sorry again.
>>
>
I would like to clarify the impact, we have found out it is broader than currently stated:

> We did some research of this issue:
> 1) The upgrade works fine from 6.3 to 6.4 and the issue does not exhibit
> itself
> 2) We have been able to reproduce it with the direct upgrade from 6.2 to 6.4
> 3) Since the expected upgrade part is 6.2 -> 6.3 -> 6.4 the question comes up
> whether this fix is actually that urgent.

This issue also affects both upgrade paths (6.2 -> 6.4 and 6.2 -> 6.3 -> 6.4). This makes the fix urgent and it should be fixed in 6.4 too.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
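
The "dn is not defined in the update" failure quoted in the thread can be caught before the file is handed to ipa-ldap-updater. The check below is an added example, not code from the thread or from FreeIPA. The function name `lint_update` and the simplified file model (comments, continuation lines, `dn:` lines, `keyword:attr:value` directives) are assumptions; the sample input is constructed from the two schema lines posted above.

```python
# Added example: pre-flight lint for an ipa-ldap-updater update file.
# Assumed, simplified file model: '#' comments, blank lines, continuation
# lines starting with a space, 'dn:' lines, 'keyword:attr:value' directives.

def lint_update(text, source="schema.update"):
    """Return a list of problems; an empty list means the file passed."""
    logical = []                      # (first line number, joined line)
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            first, joined = logical[-1]
            logical[-1] = (first, joined + " " + raw.strip())
        else:
            logical.append((no, raw.strip()))

    problems, dn = [], None
    for no, line in logical:
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            if not dn:
                problems.append(f"{source}:{no}: empty dn")
            continue
        if dn is None:
            # Condition behind the error quoted in the thread.
            problems.append(f"{source}:{no}: dn is not defined in the update")
            continue
        parts = line.split(":", 2)
        if len(parts) < 3 or not parts[0] or not parts[1]:
            problems.append(f"{source}:{no}: expected keyword:attr:value")
    return problems

# Constructed sample: the two schema lines posted in the thread.
BODY = (
    "add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember'\n"
    " DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch\n"
    " ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15\n"
    " X-ORIGIN 'IPA v3' )\n"
    "add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup'\n"
    " SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $$ memberOf $$\n"
    " description $$ owner) X-ORIGIN 'IPA v3' )\n"
)
BROKEN = BODY                        # as first tried: no dn line
FIXED = "dn: cn=schema\n" + BODY     # with the line Rob said to add

if __name__ == "__main__":
    for name, text in (("without dn", BROKEN), ("with dn", FIXED)):
        print(name, lint_update(text) or "OK")
```
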