On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: > On 02/26/2013 10:29 AM, Dmitri Pal wrote: >> On 02/21/2013 12:31 PM, Dmitri Pal wrote: >>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: >>>> On 02/21/2013 09:40 AM, Rob Crittenden wrote: >>>>> Erinn Looney-Triggs wrote: >>>>>> On 02/21/2013 09:34 AM, Rob Crittenden wrote: >>>>>>> Erinn Looney-Triggs wrote: >>>>>>>> On 02/21/2013 09:07 AM, Rob Crittenden wrote: >>>>>>>>> add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME >>>>>>>>> 'ipaExternalMember' DESC 'External Group Member >>>>>>>>> Identifier' EQUALITY caseIgnoreMatch ORDERING >>>>>>>>> caseIgnoreOrderingMatch SYNTAX >>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) >>>>>>>>> add:objectClasses: (2.16.840.1.113730.3.8.12.1 NAME >>>>>>>>> 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( >>>>>>>>> ipaExternalMember $$ memberOf $$ description $$ owner) >>>>>>>>> X-ORIGIN 'IPA v3' ) >>>>>>>> Well that fails as well, though in sort of a self inflicted >>>>>>>> way: >>>>>>>> >>>>>>>> 2013-02-21T16:24:30Z INFO The ipa-ldap-updater command >>>>>>>> failed, exception: DatabaseError: Server is unwilling to >>>>>>>> perform: Minimum SSF not met. arguments: >>>>>>>> base="cn=config,cn=ldbm database,cn=plugins,cn=config", >>>>>>>> scope=0, filterstr="(objectclass=*)" 2013-02-21T16:24:30Z >>>>>>>> ERROR Unexpected error - see /var/log/ipaupgrade.log for >>>>>>>> details: DatabaseError: Server is unwilling to perform: >>>>>>>> Minimum SSF not met. arguments: base="cn=config,cn=ldbm >>>>>>>> database,cn=plugins,cn=config", scope=0, >>>>>>>> filterstr="(objectclass=*)" >>>>>>>> >>>>>>>> >>>>>>>> Now this probably comes about because I set: nsslapd-minssf: >>>>>>>> 56 For security. >>>>>>>> >>>>>>>> I can cange that back to the default and probably move past >>>>>>>> this, but is that a known issue? Is there another way >>>>>>>> around? >>>>>>> As root try the --ldapi flag: >>>>>>> >>>>>>> # ipa-ldap-updater --ldapi /path/to/scheme.update >>>>>>> >>>>>>> rob >>>>>>> >>>>>> ERROR: LDAPUpdate: syntax error: dn is not defined in the >>>>>> update, data source=schema.update >>>>>> >>>>>> -Erinn >>>>>> >>>>> Sorry, add this to the top of your update file: >>>>> >>>>> dn: cn=schema >>>>> >>>>> rob >>>> No worries! Thanks for the help, after a restart of IPA the web UI >>>> is working again. I reckon this is something that needs to be fixed, >>>> does opening a support case and pointing them to that bug help you >>>> folks out with this in any way? >>> >>> This is a know defect. We just did not realize it would have such a >>> bad impact on upgrade. Sorry, the errata is on the way. >>> >>> I would recommend everyone to not upgrade to 6.4 until the errata is >>> shipped. We will notify you as soon as it goes out. >>> >>> Sorry again. >>> >> >> We did some research of this issue: 1) The upgrade works fine from 6.3 >> to 6.4 and the issue does not exhibit itself 2) We have been able to >> reproduce it with the direct upgrade from 6.2 to 6.4 3) Since the >> expected upgrade part is 6.2 -> 6.3 -> 6.4 the question comes up whether >> this fix is actually that urgent. 4) In the presence of the simple >> workaround we feel that it is not that important to include this fix >> into the errata that we are working on. >> >> Please let us know if you think that there is a problem with the plan >> above. >> >> > > Well all I can tell you on this, is that mine was an upgrade from 6.3 to > 6.4, so there is a case where it will fail going from 6.3 to 6.4, but how > applicable it is I can't say.
Hi Erinn, Is 6.3 the original RHEL version where IPA server was installed? Or was IPA installed on RHEL-6.2 and then you upgraded RHEL to 6.3? Thank you, Martin _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users