Makes sense. What is the solution here? I have the latest 389-ds installed but still getting "allowWeakCipher" error - how to I get around that?
-M On 10/30/14, 11:12 AM, Martin Basti wrote: > On 24/10/14 05:17, Michael Lasevich wrote: >> While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one >> of the two boxes: >> >> Upgrade failed with attribute "allowWeakCipher" not allowed >> IPA upgrade failed. >> Unexpected error >> DuplicateEntry: This entry already exists >> > > Named errors are caused by cascade effect, if ldap schema and entry > updates failed, there is misconfigured DS plugin which is responsible > to keep DNSSEC keys DN unique, what causes duplication errors. > DuplicateEntry exception is fatal, so dnskeysyncd installation will > not continue, > what causes there are not appropriate permissions for token database, > and named-pkcs11 can't read tokens. >> >> >> It seems the ipa no longer starts up after this. The replica server >> seems to have had same error,but it runs just fine. >> >> From digging around, it appears that there are a number of GSS errors >> in dirsrv and bind fails with something like: >> >> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token >> e919db16-6329-406c-6ae4-120ad68508c4 >> named-pkcs11[2212]: sha1.c:92: fatal error: >> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, >> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), >> 0) == 0) failed >> >> Any help would be appreciated >> >> >> -M >> >> >> > > > -- > Martin Basti
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
