Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

Thu, 13 Oct 2016 14:02:25 -0700 


On 13.10.2016 22:23, John Popowitch wrote:

Ok, so I'm looking at fixing the conflicts for ' System: Modify Certificate 
Profile'.
I ran this on each server:
ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate 
Profile*" \* nsds5ReplConflict

And now to make things interesting, this query has different results on each 
server.
Server #1:
# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
  missions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
  f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
  privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=per
  missions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #2:
# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
  pex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
  missions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
  f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
  privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
  missions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #3:
# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cap
  pex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
  privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

I realize that this is a horrible state of replication.
My question is, what happens if I modify or delete an entry on one server that 
doesn't exist on another?
Thanks.
-John




You can remove them on all servers because it is replicated, so the one 
correct (you chose) will be replicated everywhere, IIRC the conflicting 
entries are not replicated, they has just local validity, so you must 
remove those Conflict marks (see dirsrv docs I posted) and then it will 
be replicated



Probably you can remove all System: <something> permissions which have 
replication conflict,  ipa-server-upgrade will recreate those entries. 
However you must fix the "privilege" entries manually (like CA 
Administrator)



Please fix all conflicts before running ipa-server-upgrade, otherwise it 
may fail randomly


Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





























					Reply via email to