[Freeipa-users] Problems with failed upgrade: groups are not created

2015-05-13 Thread Will Sheldon
Hello everyone :)

We are seeing some strange behavior (created groups don't exist) and I
really hope someone can lend some advice...

We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was
aborted before completion, however I believe the schema was updated.

Recently we attempted to upgrade to 4.1, but encountered some issues with
the upgrade; replication failed:

from the install log (before schema update, so server was running 3.3
schema):

===>
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure attribute "cn" not allowed
===<


After that we tried updating the schema, and we now get this error (we have
log file captures for this):

===>
[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 131 seconds elapsed
Update in progress yet not in progress

[vanipa.foo.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]

  [error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
===<

which seems to be referring to this bit of the log:
===>
2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
===<


Since then we have a somewhat strange issue where new groups that are added
using the web interface and ipa CLI command interface are created in the
compat tree, but not in the cn=hostgroups,cn=accounts tree, even though ADD
operations appear to complete successfully (slapd log output below)

===>
[13/May/2015:23:13:58 +] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"

[13/May/2015:23:13:58 +] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +] conn=2616653 op=3660218 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +] conn=2616653 op=3660218 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +] conn=2616653 op=3660219 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +] conn=2616653 op=3660219 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +] conn=2616653 op=3660220 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +] conn=2616653 op=3660220 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +] conn=2616653 op=3660221 SRCH base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +] conn=2616653 op=3660221 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +] conn=2616653 op=3660222 SRCH base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +] conn=2616653 op=3660222 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f800010004
===<


Which is consistent with the slapd log during the upgrade:

[21/Apr/2015:19:18:43 +] NSACLPlugin - The ACL target cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist

-- 

Kind regards,

Will Sheldon
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Problems with failed upgrade: groups are not created

2015-05-14 Thread Martin Basti

Hello,

can you find in ipaserver-install.log more details about this error?
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure attribute "cn" not allowed


Martin


--
Martin Basti


Re: [Freeipa-users] Problems with failed upgrade: groups are not created

2015-05-16 Thread Will Sheldon

Thanks for the reply Martin.

Turns out that there was no problem at all, a minor configuration mistake 
(nested a group inside the wrong parent) led us down a rabbit hole. Our failed 
upgrade happened on the same day our 1000th group was created. Using the LDAP 
browser plugin for Eclipse the default search query limit is 1000… It took a 
while to work that out, needless to say we all feel a little silly and a little 
wiser now :)



 
Will Sheldon
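
Added example (not part of any message in this thread, and not FreeIPA or 389-ds code): a way to check both points from the directory server access log, by pairing each operation with its RESULT on the same conn/op and flagging searches the server cut short. The sample log is constructed, modelled on the excerpt above; its last two lines (a subtree search ending in err=4, sizeLimitExceeded) and the `+0000` offsets are assumptions.

```python
import re

# LDAP result codes meaning a search returned only part of the matching entries.
TRUNCATED = {3: "timeLimitExceeded", 4: "sizeLimitExceeded", 11: "adminLimitExceeded"}
LINE = re.compile(r"conn=(\d+) op=(\d+) (ADD|SRCH|RESULT)\b(.*)")

def correlate(log_text):
    """Pair every ADD/SRCH with its RESULT line using the (conn, op) key."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, kind, rest = (int(m.group(1)), int(m.group(2))), m.group(3), m.group(4)
        if kind != "RESULT":
            target = re.search(r'(?:dn|base)="([^"]*)"', rest)
            pending[key] = {"conn": key[0], "kind": kind,
                            "target": target.group(1) if target else None}
            continue
        err = re.search(r"\berr=(\d+)", rest)
        if key in pending and err:
            n = re.search(r"\bnentries=(\d+)", rest)
            done.append(dict(pending.pop(key), err=int(err.group(1)),
                             nentries=int(n.group(1)) if n else 0))
    return done

def committed_adds(ops):
    """DNs whose ADD came back with err=0 (success) on the same conn/op."""
    return [o["target"] for o in ops if o["kind"] == "ADD" and o["err"] == 0]

def truncated_searches(ops):
    """Searches the server cut short: the client saw fewer entries than exist."""
    return [(o["target"], o["nentries"], TRUNCATED[o["err"]])
            for o in ops if o["kind"] == "SRCH" and o["err"] in TRUNCATED]

# Constructed sample log (see the lead-in for what is assumed).
SAMPLE = '''\
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f800010004
[13/May/2015:23:14:05 +0000] conn=7120500 op=2 SRCH base="cn=hostgroups,cn=accounts,dc=foo,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[13/May/2015:23:14:05 +0000] conn=7120500 op=2 RESULT err=4 tag=101 nentries=1000 etime=0
'''

if __name__ == "__main__":
    ops = correlate(SAMPLE)
    print("committed ADDs:", committed_adds(ops))
    print("truncated searches:", truncated_searches(ops))
```

The err=32 (noSuchObject) results belong to a different connection than the ADD, so they say nothing about whether the group entry was written.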
