#3314 Cannot install an IPA Replica server with PKI-CA/Dogtag from a master with a large CRL
Closed: Fixed None Opened 11 years ago by jraquino.

There is a DIRSRV variable set during the PKI install: nsslapd-maxbersize. This variable is -not- dynamically initialized. Because of this, a restart is required for it to take effect.

When building a replica from a PKI-CA master with a large CRL, the installation fails during the replication phase:

Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/13]: creating certificate server user
[2/13]: creating pki-ca instance
[3/13]: configuring certificate server instance

/var/log/dirsrv/slapd-PKI-CA/error:

[17/Dec/2012:15:50:22 -0800] - ERROR bulk import abandoned
[17/Dec/2012:15:50:22 -0800] - import ipaca: Aborting all Import threads...
[17/Dec/2012:15:50:33 -0800] - import ipaca: Import threads aborted.
[17/Dec/2012:15:50:33 -0800] - import ipaca: Closing files...
[17/Dec/2012:15:50:33 -0800] - import ipaca: Import failed.
[17/Dec/2012:15:50:33 -0800] - process_bulk_import_op: NULL target sdn

/var/log/dirsrv/slapd-PKI-CA/access:

[17/Dec/2012:15:50:22 -0800] conn=15 op=-1 fd=73 closed error 34 (Numerical result out of range) - B


This bug has a 1 line workaround / fix:

ipaserver/install/cainstance.py: In the [slapd] stanza of "INF_TEMPLATE" variable, the ldif containing the max limit increase need only be declared.

ConfigFile = /usr/share/pki/ca/conf/database.ldif

This will cause the directory to have the variable defined during initialization, and it will not require a restart to take effect.

The same file is later called by the installation process but this way, it ensures that the change is made before replication attempts have begun.

Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.2

7 years ago
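
Added example, not part of the original ticket or of FreeIPA: a small triage script that checks whether a failed replica install matches the signature reported above, by pairing an access-log close with error 34 and a closure code starting with "B" against an "ERROR bulk import abandoned" entry in the error log within a few seconds. The function names and the 5-second window are assumptions; the sample lines are the ones quoted in the ticket plus one constructed unrelated line.

```python
import re
from datetime import datetime, timedelta

TS = r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"
# Access log: connection closed with error 34 and a closure code starting with "B".
ACCESS_RE = re.compile(TS + r" conn=(\d+) .*closed error 34 \(.*?\) - (B\S*)")
# Error log: the bulk import (replica initialization) was abandoned.
ERROR_RE = re.compile(TS + r" - ERROR bulk import abandoned")

# Log lines quoted in the ticket, plus one constructed unrelated close (conn=14).
SAMPLE_ACCESS = [
    "[17/Dec/2012:15:49:01 -0800] conn=14 op=3 fd=70 closed - U1",
    "[17/Dec/2012:15:50:22 -0800] conn=15 op=-1 fd=73 closed error 34 (Numerical result out of range) - B",
]
SAMPLE_ERROR = [
    "[17/Dec/2012:15:50:22 -0800] - ERROR bulk import abandoned",
    "[17/Dec/2012:15:50:33 -0800] - import ipaca: Import failed.",
]

def _parse_ts(text):
    # Timestamp format used by both dirsrv logs, e.g. 17/Dec/2012:15:50:22 -0800
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def find_ber_import_failures(access_lines, error_lines, window_s=5):
    """Return error-34 / code B* closes that coincide with an abandoned bulk import."""
    aborts = [_parse_ts(m.group(1)) for m in map(ERROR_RE.match, error_lines) if m]
    window = timedelta(seconds=window_s)
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        closed = _parse_ts(m.group(1))
        # Only report closes that line up in time with an abandoned import.
        if any(abs(closed - a) <= window for a in aborts):
            hits.append({"conn": int(m.group(2)),
                         "time": closed.isoformat(),
                         "code": m.group(3)})
    return hits

if __name__ == "__main__":
    for hit in find_ber_import_failures(SAMPLE_ACCESS, SAMPLE_ERROR):
        print("conn=%(conn)d closed at %(time)s with code %(code)s during bulk import" % hit)
```
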
