#4622 Operation failing during ipa-upgrade
Closed: Fixed None Opened 9 years ago by dkupka.

Steps to reproduce (on F20):

Build freeipa from ipa-4-0 branch
# dnf install freeipa-server-3.3.5 -y
# ipa-server-install -a Secret123 -p Secret123 -r `domainname -d | tr '[:lower:]' '[:upper:]'`
# dnf copr enable mkosek/freeipa -y
# dnf copr enable vakwetu/dogtag -y
# dnf update freeipa-{server,client,admintools,python}-4.0.0GIT*.rpm -y

Errors are show during upgrade:

...
Update failed
Add failure
...

And can be found in ipaupgrade.log (full log attached):

2014-10-07T00:46:54Z ERROR Update failed: Operations error:
...
2014-10-07T00:47:02Z ERROR Add failure

Is it related to #4586? CCing Ludwig.

We will need to fix in 4.0.x anyway.

No, don't think it has anything to do with 4586, it is in the upgrade of the referential integrity plugin config entry:
2014-10-07T00:46:54Z DEBUG [(1, u'nsslapd-pluginarg16', None), (1, u'nsslapd-pluginarg7', None), (1, u'nsslapd-pluginarg9', None), (1, u'nsslapd-pluginarg8', None), (1, u'nsslapd-pluginarg11', None), (1, u'nsslapd-pluginarg10', None), (1, u'nsslapd-pluginarg13', None), (1, u'nsslapd-pluginarg12', None), (1, u'nsslapd-pluginarg17', None), (1, u'nsslapd-pluginarg15', None), (2, u'referint-membership-attr', ['sourcehost', 'memberallowcmd', 'memberdenycmd', 'memberuser', 'managedby', 'manager', 'memberservice', 'ipasudorunas', 'ipasudorunasgroup', 'secretary', 'memberhost', 'ipatokenradiusconfiglink']), (1, u'nsslapd-pluginarg14', None)]
2014-10-07T00:46:54Z DEBUG Live 1, updated 1
2014-10-07T00:46:54Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
2014-10-07T00:46:54Z ERROR Update failed: Operations error:

There was a change moving from pluginArgN to membership attr, maybe it is related to that change

for better reading

2014-10-07T00:46:54Z DEBUG [(1, u'nsslapd-pluginarg16', None), (1, u'nsslapd-pluginarg7', None), (1, u'nsslapd-pluginarg9', None), (1, u'nsslapd-pluginarg8', None), (1, u'nsslapd-pluginarg11', None), (1, u'nsslapd-pluginarg10', None), (1, u'nsslapd-pluginarg13', None), (1, u'nsslapd-pluginarg12', None), (1, u'nsslapd-pluginarg17', None), (1, u'nsslapd-pluginarg15', None), (2, u'referint-membership-attr', ['sourcehost', 'memberallowcmd', 'memberdenycmd', 'memberuser', 'managedby', 'manager', 'memberservice', 'ipasudorunas', 'ipasudorunasgroup', 'secretary', 'memberhost', 'ipatokenradiusconfiglink']), (1, u'nsslapd-pluginarg14', None)] 
2014-10-07T00:46:54Z DEBUG Live 1, updated 1 
2014-10-07T00:46:54Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
2014-10-07T00:46:54Z ERROR Update failed: Operations error:

I got same on ipa-4-1 upgrade (4-1 to newer 4-1)

2014-11-04T09:39:12Z DEBUG [(1, u'nsslapd-pluginarg16', None), (1, u'nsslapd-pluginarg7', None), (1, u'nsslapd-pluginarg9', None), (1, u'nsslapd-pluginarg8', None), (1, u'nsslapd-pluginarg11', None), (1, u'nsslapd-pluginarg10', None), (1, u'nsslapd-pluginarg13', None), (1, u'nsslapd-pluginarg12', None), (1, u'nsslapd-pluginarg17', None), (1, u'nsslapd-pluginarg15', None), (2, u'referint-membership-attr', ['sourcehost', 'memberallowcmd', 'ipaassignedidview', 'memberuser', 'memberdenycmd', 'managedby', 'manager', 'memberservice', 'ipasudorunas', 'ipasudorunasgroup', 'secretary', 'memberhost', 'ipatokenradiusconfiglink']), (1, u'nsslapd-pluginarg14', None)]
2014-11-04T09:39:12Z DEBUG Live 1, updated 1
2014-11-04T09:39:13Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
2014-11-04T09:39:13Z ERROR Update failed: Operations error:

do you have anything in the DS error log, could you provide the plugin config in the dse.ldif ?

error log:

[04/Nov/2014:10:39:09 +0100] - slapd started.  Listening on /var/run/slapd-IPA-EXAMPLE-COM.socket for LDAPI requests
[04/Nov/2014:10:39:12 +0100] referint-plugin - Plugin configuration is missing referint-update-delay
[04/Nov/2014:10:39:13 +0100] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ...
[04/Nov/2014:10:39:13 +0100] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ...
[04/Nov/2014:10:39:13 +0100] ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
[04/Nov/2014:10:39:13 +0100] ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
[04/Nov/2014:10:39:13 +0100] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 2 max work q stack size 2
[04/Nov/2014:10:39:13 +0100] - slapd shutting down - waiting for 1 thread to terminate
[04/Nov/2014:10:39:13 +0100] - slapd shutting down - closing down internal subsystems and plugins

Access log:

[04/Nov/2014:10:39:13 +0100] conn=11 op=144 SRCH base="cn=Automember Readers,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=144 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=145 SRCH base="cn=Delegation Administrator,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=145 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=146 SRCH base="cn=Hostgroup,cn=automember,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=146 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=147 SRCH base="cn=Sudo Administrator,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=147 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=148 SRCH base="cn=IT Security Specialist,cn=roles,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=148 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=149 SRCH base="cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=149 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=150 SRCH base="cn=RBAC Readers,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=150 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=151 SRCH base="cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=151 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=152 SRCH base="cn=Security Architect,cn=roles,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=152 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=153 SRCH base="cn=Host Administrators,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=153 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=154 SRCH base="cn=request certificate different host,cn=virtual operations,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=154 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=155 SRCH base="cn=certificate remove hold,cn=virtual operations,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=155 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=156 SRCH base="cn=Group Administrators,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=156 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=157 SRCH base="cn=aclResources,o=ipaca" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=157 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=158 SRCH base="cn=7-bit check,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=158 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=159 SRCH base="cn=Update Role memberOf 1415093948,cn=memberof task,cn=tasks,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=159 RESULT err=32 tag=101 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=160 ADD dn="cn=Update Role memberOf 1415093948,cn=memberof task,cn=tasks,cn=config"
[04/Nov/2014:10:39:13 +0100] conn=11 op=161 SRCH base="nis-domain=ipa.example.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=162 SRCH base="cn=Update PBAC memberOf 1415093948,cn=memberof task,cn=tasks,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=161 RESULT err=32 tag=101 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=163 ADD dn="cn=Update PBAC memberOf 1415093948,cn=memberof task,cn=tasks,cn=config"
[04/Nov/2014:10:39:13 +0100] conn=11 op=162 RESULT err=32 tag=101 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=160 RESULT err=0 tag=105 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=164 SRCH base="nis-domain=ipa.example.com+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=165 ADD dn="nis-domain=ipa.example.com+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config"
[04/Nov/2014:10:39:13 +0100] conn=11 op=164 RESULT err=32 tag=101 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=165 RESULT err=32 tag=105 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=163 RESULT err=0 tag=105 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=166 SRCH base="nis-domain=ipa.example.com+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=166 RESULT err=32 tag=101 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=167 ADD dn="nis-domain=ipa.example.com+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config"
[04/Nov/2014:10:39:13 +0100] conn=11 op=167 RESULT err=32 tag=105 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=168 SRCH base="cn=ipaConfig,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=168 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=169 SRCH base="cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=169 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=170 SRCH base="cn=gssftp,cn=hbacservices,cn=hbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=170 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=171 SRCH base="cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=171 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=172 SRCH base="cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=172 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=173 SRCH base="cn=crond,cn=hbacservices,cn=hbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=173 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=174 SRCH base="cn=vsftpd,cn=hbacservices,cn=hbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=174 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=175 SRCH base="cn=editors,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=175 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=176 SRCH base="cn=ftp,cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=176 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=177 SRCH base="cn=proftpd,cn=hbacservices,cn=hbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=177 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=178 SRCH base="cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=178 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=179 SRCH base="cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=179 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=180 SRCH base="dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=180 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=181 SRCH base="cn=IPA Range-Check,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=181 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=182 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=182 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=183 SRCH base="cn=trusts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=183 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=184 SRCH base="cn=ranges,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=184 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=185 SRCH base="cn=ipaConfig,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=185 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=186 SRCH base="cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=186 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=187 SRCH base="cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=187 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=188 SRCH base="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=188 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=189 SRCH base="cn=trust admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=189 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=190 SRCH base="cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=190 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=191 SRCH base="cn=views,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=11 op=191 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=11 op=192 UNBIND
[04/Nov/2014:10:39:13 +0100] conn=11 op=192 fd=66 closed - U1
[04/Nov/2014:10:39:13 +0100] conn=12 fd=65 slot=65 connection from local to /var/run/slapd-IPA-EXAMPLE-COM.socket
[04/Nov/2014:10:39:13 +0100] conn=12 AUTOBIND dn="cn=Directory Manager"
[04/Nov/2014:10:39:13 +0100] conn=12 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
[04/Nov/2014:10:39:13 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=Directory Manager"
[04/Nov/2014:10:39:13 +0100] conn=13 fd=66 slot=66 connection from local to /var/run/slapd-IPA-EXAMPLE-COM.socket
[04/Nov/2014:10:39:13 +0100] conn=13 AUTOBIND dn="cn=Directory Manager"
[04/Nov/2014:10:39:13 +0100] conn=13 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
[04/Nov/2014:10:39:13 +0100] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=Directory Manager"
[04/Nov/2014:10:39:13 +0100] conn=13 op=1 UNBIND
[04/Nov/2014:10:39:13 +0100] conn=13 op=1 fd=66 closed - U1
[04/Nov/2014:10:39:13 +0100] conn=12 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Nov/2014:10:39:13 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=2 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[04/Nov/2014:10:39:13 +0100] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com" scope=2 filter="(&(cn=CA)(ipaConfigString=caRenewalMaster))" attrs=ALL
[04/Nov/2014:10:39:13 +0100] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=4 SRCH base="cn=ranges,cn=etc,dc=ipa,dc=example,dc=com" scope=2 filter="(objectClass=ipaDomainIDRange)" attrs=ALL
[04/Nov/2014:10:39:13 +0100] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=5 SRCH base="cn=ADTRUST,cn=master.ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Nov/2014:10:39:13 +0100] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=6 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Nov/2014:10:39:13 +0100] conn=12 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=7 SRCH base="cn=dns,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Nov/2014:10:39:13 +0100] conn=12 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=8 SRCH base="krbprincipalname=DNS/master.ipa.example.com@IPA.EXAMPLE.COM,cn=services,cn=accounts,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="nsTimeLimit nsSizeLimit nsLookThroughLimit nsIdleTimeout"
[04/Nov/2014:10:39:13 +0100] conn=12 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=9 SRCH base="cn=dns,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Nov/2014:10:39:13 +0100] conn=12 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=10 SRCH base="cn=dns,dc=ipa,dc=example,dc=com" scope=1 filter="(&(objectClass=top)(objectClass=idnsrecord)(objectClass=idnszone))" attrs="sSHFPRecord hiprecord spfrecord tkeyrecord idnsForwardPolicy nSEC3PARAMRecord idnsAllowTransfer idnsSOAretry idnsSOArefresh nSECRecord aRecord tarecord dhcidrecord kXRecord tsigrecord * pTRRecord idnsForwarders idnsAllowQuery idnsName aFSDBRecord aplrecord nAPTRRecord idnsZoneActive nsec3record nSRecord LocRecord TLSARecord SigRecord idnsSOAminimum rprecord aAAARecord ipseckeyrecord rRSIGRecord DLVRecord idnsSOAmName idnsSOAexpire idnsSecInlineSigning cNAMERecord certRecord idnsSOAserial sRVRecord dNameRecord dSRecord tXTRecord mXRecord a6Record KeyRecord idnsSOArName dnskeyrecord aci"
[04/Nov/2014:10:39:13 +0100] conn=12 op=10 RESULT err=0 tag=101 nentries=3 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=11 SRCH base="cn=ranges,cn=etc,dc=ipa,dc=example,dc=com" scope=2 filter="(&(objectClass=ipaIDrange)(!(ipaRangeType=*)))" attrs="objectClass"
[04/Nov/2014:10:39:13 +0100] conn=12 op=11 RESULT err=0 tag=101 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=12 SRCH base="cn=ipaConfig,cn=etc,dc=ipa,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaKrbAuthzData"
[04/Nov/2014:10:39:13 +0100] conn=12 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=13 SRCH base="cn=services,cn=accounts,dc=ipa,dc=example,dc=com" scope=2 filter="(&(objectClass=krbprincipal)(objectClass=ipaservice)(!(objectClass=ipakrbprincipal)))" attrs="objectClass krbPrincipalName"
[04/Nov/2014:10:39:13 +0100] conn=12 op=13 RESULT err=0 tag=101 nentries=0 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=14 SRCH base="cn=config" scope=2 filter="(&(objectClass=nsslapdplugin)(nsslapd-pluginPath=libattr-unique-plugin)(nsslapd-pluginInitfunc=NSUniqueAttr_Init)(!(nsslapd-pluginEnabled=off))(|(uniqueness-attribute-name=uid)(nsslapd-plugarg0=uid)))" attrs="* aci"
[04/Nov/2014:10:39:13 +0100] conn=12 op=14 RESULT err=0 tag=101 nentries=1 etime=0
[04/Nov/2014:10:39:13 +0100] conn=12 op=15 MOD dn="cn=uid uniqueness,cn=plugins,cn=config"
[04/Nov/2014:10:39:13 +0100] conn=12 op=16 UNBIND
[04/Nov/2014:10:39:13 +0100] conn=12 op=16 fd=65 closed - U1
[04/Nov/2014:10:39:13 +0100] conn=12 op=15 RESULT err=0 tag=103 nentries=0 etime=0

I don't know how you did get into this state, but can explain why it is failing.

The key is: referint-plugin - Plugin configuration is missing referint-update-delay

The configuration of the referint plugin and the way ipa handles it both have changed over time.

Originally the referint used the "standard" plugin configuration by providing config attra as: nsslapd-pluginarg0, nsslapd-pluginarg1,....
where each nr had a specific meaning. The attrs used to define membership-attrs were the highest numbers and could be extended. This was used by IPA adding nsslapd-pluginarg7,....17, or so.

At some point, DS introduced a new plugin configuration using more meaningful atr names like: referint-update-delay, referint-membership-attr,....
BUT: It did not handle or allow mixed mode, so if a "new" attrname is detected it expects all config attrs to be in the new form.
This was addressed by a fix in IPA upgrade to set referint-membership-attr instead of nsslapd-pluginarg7,.... because the DS was using the new form.

Now in your environment you have all config in the "old" format and when only changing referint-membership-attr the result is a mixed mode, which leads to the error.

What to do: I think the upgrade script has to detect if the refereint config is in "old" or "new" mode and and handle it different, or always set all config in new mode

the latest IPA Fix was in ticket 4537

The 'Add failure' error is reported and solved separately in ticket #4680.

ipa-4-0:

  • 9a9eccb Fix upgrade referint plugin

ipa-4-1:

  • 65624c9 Fix upgrade referint plugin

master:

  • f62c784 Fix upgrade referint plugin

Metadata Update from @dkupka:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.0.4

7 years ago

Login to comment on this ticket.

Metadata