#6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin
Closed: Fixed None Opened 7 years ago by mbabinsk.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1397439

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Created attachment 1222747
Replica install log

Creating bug for this issue (https://fedorahosted.org/freeipa/ticket/5412) , as
I do not see one referenced on it.

The customer ended up working with Martin Babinsky to resolve their issue.

Martin provided the following LDIF's for me to try once the ipa-replica-install
issue got stuck and it resolved their issue:

== on IPA master:

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
add: nsDS5ReplicaBindDNGroup
nsDS5ReplicaBindDNGroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=example,dc=com

dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: member
member: krbprincipalname=ldap/replica.example.com@EXAMPLE.
COM,cn=services,cn=accounts,dc=example,dc=com

== on IPA replica:

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
add: nsDS5ReplicaBindDN
nsDS5ReplicaBindDNGroup: cn=replication
managers,cn=sysaccounts,cn=etc,dc=example=com

dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: member
member: krbprincipalname=ldap/master.example.com@EXAMPLE.
COM,cn=services,cn=accounts,dc=example,dc=com

The actual issue and workaround are summarized here:

After debugging the issue in my test environment with Thierry Bordaz and Ludwig Krispenz, we found out that the root cause is a missing 'nsds5replicabinddngroupcheckinterval' attribute on 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry. Without this attribute the replication plugin does not check for the current members of the 'cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX' groupand so does not recognize and denies updates made by them.

A workaround is to modify the relevant entry in '/usr/share/ipa/ca-topology.uldif' file:

"""
<SNIP>

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config                          
onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
add: nsds5replicabinddngroupcheckinterval: 60 <-- insert this line
"""

Then run `ipa-ldap-updater /usr/share/ipa/ca-topology.uldif` and then try reinstalling the replica. The process has to be repeated to all CA replicas that were upgraded.

Steps to reproduce the issue:

1.) install 4.2 or 4.3 domain level 0 master and CA replica

2.) Upgrade (sequentially) master and replica to 4.4

3.) raise domain level to 1

4.) Try to set up another CA replica against existing one

Alternatively (shorter one):

1.) install 4.3 master and CA replica in domain level 0

2.) raise domain level to 1

3.) try to set up new CA replica against the old ones

In both cases, expected result is that CA replica is installed and functional

Actual result is that CA installation gets stuck indefinitely on creating temporary CA admin

master:

  • 73d0d03 upgrade: add replica bind DN group check interval to CA topology config
  • 266b9d9 replication: ensure bind DN group check interval is set on replica config

ipa-4-4 will follow

ipa-4-4:

  • 8c6a10c upgrade: add replica bind DN group check interval to CA topology config
  • 9502ee5 replication: ensure bind DN group check interval is set on replica config

Commit 266b9d9 probably causes upgrade issues on first server

2016-12-07T12:09:16Z DEBUG Executing upgrade plugin: update_ca_topology
2016-12-07T12:09:16Z DEBUG raw: update_ca_topology
....

2016-12-07T12:09:18Z DEBUG New entry: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2016-12-07T12:09:18Z DEBUG ---------------------------------------------
2016-12-07T12:09:18Z DEBUG Initial value
2016-12-07T12:09:18Z DEBUG dn: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2016-12-07T12:09:18Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=dom-028,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to nsds5replicabinddngroup, current value []
2016-12-07T12:09:18Z DEBUG add: '60' to nsds5replicabinddngroupcheckinterval, current value []
2016-12-07T12:09:18Z DEBUG add: updated value ['60']
2016-12-07T12:09:18Z DEBUG ---------------------------------------------
2016-12-07T12:09:18Z DEBUG Final value after applying updates
2016-12-07T12:09:18Z DEBUG dn: cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config
2016-12-07T12:09:18Z DEBUG nsds5replicabinddngroupcheckinterval:
2016-12-07T12:09:18Z DEBUG      60
2016-12-07T12:09:18Z ERROR Add failure missing required attribute "objectclass"

object does not exists, but there is add statement in upgrade file which tries to create an entry without objectclass and it fails

master:

  • 6086a6d Revert "upgrade: add replica bind DN group check interval to CA topology config"
  • 6d0e450 add missing attribute to ipaca replica during CA topology update

ipa-4-4:

  • 0ae9cd7 Revert "upgrade: add replica bind DN group check interval to CA topology config"
  • b0acb23 add missing attribute to ipaca replica during CA topology update

Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.3

7 years ago

Login to comment on this ticket.

Metadata