Upgrade ipa 3.3.5 -> 4.1.0
2014-11-04T02:07:54Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG ---------------------------------------------
2014-11-04T02:07:54Z DEBUG Initial value
2014-11-04T02:07:54Z DEBUG dn: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG objectClass:
2014-11-04T02:07:54Z DEBUG top
2014-11-04T02:07:54Z DEBUG groupofnames
2014-11-04T02:07:54Z DEBUG nestedgroup
2014-11-04T02:07:54Z DEBUG member:
2014-11-04T02:07:54Z DEBUG cn=adtrust agents,cn=sysaccounts,cn=etc,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG cn:
2014-11-04T02:07:54Z DEBUG ADTrust Agents
2014-11-04T02:07:54Z DEBUG description:
2014-11-04T02:07:54Z DEBUG System accounts able to access trust information
2014-11-04T02:07:54Z DEBUG ---------------------------------------------
2014-11-04T02:07:54Z DEBUG Final value after applying updates
2014-11-04T02:07:54Z DEBUG dn: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG objectClass:
2014-11-04T02:07:54Z DEBUG top
2014-11-04T02:07:54Z DEBUG groupofnames
2014-11-04T02:07:54Z DEBUG nestedgroup
2014-11-04T02:07:54Z DEBUG member:
2014-11-04T02:07:54Z DEBUG cn=adtrust agents,cn=sysaccounts,cn=etc,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG cn:
2014-11-04T02:07:54Z DEBUG ADTrust Agents
2014-11-04T02:07:54Z DEBUG description:
2014-11-04T02:07:54Z DEBUG System accounts able to access trust information
2014-11-04T02:07:54Z ERROR Add failure
dirsrv access log
[03/Nov/2014:21:07:54 -0500] conn=11 op=233 SRCH base="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[03/Nov/2014:21:07:54 -0500] conn=11 op=233 RESULT err=32 tag=101 nentries=0 etime=0
[03/Nov/2014:21:07:54 -0500] conn=11 op=234 ADD dn="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com"
dirsrv error log
[03/Nov/2014:21:07:54 -0500] - Entry "cn=adtrust agents,cn=sysaccounts,cn=etc,dc=example,dc=com" -- attribute "memberOf" not allowed
[03/Nov/2014:21:07:54 -0500] memberof-plugin - memberof_postop_add: failed to add dn(cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com), error (65)
Error 65 = Objectclass violation
To reproduce, it is required to have applied the patch fixing #4670.
I accidentally copy/pasted the access log without the last line:
[03/Nov/2014:21:07:54 -0500] conn=11 op=233 SRCH base="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[03/Nov/2014:21:07:54 -0500] conn=11 op=233 RESULT err=32 tag=101 nentries=0 etime=0
[03/Nov/2014:21:07:54 -0500] conn=11 op=234 ADD dn="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com"
[03/Nov/2014:21:07:54 -0500] conn=11 op=234 RESULT err=65 tag=105 nentries=0 etime=0
This bug could be caused by #4622
My guess is that
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: nestedgroup
default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents
is done after
dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: cn: ADTrust Agents
default: description: System accounts able to access trust information
default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
and the nestedgroup objectclass is missing. You need to make sure the nestedgroup
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: nestedgroup
is done first.
is done first.
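The ordering suspected in the comment above can be checked mechanically. The following is an added example, not part of the ticket or of FreeIPA's code: it assumes update records use the `dn:` / `action: attr: value` syntax exactly as quoted here, the function names are hypothetical, and the sample is constructed from the two quoted records in the failing order.

```python
# Constructed sample: the two records quoted in the ticket, privilege first.
SAMPLE = """\
dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: cn: ADTrust Agents
default: description: System accounts able to access trust information
default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: nestedgroup
default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents
"""

def parse_records(text):
    """Return [(dn, [(action, attr, value), ...])] in file order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            records.append((line[3:].strip(), []))
        elif records:
            parts = [p.strip() for p in line.split(":", 2)]
            if len(parts) == 3:  # action, attribute, value
                records[-1][1].append(tuple(parts))
    return records

def misordered_members(text):
    """Find (group_dn, member_dn) pairs where the member is referenced
    before the record that gives it the nestedgroup objectClass."""
    records = parse_records(text)
    granted_at = {}  # lowercased DN -> index of first record granting nestedgroup
    for i, (dn, ops) in enumerate(records):
        if any(a.lower() == "objectclass" and v.lower() == "nestedgroup"
               for _, a, v in ops):
            granted_at.setdefault(dn.lower(), i)
    problems = []
    for i, (dn, ops) in enumerate(records):
        for _, attr, value in ops:
            # DN comparison is case-insensitive only (assumption: no spacing variants)
            if attr.lower() == "member" and granted_at.get(value.lower(), -1) > i:
                problems.append((dn, value))
    return problems
```

Members that never appear as a record in the same input are not flagged, since they may already exist in the directory with the objectClass in place.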
All 4.1 upgrade issues need to be fixed.
FreeIPA 4.1.1 was released.
Bug is also in 4.0.x.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1161128 (Red Hat Enterprise Linux 7)
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @mbasti: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.0.4