#5346 ipa-kra-install: fails to apply updates
Closed: Fixed None Opened 8 years ago by mbasti.

How to reproduce:
1. install master
1. install kra on master
1. ipa-replica-prepare
1. install replica (without CA)
1. ipa-ca-install
1. ipa-kra-install

Result of ipa-kra-install on replica:

# ipa-kra-install /root/ipatests/replica-info.gpg -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
[1/7]: configuring KRA instance
[2/7]: restarting KRA
[3/7]: configure certmonger for renewals
[4/7]: configure certificate renewals
[5/7]: configure HTTP to proxy connections
[6/7]: add vault container
[7/7]: apply LDAP updates
Failed to load vault.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpcuO7cy' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp74Y4AY'' returned non-zero exit status 68
Done configuring KRA server (pki-tomcatd).
Restarting the directory and KRA servers
Restarting the directory server
The ipa-kra-install command was successful

It blows up when adding the KRA container:

2015-10-06T19:39:40Z DEBUG   [6/7]: add vault container
2015-10-06T19:39:40Z DEBUG Starting external process
2015-10-06T19:39:40Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpZM0et9' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpq0gJZ0'
2015-10-06T19:39:40Z DEBUG Process finished, return code=68
2015-10-06T19:39:40Z DEBUG stdout=add objectClass:
        top
        nsContainer
add cn:
        kra
adding new entry "cn=kra,dc=ipa,dc=test"


2015-10-06T19:39:40Z DEBUG stderr=ldap_initialize( ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket/??base )
ldap_add: Already exists (68)

2015-10-06T19:39:40Z CRITICAL Failed to load vault.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpZM0et9' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpq0gJZ0'' returned non-zero exit status 68
2015-10-06T19:39:40Z DEBUG   duration: 0 seconds

This is caused by ipa-kra-install trying to add the container unconditionally, even if the container already exists (it resides in the replicated part of the tree). The fix is to try to add the container only if it does not exist.
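
An added illustration of the behaviour discussed above (not FreeIPA's code and not part of the ticket): it applies an LDIF one record per `ldapmodify` call, because `ldapmodify` without `-c` stops at the first error, and it tolerates only exit status 68 while still raising on any other failure. The second LDIF entry, the function names and the injectable `run` parameter are assumptions made for the example.

```python
import subprocess

LDAP_ALREADY_EXISTS = 68  # LDAP alreadyExists, the exit status in the log above

# Constructed sample: the first entry matches the log, the second is hypothetical.
SAMPLE_LDIF = """\
dn: cn=kra,dc=ipa,dc=test
changetype: add
objectClass: top
objectClass: nsContainer
cn: kra

dn: cn=example,cn=kra,dc=ipa,dc=test
changetype: add
objectClass: top
objectClass: nsContainer
cn: example
"""

def split_records(ldif_text):
    """Split LDIF into records on blank lines, dropping comment lines."""
    records, current = [], []
    for line in ldif_text.splitlines() + [""]:
        if line.strip():
            if not line.startswith("#"):
                current.append(line)
        elif current:
            records.append("\n".join(current) + "\n")
            current = []
    return records

def record_dn(record):
    """Return the DN of a record (assumes a plain, unfolded 'dn:' line)."""
    for line in record.splitlines():
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    raise ValueError("LDIF record has no dn line")

def apply_ldif(ldif_text, ldapmodify_args, run=subprocess.run):
    """Send one record per ldapmodify call so an existing entry cannot
    stop later records; only exit status 68 is tolerated."""
    results = {}
    for record in split_records(ldif_text):
        proc = run(ldapmodify_args, input=record, capture_output=True, text=True)
        if proc.returncode not in (0, LDAP_ALREADY_EXISTS):
            raise subprocess.CalledProcessError(
                proc.returncode, ldapmodify_args, proc.stdout, proc.stderr)
        results[record_dn(record)] = "added" if proc.returncode == 0 else "exists"
    return results
```

In real use `ldapmodify_args` would be the command line from the log without `-f`, so that each record is read from standard input.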

FreeIPA 4.2.3 was released, moving to next bug fixing milestone.

master:

  • 4d59a71 suppress errors arising from adding existing LDAP entries during KRA install

ipa-4-2:

  • f2a7a3e suppress errors arising from adding existing LDAP entries during KRA install

Metadata Update from @mbasti:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2.4

7 years ago
