#5524 Upgrade error: Add failure missing required attribute "objectclass"
Closed: Fixed None Opened 8 years ago by dkupka.

Steps to reproduce:

# dnf install -y freeipa-{server,client,admintools,python}
# ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.TEST -U
build current master (4.2.90.tshash)
# dnf upgrade ./freeipa-{server,client,admintools,python}-4.2.90.tshash

Output:

  Upgrading   : freeipa-python-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                               1/8 
  Upgrading   : freeipa-client-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                               2/8 
Could not load host key: /etc/ssh/ssh_host_dsa_key
  Upgrading   : freeipa-admintools-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                           3/8 
  Upgrading   : freeipa-server-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                               4/8 
  Cleanup     : freeipa-server-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                     5/8 
  Cleanup     : freeipa-admintools-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                 6/8 
  Cleanup     : freeipa-client-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                     7/8 
  Cleanup     : freeipa-python-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                     8/8 
Add failure missing required attribute "objectclass"
  Verifying   : freeipa-admintools-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                           1/8 
  Verifying   : freeipa-client-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                               2/8 
  Verifying   : freeipa-python-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                               3/8 
  Verifying   : freeipa-server-4.2.90.201512080712GITcac756b-0.fc23.x86_64                                                                                                                                                               4/8 
  Verifying   : freeipa-server-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                     5/8 
  Verifying   : freeipa-admintools-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                 6/8 
  Verifying   : freeipa-client-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                     7/8 
  Verifying   : freeipa-python-4.2.3-1.1.fc23.x86_64                                                                                                                                                                                     8/8

Relevant part of log:

2015-12-08T07:52:16Z DEBUG New entry: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG ---------------------------------------------
2015-12-08T07:52:16Z DEBUG Initial value
2015-12-08T07:52:16Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG add: '(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)' to aci, current value []
2015-12-08T07:52:16Z DEBUG add: updated value ['(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)']
2015-12-08T07:52:16Z DEBUG add: '(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)' to aci, current value ['(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)']
2015-12-08T07:52:16Z DEBUG add: updated value ['(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)', '(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)']
2015-12-08T07:52:16Z DEBUG ---------------------------------------------
2015-12-08T07:52:16Z DEBUG Final value after applying updates
2015-12-08T07:52:16Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG aci:
2015-12-08T07:52:16Z DEBUG      (target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)
2015-12-08T07:52:16Z DEBUG      (target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)
2015-12-08T07:52:16Z ERROR Add failure missing required attribute "objectclass"
2015-12-08T07:52:16Z DEBUG Parsing update file '/usr/share/ipa/updates/20-dna.update'
2015-12-08T07:52:16Z DEBUG Updating existing entry: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2015-12-08T07:52:16Z DEBUG ---------------------------------------------

I can see the relevance of the issue in the ticket; however, I have so far been unable to reproduce it during upgrade from IPA 4.2.3-1.

I was able to reproduce the issue every time and the patch fixes it for me.

master:

  • e130d35 add ACIs for custodia container to its parent during IPA upgrade
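
An added example, not part of the ticket or of FreeIPA's code: it scans updater debug output for entries logged as "New entry" whose final value carries no objectclass, the condition behind the "Add failure" error in the log above. The log layout is assumed from the excerpt in this ticket; the function name and the `cn=sample` entry are hypothetical.

```python
import re

# Constructed sample, abridged from the log format shown in the ticket;
# ACI values are shortened and the second entry is invented for contrast.
SAMPLE_LOG = """\
2015-12-08T07:52:16Z DEBUG New entry: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG Final value after applying updates
2015-12-08T07:52:16Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG aci:
2015-12-08T07:52:16Z DEBUG      (target = ...)
2015-12-08T07:52:16Z ERROR Add failure missing required attribute "objectclass"
2015-12-08T07:52:16Z DEBUG New entry: cn=sample,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG Final value after applying updates
2015-12-08T07:52:16Z DEBUG dn: cn=sample,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG objectclass:
2015-12-08T07:52:16Z DEBUG      nsContainer
"""

LINE = re.compile(r"^\S+ [A-Z]+ (.*)$")       # timestamp, level, message
ATTR = re.compile(r"^([A-Za-z][\w;-]*):\s*$")  # attribute header such as "aci:"

def find_incomplete_new_entries(log_text):
    """Return (dn, attribute names) for new entries lacking objectclass."""
    findings, entry, in_final = [], None, False

    def close():
        # An entry that must be created but has no objectclass cannot be added.
        if (entry and entry["new"] and entry["final"]
                and "objectclass" not in entry["attrs"]):
            findings.append((entry["dn"], sorted(entry["attrs"])))

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith(("New entry: ", "Updating existing entry: ")):
            close()
            kind, dn = msg.split(": ", 1)
            entry = {"dn": dn, "new": kind == "New entry",
                     "attrs": set(), "final": False}
            in_final = False
        elif entry and msg.startswith("Final value after applying updates"):
            in_final = entry["final"] = True
        elif in_final:
            attr = ATTR.match(msg)  # indented value lines do not match
            if attr:
                entry["attrs"].add(attr.group(1).lower())
    close()
    return findings
```

On the sample it reports only the custodia container, whose final value holds nothing but `aci`.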

Metadata Update from @dkupka:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3

7 years ago
