Using ipa-ldap-updater to replace an attribute value (in this case nsslapd-cachememsize) gives an unexpected error message.
    # Change value nsslapd-cachememsize
    dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
    replace:nsslapd-cachememsize:2097152::33554432
ipa-ldap-updater change-nsslapd-cachememsize.update
An error message shows up
Unexpected error - see /var/log/ipaupgrade.log for details: ObjectclassViolation: cannot add a value to single valued attribute nsslapd-cachememsize. The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information
Some success message is expected
This is on Ubuntu 16.04
    # dpkg -l 'freeipa*'
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name Version Architecture Description
    +++-========================-=================-=================-=====================================================
    ii freeipa-admintools 4.3.1-0ubuntu1 all FreeIPA centralized identity framework -- admintools
    ii freeipa-client 4.3.1-0ubuntu1 amd64 FreeIPA centralized identity framework -- client
    ii freeipa-common 4.3.1-0ubuntu1 all FreeIPA centralized identity framework -- common file
    ii freeipa-server 4.3.1-0ubuntu1 amd64 FreeIPA centralized identity framework -- server
    ii freeipa-server-dns 4.3.1-0ubuntu1 all FreeIPA centralized identity framework -- IPA DNS int
    ii freeipa-server-trust-ad 4.3.1-0ubuntu1 amd64 FreeIPA centralized identity framework -- AD trust in
Attached is /var/log/ipaupgrade.log
It fails because it cannot determine that it is a single-valued attribute, so rather than doing a REPLACE, generate_modlist does an ADD and DELETE.
self.conn.get_attribute_single_value(name) returns None.
We have a few choices:
- Let this go. Without schema there isn't much we can do
- Log within get_attribute_single_value() when an object is not found in schema, but this could potentially spam logs
- Log within the update when we get no attribute information back
I favor the third option.
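A simplified model of the behaviour described in the comment above, with the third option (log in the update when no attribute information comes back) applied. This is an added illustration, not FreeIPA's own code; `build_modlist`, `single_value` and `SCHEMA_SINGLE_VALUE` are hypothetical names, and the schema table is constructed sample data.

```python
import logging

# LDAP modify operation codes (RFC 4511), defined locally so this runs
# without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

log = logging.getLogger("updater_example")

# Constructed stand-in for a schema lookup. nsslapd-cachememsize is left out
# on purpose, so the lookup returns None for it as described in the ticket.
SCHEMA_SINGLE_VALUE = {"nsindextype": False}


def single_value(attr):
    """Return True/False from the schema, or None when the attribute is unknown."""
    return SCHEMA_SINGLE_VALUE.get(attr.lower())


def build_modlist(dn, attr, old_values, new_values, lookup=single_value):
    """Build (op, attr, values) tuples that turn old_values into new_values."""
    old, new = set(old_values), set(new_values)
    if old == new:
        return []
    known = lookup(attr)
    if known is None:
        # Option three: say why the update may fail instead of staying silent.
        log.warning("no schema information for %s in %s; cannot tell whether it "
                    "is single-valued, falling back to ADD/DELETE", attr, dn)
    if known and new:
        # Known single-valued: one REPLACE swaps the value.
        return [(MOD_REPLACE, attr, sorted(new))]
    mods = []
    adds, dels = sorted(new - old), sorted(old - new)
    if adds:
        mods.append((MOD_ADD, attr, adds))  # the ADD comes first, as in the ticket
    if dels:
        mods.append((MOD_DELETE, attr, dels))
    return mods


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    dn = "cn=changelog,cn=ldbm database,cn=plugins,cn=config"
    print(build_modlist(dn, "nsslapd-cachememsize", ["2097152"], ["33554432"]))
```
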
Maybe for a common use case like editing cn=config assume single-value?
Talked to @mreynolds about this. There are some attributes in cn=config that are multivalued, like nsindextype so treating it globally as single-valued won't work (I love the idea though).
He checked and the db backend is all single-valued so we can add a special case for any dn containing cn=ldbm database,cn=plugins,cn=config (would catch both cn=config and cn=UserRoot).
That is true for one-level below cn=ldbm database,cn=plugins,cn=config, but these are the index entries I was referring to, and they are further down in that config tree:
    dn: cn=sn,cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
    objectClass: top
    objectClass: nsIndex
    cn: sn
    nsSystemIndex: false
    nsIndexType: pres
    nsIndexType: eq
    nsIndexType: sub
Something I am missing is why ADD/DEL fails and could be changed with REPLACE. If the attribute is single-value, any combination of ADD/DEL should succeed if the final result is a single value.
Metadata Update from @abiagion: - Issue set to the milestone: FreeIPA 4.7.1
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)
FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone