All the nightly tests using the copr repo @389ds/389-ds-base-nightly failed during ipa server installation. See PR #668, for instance the report for the test test_commands:
test_commands
RUN ['ipa-server-install', '-n', 'ipa.test', '-r', 'IPA.TEST', '-p', 'Secret.123', '-a', 'Secret.123', '--domain-level=1', '--dirsrv-config-file', '/ipatests/ipatests_dse.ldif', '-U', '--setup-dns', '--forwarder', '192.168.122.1', '--auto-reverse']
Checking DNS domain ipa.test., please wait ...
Reverse record for IP address 192.168.122.58 already exists
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.10.0.dev
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure the KDC to enable PKINIT
Warning: skipping DNS resolution of host master.ipa.test
Checking DNS forwarders, please wait ...
The IPA Master Server will be configured with:
Hostname: master.ipa.test
IP address(es): 192.168.122.58
Domain name: ipa.test
Realm name: IPA.TEST
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=IPA.TEST
Subject base: O=IPA.TEST
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.122.1
Forward policy: only
Reverse zone(s): No reverse zone
Disabled p11-kit-proxy
Using default chrony configuration.
Warning: IPA was unable to sync time with chrony!
Time synchronization is required for IPA to work correctly
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/44]: creating directory server instance
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
[2/44]: tune ldbm plugin
[3/44]: stopping directory server
[4/44]: updating configuration in dse.ldif
[5/44]: starting directory server
[6/44]: adding default schema
[7/44]: enabling memberof plugin
[8/44]: enabling winsync plugin
[9/44]: configure password logging
[10/44]: configuring replication version plugin
[11/44]: enabling IPA enrollment plugin
[12/44]: configuring uniqueness plugin
[13/44]: configuring uuid plugin
[14/44]: configuring modrdn plugin
[15/44]: configuring DNS plugin
[16/44]: enabling entryUSN plugin
[17/44]: configuring lockout plugin
[18/44]: configuring topology plugin
[19/44]: creating indices
[20/44]: enabling referential integrity plugin
[21/44]: configuring certmap.conf
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache and keytab
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: adding sasl mappings to the directory
[27/44]: adding default layout
[28/44]: adding delegation layout
[29/44]: creating container for managed entries
[30/44]: configuring user private groups
[31/44]: configuring netgroups from hostgroups
[32/44]: creating default Sudo bind user
[33/44]: creating default Auto Member layout
[34/44]: adding range check plugin
[35/44]: creating default HBAC rule allow_all
[36/44]: adding entries for topology management
[37/44]: initializing group membership
[38/44]: adding master entry
[39/44]: initializing domain level
[40/44]: configuring Posix uid/gid generation
[41/44]: adding replication acis
[42/44]: activating sidgen plugin
[43/44]: activating extdom plugin
[44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
Failed to load default-aci.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpue6kga89', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 21: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-TEST.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_modify: Invalid syntax (21)\n\tadditional info: ACL Syntax Error(-5):(targetfilter = \\22(objectClass=ipaGuiConfig)\\22)(targetattr != \\22aci\\22)(version 3.0;acl \\22Admins can change GUI config\\22; allow (read, search, compare, write) groupdn = \\22ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test\\22;)\n\n')
[error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpue6kga89', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 21: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-TEST.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_modify: Invalid syntax (21)\n\tadditional info: ACL Syntax Error(-5):(targetfilter = \\22(objectClass=ipaGuiConfig)\\22)(targetattr != \\22aci\\22)(version 3.0;acl \\22Admins can change GUI config\\22; allow (read, search, compare, write) groupdn = \\22ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test\\22;)\n\n')
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpue6kga89', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 21: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-TEST.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_modify: Invalid syntax (21)\n\tadditional info: ACL Syntax Error(-5):(targetfilter = \\22(objectClass=ipaGuiConfig)\\22)(targetattr != \\22aci\\22)(version 3.0;acl \\22Admins can change GUI config\\22; allow (read, search, compare, write) groupdn = \\22ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test\\22;)\n\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Exit code: 1
389ds error log shows:
[24/Jan/2021:00:30:47.858190668 +0000] - ERR - NSACLPlugin - aclutil_print_err - ACL Syntax Error(-5):(targetfilter = \22(objectClass=ipaGuiConfig)\22)(targetattr != \22aci\22)(version 3.0;acl \22Admins can change GUI config\22; allow (read, search, compare, write) groupdn = \22ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test\22;)
Companion issue on 389ds side: https://github.com/389ds/389-ds-base/issues/4565
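A triage helper for the error-log line quoted above, added here as an example and not part of the original ticket or of FreeIPA or 389-ds code: it pulls ACL syntax errors out of a 389-ds error log and decodes the \22 escapes so the rejected ACI can be read as it was written. The function names and the first sample line are assumptions, and the balance check is only a heuristic for spotting a truncated or mis-quoted ACI.

```python
import re

# Constructed sample input: the first line is made up; the second is the
# 389-ds error-log line quoted in this ticket.
SAMPLE_LOG = r"""[24/Jan/2021:00:30:40.000000000 +0000] - INFO - main - constructed unrelated line
[24/Jan/2021:00:30:47.858190668 +0000] - ERR - NSACLPlugin - aclutil_print_err - ACL Syntax Error(-5):(targetfilter = \22(objectClass=ipaGuiConfig)\22)(targetattr != \22aci\22)(version 3.0;acl \22Admins can change GUI config\22; allow (read, search, compare, write) groupdn = \22ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test\22;)
"""

ACL_ERR = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - ERR - NSACLPlugin - \S+ - "
    r"ACL Syntax Error\((?P<code>-?\d+)\):(?P<aci>.*)$"
)

def decode_escapes(text):
    """Turn two-digit hex escapes such as \\22 back into their characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def is_balanced(aci):
    """Heuristic: parentheses outside double quotes pair up and quotes close."""
    depth, in_quote = 0, False
    for ch in aci:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and not in_quote

def find_acl_errors(log_text):
    """Return one dict per ACL syntax error line found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = ACL_ERR.match(line.strip())
        if not m:
            continue
        aci = decode_escapes(m.group("aci"))
        name = re.search(r'acl\s+"([^"]*)"', aci)
        hits.append({
            "timestamp": m.group("ts"),
            "code": int(m.group("code")),
            "name": name.group(1) if name else None,
            "balanced": is_balanced(aci),
            "aci": aci,
        })
    return hits

if __name__ == "__main__":
    for hit in find_acl_errors(SAMPLE_LOG):
        print(hit)
```

For the line in this ticket the decoded ACI is balanced and fully quoted, which points the investigation at the server build rather than at default-aci.ldif.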
Metadata Update from @frenaud: - Issue tagged with: tracker
The issue happened because a copr build was done from a personal branch instead of the master 389-ds branch. Not reproduced with the latest build; the ticket can be closed.
Metadata Update from @frenaud: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)