Hi Thierry,
It was not sufficient to modify 03entryuuid.ldif. I'm still getting the attribute
"entryuuid" not allowed error on the Centos 7 system.
Do I need to disable the entryUUID plugin? If so, how do I do that?
-- Kees
On 23-11-2021 10:29, Thierry Bordaz wrote:
Hi Kees,
The missing fix #4872 is pretty small [1]. Initial definition of entryuuid required a
syntax/MR that was not available with previous versions, so it broke schema replication in
mixed topology.
An easy workaround is to stop the 1.4.3.23 instance, edit
/usr/share/dirsrv/schema/03entryuuid.ldif on 1.4.3.23 installations and restart the
server. A dummy update on 1.4.3.23 will trigger the replication of the schema definition
of 'entryuuid' and then the CentOS 7 instance will be able to manage the entryuuid
attribute.
Regards
thierry
[1]
https://github.com/389ds/389-ds-base/commit/bce941ec3cdf77eaf4bc3ea744f1d...
On 11/23/21 10:17 AM, Kees Bakker via FreeIPA-users wrote:
> So, I have 1.4.3.23. A change was made in 1.4.3.26 (commit f370a281b8, Issue 4872).
> The latest in Centos 8 Stream is 1.4.3.23-10
>
> That leaves me with the following questions.
>
> 1. What do I need to do to disable the entryUUID plugin?
> 2. What do I need to do to fix the current LDAP conflict?
> 3. Do I really need 389-ds-base 1.4.3.26 or later (if I manage to disable the entryUUID plugin)?
> -- Kees
>
> On 22-11-2021 20:04, Kees Bakker via FreeIPA-users wrote:
>> On Centos 7
>>
>> 389-ds-base-snmp-1.3.9.1-13.el7_7.x86_64
>> 389-ds-base-libs-1.3.9.1-13.el7_7.x86_64
>> 389-ds-base-1.3.9.1-13.el7_7.x86_64
>> 389-ds-base-debuginfo-1.3.9.1-13.el7_7.x86_64
>>
>> On Centos 8 Stream
>>
>> 389-ds-base-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
>> python3-lib389-1.4.3.23-7.module_el8.5.0+889+90e0384f.noarch
>> 389-ds-base-libs-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
>> -- Kees
>>
>> On 22-11-2021 18:39, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> the error looks similar to https://github.com/389ds/389-ds-base/issues/4872.
>>> The CentOS 8 Streams master probably has a version of 389ds that doesn't contain the fix, and has entryuuid plugin enabled (that generates an entryuuid attribute). The schema failed to be replicated to the CentOS 7 server, and the entryuuid attribute present in the entry causes replication issues.
>>>
>>> Which versions are installed on the other replicas? You may have to disable the entryuuid plugin or update 389ds.
>>> flo
>>>
>>>
>>> On Mon, Nov 22, 2021 at 3:30 PM Kees Bakker via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>>>
>>> Hi,
>>>
>>> On my Centos 7 master there was this error message
>>>
>>> [19/Nov/2021:11:16:11.863597190 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>> [19/Nov/2021:11:16:26.331298112 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>> [19/Nov/2021:11:16:45.264647201 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>>
>>> The sudorule was added via the web-GUI on a Centos 8stream master.
>>>
>>> The replication more or less succeeded, besides this error message. However,
>>> * checkipaconsistency reports "LDAP Conflicts" (the Centos 7 master has count 1, the other masters have count 0)
>>> * ipa-healthcheck reports an error too
>>>
>>> [
>>>   {
>>>     "source": "ipahealthcheck.ds.replication",
>>>     "kw": {
>>>       "msg": "Replication conflict",
>>>       "glue": false,
>>>       "conflict": "Schema violation",
>>>       "key": "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl"
>>>     },
>>>     "uuid": "01d364fc-e48e-44bd-9ea8-63db1e800788",
>>>     "duration": "0.001689",
>>>     "when": "20211122070012Z",
>>>     "check": "ReplicationConflictCheck",
>>>     "result": "ERROR"
>>>   }
>>> ]
>>>
>>> Any advice on how to get rid of the error messages would be greatly appreciated.
>>> --
>>> Kees
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
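
Added example, not part of the thread and not code from 389-ds or FreeIPA: a triage script that matches the `oc_check_allowed_sv` error-log lines against the `ReplicationConflictCheck` results quoted above, showing which rejected attribute sits behind each reported conflict. The function names, the placeholder DN and the sample log and JSON are constructed for illustration.

```python
import json
import re
from collections import Counter

# Error-log line format as quoted in this thread (schema check rejection).
SCHEMA_ERR = re.compile(
    r'^\[[^\]]+\] - ERR - oc_check_allowed_sv - Entry\s+"(?P<dn>[^"]+)"'
    r'\s+-- attribute "(?P<attr>[^"]+)" not allowed$')

def norm(dn):
    # Simplified DN comparison: case and spaces around commas only.
    return ",".join(part.strip() for part in dn.lower().split(","))

def schema_rejections(log_lines):
    """Count (DN, attribute) pairs rejected by the local schema check."""
    hits = Counter()
    for line in log_lines:
        m = SCHEMA_ERR.match(line.strip())
        if m:
            hits[(norm(m["dn"]), m["attr"].lower())] += 1
    return hits

def replication_conflicts(healthcheck_json):
    """DNs of ReplicationConflictCheck results reported as ERROR."""
    return {norm(r["kw"]["key"]) for r in json.loads(healthcheck_json)
            if r.get("check") == "ReplicationConflictCheck"
            and r.get("result") == "ERROR" and "key" in r.get("kw", {})}

def correlate(log_lines, healthcheck_json):
    """Map each conflicting DN to [(rejected attribute, count), ...]."""
    out = {dn: [] for dn in replication_conflicts(healthcheck_json)}
    for (dn, attr), count in sorted(schema_rejections(log_lines).items()):
        if dn in out:
            out[dn].append((attr, count))
    return out

# Constructed sample input: placeholder DN, timestamps and check results.
DN = "ipaUniqueID=00000000-0000-0000-0000-000000000000,cn=sudorules,cn=sudo,dc=example,dc=com"
ERR = '[19/Nov/2021:11:16:{}.000000000 +0100] - ERR - oc_check_allowed_sv - Entry "{}" -- attribute "entryuuid" not allowed'
LOG = [ERR.format("11", DN), ERR.format("26", DN),
       "[19/Nov/2021:11:17:00.000000000 +0100] - INFO - constructed unrelated line"]
HEALTH = json.dumps([
    {"check": "ReplicationConflictCheck", "result": "ERROR",
     "kw": {"msg": "Replication conflict", "conflict": "Schema violation", "key": DN}},
    {"check": "ConstructedOtherCheck", "result": "SUCCESS", "kw": {}},
])

if __name__ == "__main__":
    print(correlate(LOG, HEALTH))
```

A conflict DN that maps to an empty list has no matching schema rejection in the supplied log, so its cause lies elsewhere.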