On 12/2/18 7:10 PM, Mitchell Smith via FreeIPA-users wrote:
I wanted to repost this issue with a more appropriate subject line, in
case anyone has come across this issue before and has a workaround.
To provide some context, I have two FreeIPA instances running FreeIPA
4.3.1 on Ubuntu 16.04 LTS.
I want to migrate to FreeIPA 4.5.4 running on CentOS 7.
I have a way to migrate by dumping all the users out with ldapsearch
and adding them to the new instance with ldapadd but it is a bit messy
and will result in all users having to reset their password, as it
won't let me add in already encrypted passwords.
My initial thought was to add the new instance as a replica and then
eventually retire the old one.
I ran into some problems with the ‘ipa-replica-install’ command though.
I was able to join as a client no problem, but when I went to run
‘ipa-replica-install’ it failed while configuring the directory server
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
[error] DatabaseError: Server is unwilling to perform: modification
of attribute nsds5replicareleasetimeout is not allowed in replica
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
I thought this might have something to do with differences between
4.3.1 and 4.5.4 but I wasn’t entirely sure.
If there is a work around for this issue, it would be a significantly
easier transition to the new FreeIPA instance.
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
I already saw this type of issue, but with older releases of FreeIPA. It
could happen with 389-ds versions < 1.3 (see
Which version of 389-ds is installed on your machines?
# rpm -qa | grep 389
Is the attribute nsds5replicareleasetimeout defined in the schema? You
can check on each master with:
# ldapsearch -x -h $MASTER -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes objectclasses | grep -i nsds5replicareleasetimeout
If the attribute is properly defined in the schema, the command should
output 2 lines:
- one for the attribute definition, with attributetypes: (... NAME
- one for the objectclass definition using this attribute, with
objectclasses: (... NAME 'nsDS5Replica' ... MAY (...
nsds5ReplicaReleaseTimeout ...) ...)
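To make that schema check repeatable across several masters, here is an added example that parses the schema entry as dumped by ldapsearch and reports whether nsds5ReplicaReleaseTimeout is defined as an attribute and whether nsDS5Replica allows it. It is not FreeIPA or 389-ds code; the two embedded LDIF samples are constructed for the example (the OIDs in them are placeholders, not the real ones), and the ldapsearch argv builder only composes the command from the reply above, it does not contact a server.

```python
"""Check a 389-ds schema dump for nsds5ReplicaReleaseTimeout.

Added example, not FreeIPA or 389-ds code. Feed it the output of
  ldapsearch -x -h $MASTER -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes objectclasses
on stdin, or call check_release_timeout() on the LDIF text directly.
"""
import re
import sys

ATTR = "nsds5replicareleasetimeout"   # attribute the replica install tried to modify
OC = "nsds5replica"                   # objectclass whose MAY list must allow it

# NAME 'foo'  or  NAME ( 'foo' 'bar' )
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def ldapsearch_argv(master):
    """argv for dumping the schema unwrapped so each definition is a single LDIF line."""
    return ["ldapsearch", "-x", "-h", master, "-b", "cn=schema", "-s", "base",
            "-o", "ldif-wrap=no", "-LLL", "attributetypes", "objectclasses"]


def _unwrap(ldif):
    """Join LDIF continuation lines (leading space) in case ldif-wrap=no was omitted."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def _names(definition):
    m = NAME_RE.search(definition)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1).lower()]
    return [n.lower() for n in re.findall(r"'([^']*)'", m.group(2))]


def _attr_list(definition, keyword):
    """Attributes listed after MUST/MAY, either a single name or ( a $ b $ c )."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|(\S+))" % re.escape(keyword), definition)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip().lower() for a in body.split("$") if a.strip()]


def parse_schema(ldif):
    """Return ({attr_name: definition}, {oc_name: {"must": [...], "may": [...]}})."""
    attrs, ocs = {}, {}
    for line in _unwrap(ldif):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "attributetypes":
            for n in _names(value):
                attrs[n] = value
        elif key == "objectclasses":
            for n in _names(value):
                ocs[n] = {"must": _attr_list(value, "MUST"), "may": _attr_list(value, "MAY")}
    return attrs, ocs


def check_release_timeout(ldif):
    """The two conditions the reply asks for, plus whether the objectclass exists at all."""
    attrs, ocs = parse_schema(ldif)
    oc = ocs.get(OC, {"must": [], "may": []})
    return {
        "attribute_defined": ATTR in attrs,
        "objectclass_defined": OC in ocs,
        "allowed_in_replica": ATTR in oc["may"] or ATTR in oc["must"],
    }


# Constructed samples; OIDs are placeholders, not the real 389-ds OIDs.
SAMPLE_CURRENT = """\
dn: cn=schema
attributetypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
attributetypes: ( 1.3.6.1.4.1.99999.1 NAME 'nsds5ReplicaReleaseTimeout' DESC 'constructed sample' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'constructed sample' )
objectclasses: ( 1.3.6.1.4.1.99999.2 NAME 'nsDS5Replica' SUP top STRUCTURAL MUST ( nsDS5ReplicaRoot $ nsDS5ReplicaId ) MAY ( cn $ nsds5ReplicaReleaseTimeout $ nsDS5ReplicaBindDN ) X-ORIGIN 'constructed sample' )
"""

# Same schema as an older server would show it: attribute absent and not in the MAY list.
SAMPLE_OLD = """\
dn: cn=schema
attributetypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
objectclasses: ( 1.3.6.1.4.1.99999.2 NAME 'nsDS5Replica' SUP top STRUCTURAL MUST ( nsDS5ReplicaRoot $ nsDS5ReplicaId ) MAY ( cn $ nsDS5ReplicaBindDN ) X-ORIGIN 'constructed sample' )
"""

if __name__ == "__main__":
    # python3 check_schema.py < schema.ldif   (schema.ldif from the ldapsearch above)
    result = check_release_timeout(sys.stdin.read())
    for k, v in result.items():
        print("%-20s %s" % (k, "yes" if v else "NO"))
    sys.exit(0 if all(result.values()) else 1)
```

Run it against each master's dump: a master where `attribute_defined` or `allowed_in_replica` comes back NO is the one whose 389-ds schema predates the attribute, and that is the side on which ipa-replica-install would hit the "modification of attribute nsds5replicareleasetimeout is not allowed" error.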