Hi Kees,
Indeed this problem may have arisen because in intermediate centos
builds (without #4872 fix) we delivered a wrong attribute definition.
ATM we need to get the 'entryuuid' definition on Centos7.
I guess it is not present there. You may check with:
ldapsearch -D "DM" -b "cn=schema" -o ldif-wrap=no -LLL attributetypes | grep -i entryuuid
I see two options:
* Do a dummy update of the schema (add a dummy attributetype) on
Centos8, so that it contains a nsschemaCSN that is recent. Then next
replication session, the new definition will be learned by Centos7.
* stop centos7 instance, copy the content of 03entryuuid.ldif into the
99users.ldif of the instance, start the instance
regards
thierry
On 11/23/21 4:12 PM, Kees Bakker wrote:
Hi Thierry,
It was not sufficient to modify 03entryuuid.ldif. I'm still getting
the attribute "entryuuid" not allowed error on the Centos 7 system.
Do I need to disable the entryUUID plugin? If so, how do I do that?
-- Kees
On 23-11-2021 10:29, Thierry Bordaz wrote:
> Hi Kees,
>
> The missing fix #4872 is pretty small [1]. Initial definition of
> entryuuid required a syntax/MR that was not available with previous
> versions, so it broke schema replication in mixed topology.
>
> An easy workaround is to stop 1.4.3.23 instance, edit
> /usr/share/dirsrv/schema/03entryuuid.ldif on 1.4.3.23 installations
> and restart the server. A dummy update on 1.4.3.23 will trigger the
> replication of the schema definition of 'entryuuid' and then CentOS 7
> instance will be able to manage entryuuid attribute.
>
> Regards
> thierry
>
>
> [1] https://github.com/389ds/389-ds-base/commit/bce941ec3cdf77eaf4bc3ea744f1d...
>
> On 11/23/21 10:17 AM, Kees Bakker via FreeIPA-users wrote:
>> So, I have 1.4.3.23. A change was made in 1.4.3.26 (commit
>> f370a281b8, Issue 4872).
>> The latest in Centos 8 Stream is 1.4.3.23-10
>>
>> That leaves me with the following questions.
>>
>> 1. What do I need to do to disable the entryUUID plugin?
>> 2. What do I need to do to fix the current LDAP conflict?
>> 3. Do I really need 389-ds-base 1.4.3.26 or later (if I manage to
>> disable the entryUUID plugin)?
>> -- Kees
>>
>> On 22-11-2021 20:04, Kees Bakker via FreeIPA-users wrote:
>>> On Centos 7
>>>
>>> 389-ds-base-snmp-1.3.9.1-13.el7_7.x86_64
>>> 389-ds-base-libs-1.3.9.1-13.el7_7.x86_64
>>> 389-ds-base-1.3.9.1-13.el7_7.x86_64
>>> 389-ds-base-debuginfo-1.3.9.1-13.el7_7.x86_64
>>>
>>> On Centos 8 Stream
>>>
>>> 389-ds-base-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
>>> python3-lib389-1.4.3.23-7.module_el8.5.0+889+90e0384f.noarch
>>> 389-ds-base-libs-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
>>> -- Kees
>>>
>>> On 22-11-2021 18:39, Florence Blanc-Renaud wrote:
>>>> Hi,
>>>>
>>>> the error looks similar to
>>>> https://github.com/389ds/389-ds-base/issues/4872.
>>>> The CentOS 8 Streams master probably has a version of 389ds that
>>>> doesn't contain the fix, and has entryuuid plugin enabled (that
>>>> generates an entryuuid attribute). The schema failed to be
>>>> replicated to the CentOS 7 server, and the entryuuid attribute
>>>> present in the entry causes replication issues.
>>>>
>>>> Which versions are installed on the other replicas? You may have
>>>> to disable the entryuuid plugin or update 389ds.
>>>> flo
>>>>
>>>>
>>>> On Mon, Nov 22, 2021 at 3:30 PM Kees Bakker via FreeIPA-users
>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>> Hi,
>>>>
>>>> On my Centos 7 master there was this error message
>>>>
>>>> [19/Nov/2021:11:16:11.863597190 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>>> [19/Nov/2021:11:16:26.331298112 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>>> [19/Nov/2021:11:16:45.264647201 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>>>
>>>> The sudorule was added via the web-GUI on a Centos 8stream master.
>>>>
>>>> The replication more or less succeeded, besides this error
>>>> message. However,
>>>> * checkipaconsistency reports "LDAP Conflicts" (the Centos 7
>>>> master has count 1, the other masters have count 0)
>>>> * ipa-healthcheck reports an error too
>>>>
>>>> [
>>>>   {
>>>>     "source": "ipahealthcheck.ds.replication",
>>>>     "kw": {
>>>>       "msg": "Replication conflict",
>>>>       "glue": false,
>>>>       "conflict": "Schema violation",
>>>>       "key": "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl"
>>>>     },
>>>>     "uuid": "01d364fc-e48e-44bd-9ea8-63db1e800788",
>>>>     "duration": "0.001689",
>>>>     "when": "20211122070012Z",
>>>>     "check": "ReplicationConflictCheck",
>>>>     "result": "ERROR"
>>>>   }
>>>> ]
>>>>
>>>> Any advice how to get rid of the error messages would be
>>>> greatly appreciated.
>>>> --
>>>> Kees
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>>>