Hi Kees,
The missing fix #4872 is pretty small [1]. The initial definition of
entryuuid required a syntax/MR that was not available with previous
versions, so it broke schema replication in mixed topology.
An easy workaround is to stop the 1.4.3.23 instance, edit
/usr/share/dirsrv/schema/03entryuuid.ldif on 1.4.3.23 installations and
restart the server. A dummy update on 1.4.3.23 will trigger the
replication of the schema definition of 'entryuuid' and then the CentOS 7
instance will be able to manage the entryuuid attribute.
Regards
thierry
[1]
So, I have 1.4.3.23. A change was made in 1.4.3.26 (commit f370a281b8,
Issue 4872).
The latest in Centos 8 Stream is 1.4.3.23-10
That leaves me with the following questions.
1. What do I need to do to disable the entryUUID plugin?
2. What do I need to do to fix the current LDAP conflict?
3. Do I really need 389-ds-base 1.4.3.26 or later (if I manage to
disable the entryUUID plugin)?
-- Kees
On 22-11-2021 20:04, Kees Bakker via FreeIPA-users wrote:
> On Centos 7
>
> 389-ds-base-snmp-1.3.9.1-13.el7_7.x86_64
> 389-ds-base-libs-1.3.9.1-13.el7_7.x86_64
> 389-ds-base-1.3.9.1-13.el7_7.x86_64
> 389-ds-base-debuginfo-1.3.9.1-13.el7_7.x86_64
>
> On Centos 8 Stream
>
> 389-ds-base-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
> python3-lib389-1.4.3.23-7.module_el8.5.0+889+90e0384f.noarch
> 389-ds-base-libs-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
> -- Kees
>
> On 22-11-2021 18:39, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> the error looks similar to
>> https://github.com/389ds/389-ds-base/issues/4872.
>> The CentOS 8 Streams master probably has a version of 389ds that
>> doesn't contain the fix, and has entryuuid plugin enabled (that
>> generates an entryuuid attribute). The schema failed to be
>> replicated to the CentOS 7 server, and the entryuuid attribute
>> present in the entry causes replication issues.
>>
>> Which versions are installed on the other replicas? You may have to
>> disable the entryuuid plugin or update 389ds.
>> flo
>>
>>
>> On Mon, Nov 22, 2021 at 3:30 PM Kees Bakker via FreeIPA-users
>> <freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>> Hi,
>>
>> On my Centos 7 master there was this error message
>>
>> [19/Nov/2021:11:16:11.863597190 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>> [19/Nov/2021:11:16:26.331298112 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>> [19/Nov/2021:11:16:45.264647201 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>
>> The sudorule was added via the web-GUI on a Centos 8 Stream master.
>>
>> The replication more or less succeeded, besides this error
>> message. However,
>> * checkipaconsistency reports "LDAP Conflicts" (the Centos 7
>> master has count 1, the other masters have count 0)
>> * ipa-healthcheck reports an error too
>>
>> [
>>   {
>>     "source": "ipahealthcheck.ds.replication",
>>     "kw": {
>>       "msg": "Replication conflict",
>>       "glue": false,
>>       "conflict": "Schema violation",
>>       "key": "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl"
>>     },
>>     "uuid": "01d364fc-e48e-44bd-9ea8-63db1e800788",
>>     "duration": "0.001689",
>>     "when": "20211122070012Z",
>>     "check": "ReplicationConflictCheck",
>>     "result": "ERROR"
>>   }
>> ]
>>
>> Any advice how to get rid of the error messages would be greatly
>> appreciated.
>> --
>> Kees
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>
>
>
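
The thread shows two symptoms of the same problem: `oc_check_allowed_sv` rejections in the 389-ds errors log and a "Schema violation" conflict in the ipa-healthcheck report. The following is an added example, not code from the thread or from the FreeIPA/389-ds projects, that correlates the two so each conflict entry is paired with the attribute the local schema refused; the function names are illustrative and the sample input is constructed from the messages quoted above.

```python
import json
import re
from collections import defaultdict

# Matches the schema-check rejection that 389-ds writes to its errors log.
REJECT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - ERR - oc_check_allowed_sv - '
    r'Entry "(?P<dn>[^"]+)" -- attribute "(?P<attr>[^"]+)" not allowed$'
)

def norm_dn(dn):
    """Loose DN normalisation (assumes no escaped commas in RDN values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def rejected_attrs(log_text):
    """Map normalised DN -> {attribute: rejection count} from an errors log."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            hits[norm_dn(m["dn"])][m["attr"].lower()] += 1
    return {dn: dict(attrs) for dn, attrs in hits.items()}

def schema_conflicts(healthcheck_json):
    """DNs that ipa-healthcheck reports as 'Schema violation' conflicts."""
    return [norm_dn(r["kw"]["key"]) for r in json.loads(healthcheck_json)
            if r.get("check") == "ReplicationConflictCheck"
            and r.get("kw", {}).get("conflict") == "Schema violation"]

def correlate(log_text, healthcheck_json):
    """Pair each conflict entry with the attributes the local schema refused."""
    rejected = rejected_attrs(log_text)
    return {dn: rejected.get(dn, {}) for dn in schema_conflicts(healthcheck_json)}

# Constructed sample input modelled on the messages quoted in the thread.
DN = "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com"
SAMPLE_LOG = "\n".join(
    f'[19/Nov/2021:11:16:{s} +0100] - ERR - oc_check_allowed_sv - '
    f'Entry "{DN}" -- attribute "entryuuid" not allowed'
    for s in ("11.863597190", "26.331298112", "45.264647201")
)
SAMPLE_REPORT = json.dumps([{"source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck", "result": "ERROR",
    "kw": {"msg": "Replication conflict", "glue": False,
           "conflict": "Schema violation", "key": DN}}])

if __name__ == "__main__":
    for dn, attrs in correlate(SAMPLE_LOG, SAMPLE_REPORT).items():
        print(dn, attrs or "no matching schema rejection in this log")
```

An empty attribute map for a conflict entry means the rejection was logged on a different replica or has rotated out of the log being read.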