Hi list,
I wanted to repost this issue with a more appropriate subject line, in case anyone has come across this issue before and has a workaround.
To provide some context, I have two FreeIPA instances running FreeIPA 4.3.1 on Ubuntu 16.04 LTS.
I want to migrate to FreeIPA 4.5.4 running on CentOS 7.
I have a way to migrate by dumping all the users out with ldapsearch and adding them to the new instance with ldapadd but it is a bit messy and will result in all users having to reset their password, as it won't let me add in already encrypted passwords.
My initial thought was to add the new instance as a replica and then eventually retire the old one.
I ran into some problems with the ‘ipa-replica-install’ command though.
I was able to join as a client no problem, but when I went to run ‘ipa-replica-install’ it failed while configuring the directory server component.
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
[error] DatabaseError: Server is unwilling to perform: modification of attribute nsds5replicareleasetimeout is not allowed in replica entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
I thought this might have something to do with differences between 4.3.1 and 4.5.4 but I wasn’t entirely sure.
If there is a workaround for this issue, it would be a significantly easier transition to the new FreeIPA instance.
Cheers,
Mitch
On 12/2/18 7:10 PM, Mitchell Smith via FreeIPA-users wrote:
> Hi list,
> I wanted to repost this issue with a more appropriate subject line, in case anyone has come across this issue before and has a work around.
> To provide some context, I have two FreeIPA instances running FreeIPA 4.3.1 on Ubuntu 16.04 LTS.
> I want to migrate to FreeIPA 4.5.4 running on CentOS 7.
> I have a way to migrate by dumping all the users out with ldapsearch and adding them to the new instance with ldapadd but it is a bit messy and will result in all users having to reset their password, as it won't let me add in already encrypted passwords.
> My initial thought was to add the new instance as a replica and then eventually retire the old one.
> I ran in to some problems with the ‘ipa-replica-install’ command though.
> I was able to join as a client no problem, but when I went to run ‘ipa-replica-install’ it failed while configuring the directory server component.
> [25/42]: restarting directory server
> [26/42]: creating DS keytab
> [27/42]: ignore time skew for initial replication
> [28/42]: setting up initial replication
> [error] DatabaseError: Server is unwilling to perform: modification of attribute nsds5replicareleasetimeout is not allowed in replica entry
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> I thought this might have something to do with differences between 4.3.1 and 4.5.4 but I wasn’t entirely sure.
> If there is a work around for this issue, it would be a significantly easier transition to the new FreeIPA instance.
> Cheers,
> Mitch
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi,
I already saw this type of issue, but with older releases of FreeIPA. It could happen with 389-ds versions < 1.3 (see https://pagure.io/freeipa/c/2563f6f59454b73373c5ef4117afc76984146187).
Which version of 389-ds is installed on your machines?
# rpm -qa | grep 389
Is the attribute nsds5replicareleasetimeout defined in the schema? You can check on each master with:
# ldapsearch -x -h $MASTER -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes | grep -i nsds5replicareleasetimeout
If the attribute is properly defined in the schema, the command should output 2 lines:
- one for the attribute definition, with attributetypes: (... NAME 'nsds5ReplicaReleaseTimeout' ...)
- one for the objectclass definition using this attribute, with objectclasses: (... NAME 'nsDS5Replica' ... MAY (... nsds5ReplicaReleaseTimeout ...) ...)
flo
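The schema check described in the message above, as an added example that is not part of the original thread and not FreeIPA project code: it reads a cn=schema LDIF dump and distinguishes "attribute not defined" from "attribute defined but not allowed in the objectclass". The function name check_schema, the two sample schemas and their placeholder OIDs are constructed for illustration; the live command in the comment is the one from the message with `objectclasses` added to the requested attributes.

```shell
#!/bin/sh
# Added example. Reads a cn=schema LDIF dump on stdin and reports whether
# attribute $1 is defined and whether objectclass $2 allows it.
# Returns 0 = defined and allowed, 1 = not defined, 2 = defined but not allowed.
# Live use (assumption: same bind options as the command in the message):
#   ldapsearch -x -h $MASTER -b cn=schema -s base -o ldif-wrap=no -LLL \
#     attributetypes objectclasses | check_schema nsds5ReplicaReleaseTimeout nsDS5Replica
check_schema() {
    attr=$1 oc=$2
    ldif=$(cat)
    # Attribute definition: the name is single-quoted, alone or in an alias list.
    if ! printf '%s\n' "$ldif" | grep -i '^attributetypes:' | grep -qi "'$attr'"; then
        echo "not defined: attribute type $attr"
        return 1
    fi
    # Objectclass definition: the attribute appears unquoted in MUST/MAY.
    if ! printf '%s\n' "$ldif" | grep -i '^objectclasses:' |
            grep -i "NAME '$oc'" | grep -qiw "$attr"; then
        echo "defined, but objectclass $oc does not list $attr"
        return 2
    fi
    echo "ok: $attr is defined and allowed in $oc"
}

# Constructed sample: schema without the attribute (OIDs are placeholders).
old_master_schema() {
cat <<'EOF'
dn: cn=schema
attributetypes: ( OID-PLACEHOLDER-1 NAME 'nsds5ReplicaPurgeDelay' DESC 'constructed' )
objectclasses: ( OID-PLACEHOLDER-2 NAME 'nsDS5Replica' MAY ( cn $ nsds5ReplicaPurgeDelay ) )
EOF
}

# Constructed sample: schema that defines the attribute and allows it.
new_master_schema() {
cat <<'EOF'
dn: cn=schema
attributetypes: ( OID-PLACEHOLDER-1 NAME 'nsds5ReplicaPurgeDelay' DESC 'constructed' )
attributetypes: ( OID-PLACEHOLDER-3 NAME 'nsds5ReplicaReleaseTimeout' DESC 'constructed' )
objectclasses: ( OID-PLACEHOLDER-2 NAME 'nsDS5Replica' MAY ( cn $ nsds5ReplicaPurgeDelay $ nsds5ReplicaReleaseTimeout ) )
EOF
}

for sample in old_master_schema new_master_schema; do
    printf '%s: ' "$sample"
    "$sample" | check_schema nsds5ReplicaReleaseTimeout nsDS5Replica || true
done
```

Running the same function against each master's schema dump shows which side of a replication agreement lacks the definition.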
Hi,
On Dec 3, 2018, at 6:59 PM, Florence Blanc-Renaud flo@redhat.com wrote:
> I already saw this type of issue, but with older releases of FreeIPA. It could happen with 389-ds versions < 1.3 (see https://pagure.io/freeipa/c/2563f6f59454b73373c5ef4117afc76984146187).
> Which version of 389-ds is installed on your machines?
> # rpm -qa | grep 389
$ dpkg --list | grep "389"
ii 389-ds-base 1.3.4.9-1 amd64 389 Directory Server suite - server
ii 389-ds-base-libs 1.3.4.9-1 amd64 389 Directory Server suite - libraries
ii slapi-nis 0.55-1 amd64 NIS Server and Schema Compatibility plugins for 389 Directory Server
> Is the attribute nsds5replicareleasetimeout defined in the schema? You can check on each master with:
> # ldapsearch -x -h $MASTER -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes| grep -i nsds5replicareleasetimeout
> If the attribute is properly defined in the schema, the command should output 2 lines:
> - one for the attribute definition, with attributetypes: (... NAME 'nsds5ReplicaReleaseTimeout' ...)
> - one for the objectclass definition using this attribute, with objectclasses: (... NAME 'nsDS5Replica' ... MAY (... nsds5ReplicaReleaseTimeout ...) …)
No, I don’t get any search results at all.
Can you anticipate any issues with me modifying the schema and adding these attributes back in?
Thanks,
Mitch
Hi,
I have the same issue with freeipa 4.3.1 on ubuntu 16.04 and freeipa 4.8.6 on ubuntu 20.20 (packages from ubuntu 19.10).
Have you solved this issue?
On 8/19/20 11:53 AM, Denis Nazarov via FreeIPA-users wrote:
> Hi,
> I have the same issue with freeipa 4.3.1 on ubuntu 16.04 and freeipa 4.8.6 on ubuntu 20.20 (packages from ubuntu 19.10).
> Have you solved this issue?
Hi,
I assume you are referring to this email thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
What is the 389-ds version on your master and on your replica?
flo