Hi Thierry,
That worked. I chose the second option, adding entryuuid to the Centos 7 system.
ipa-healthcheck is happy now and so is checkipaconsistency.
Thanks for the help.
-- Kees
On 23-11-2021 17:17, Thierry Bordaz wrote:
Hi Kees,
Indeed this problem may have arisen because in intermediate centos builds (without #4872
fix) we delivered a wrong attribute definition.
ATM we need to get the 'entryuuid' definition on Centos7.
I guess it is not present there. You may check with 'ldapsearch -D "DM" -b "cn=schema" -o ldif-wrap=no -LLL attributetypes | grep -i entryuuid'
I see two options:
* Do a dummy update of the schema (add a dummy attributetype) on Centos8, so that it
contains a nsschemaCSN that is recent. Then next replication session, the new definition
will be learned by Centos7.
* stop centos7 instance, copy the content of 03entryuuid.ldif into the 99users.ldif of
the instance, start the instance
regards
thierry
On 11/23/21 4:12 PM, Kees Bakker wrote:
> Hi Thierry,
>
> It was not sufficient to modify 03entryuuid.ldif. I'm still getting the attribute "entryuuid" not allowed error on the Centos 7 system.
>
> Do I need to disable the entryUUID plugin? If so, how do I do that?
> -- Kees
>
> On 23-11-2021 10:29, Thierry Bordaz wrote:
>> Hi Kees,
>>
>> The missing fix #4872 is pretty small [1]. Initial definition of entryuuid required a syntax/MR that was not available with previous versions, so it broke schema replication in mixed topology.
>>
>> An easy workaround is to stop 1.4.3.23 instance, edit /usr/share/dirsrv/schema/03entryuuid.ldif on 1.4.3.23 installations and restart the server. A dummy update on 1.4.3.23 will trigger the replication of the schema definition of 'entryuuid' and then CentOS 7 instance will be able to manage entryuuid attribute.
>>
>> Regards
>> thierry
>>
>>
>> [1] https://github.com/389ds/389-ds-base/commit/bce941ec3cdf77eaf4bc3ea744f1d...
>>
>> On 11/23/21 10:17 AM, Kees Bakker via FreeIPA-users wrote:
>>> So, I have 1.4.3.23. A change was made in 1.4.3.26 (commit f370a281b8, Issue 4872).
>>> The latest in Centos 8 Stream is 1.4.3.23-10
>>>
>>> That leaves me with the following questions.
>>>
>>> 1. What do I need to do to disable the entryUUID plugin?
>>> 2. What do I need to do to fix the current LDAP conflict?
>>> 3. Do I really need 389-ds-base 1.4.3.26 or later (if I manage to disable the entryUUID plugin)?
>>> -- Kees
>>>
>>> On 22-11-2021 20:04, Kees Bakker via FreeIPA-users wrote:
>>>> On Centos 7
>>>>
>>>> 389-ds-base-snmp-1.3.9.1-13.el7_7.x86_64
>>>> 389-ds-base-libs-1.3.9.1-13.el7_7.x86_64
>>>> 389-ds-base-1.3.9.1-13.el7_7.x86_64
>>>> 389-ds-base-debuginfo-1.3.9.1-13.el7_7.x86_64
>>>>
>>>> On Centos 8 Stream
>>>>
>>>> 389-ds-base-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
>>>> python3-lib389-1.4.3.23-7.module_el8.5.0+889+90e0384f.noarch
>>>> 389-ds-base-libs-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
>>>> -- Kees
>>>>
>>>> On 22-11-2021 18:39, Florence Blanc-Renaud wrote:
>>>>> Hi,
>>>>>
>>>>> the error looks similar to https://github.com/389ds/389-ds-base/issues/4872.
>>>>> The CentOS 8 Streams master probably has a version of 389ds that doesn't contain the fix, and has entryuuid plugin enabled (that generates an entryuuid attribute). The schema failed to be replicated to the CentOS 7 server, and the entryuuid attribute present in the entry causes replication issues.
>>>>>
>>>>> Which versions are installed on the other replicas? You may have to disable the entryuuid plugin or update 389ds.
>>>>> flo
>>>>>
>>>>>
>>>>> On Mon, Nov 22, 2021 at 3:30 PM Kees Bakker via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> On my Centos 7 master there was this error message
>>>>>
>>>>> [19/Nov/2021:11:16:11.863597190 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>>>> [19/Nov/2021:11:16:26.331298112 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>>>> [19/Nov/2021:11:16:45.264647201 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
>>>>>
>>>>> The sudorule was added via the web-GUI on a Centos 8stream master.
>>>>>
>>>>> The replication more or less succeeded, besides this error message. However,
>>>>> * checkipaconsistency reports "LDAP Conflicts" (the Centos 7 master has count 1, the other masters have count 0)
>>>>> * ipa-healthcheck reports an error too
>>>>>
>>>>> [
>>>>>   {
>>>>>     "source": "ipahealthcheck.ds.replication",
>>>>>     "kw": {
>>>>>       "msg": "Replication conflict",
>>>>>       "glue": false,
>>>>>       "conflict": "Schema violation",
>>>>>       "key": "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl"
>>>>>     },
>>>>>     "uuid": "01d364fc-e48e-44bd-9ea8-63db1e800788",
>>>>>     "duration": "0.001689",
>>>>>     "when": "20211122070012Z",
>>>>>     "check": "ReplicationConflictCheck",
>>>>>     "result": "ERROR"
>>>>>   }
>>>>> ]
>>>>>
>>>>> Any advice how to get rid of the error messages would be greatly appreciated.
>>>>> --
>>>>> Kees
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>>>>
>>>>
>>>>
>
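
Added example, not part of the thread and not FreeIPA or 389-ds code: a small Python check that ties the two symptoms reported above together, matching the DNs flagged by ReplicationConflictCheck in ipa-healthcheck output against the "attribute ... not allowed" lines in the directory server error log. The function names are hypothetical, the one-event-per-line log format is assumed from the lines quoted in the thread, and the sample input is constructed.

```python
import json
import re
from collections import Counter

# Error-log format assumed from the lines quoted in the thread (one event per line).
LOG_RE = re.compile(
    r'^\[[^\]]+\] - ERR - oc_check_allowed_sv - '
    r'Entry "(?P<dn>[^"]+)" -- attribute "(?P<attr>[^"]+)" not allowed$'
)

def normalize_dn(dn):
    # Simplified comparison form: ignores escaped commas and multi-valued RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def schema_rejections(log_text):
    """Count schema rejections per (entry DN, attribute)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            hits[(normalize_dn(m["dn"]), m["attr"].lower())] += 1
    return hits

def conflict_keys(healthcheck_json):
    """DNs that ReplicationConflictCheck reported with result ERROR."""
    return {
        normalize_dn(item["kw"]["key"])
        for item in json.loads(healthcheck_json)
        if item.get("check") == "ReplicationConflictCheck"
        and item.get("result") == "ERROR" and "key" in item.get("kw", {})
    }

def correlate(log_text, healthcheck_json):
    """Map each conflict DN to the attributes the local schema rejected."""
    conflicts = conflict_keys(healthcheck_json)
    explained = {dn: {} for dn in conflicts}
    for (dn, attr), count in schema_rejections(log_text).items():
        if dn in conflicts:
            explained[dn][attr] = count
    return explained  # an empty dict for a DN: no schema rejection was logged

# Constructed sample input, modelled on the output quoted in the thread.
DN = "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com"
SAMPLE_LOG = "\n".join(
    f'[19/Nov/2021:11:16:{s} +0100] - ERR - oc_check_allowed_sv - Entry "{DN}" -- attribute "entryuuid" not allowed'
    for s in ("11.863597190", "26.331298112", "45.264647201")
) + "\n[19/Nov/2021:11:17:02.000000000 +0100] - INFO - constructed unrelated line"
SAMPLE_HEALTH = json.dumps([{"check": "ReplicationConflictCheck", "result": "ERROR",
    "kw": {"msg": "Replication conflict", "conflict": "Schema violation", "key": DN}}])
```

A conflict DN that maps to an attribute such as entryuuid points at a schema definition missing on that replica rather than at a genuine update conflict.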