Bug 688931

Summary: Run ipa-ldap-updater on upgrades, or warn that it needs to be run
Product: Red Hat Enterprise Linux 6
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: unspecified
Version: 6.1
CC: benl, dpal, jgalipea
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.0.0-17.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:44:43 UTC

Description Rob Crittenden 2011-03-18 14:52:08 UTC
Description of problem:

We need to either run ipa-ldap-updater on upgrades or warn that it needs to be run.

Need to confirm that all services are being restarted on upgrades as well.

Comment 1 Dmitri Pal 2011-03-22 01:33:26 UTC
https://fedorahosted.org/freeipa/ticket/1087

Comment 2 Rob Crittenden 2011-03-22 19:00:58 UTC
master: ca5332951c68904b0763f79f3612209271206b2a

Comment 4 Jenny Severance 2011-04-08 17:25:00 UTC
Please add steps to reproduce this issue. Thanks!

Comment 5 Rob Crittenden 2011-04-11 14:30:09 UTC
Install an older N-V-R of IPA and run the IPA installer.

Upgrade to these bits.

During rpm installation in %post it should:
- shut down 389-ds
- reconfigure 389-ds, there will be a new dse.ldif in the DS configuration directory named dse.ldif.ipa.[some_hex_number]
- apply updates (there aren't really any yet)
- restore 389-ds configuration
- restart 389-ds

You might try running rpm directly to install the update rather than using yum and pass in -vv to see the internals of what is going on (beware, it is truly ugly).

Comment 6 Jenny Severance 2011-04-15 17:17:15 UTC
Installed master and slave - ipa-server-2.0.0-20.el6.x86_64.

1) added user and tested kinit on both master and slave
2) yum update ipa-server on master
3) dse.ldif backed up

-rw-------. 1 dirsrv dirsrv 86088 Apr 15 13:07 dse.ldif
-rw-------. 1 dirsrv dirsrv 86088 Apr 15 13:07 dse.ldif.bak
-rw-------. 1 dirsrv root   86051 Apr 15 13:00 dse.ldif.ipa.afe82889c3248a8a

4) directory server restarted

[14/Apr/2011:14:07:00 -0400] - slapd shutting down - signaling operation threads
[14/Apr/2011:14:07:00 -0400] - slapd shutting down - closing down internal subsystems and plugins
[14/Apr/2011:14:07:00 -0400] - Waiting for 4 database threads to stop
[14/Apr/2011:14:07:00 -0400] - All database threads now stopped
[14/Apr/2011:14:07:00 -0400] - slapd stopped.
[14/Apr/2011:14:07:02 -0400] - 389-Directory/1.2.8.0 B2011.095.1758 starting up
[14/Apr/2011:14:07:02 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[14/Apr/2011:14:07:02 -0400] attrcrypt - Key for cipher AES successfully generated and stored


5) tested kinit as user successful

6) yum update on slave
7) dse.ldif backup

-rw-------. 1 dirsrv dirsrv 85099 Apr 15 13:08 dse.ldif
-rw-------. 1 dirsrv dirsrv 85099 Apr 15 13:07 dse.ldif.bak
-rw-------. 1 dirsrv root   85103 Apr 15 13:04 dse.ldif.ipa.41c41cbec336f6e

8) directory server restarted

[15/Apr/2011:13:04:49 -0400] - slapd shutting down - signaling operation threads
[15/Apr/2011:13:04:49 -0400] - slapd shutting down - closing down internal subsystems and plugins
[15/Apr/2011:13:04:49 -0400] - Waiting for 4 database threads to stop
[15/Apr/2011:13:04:49 -0400] - All database threads now stopped
[15/Apr/2011:13:04:49 -0400] - slapd stopped.
[15/Apr/2011:13:04:53 -0400] - 389-Directory/1.2.8.1 B2011.101.1815 starting up
[15/Apr/2011:13:04:53 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=testrelm
[15/Apr/2011:13:04:53 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=testrelm
[15/Apr/2011:13:04:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=testrelm--no CoS Templates found, which should be added before the CoS Definition.
[15/Apr/2011:13:04:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=testrelm--no CoS Templates found, which should be added before the CoS Definition.
[15/Apr/2011:13:04:53 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[15/Apr/2011:13:04:53 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[15/Apr/2011:13:04:53 -0400] - Listening on /var/run/slapd-TESTRELM.socket for LDAPI requests
[15/Apr/2011:13:04:59 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server) ((null))
[15/Apr/2011:13:04:59 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
[15/Apr/2011:13:04:59 -0400] NSMMReplicationPlugin - agmt="cn=meTodhcp-100-18-88.testrelm" (dhcp-100-18-88:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[15/Apr/2011:13:05:02 -0400] NSMMReplicationPlugin - agmt="cn=meTodhcp-100-18-88.testrelm" (dhcp-100-18-88:389): Replication bind with GSSAPI auth resumed
[15/Apr/2011:13:08:14 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=test,cn=users,cn=accounts,dc=testrelm".


9) tested kinit as user successful

upgrade version:

ipa-server-2.0.0-21.el6.x86_64
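
A post-upgrade check along the lines of the verification in comment 6, as an added example that is not part of the original bug report or the IPA code: it pairs the slapd stop/start lines in the errors log, reports any replication agreement whose GSSAPI bind is still failing, and picks out the dse.ldif.ipa.[hex] backups. The sample log is constructed, and the function names and host names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the 389-ds errors-log format quoted above (host names are made up).
SAMPLE_LOG = """\
[15/Apr/2011:13:04:49 -0400] - slapd shutting down - signaling operation threads
[15/Apr/2011:13:04:49 -0400] - slapd stopped.
[15/Apr/2011:13:04:53 -0400] - 389-Directory/1.2.8.1 B2011.101.1815 starting up
[15/Apr/2011:13:04:59 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica.example.test" (replica:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[15/Apr/2011:13:05:02 -0400] NSMMReplicationPlugin - agmt="cn=meToreplica.example.test" (replica:389): Replication bind with GSSAPI auth resumed
"""

LINE = re.compile(r"^\[([^\]]+)\] (.*)$")
START = re.compile(r"^- 389-Directory/(\S+) \S+ starting up")
REPL = re.compile(r'agmt="([^"]+)".*Replication bind with GSSAPI auth (failed|resumed)')

def parse(log):
    """Yield (timestamp, message) for every well-formed log line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"), m.group(2)

def restart_cycles(log):
    """Pair each 'slapd stopped.' line with the next 'starting up' line."""
    cycles, stopped = [], None
    for ts, msg in parse(log):
        if msg == "- slapd stopped.":
            stopped = ts
        elif (m := START.match(msg)):
            down = (ts - stopped).total_seconds() if stopped else None
            cycles.append({"version": m.group(1), "clean_stop": stopped is not None, "downtime_s": down})
            stopped = None  # a later start without a new stop is not a clean restart
    return cycles

def unresolved_replication_failures(log):
    """Return agreements whose most recent GSSAPI bind state is 'failed'."""
    state = {}
    for _, msg in parse(log):
        if (m := REPL.search(msg)):
            state[m.group(1)] = m.group(2)
    return sorted(a for a, s in state.items() if s == "failed")

def ipa_backups(names):
    """Select DS configuration backups named dse.ldif.ipa.<hex>."""
    return [n for n in names if re.fullmatch(r"dse\.ldif\.ipa\.[0-9a-f]+", n)]

if __name__ == "__main__":
    print(restart_cycles(SAMPLE_LOG), unresolved_replication_failures(SAMPLE_LOG))
```

A start line with no preceding "slapd stopped." is reported with clean_stop set to False, which is the case worth investigating after an upgrade.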

Comment 7 errata-xmlrpc 2011-05-19 13:44:43 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html