Bug 746589
| Summary: | automember functionality not available for upgraded IPA server |
|---|---|
| Product: | Red Hat Enterprise Linux 6 |
| Component: | ipa |
| Version: | 6.2 |
| Status: | CLOSED ERRATA |
| Severity: | unspecified |
| Priority: | unspecified |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Martin Kosek <mkosek> |
| Assignee: | Rob Crittenden <rcritten> |
| QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| CC: | dpal, jgalipea, matt, mkosek, rmeggins, sigbjorn, spoore |
| Target Milestone: | rc |
| Target Release: | --- |
| Fixed In Version: | ipa-2.2.0-1.el6 |
| Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. |
| Last Closed: | 2012-06-20 13:15:22 UTC |
| Bug Depends On: | 751495, 781506 |
| Bug Blocks: | 756082 |

Description
Martin Kosek
2011-10-17 07:35:23 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1992

This has bitten me on my Free IPA server. It doesn't just prevent you from using automembership functionality, it also causes the Web UI to return a 903 error when you initially connect, completely preventing its use.

Is there a way to get the LDAP information into a server that has already been upgraded?

Created attachment 530949
automember update file

(In reply to comment #4)
> This has bitten me on my Free IPA server. It doesn't just prevent you from
> using automembership functionality, it also causes the Web UI to return a 903
> error when you initially connect, completely preventing its use.
>
> Is there a way to get the LDAP information into a server that has already been
> upgraded?

Matt, if you want to fix the issue before it is released, you can use the update file I just attached. This is how I fixed automember for FreeIPA server upgraded from 2.0.0 to 2.1.3:

# ipa-ldap-updater 40-automember.update
Directory Manager password:
INFO Parsing file /home/mkosek/40-automember.update
INFO Updating existing entry: cn=Auto Membership Plugin,cn=plugins,cn=config
INFO Done
INFO New entry: cn=automember,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
INFO New entry: cn=Hostgroup,cn=automember,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
INFO New entry: cn=Group,cn=automember,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.

This is what I get when running the update through ipa-ldap-updater:

[root@ipa1 ~]# ipa-ldap-updater 40-automember.update
Directory Manager password:
INFO Parsing file 40-automember.update
INFO Updating existing entry: cn=Auto Membership Plugin,cn=plugins,cn=config
INFO Done
INFO New entry: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
ERROR Add failure cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=UPG Template,cn=etc,dc=mossholder,dc=com
INFO Done
INFO New entry: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
ERROR Add failure cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
INFO Done
INFO New entry: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
ERROR Add failure cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
INFO Done
INFO New entry: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
ERROR Add failure cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
INFO Done
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
ERROR Delete failed: Server is unwilling to perform: Not a valid operation.
ERROR Delete failed: Server is unwilling to perform: Deleting an active managed entries template is not allowed. Delete the associated config entry first.
ERROR Delete failed: Server is unwilling to perform: Not a valid operation.
ERROR Delete failed: Server is unwilling to perform: Deleting an active managed entries template is not allowed. Delete the associated config entry first.

This is pretty confusing output. Matt, can you please check what is your freeipa-server version? ipa-ldap-updater is obviously doing more than it should. As you can see in the 40-automember.update and my ipa-ldap-update output, it should just update cn=Auto Membership Plugin,cn=plugins,cn=config and cn=automember,cn=etc,$YOURSUFFIX but it seems it did not.

Agreed, the output is strange.... Here's my version info!

[root@ipa1 log]# rpm -qv freeipa-server
freeipa-server-2.1.3-2.fc15.x86_64

We need to find out what's wrong with your FreeIPA instance first. I did another test by upgrading from FreeIPA 2.1.0 to FreeIPA 2.1.3 on F-15 and then I ran 40-automember.update, but your issue did not occur. I would like to ask you for some more information to help us understand the state of your FreeIPA instance. You would need to be kinit-ed as admin to make the ldapsearch-es work:

1) Contents of original managed entries configuration:
$ ldapsearch -h localhost -Y GSSAPI -b 'cn=Managed Entries,cn=plugins,cn=config'

2) Contents of your cn=etc,dc=mossholder,dc=com
$ ldapsearch -h localhost -Y GSSAPI -b 'cn=etc,dc=mossholder,dc=com'

3) Please run the update again, with debug on so we get the full debug output:
$ ipa-ldap-updater -d 40-automember.update

Some errors may also be in dirsrv log. Yours should be in:
/var/log/dirsrv/slapd-MOSSHOLDER-COM/errors

Here you go.. thanks for the help!

####### 1 #######
[root@ipa1 log]# ldapsearch -h localhost -Y GSSAPI -b 'cn=Managed Entries,cn=plugins,cn=config'
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=Managed Entries,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Managed Entries, plugins, config
dn: cn=Managed Entries,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Managed Entries
nsslapd-pluginPath: libmanagedentries-plugin
nsslapd-pluginInitfunc: mep_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Managed Entries
nsslapd-pluginVersion: 1.2.10.a4
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Managed Entries plugin
# NGP Definition, Managed Entries, plugins, config
dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
cn: NGP Definition
originscope: cn=hostgroups,cn=accounts,dc=mossholder,dc=com
originfilter: objectclass=ipahostgroup
managedbase: cn=ng,cn=alt,dc=mossholder,dc=com
managedtemplate: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
# UPG Definition, Managed Entries, plugins, config
dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
cn: UPG Definition
originscope: cn=users,cn=accounts,dc=mossholder,dc=com
originfilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
managedbase: cn=groups,cn=accounts,dc=mossholder,dc=com
managedtemplate: cn=UPG Template,cn=etc,dc=mossholder,dc=com
# search result
search: 4
result: 0 Success
# numResponses: 4
# numEntries: 3
####### 2 #######
[root@ipa1 log]# ldapsearch -h localhost -Y GSSAPI -b 'cn=etc,dc=mossholder,dc=com'
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=etc,dc=mossholder,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# etc, mossholder.com
dn: cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: etc
# sysaccounts, etc, mossholder.com
dn: cn=sysaccounts,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: sysaccounts
# entitlements, etc, mossholder.com
dn: cn=entitlements,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: entitlements
# ipa, etc, mossholder.com
dn: cn=ipa,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: ipa
# masters, ipa, etc, mossholder.com
dn: cn=masters,cn=ipa,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: masters
# replicas, ipa, etc, mossholder.com
dn: cn=replicas,cn=ipa,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: replicas
# dna, ipa, etc, mossholder.com
dn: cn=dna,cn=ipa,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: dna
# posix-ids, dna, ipa, etc, mossholder.com
dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
cn: posix-ids
# ipaConfig, etc, mossholder.com
dn: cn=ipaConfig,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: top
objectClass: ipaGuiConfig
objectClass: ipaConfigObject
ipaUserSearchFields: uid,givenname,sn,telephonenumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 100
ipaHomesRootDir: /home
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 32
ipaPwdExpAdvNotify: 4
ipaGroupObjectClasses: top
ipaGroupObjectClasses: groupofnames
ipaGroupObjectClasses: nestedgroup
ipaGroupObjectClasses: ipausergroup
ipaGroupObjectClasses: ipaobject
ipaUserObjectClasses: top
ipaUserObjectClasses: person
ipaUserObjectClasses: organizationalperson
ipaUserObjectClasses: inetorgperson
ipaUserObjectClasses: inetuser
ipaUserObjectClasses: posixaccount
ipaUserObjectClasses: krbprincipalaux
ipaUserObjectClasses: krbticketpolicyaux
ipaUserObjectClasses: ipaobject
ipaDefaultEmailDomain: mossholder.com
ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash
cn: ipaConfig
ipaCertificateSubjectBase: O=MOSSHOLDER.COM
# virtual operations, etc, mossholder.com
dn: cn=virtual operations,cn=etc,dc=mossholder,dc=com
objectClass: top
objectClass: nsContainer
cn: virtual operations
# retrieve certificate, virtual operations, etc, mossholder.com
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,dc=mossholder,dc=com
objectClass: top
objectClass: nsContainer
cn: retrieve certificate
# request certificate, virtual operations, etc, mossholder.com
dn: cn=request certificate,cn=virtual operations,cn=etc,dc=mossholder,dc=com
objectClass: top
objectClass: nsContainer
cn: request certificate
# request certificate different host, virtual operations, etc, mossholder.com
dn: cn=request certificate different host,cn=virtual operations,cn=etc,dc=moss
 holder,dc=com
objectClass: top
objectClass: nsContainer
cn: request certificate different host
# certificate status, virtual operations, etc, mossholder.com
dn: cn=certificate status,cn=virtual operations,cn=etc,dc=mossholder,dc=com
objectClass: top
objectClass: nsContainer
cn: certificate status
# revoke certificate, virtual operations, etc, mossholder.com
dn: cn=revoke certificate,cn=virtual operations,cn=etc,dc=mossholder,dc=com
objectClass: top
objectClass: nsContainer
cn: revoke certificate
# certificate remove hold, virtual operations, etc, mossholder.com
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,dc=mossholder,dc=c
 om
objectClass: top
objectClass: nsContainer
cn: certificate remove hold
# UPG Template, etc, mossholder.com
dn: cn=UPG Template,cn=etc,dc=mossholder,dc=com
objectClass: mepTemplateEntry
objectClass: top
cn: UPG Template
mepRDNAttr: cn
mepStaticAttr: objectclass: posixgroup
mepStaticAttr: objectclass: ipaobject
mepStaticAttr: ipaUniqueId: autogenerate
mepMappedAttr: cn: $uid
mepMappedAttr: gidNumber: $uidNumber
mepMappedAttr: description: User private group for $uid
# NGP HGP Template, etc, mossholder.com
dn: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
objectClass: mepTemplateEntry
objectClass: top
cn: NGP HGP Template
mepRDNAttr: cn
mepStaticAttr: ipaUniqueId: autogenerate
mepStaticAttr: objectclass: ipanisnetgroup
mepStaticAttr: objectclass: ipaobject
mepStaticAttr: nisDomainName: mossholder.com
mepMappedAttr: cn: $cn
mepMappedAttr: memberHost: $dn
mepMappedAttr: description: ipaNetgroup $cn
# sudo, sysaccounts, etc, mossholder.com
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=mossholder,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
# ipa1.mossholder.com, masters, ipa, etc, mossholder.com
dn: cn=ipa1.mossholder.com,cn=masters,cn=ipa,cn=etc,dc=mossholder,dc=com
objectClass: top
objectClass: nsContainer
cn: ipa1.mossholder.com
# CA, ipa1.mossholder.com, masters, ipa, etc, mossholder.com
dn: cn=CA,cn=ipa1.mossholder.com,cn=masters,cn=ipa,cn=etc,dc=mossholder,dc=com
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
cn: CA
# kdc, sysaccounts, etc, mossholder.com
dn: uid=kdc,cn=sysaccounts,cn=etc,dc=mossholder,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: kdc
# KDC, ipa1.mossholder.com, masters, ipa, etc, mossholder.com
dn: cn=KDC,cn=ipa1.mossholder.com,cn=masters,cn=ipa,cn=etc,dc=mossholder,dc=co
 m
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 10
cn: KDC
# KPASSWD, ipa1.mossholder.com, masters, ipa, etc, mossholder.com
dn: cn=KPASSWD,cn=ipa1.mossholder.com,cn=masters,cn=ipa,cn=etc,dc=mossholder,d
 c=com
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 20
cn: KPASSWD
# HTTP, ipa1.mossholder.com, masters, ipa, etc, mossholder.com
dn: cn=HTTP,cn=ipa1.mossholder.com,cn=masters,cn=ipa,cn=etc,dc=mossholder,dc=c
 om
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 40
cn: HTTP
# replication, etc, mossholder.com
dn: cn=replication,cn=etc,dc=mossholder,dc=com
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaId: 3
nsDS5ReplicaRoot: dc=mossholder,dc=com
cn: replication
# ipa1.mossholder.com + 0, posix-ids, dna, ipa, etc, mossholder.com
dn: dnaHostname=ipa1.mossholder.com+dnaPortNum=0,cn=posix-ids,cn=dna,cn=ipa,cn
 =etc,dc=mossholder,dc=com
objectClass: extensibleObject
objectClass: top
dnahostname: ipa1.mossholder.com
dnaportnum: 0
dnasecureportnum: 636
dnaremainingvalues: 199987
# ipa1.mossholder.com + 389, posix-ids, dna, ipa, etc, mossholder.com
dn: dnaHostname=ipa1.mossholder.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,
 cn=etc,dc=mossholder,dc=com
objectClass: extensibleObject
objectClass: top
dnahostname: ipa1.mossholder.com
dnaportnum: 389
dnasecureportnum: 636
dnaremainingvalues: 199987
# search result
search: 4
result: 0 Success
# numResponses: 29
# numEntries: 28
####### 3 #######
[root@ipa1 ~]# ipa-ldap-updater -d 40-automember.update
Directory Manager password:
INFO Parsing file 40-automember.update
INFO Updating existing entry: cn=Auto Membership Plugin,cn=plugins,cn=config
DEBUG ---------------------------------------------
DEBUG dn: cn=Auto Membership Plugin,cn=plugins,cn=config
DEBUG nsslapd-pluginpath: libautomember-plugin
DEBUG cn: Auto Membership Plugin
DEBUG objectclass:
DEBUG top
DEBUG nsSlapdPlugin
DEBUG extensibleObject
DEBUG nsslapd-plugindescription: Auto Membership plugin
DEBUG nsslapd-pluginenabled: on
DEBUG nsslapd-pluginid: Auto Membership
DEBUG nsslapd-pluginversion: 1.2.10.a4
DEBUG nsslapd-plugin-depends-on-type: database
DEBUG nsslapd-pluginvendor: 389 Project
DEBUG nsslapd-pluginconfigarea: cn=automember,cn=etc,dc=mossholder,dc=com
DEBUG nsslapd-plugintype: preoperation
DEBUG nsslapd-plugininitfunc: automember_init
DEBUG addifnew: 'cn=automember,cn=etc,dc=mossholder,dc=com' to nsslapd-pluginConfigArea, current value ['cn=automember,cn=etc,dc=mossholder,dc=com']
DEBUG ---------------------------------------------
DEBUG dn: cn=Auto Membership Plugin,cn=plugins,cn=config
DEBUG nsslapd-pluginpath: libautomember-plugin
DEBUG cn: Auto Membership Plugin
DEBUG objectclass:
DEBUG top
DEBUG nsSlapdPlugin
DEBUG extensibleObject
DEBUG nsslapd-plugindescription: Auto Membership plugin
DEBUG nsslapd-pluginenabled: on
DEBUG nsslapd-pluginid: Auto Membership
DEBUG nsslapd-pluginversion: 1.2.10.a4
DEBUG nsslapd-plugin-depends-on-type: database
DEBUG nsslapd-pluginvendor: 389 Project
DEBUG nsslapd-pluginconfigarea: cn=automember,cn=etc,dc=mossholder,dc=com
DEBUG nsslapd-plugintype: preoperation
DEBUG nsslapd-plugininitfunc: automember_init
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=Auto Membership Plugin,cn=plugins,cn=config
DEBUG nsslapd-pluginpath: libautomember-plugin
DEBUG cn: Auto Membership Plugin
DEBUG objectclass:
DEBUG top
DEBUG nsSlapdPlugin
DEBUG extensibleObject
DEBUG nsslapd-plugindescription: Auto Membership plugin
DEBUG nsslapd-pluginenabled: on
DEBUG nsslapd-pluginid: Auto Membership
DEBUG nsslapd-pluginversion: 1.2.10.a4
DEBUG nsslapd-plugin-depends-on-type: database
DEBUG nsslapd-pluginvendor: 389 Project
DEBUG nsslapd-pluginconfigarea: cn=automember,cn=etc,dc=mossholder,dc=com
DEBUG nsslapd-plugintype: preoperation
DEBUG nsslapd-plugininitfunc: automember_init
DEBUG []
DEBUG Live 1, updated 0
INFO Done
INFO New entry: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn:$uid
DEBUG gidNumber:$uidNumber
DEBUG description:User private group for $uid
DEBUG mepstaticattr:
DEBUG objectclass:posixgroup
DEBUG objectclass:ipaobject
DEBUG ipaUniqueId:autogenerate
DEBUG cn: UPG Template
DEBUG meprdnattr: cn
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn:$uid
DEBUG gidNumber:$uidNumber
DEBUG description:User private group for $uid
DEBUG mepstaticattr:
DEBUG objectclass:posixgroup
DEBUG objectclass:ipaobject
DEBUG ipaUniqueId:autogenerate
DEBUG cn: UPG Template
DEBUG meprdnattr: cn
ERROR Add failure cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=UPG Template,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG dn: cn=UPG Template,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn: $uid
DEBUG gidNumber: $uidNumber
DEBUG description: User private group for $uid
DEBUG mepstaticattr:
DEBUG objectclass: posixgroup
DEBUG objectclass: ipaobject
DEBUG ipaUniqueId: autogenerate
DEBUG cn: UPG Template
DEBUG meprdnattr: cn
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=UPG Template,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn: $uid
DEBUG gidNumber: $uidNumber
DEBUG description: User private group for $uid
DEBUG mepstaticattr:
DEBUG objectclass: posixgroup
DEBUG objectclass: ipaobject
DEBUG ipaUniqueId: autogenerate
DEBUG cn: UPG Template
DEBUG meprdnattr: cn
DEBUG []
DEBUG Live 1, updated 0
INFO Done
INFO New entry: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG cn: UPG Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=groups,cn=accounts,dc=mossholder,dc=com
DEBUG originfilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
DEBUG originscope: cn=users,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG cn: UPG Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=groups,cn=accounts,dc=mossholder,dc=com
DEBUG originfilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
DEBUG originscope: cn=users,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
ERROR Add failure cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
DEBUG ---------------------------------------------
DEBUG dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
DEBUG cn: UPG Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=groups,cn=accounts,dc=mossholder,dc=com
DEBUG originfilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
DEBUG originscope: cn=users,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=UPG Template,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
DEBUG cn: UPG Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=groups,cn=accounts,dc=mossholder,dc=com
DEBUG originfilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))
DEBUG originscope: cn=users,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=UPG Template,cn=etc,dc=mossholder,dc=com
DEBUG []
DEBUG Live 1, updated 0
INFO Done
INFO New entry: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn:$cn
DEBUG memberHost:$dn
DEBUG description:ipaNetgroup $cn
DEBUG mepstaticattr:
DEBUG ipaUniqueId:autogenerate
DEBUG objectclass:ipanisnetgroup
DEBUG objectclass:ipaobject
DEBUG nisDomainName:mossholder.com
DEBUG cn: NGP HGP Template
DEBUG meprdnattr: cn
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn:$cn
DEBUG memberHost:$dn
DEBUG description:ipaNetgroup $cn
DEBUG mepstaticattr:
DEBUG ipaUniqueId:autogenerate
DEBUG objectclass:ipanisnetgroup
DEBUG objectclass:ipaobject
DEBUG nisDomainName:mossholder.com
DEBUG cn: NGP HGP Template
DEBUG meprdnattr: cn
ERROR Add failure cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG dn: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn: $cn
DEBUG memberHost: $dn
DEBUG description: ipaNetgroup $cn
DEBUG mepstaticattr:
DEBUG ipaUniqueId: autogenerate
DEBUG objectclass: ipanisnetgroup
DEBUG objectclass: ipaobject
DEBUG nisDomainName: mossholder.com
DEBUG cn: NGP HGP Template
DEBUG meprdnattr: cn
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
DEBUG objectclass:
DEBUG mepTemplateEntry
DEBUG top
DEBUG mepmappedattr:
DEBUG cn: $cn
DEBUG memberHost: $dn
DEBUG description: ipaNetgroup $cn
DEBUG mepstaticattr:
DEBUG ipaUniqueId: autogenerate
DEBUG objectclass: ipanisnetgroup
DEBUG objectclass: ipaobject
DEBUG nisDomainName: mossholder.com
DEBUG cn: NGP HGP Template
DEBUG meprdnattr: cn
DEBUG []
DEBUG Live 1, updated 0
INFO Done
INFO New entry: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG cn: NGP Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=ng,cn=alt,dc=mossholder,dc=com
DEBUG originfilter: objectclass=ipahostgroup
DEBUG originscope: cn=hostgroups,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
DEBUG cn: NGP Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=ng,cn=alt,dc=mossholder,dc=com
DEBUG originfilter: objectclass=ipahostgroup
DEBUG originscope: cn=hostgroups,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
ERROR Add failure cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,dc=com
INFO Updating existing entry: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
DEBUG ---------------------------------------------
DEBUG dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
DEBUG cn: NGP Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=ng,cn=alt,dc=mossholder,dc=com
DEBUG originfilter: objectclass=ipahostgroup
DEBUG originscope: cn=hostgroups,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
DEBUG ---------------------------------------------
DEBUG Final value
DEBUG dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
DEBUG cn: NGP Definition
DEBUG objectclass:
DEBUG extensibleObject
DEBUG top
DEBUG managedbase: cn=ng,cn=alt,dc=mossholder,dc=com
DEBUG originfilter: objectclass=ipahostgroup
DEBUG originscope: cn=hostgroups,cn=accounts,dc=mossholder,dc=com
DEBUG managedtemplate: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
DEBUG []
DEBUG Live 1, updated 0
INFO Done
DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
DEBUG Restarting IPA to initialize updates before performing deletes:
Restarting IPA to initialize updates before performing deletes:
DEBUG [1/2]: stopping directory server
[1/2]: stopping directory server
DEBUG args=/sbin/service dirsrv stop
DEBUG stdout=Shutting down dirsrv:
MOSSHOLDER-COM...[ OK ]
PKI-IPA...[ OK ]
DEBUG stderr=
DEBUG duration: 7 seconds
DEBUG [2/2]: starting directory server
[2/2]: starting directory server
DEBUG args=/sbin/service dirsrv start
DEBUG stdout=Starting dirsrv:
MOSSHOLDER-COM...[ OK ]
PKI-IPA...[ OK ]
DEBUG stderr=
DEBUG duration: 4 seconds
DEBUG done configuring dirsrv.
done configuring dirsrv.
ERROR Delete failed: Server is unwilling to perform: Not a valid operation.
ERROR Delete failed: Server is unwilling to perform: Deleting an active managed entries template is not allowed. Delete the associated config entry first.
ERROR Delete failed: Server is unwilling to perform: Not a valid operation.
ERROR Delete failed: Server is unwilling to perform: Deleting an active managed entries template is not allowed. Delete the associated config entry first.
####### 4 #######
[04/Nov/2011:07:03:32 -0400] - slapd shutting down - signaling operation threads
[04/Nov/2011:07:03:32 -0400] - slapd shutting down - closing down internal subsystems and plugins
[04/Nov/2011:07:03:33 -0400] - Waiting for 4 database threads to stop
[04/Nov/2011:07:03:34 -0400] - All database threads now stopped
[04/Nov/2011:07:03:34 -0400] - slapd stopped.
[04/Nov/2011:07:03:40 -0400] - 389-Directory/1.2.10.a4 B2011.281.315 starting up
[04/Nov/2011:07:03:40 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=mossholder,dc=com
[04/Nov/2011:07:03:40 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=mossholder,dc=com
[04/Nov/2011:07:03:40 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mossholder,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[04/Nov/2011:07:03:40 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mossholder,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[04/Nov/2011:07:03:40 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[04/Nov/2011:07:03:40 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[04/Nov/2011:07:03:40 -0400] - Listening on /var/run/slapd-MOSSHOLDER-COM.socket for LDAPI requests
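
Added example, not part of the original comment: the ldapsearch output above shows the Managed Entries definitions under cn=Managed Entries,cn=plugins,cn=config with templates directly under cn=etc, while the updater run tries to add them under cn=Definitions and cn=Templates below cn=Managed Entries,cn=etc. The script classifies each definition by that layout; the function names and the third sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Managed Entries definitions from ldapsearch LDIF
# output as old layout (STALE) or reorganized layout (OK).

# unfold_ldif: join LDIF continuation lines. A line that starts with a single
# space continues the previous line (ldapsearch folds long DNs this way).
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# stale_mep_definitions SUFFIX
# Reads LDIF on stdin. For every entry that carries a managedtemplate
# attribute, prints "STALE<TAB>dn<TAB>template" when the entry or its template
# lives outside cn=Managed Entries,cn=etc,SUFFIX, otherwise "OK<TAB>...".
stale_mep_definitions() {
    base=$(printf 'cn=managed entries,cn=etc,%s' "$1" | tr '[:upper:]' '[:lower:]')
    unfold_ldif | MEP_BASE="$base" awk '
        function norm(s) { s = tolower(s); gsub(/, +/, ",", s); return s }
        function under(dn, parent,    tail) {
            tail = "," parent
            return length(dn) > length(tail) &&
                   substr(dn, length(dn) - length(tail) + 1) == tail
        }
        function emit_entry() {
            if (dn != "" && tmpl != "") {
                if (under(norm(dn), base) && under(norm(tmpl), base))
                    print "OK\t" dn "\t" tmpl
                else
                    print "STALE\t" dn "\t" tmpl
            }
            dn = ""; tmpl = ""
        }
        BEGIN { base = ENVIRON["MEP_BASE"] }
        # Entries are delimited by their dn: line, so the check also works on
        # output where the blank separator lines were lost.
        /^dn: / { emit_entry(); dn = substr($0, 5); next }
        tolower($0) ~ /^managedtemplate: / { tmpl = substr($0, 18); next }
        END { emit_entry() }
    '
}

# sample_ldif: the first three entries are abbreviated from the ldapsearch
# output above; the last one is constructed from the DN the updater tried to
# add, folded the way ldapsearch folds long lines.
sample_ldif() {
    cat <<'EOF'
# Managed Entries, plugins, config
dn: cn=Managed Entries,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: Managed Entries
# NGP Definition, Managed Entries, plugins, config
dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
objectClass: extensibleObject
cn: NGP Definition
managedtemplate: cn=NGP HGP Template,cn=etc,dc=mossholder,dc=com
# UPG Definition, Managed Entries, plugins, config
dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
objectClass: extensibleObject
cn: UPG Definition
managedtemplate: cn=UPG Template,cn=etc,dc=mossholder,dc=com
# constructed: the same definition in the layout the updater tries to add
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=mossholder,d
 c=com
cn: UPG Definition
managedtemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=mos
 sholder,dc=com
EOF
}

sample_ldif | stale_mep_definitions 'dc=mossholder,dc=com'
```

On a live server the input would be the two ldapsearch commands from this thread concatenated; the plugin entry itself is skipped because it has no managedtemplate attribute.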
Matt, thanks for all this information. From what I see, reorganization of Managed Entries in LDAP which was introduced in this ticket:
https://fedorahosted.org/freeipa/ticket/1708
was not processed correctly in your LDAP server instance. If you updated a previous version of FreeIPA server, these entries should have updated automatically when the freeipa-server RPM was updated. In your case, the update either did not happen at all or failed.

Do you remember what is the update history of your freeipa-server package? Like what was the freeipa-server version when you first installed IPA and what freeipa-server updates did you run after that? It could help reproduce this issue.

Here is something that should help if the LDAP update failed in your case. Can you run this command?

# /usr/sbin/ipa-ldap-updater --upgrade

This would upgrade your LDAP instance in the same way as it's done during RPM updates. If this succeeds, running update with 40-automember.update (as we tried earlier) should work.

Running '/usr/sbin/ipa-ldap-updater --upgrade' followed by 40-automember.update did the trick. Here's the revision history from my /var/log/yum.log:

May 15 23:42:50 Installed: freeipa-server-2.0.1-2.fc15.x86_64
Aug 27 18:47:38 Updated: freeipa-server-2.1.0-1.fc15.x86_64
Oct 29 08:39:46 Updated: freeipa-server-2.1.3-2.fc15.x86_64

I take that back... it is only "mostly fixed" :) I am still getting this in /var/log/httpd/error_log whenever I visit the web interface. The web interface itself claims a 903 error.


[Fri Nov 04 14:03:53 2011] [error] ipa: ERROR: non-public: KeyError: 'automemberregexrule'
[Fri Nov 04 14:03:53 2011] [error] Traceback (most recent call last):
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute
[Fri Nov 04 14:03:53 2011] [error] result = self.Command[name](*args, **options)
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
[Fri Nov 04 14:03:53 2011] [error] ret = self.run(*args, **options)
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
[Fri Nov 04 14:03:53 2011] [error] return self.execute(*args, **options)
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 66, in execute
[Fri Nov 04 14:03:53 2011] [error] (o.name, json_serialize(o)) for o in self.api.Object()
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 66, in <genexpr>
[Fri Nov 04 14:03:53 2011] [error] (o.name, json_serialize(o)) for o in self.api.Object()
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 49, in json_serialize
[Fri Nov 04 14:03:53 2011] [error] return json_serialize(obj.__json__())
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 490, in __json__
[Fri Nov 04 14:03:53 2011] [error] attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
[Fri Nov 04 14:03:53 2011] [error] File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 277, in attribute_types
[Fri Nov 04 14:03:53 2011] [error] object_class = self.sed[ObjectClass][object_class_oid]
[Fri Nov 04 14:03:53 2011] [error] KeyError: 'automemberregexrule'
[Fri Nov 04 14:03:53 2011] [error] ipa: INFO: admin: json_metadata(u'all', None): KeyError

Ok, now we are getting somewhere.
Your dirsrv instance seems to miss new automember schema. This is probably caused by Bug 751495. You can verify this easily:

1) Please check that your dirsrv version supports automember (it should). There should be a schema file here: /etc/dirsrv/schema/10automember-plugin.ldif

2) Then please check if your dirsrv _instance_ has the new schema (dirsrv didn't support this feature at the time you installed dirsrv) - we can check that from 389-ds-base version. In your case, the automember schema file should be there: /etc/dirsrv/slapd-MOSSHOLDER-COM/schema/10automember-plugin.ldif

If it isn't there and I am convinced it isn't, we will need to add it and restart dirsrv and reload httpd:

# cp /etc/dirsrv/schema/10automember-plugin.ldif /etc/dirsrv/slapd-MOSSHOLDER-COM/schema/10automember-plugin.ldif
# service dirsrv restart
# service httpd reload

Now, the FreeIPA automember update should be run again to be sure the data is there:

# ipa-ldap-updater -d 40-automember.update

Then, the automember feature should just work.

That's not it, as the automember plugin already exists in /etc/dirsrv/slapd-MOSSHOLDER-COM/schema/10automember-plugin.ldif. However, I diff'd the two ldif files, and they aren't the same. The same was true for the /etc/dirsrv/slapd-PKI-CA/schema/10automember-plugin.ldif, so I replaced it as well. I checked the other schemas to see how they compared with the versions in /etc/dirsrv/schema as well.
Here are the results:

##############
[root@ipa1 schema]# for i in *; do diff -q $i /etc/dirsrv/slapd-MOSSHOLDER-COM/schema/$i; done
Files 99user.ldif and /etc/dirsrv/slapd-MOSSHOLDER-COM/schema/99user.ldif differ
[root@ipa1 schema]# for i in *; do diff -q $i /etc/dirsrv/slapd-PKI-IPA/schema/$i; done
Files 01core389.ldif and /etc/dirsrv/slapd-PKI-IPA/schema/01core389.ldif differ
Files 02common.ldif and /etc/dirsrv/slapd-PKI-IPA/schema/02common.ldif differ
Files 99user.ldif and /etc/dirsrv/slapd-PKI-IPA/schema/99user.ldif differ
##############

I'm not sure those files SHOULD be the same, so I left them alone.

I'm still getting 903 errors, even after the schema updates. Here are the current entries from the error_log:

##############
[Sat Nov 05 09:08:58 2011] [error] [client 192.168.0.1] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipa1.mossholder.com/ipa/ui/
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: batch: i18n_messages(): SUCCESS
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: batch: user_find(None, whoami=True, all=True): SUCCESS
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: batch: env(None): SUCCESS
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: batch: dns_is_enabled(): SUCCESS
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: batch: hbacrule_find(None, accessruletype=u'deny'): SUCCESS
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: batch(({u'params': [[], {}], u'method': u'i18n_messages'}, {u'params': [[], {u'all': True, u'whoami': True}], u'method': u'user_find'}, {u'params': [[], {}], u'method': u'env'}, {u'params': [[], {}], u'method': u'dns_is_enabled'}, {u'params': [[], {u'accessruletype': u'deny'}], u'method': u'hbacrule_find'})): SUCCESS
[Sat Nov 05 09:08:59 2011] [error] ipa: ERROR: non-public: KeyError: 'automemberregexrule'
[Sat Nov 05 09:08:59 2011] [error] Traceback (most recent call last):
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in wsgi_execute
[Sat Nov 05 09:08:59 2011] [error] result = self.Command[name](*args, **options)
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
[Sat Nov 05 09:08:59 2011] [error] ret = self.run(*args, **options)
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
[Sat Nov 05 09:08:59 2011] [error] return self.execute(*args, **options)
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 66, in execute
[Sat Nov 05 09:08:59 2011] [error] (o.name, json_serialize(o)) for o in self.api.Object()
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 66, in <genexpr>
[Sat Nov 05 09:08:59 2011] [error] (o.name, json_serialize(o)) for o in self.api.Object()
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 49, in json_serialize
[Sat Nov 05 09:08:59 2011] [error] return json_serialize(obj.__json__())
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 490, in __json__
[Sat Nov 05 09:08:59 2011] [error] attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
[Sat Nov 05 09:08:59 2011] [error] File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 277, in attribute_types
[Sat Nov 05 09:08:59 2011] [error] object_class = self.sed[ObjectClass][object_class_oid]
[Sat Nov 05 09:08:59 2011] [error] KeyError: 'automemberregexrule'
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: json_metadata(u'all', None): KeyError
[Sat Nov 05 09:08:59 2011] [error] ipa: INFO: admin: json_metadata(None, u'all'): SUCCESS

Ok, the root cause must be different. Though I have not ruled the failed LDAP update root cause out yet.
Nathan, can you please check if this state that Matt described in the last post cannot be caused by failed LDAP update?

Btw. Matt, if you want to check if the automemberregexrule is available in your dirsrv instance you can try this LDAP search:

# ldapsearch -Y GSSAPI -h localhost -b cn=schema objectClasses | grep -A 3 -i automemberregexrule

We did find a problem with update in 389-ds-base. This has been fixed - see https://bugzilla.redhat.com/show_bug.cgi?id=751495 for more info. The 389-ds-base build with the fix has been pushed out to updates-testing. Please try with that version and see if you can reproduce the bug.

You need to restart Apache to see the schema changes in the framework.

The update to 389-ds-base seems to have done the trick... thanks everyone!

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/9cdeabc778c3eaf9e62eee4fc047c2fd1ec58260
ipa-2-1: https://fedorahosted.org/freeipa/changeset/990553221fa53c7a294a80c07b8c89118ef6b3be

Verified.

Version :: ipa-server-2.2.0-5.el6.x86_64

Automated Test Results ::

Not able to run beaker jobs due to waiting on other bug resolutions but, can manually run automated test:

# upgrade_bz_746589
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: upgrade_bz_746589: automember functionality not available for upgraded IPA server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [15:29:56] :: Machine in recipe is MASTER
:: [15:29:57] :: checking if upgrade
--------------------------------------
Added group "ipa-automember-bz-746589"
--------------------------------------
Group name: ipa-automember-bz-746589
Description: ipa-automember-bz-746589
GID: 1928200004
:: [ PASS ] :: Running 'ipa group-add --desc=ipa-automember-bz-746589 ipa-automember-bz-746589'
:: [ PASS ] :: Running 'ipa automember-add --type=group ipa-automember-bz-746589 > /tmp/upgrade_bz_746589.out 2>&1'
:: [ PASS ] :: BZ 746589 not found
result_server not set, assuming developer mode.
Setting <MASTER_IP> to state upgrade_bz_746589.8
:: [ PASS ] :: Running 'rhts-sync-set -s 'upgrade_bz_746589.8' -m <MASTER_IP>'

Manual Test Results ::

# ipa group-add bz746589 --desc=bztest
----------------------
Added group "bz746589"
----------------------
Group name: bz746589
Description: bztest
GID: 1928200005

# ipa automember-add --type=group bz746589
--------------------------------
Added automember rule "bz746589"
--------------------------------
Automember Rule: bz746589

# ipa automember-find
Grouping Type: group
---------------
1 rules matched
---------------
Automember Rule: bz746589
----------------------------
Number of entries returned 1
----------------------------

Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html
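
The two schema checks used during the diagnosis in this thread (comparing the packaged schema directory with an instance's schema directory, and looking for the automemberregexrule object class) can be scripted as below. This is an added example, not part of the bug comments or of FreeIPA/389-ds; the function names are hypothetical and the OIDs and temporary directories in the demo are constructed sample data.

```shell
# unfold_ldif FILE: join LDIF continuation lines (a leading space continues the
# previous line) so a definition folded across lines can be matched by grep.
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR > 0) print buf }' "$1"
}

# has_objectclass SCHEMA_DIR NAME: succeed if a *.ldif file in SCHEMA_DIR
# defines an object class called NAME (matched case-insensitively).
has_objectclass() {
    for f in "$1"/*.ldif; do
        [ -f "$f" ] || continue
        if unfold_ldif "$f" | grep -i '^objectclasses:' | grep -qi "NAME[ (]*'$2'"; then
            return 0
        fi
    done
    return 1
}

# schema_drift PKG_DIR INST_DIR: list packaged schema files that are missing
# from, or differ in, the instance directory. Returns 1 if any drift is found.
schema_drift() {
    drift=0
    for f in "$1"/*.ldif; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -f "$2/$name" ]; then echo "MISSING $name"; drift=1
        elif ! cmp -s "$f" "$2/$name"; then echo "DIFFERS $name"; drift=1
        fi
    done
    return "$drift"
}

# Constructed demo (temporary directories and placeholder OIDs, not a real
# dirsrv install): the instance copy lacks the folded automemberRegexRule line.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/pkg" "$tmp/inst" || return 2
    printf '%s\n' 'dn: cn=schema' \
        "objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'autoMemberDefinition' SUP top )" \
        "objectClasses: ( 1.3.6.1.4.1.99999.2 NAME 'autoMember" \
        " RegexRule' SUP top )" > "$tmp/pkg/10automember-plugin.ldif"
    sed -n '1,2p' "$tmp/pkg/10automember-plugin.ldif" > "$tmp/inst/10automember-plugin.ldif"
    schema_drift "$tmp/pkg" "$tmp/inst" || echo "drift found"
    has_objectclass "$tmp/inst" automemberregexrule && echo "instance: present" || echo "instance: absent"
    rm -rf "$tmp"
}
demo
```

On a real server the arguments would be the directories named in the thread, for example `schema_drift /etc/dirsrv/schema /etc/dirsrv/slapd-MOSSHOLDER-COM/schema`. A file check only shows what is on disk; the ldapsearch against cn=schema quoted above shows what the running server has loaded.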