Upstream ticket: https://fedorahosted.org/freeipa/ticket/4537 After upgrade to 389-ds-base 1.3.3.2, Referential Integrity plugin no longer works: # ipa user-add --first=Foo --last=Bar --manager admin fbar # ipa user-add --first=Foo --last=Bar --manager fbar fbar2 ------------------ Added user "fbar2" ------------------ ... Manager: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test ... # ipa user-del fbar ------------------- Deleted user "fbar" ------------------- # ipa user-show fbar2 --all dn: uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test ... Manager: fbar <<<< ... This is caused by changed RI plugin which no longer expects RI attributes by nsslapd-pluginargX bur rather in referint-membership-attr: # ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w Secret123 -b 'cn=referential integrity postoperation,cn=plugins,cn=config' # extended LDIF # # LDAPv3 # base <cn=referential integrity postoperation,cn=plugins,cn=config> with scope subtree # filter: (objectclass=*) # requesting: ALL # # referential integrity postoperation, plugins, config dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: referential integrity postoperation nsslapd-pluginPath: libreferint-plugin nsslapd-pluginInitfunc: referint_postop_init nsslapd-pluginType: betxnpostoperation nsslapd-pluginEnabled: on nsslapd-pluginprecedence: 40 referint-update-delay: 0 referint-logfile: /var/log/dirsrv/slapd-MKOSEK-FEDORA20-TEST/referint referint-logchanges: 0 referint-membership-attr: member referint-membership-attr: uniquemember referint-membership-attr: owner referint-membership-attr: seeAlso nsslapd-plugin-depends-on-type: database nsslapd-pluginId: referint nsslapd-pluginVersion: 1.3.3.2.a1 nsslapd-pluginVendor: 389 Project nsslapd-pluginDescription: referential integrity plugin nsslapd-pluginarg7: manager nsslapd-pluginarg8: secretary nsslapd-pluginarg9: memberuser nsslapd-pluginarg10: memberhost nsslapd-pluginarg11: sourcehost nsslapd-pluginarg12: memberservice nsslapd-pluginarg13: managedby nsslapd-pluginarg14: memberallowcmd nsslapd-pluginarg15: memberdenycmd nsslapd-pluginarg16: ipasudorunas nsslapd-pluginarg17: ipasudorunasgroup nsslapd-pluginentryscope: dc=mkosek-fedora20,dc=test nsslapd-plugincontainerscope: dc=mkosek-fedora20,dc=test nsslapd-pluginarg18: ipatokenradiusconfiglink # search result search: 2 result: 0 Success # numResponses: 2
Fixed in upstream 4.0.3
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4537
python-qrcode-5.0.1-1.fc21, freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-1.fc21,freeipa-4.0.3-1.fc21
Package freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-4.0.3-1.fc21 389-ds-base-1.3.3.3-1.fc21 python-qrcode-5.0.1-2.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-2.fc21,freeipa-4.0.3-1.fc21 then log in and leave karma (feedback).
freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.