Bug 1220788 - request to backport ticket 3578 to RHEL6. Provoking migration to 7.1 issues.
Summary: request to backport ticket 3578 to RHEL6. Provoking migration to 7.1 issues.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-12 12:53 UTC by German Parente
Modified: 2019-07-11 09:08 UTC (History)
8 users (show)

Fixed In Version: ipa-3.0.0-47.el6
Doc Type: Known Issue
Doc Text:
False-positive error messages when migrating to Red Hat Enterprise Linux 7.1 Previously, bad definition of the dc attribute in /usr/share/ipa/05rfc2247.ldif caused bogus error messages to be returned during migration. Even though the attribute has been fixed, the bug persists if the copy-schema-to-ca.py script was run on Red Hat Enterprise Linux 6.6 prior to running it on Red Hat Enterprise Linux 6.7. To work around this problem, manually copy /usr/share/ipa/schema/05rfc2247.ldif to /etc/dirsrv/slapd-PKI-IPA/schema/ and restart Identity Management.
Clone Of:
Environment:
Last Closed: 2015-07-22 07:39:56 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1462 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2015-07-21 14:14:52 UTC
Red Hat Bugzilla 1224769 None None None Never

Internal Links: 1224769

Description German Parente 2015-05-12 12:53:02 UTC
Description of problem:

it's explained in:

https://fedorahosted.org/freeipa/ticket/3578#comment:15

When migrating to 7.1, both instances of dirsrv are merged. 

copy-schema-to-ca.py script is copying the file:

/usr/share/ipa/05rfc2247.ldif

included in RHEL6 and the bad definition of attribute "dc" is spread into whole topology provoking these errors:

[15/Apr/2015:12:33:06 +0100] attr_syntax_create - Error: the EQUALITY
matching rule [caseIgnoreIA5Match] is not compatible with the syntax
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[15/Apr/2015:12:33:06 +0100] attr_syntax_create - Error: the SUBSTR
matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the
syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]


Version-Release number of selected component (if applicable): 

ipa-server-3.0.0-42.el6.x86_64

Actual results:


Expected results:


Additional info:

Comment 1 German Parente 2015-05-12 12:55:13 UTC
copy-schema-to-ca.py is including this definition in the list of files to copy. This should not be.

SCHEMA_FILENAMES = (
    "60kerberos.ldif",
    "60samba.ldif",
    "60ipaconfig.ldif",
    "60basev2.ldif",
    "60basev3.ldif",
    "60ipadns.ldif",
    "61kerberos-ipav3.ldif",
    "65ipacertstore.ldif",
    "65ipasudo.ldif",
    "70ipaotp.ldif",
    "05rfc2247.ldif",   <----- HERE

the file in the 389 rpms is right.

But the one included in ipa-server rpm still shows bad definition for rhel6.

Comment 3 Petr Vobornik 2015-05-12 13:48:39 UTC
Do I understand it correctly that the proposal is to backport [1] and nothing else? Or do you also want to backport the other patch [2] from ticket #3578?


[1] https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=e9863e3fe3cc5ca016c4e216ae3d34b750a34c73
[2] https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d4a0fa34afd30765e5ea6f0df21976a6494f13d6

Comment 4 German Parente 2015-05-12 14:22:10 UTC
Hi Petr,

thanks for taking care of this bug.

The error I am seeing is related to [1] but I think the full fix should be backport'd.

Comment 11 errata-xmlrpc 2015-07-22 07:39:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1462.html


Note You need to log in before you can comment on or make changes to this bug.