Bug 2436933 - ipa-healthcheck claims that system indexes are missing or incorrect
Summary: ipa-healthcheck claims that system indexes are missing or incorrect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: 389-ds-base
Version: 43
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Viktor Ashirov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-04 21:38 UTC by Thomas Clark
Modified: 2026-02-26 01:09 UTC (History)
12 users (show)

Fixed In Version: 389-ds-base-3.1.4-7.fc43
Clone Of:
Environment:
Last Closed: 2026-02-26 01:09:14 UTC
Type: ---
Embargoed:
fedora-admin-xmlrpc: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 7223 0 None closed Fix system index configuration issues (parentid/ancestorid) 2026-02-11 07:06:09 UTC
Github 389ds 389-ds-base pull 7226 0 None Merged Issue 7223 - Fix system index configuration issues (parentid/ancestorid) 2026-02-11 07:06:09 UTC
Red Hat Issue Tracker FC-3092 0 None None None 2026-02-04 21:47:47 UTC

Description Thomas Clark 2026-02-04 21:38:46 UTC 
Recently (not sure exactly when) I began seeing indexing errors on starting freeipa and when running ipa-healthcheck. I noticed that freeipa was upgraded in F43, so I upgraded from F42 to F43, but it didn't change the errors. There is a similar issue from October 2025, and I'm not sure if this is a regression or something new. From ipa-healthcheck:
[
  {
    "source": "ipahealthcheck.ds.backends",
    "check": "BackendsCheck",
    "result": "CRITICAL",
    "uuid": "aff0ac5d-5a61-4b98-9fa5-922327c4f7c8",
    "when": "20260204212241Z",
    "duration": "0.146653",
    "kw": {
      "key": "DSBLE0007",
      "items": [
        "cn=changelog"
      ],
      "msg": "System indexes are essential for proper directory server operation. Missing or\nincorrectly configured system indexes can lead to poor search performance, replication\nissues, and other operational problems.\n\nThe following system indexes should be present with correct configuration:\n- entryrdn: index type 'subtree'\n- parentid: index type 'eq' with matching rule 'integerOrderingMatch'\n- ancestorid: index type 'eq' with matching rule 'integerOrderingMatch'\n- objectClass: index type 'eq'\n- aci: index type 'pres'\n- nscpEntryDN: index type 'eq'\n- nsUniqueId: index type 'eq'\n- nsds5ReplConflict: index types 'eq', 'pres'\n- nsCertSubjectDN: index type 'eq'\n- numsubordinates: index type 'pres'\n- nsTombstoneCSN: index type 'eq'\n- targetuniqueid: index type 'eq'\n- changeNumber: index type 'eq' with matching rule 'integerOrderingMatch'\n- entryusn: index type 'eq' with matching rule 'integerOrderingMatch'\n\nCurrent discrepancies:\n- Index parentid missing matching rule: integerOrderingMatch\n- Index parentid missing fine grain definition of IDs limit: integerOrderingMatch\n"
    }
  },
  {
    "source": "ipahealthcheck.ds.backends",
    "check": "BackendsCheck",
    "result": "CRITICAL",
    "uuid": "458f139f-19bd-480d-b502-8d41955a6fe8",
    "when": "20260204212241Z",
    "duration": "0.146663",
    "kw": {
      "key": "DSBLE0007",
      "items": [
        "o=ipaca"
      ],
      "msg": "System indexes are essential for proper directory server operation. Missing or\nincorrectly configured system indexes can lead to poor search performance, replication\nissues, and other operational problems.\n\nThe following system indexes should be present with correct configuration:\n- entryrdn: index type 'subtree'\n- parentid: index type 'eq' with matching rule 'integerOrderingMatch'\n- ancestorid: index type 'eq' with matching rule 'integerOrderingMatch'\n- objectClass: index type 'eq'\n- aci: index type 'pres'\n- nscpEntryDN: index type 'eq'\n- nsUniqueId: index type 'eq'\n- nsds5ReplConflict: index types 'eq', 'pres'\n- nsCertSubjectDN: index type 'eq'\n- numsubordinates: index type 'pres'\n- nsTombstoneCSN: index type 'eq'\n- targetuniqueid: index type 'eq'\n- entryusn: index type 'eq' with matching rule 'integerOrderingMatch'\n\nCurrent discrepancies:\n- Index parentid missing matching rule: integerOrderingMatch\n- Index parentid missing fine grain definition of IDs limit: integerOrderingMatch\n"
    }
  },
  {
    "source": "ipahealthcheck.ds.backends",
    "check": "BackendsCheck",
    "result": "CRITICAL",
    "uuid": "705d8957-c9db-479b-938a-f00ed9dc2cad",
    "when": "20260204212241Z",
    "duration": "0.146666",
    "kw": {
      "key": "DSBLE0007",
      "items": [
        "dc=ferree-clark,dc=org"
      ],
      "msg": "System indexes are essential for proper directory server operation. Missing or\nincorrectly configured system indexes can lead to poor search performance, replication\nissues, and other operational problems.\n\nThe following system indexes should be present with correct configuration:\n- entryrdn: index type 'subtree'\n- parentid: index type 'eq' with matching rule 'integerOrderingMatch'\n- ancestorid: index type 'eq' with matching rule 'integerOrderingMatch'\n- objectClass: index type 'eq'\n- aci: index type 'pres'\n- nscpEntryDN: index type 'eq'\n- nsUniqueId: index type 'eq'\n- nsds5ReplConflict: index types 'eq', 'pres'\n- nsCertSubjectDN: index type 'eq'\n- numsubordinates: index type 'pres'\n- nsTombstoneCSN: index type 'eq'\n- targetuniqueid: index type 'eq'\n- entryusn: index type 'eq' with matching rule 'integerOrderingMatch'\n\nCurrent discrepancies:\n- Index parentid missing matching rule: integerOrderingMatch\n- Index parentid missing fine grain definition of IDs limit: integerOrderingMatch\n"
    }
  },
  {
    "source": "ipahealthcheck.ipa.dna",
    "check": "IPADNARangeCheck",
    "result": "WARNING",
    "uuid": "7a3f9391-7ee3-422c-8a6d-302fc22ffa92",
    "when": "20260204212249Z",
    "duration": "0.139987",
    "kw": {
      "key": "no_dna_range_defined",
      "range_start": 0,
      "range_max": 0,
      "next_start": 0,
      "next_max": 0,
      "msg": "No DNA range defined. If no masters define a range then users and groups cannot be created."
    }
  }
]


Reproducible: Always

Steps to Reproduce:
1. Start freeipa
2.
3.
Actual Results:
Produces errors as above

Expected Results:
Should start without errors
Comment 1 Rob Crittenden 2026-02-04 21:46:24 UTC 
Re-assigning to 389-ds team to evaluate.

The DNA warning can be ignored if at least one server has a configured range.
Comment 2 Thomas Clark 2026-02-07 00:06:10 UTC 
I have 3 freeipa servers.  Two of them are installed from the Fedora repository, and both of those show errors as described above.  The third server is running under docker using image freeipa/freeipa-server:fedora-42 and it does not show any errors.
Comment 3 Fedora Update System 2026-02-10 15:14:41 UTC 
FEDORA-2026-f2e628fb5f (389-ds-base-3.1.4-5.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-f2e628fb5f
Comment 4 Fedora Update System 2026-02-11 01:11:28 UTC 
FEDORA-2026-f2e628fb5f has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-f2e628fb5f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-f2e628fb5f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Viktor Ashirov 2026-02-11 07:06:09 UTC 
Updated package is missing spec file change needed to trigger `dsctl index-check` during upgrade, moving to ASSIGNED.
Comment 6 Fedora Update System 2026-02-11 08:09:13 UTC 
FEDORA-2026-b28aa7e8fa (389-ds-base-3.1.4-6.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-b28aa7e8fa
Comment 7 Fedora Update System 2026-02-12 01:31:42 UTC 
FEDORA-2026-b28aa7e8fa has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-b28aa7e8fa`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-b28aa7e8fa

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2026-02-13 18:12:14 UTC 
FEDORA-2026-2241482fa6 (389-ds-base-3.1.4-7.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-2241482fa6
Comment 9 Fedora Update System 2026-02-13 19:25:02 UTC 
FEDORA-2026-27ce708600 (389-ds-base-3.1.4-7.fc43, python3.14-3.14.3-1.fc43, and 1 more) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-27ce708600
Comment 10 Fedora Update System 2026-02-14 01:29:18 UTC 
FEDORA-2026-27ce708600 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-27ce708600`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-27ce708600

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Fedora Update System 2026-02-26 01:09:14 UTC 
FEDORA-2026-27ce708600 (389-ds-base-3.1.4-7.fc43, python3.14-3.14.3-1.fc43, and 1 more) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.