Description of problem:
Instead of modifying the existing localityname attribute, ipa host-mod --locality keeps adding more localityname attributes.

On a side note: Probably shouldn't be multi-valued. The host can only physically be in one place :-)

[root@jennyv2 schema]# ipa host-show jennyv4.bos.redhat.com
cn: jennyv4.bos.redhat.com
description: this is a very interesting description
localityname: Mountain View, CA
nshardwareplatform: i686
nshostlocation: IDM Westford lab 3
nsosversion: redhat 5.3 Tikanga

[root@jennyv2 schema]# ipa host-mod --locality="Brookline, NH" jennyv4.bos.redhat.com
Host updated

[root@jennyv2 schema]# ipa host-show jennyv4.bos.redhat.com
cn: jennyv4.bos.redhat.com
description: this is a very interesting description
localityname: Mountain View, CA
localityname: Brookline, NH
nshardwareplatform: i686
nshostlocation: IDM Westford lab 3
nsosversion: redhat 5.3 Tikanga

[root@jennyv2 schema]# ipa host-mod --locality="Westford, MA" jennyv4.bos.redhat.com
Host updated

[root@jennyv2 schema]# ipa host-show jennyv4.bos.redhat.com
cn: jennyv4.bos.redhat.com
description: this is a very interesting description
localityname: Mountain View, CA
localityname: Brookline, NH
localityname: Westford, MA
nshardwareplatform: i686
nshostlocation: IDM Westford lab 3
nsosversion: redhat 5.3 Tikanga

Version-Release number of selected component (if applicable):
2.0

How reproducible:
always

Steps to Reproduce:
1. see above
2.
3.

Actual results:
each modification creates another localityname attribute

Expected results:
one localityname attribute - host-mod to replace the value.

Additional info:
Additional info: ipa host-show FQDN on host with multiple localityname results in ipa: ERROR: an internal error has occured
The Apache error log should contain the backtrace hidden by this internal error output. Can you attach a tail -100 /var/log/httpd/error_log to the bug?
Created attachment 342441: apache error_log
The problem is/was that LDAP had synonyms for its attributes. 'localityname' (used by the host plugin) is equivalent to 'l' and 'locality'. LDAP seems to prefer the shortest versions. The LDAP backend(s) in IPA generate modlists (i.e. what should be modified) by comparing the new and old values of the attribute. But since the new value is stored under 'localityname' and the old value is returned from LDAP under 'l', there is no valid comparison going on. I submitted a patch on freeipa-devel that should fix this issue in the host plugin, but we should be careful when creating new plugins, as there is no easy generic fix for this kind of bug.
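The alias mismatch described in the comment above, as an added example that is not FreeIPA's code or the patch submitted to freeipa-devel. It is a simplified model of a modlist generator: the function names, the operation constants and the sample entries are assumptions made for illustration, and the alias table comes from the comment.

```python
# Added illustration: a simplified modlist diff, not FreeIPA's implementation.
# Alias table taken from the comment: 'localityname' and 'locality' are synonyms of 'l'.
ALIASES = {"locality": "l", "localityname": "l"}  # alias -> name the server returns

MOD_ADD, MOD_REPLACE = "add", "replace"  # local stand-ins for LDAP modify operations


def canonical(entry):
    """Lower-case attribute names and fold aliases onto one canonical name."""
    out = {}
    for name, values in entry.items():
        key = ALIASES.get(name.lower(), name.lower())
        out.setdefault(key, []).extend(values)
    return out


def make_modlist(old, new, normalize=False):
    """Diff two entries (dict: attr -> list of values) into (op, attr, values) tuples."""
    if normalize:
        old, new = canonical(old), canonical(new)
    mods = []
    for attr, values in new.items():
        if attr not in old:
            mods.append((MOD_ADD, attr, values))      # looks like a brand new attribute
        elif sorted(old[attr]) != sorted(values):
            mods.append((MOD_REPLACE, attr, values))  # existing attribute, new value
    return mods


def apply_modlist(entry, mods):
    """Model the server side, where every alias is stored under the same attribute."""
    stored = canonical(entry)
    for op, attr, values in mods:
        key = ALIASES.get(attr.lower(), attr.lower())
        if op == MOD_ADD:
            stored.setdefault(key, []).extend(values)
        else:
            stored[key] = list(values)
    return stored


# Constructed sample: the server returns 'l', the plugin writes 'localityname'.
OLD = {"cn": ["jennyv4.bos.redhat.com"], "l": ["Mountain View, CA"]}
NEW = {"cn": ["jennyv4.bos.redhat.com"], "localityname": ["Brookline, NH"]}

if __name__ == "__main__":
    for normalize in (False, True):
        mods = make_modlist(OLD, NEW, normalize)
        print(normalize, mods, apply_modlist(OLD, mods)["l"])
```

Without normalization the diff emits an add and the entry ends up with two locality values, as in the report; with both sides folded onto the same name it emits a replace.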