Bug 908400 - During Migration - If Schema is unavailable migration fails
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Keywords: ZStream
Depends On: 906846 910538 910665
Reported: 2013-02-06 10:48 EST by Jiri Pallich
Modified: 2013-03-07 03:39 EST
Fixed In Version: ipa-3.0.0-26.el6_4
Doc Type: Bug Fix
Doc Text:
Identity Management attempts to retrieve the LDAP schema from the remote server during migration. Previously, such an attempt failed when migrating from an OpenLDAP server. With this update, Identity Management also looks in cn=subschema and migrations from OpenLDAP servers no longer fail.
Last Closed: 2013-03-07 03:39:23 EST
Description Jiri Pallich 2013-02-06 10:48:36 EST
This bug has been copied from bug #906846 and has been proposed
to be backported to 6.4 z-stream (EUS).
Comment 5 Scott Poore 2013-02-19 09:29:07 EST
Verified.

Version ::

ipa-server-3.0.0-26.el6_4.1.x86_64

You'll note below that I first test to see the failure and then the fix after update.

Manual Test Results ::

[root@rhel6-2 ~]# yum -y install openldap-servers openldap-clients
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
beaker-client                                                                   | 1.3 kB     00:00    
beaker-client/primary                                                           | 7.2 kB     00:00    
beaker-client                                                                                    35/35
rhel64                                                                          | 3.9 kB     00:00    
rhel64/primary_db                                                               | 3.1 MB     00:02    
rhel64-optional                                                                 | 3.7 kB     00:00    
rhel64-optional/primary_db                                                      | 1.3 MB     00:01    
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.23-31.el6 will be installed
---> Package openldap-servers.x86_64 0:2.4.23-31.el6 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: openldap-servers-2.4.23-31.el6.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.2.6-15.5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                      Arch               Version                      Repository          Size
=======================================================================================================
Installing:
 openldap-clients             x86_64             2.4.23-31.el6                rhel64             165 k
 openldap-servers             x86_64             2.4.23-31.el6                rhel64             2.0 M
Installing for dependencies:
 libtool-ltdl                 x86_64             2.2.6-15.5.el6               rhel64              44 k

Transaction Summary
=======================================================================================================
Install       3 Package(s)

Total download size: 2.2 M
Installed size: 5.0 M
Downloading Packages:
(1/3): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm                                   |  44 kB     00:00    
(2/3): openldap-clients-2.4.23-31.el6.x86_64.rpm                                | 165 kB     00:00    
(3/3): openldap-servers-2.4.23-31.el6.x86_64.rpm                                | 2.0 MB     00:01    
-------------------------------------------------------------------------------------------------------
Total                                                                  911 kB/s | 2.2 MB     00:02    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libtool-ltdl-2.2.6-15.5.el6.x86_64                                                  1/3
  Installing : openldap-servers-2.4.23-31.el6.x86_64                                               2/3
  Installing : openldap-clients-2.4.23-31.el6.x86_64                                               3/3
rhel64/productid                                                                | 1.7 kB     00:00    
  Verifying  : openldap-servers-2.4.23-31.el6.x86_64                                               1/3
  Verifying  : libtool-ltdl-2.2.6-15.5.el6.x86_64                                                  2/3
  Verifying  : openldap-clients-2.4.23-31.el6.x86_64                                               3/3

Installed:
  openldap-clients.x86_64 0:2.4.23-31.el6            openldap-servers.x86_64 0:2.4.23-31.el6          

Dependency Installed:
  libtool-ltdl.x86_64 0:2.2.6-15.5.el6                                                                

Complete!

[root@rhel6-2 ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root@rhel6-2 ~]# service slapd start
Starting slapd:                                            [  OK  ]

[root@rhel6-2 ~]# service slapd stop
Stopping slapd:                                            [  OK  ]

[root@rhel6-2 ~]# rm -rf /etc/openldap/slapd.d/*

[root@rhel6-2 ~]# rm -rf /var/lib/ldap/*

[root@rhel6-2 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@rhel6-2 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.example.conf

[root@rhel6-2 ~]# sed -i "s/my-domain/example/g" /etc/openldap/slapd.example.conf

[root@rhel6-2 ~]# sed -i "s/Manager/admin/g"   /etc/openldap/slapd.example.conf

[root@rhel6-2 ~]# echo -e "rootpw\t\t$(slappasswd -s <PASSWORD>)" >> /etc/openldap/slapd.example.conf

[root@rhel6-2 ~]# echo "" | slapadd -f /etc/openldap/slapd.example.conf
The first database does not allow slapadd; using the first available one (2)

[root@rhel6-2 ~]# slaptest -f /etc/openldap/slapd.example.conf -F /etc/openldap/slapd.d
config file testing succeeded

[root@rhel6-2 ~]# cd /etc/openldap

[root@rhel6-2 openldap]# cat > example.com.ldif <<EOF
> # Root entry
> dn: dc=example,dc=com
> objectclass: dcObject
> objectclass: organization
> o: Example Company
> dc: example
> EOF

[root@rhel6-2 openldap]# cat > admin.example.com.ldif <<EOF
> # Admin DN
> dn: cn=admin,dc=example,dc=com
> objectclass: organizationalRole
> cn: admin
> EOF

[root@rhel6-2 openldap]# cat > users.example.com.ldif <<EOF
> # Base DN for users
> dn: ou=users,dc=example,dc=com
> objectclass: top
> objectclass: organizationalUnit
> ou: users
> EOF

[root@rhel6-2 openldap]# cat > groups.example.com.ldif <<EOF
> # Base DN for groups
> dn: ou=groups,dc=example,dc=com
> objectclass: top
> objectclass: organizationalUnit
> ou: groups
> EOF

[root@rhel6-2 openldap]# slapadd -l        example.com.ldif
The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!        
Closing DB...

[root@rhel6-2 openldap]# slapadd -l  admin.example.com.ldif
The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!        
Closing DB...

[root@rhel6-2 openldap]# slapadd -l  users.example.com.ldif
The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!        
Closing DB...

[root@rhel6-2 openldap]# slapadd -l groups.example.com.ldif
The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!        
Closing DB...

[root@rhel6-2 openldap]# chown -R ldap:ldap /var/lib/ldap

[root@rhel6-2 openldap]# chown -R ldap:ldap /etc/openldap/slapd.d

[root@rhel6-2 openldap]# service slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]

[root@rhel6-2 openldap]# ldapsearch -x -D 'cn=admin,dc=example,dc=com' -b 'dc=example,dc=com' -w <PASSWORD>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin

# users, example.com
dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

[root@rhel6-2 openldap]# ldapadd -x -D 'cn=admin,dc=example,dc=com' -w <PASSWORD> <<EOF
> dn: uid=tuser1,ou=users,dc=example,dc=com
> uidNumber: 100161
> gidNumber: 100161
> objectclass: posixAccount
> homeDirectory: /home/tuser1
> uid: Test_User1
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> ou: users
> cn: Test User1
> sn: User1
> EOF
adding new entry "uid=tuser1,ou=users,dc=example,dc=com"

[root@rhel6-2 openldap]# ldapadd -x -D 'cn=admin,dc=example,dc=com' -w <PASSWORD> <<EOF
> dn: cn=tgroup2,ou=groups,dc=example,dc=com
> objectClass: top
> objectClass: groupOfNames
> member: uid=tuser1,ou=users,dc=example,dc=com
> EOF
adding new entry "cn=tgroup2,ou=groups,dc=example,dc=com"

[root@rhel6-2 openldap]#  


***** ON IPA Master with ipa-server-3.0.0-25.el6:

[root@rhel6-1 quickinstall]# kinit admin
Password for admin@TESTRELM.COM:

[root@rhel6-1 quickinstall]# ipa config-mod --enable-migration=TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel6-1 quickinstall]# ipa migrate-ds --user-container="ou=users,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" --bind-dn="cn=admin,dc=example,dc=com" --with-compat ldap://rhel6-2.example.com
Password:
ipa: ERROR: uri=ldap://rhel6-2.example.com: Unable to retrieve LDAP schema: No such object:

[root@rhel6-1 quickinstall]# yum -y update ipa-server
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
ipa                                                                             | 1.3 kB     00:00    
ipa/primary                                                                     | 3.7 kB     00:00    
ipa                                                                                                7/7
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:3.0.0-25.el6 will be updated
--> Processing Dependency: ipa-server = 3.0.0-25.el6 for package: ipa-server-selinux-3.0.0-25.el6.x86_64
--> Processing Dependency: ipa-server = 3.0.0-25.el6 for package: ipa-server-selinux-3.0.0-25.el6.x86_64
---> Package ipa-server.x86_64 0:3.0.0-26.el6_4.1 will be an update
--> Processing Dependency: ipa-python = 3.0.0-26.el6_4.1 for package: ipa-server-3.0.0-26.el6_4.1.x86_64
--> Processing Dependency: ipa-client = 3.0.0-26.el6_4.1 for package: ipa-server-3.0.0-26.el6_4.1.x86_64
--> Processing Dependency: ipa-admintools = 3.0.0-26.el6_4.1 for package: ipa-server-3.0.0-26.el6_4.1.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:3.0.0-25.el6 will be updated
---> Package ipa-admintools.x86_64 0:3.0.0-26.el6_4.1 will be an update
---> Package ipa-client.x86_64 0:3.0.0-25.el6 will be updated
---> Package ipa-client.x86_64 0:3.0.0-26.el6_4.1 will be an update
---> Package ipa-python.x86_64 0:3.0.0-25.el6 will be updated
---> Package ipa-python.x86_64 0:3.0.0-26.el6_4.1 will be an update
---> Package ipa-server-selinux.x86_64 0:3.0.0-25.el6 will be updated
---> Package ipa-server-selinux.x86_64 0:3.0.0-26.el6_4.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                        Arch               Version                       Repository       Size
=======================================================================================================
Updating:
 ipa-server                     x86_64             3.0.0-26.el6_4.1              ipa             1.1 M
Updating for dependencies:
 ipa-admintools                 x86_64             3.0.0-26.el6_4.1              ipa              62 k
 ipa-client                     x86_64             3.0.0-26.el6_4.1              ipa             138 k
 ipa-python                     x86_64             3.0.0-26.el6_4.1              ipa             921 k
 ipa-server-selinux             x86_64             3.0.0-26.el6_4.1              ipa              61 k

Transaction Summary
=======================================================================================================
Upgrade       5 Package(s)

Total download size: 2.3 M
Downloading Packages:
(1/5): ipa-admintools-3.0.0-26.el6_4.1.x86_64.rpm                               |  62 kB     00:00    
(2/5): ipa-client-3.0.0-26.el6_4.1.x86_64.rpm                                   | 138 kB     00:01    
(3/5): ipa-python-3.0.0-26.el6_4.1.x86_64.rpm                                   | 921 kB     00:03    
(4/5): ipa-server-3.0.0-26.el6_4.1.x86_64.rpm                                   | 1.1 MB     00:03    
(5/5): ipa-server-selinux-3.0.0-26.el6_4.1.x86_64.rpm                           |  61 kB     00:00    
-------------------------------------------------------------------------------------------------------
Total                                                                  188 kB/s | 2.3 MB     00:12    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : ipa-python-3.0.0-26.el6_4.1.x86_64                                                 1/10
  Updating   : ipa-client-3.0.0-26.el6_4.1.x86_64                                                 2/10
  Updating   : ipa-admintools-3.0.0-26.el6_4.1.x86_64                                             3/10
  Updating   : ipa-server-3.0.0-26.el6_4.1.x86_64                                                 4/10
  Updating   : ipa-server-selinux-3.0.0-26.el6_4.1.x86_64                                         5/10
  Cleanup    : ipa-server-selinux-3.0.0-25.el6.x86_64                                             6/10
  Cleanup    : ipa-server-3.0.0-25.el6.x86_64                                                     7/10
  Cleanup    : ipa-admintools-3.0.0-25.el6.x86_64                                                 8/10
  Cleanup    : ipa-client-3.0.0-25.el6.x86_64                                                     9/10
  Cleanup    : ipa-python-3.0.0-25.el6.x86_64                                                    10/10
  Verifying  : ipa-client-3.0.0-26.el6_4.1.x86_64                                                 1/10
  Verifying  : ipa-server-selinux-3.0.0-26.el6_4.1.x86_64                                         2/10
  Verifying  : ipa-python-3.0.0-26.el6_4.1.x86_64                                                 3/10
  Verifying  : ipa-admintools-3.0.0-26.el6_4.1.x86_64                                             4/10
  Verifying  : ipa-server-3.0.0-26.el6_4.1.x86_64                                                 5/10
  Verifying  : ipa-admintools-3.0.0-25.el6.x86_64                                                 6/10
  Verifying  : ipa-server-3.0.0-25.el6.x86_64                                                     7/10
  Verifying  : ipa-server-selinux-3.0.0-25.el6.x86_64                                             8/10
  Verifying  : ipa-python-3.0.0-25.el6.x86_64                                                     9/10
  Verifying  : ipa-client-3.0.0-25.el6.x86_64                                                    10/10

Updated:
  ipa-server.x86_64 0:3.0.0-26.el6_4.1                                                                

Dependency Updated:
  ipa-admintools.x86_64 0:3.0.0-26.el6_4.1         ipa-client.x86_64 0:3.0.0-26.el6_4.1                
  ipa-python.x86_64 0:3.0.0-26.el6_4.1             ipa-server-selinux.x86_64 0:3.0.0-26.el6_4.1        

Complete!

[root@rhel6-1 quickinstall]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]

[root@rhel6-1 quickinstall]# kinit admin
Password for admin@TESTRELM.COM:

[root@rhel6-1 quickinstall]# ipa config-mod --enable-migration=TRUE
ipa: ERROR: no modifications to be performed

[root@rhel6-1 quickinstall]# ipa migrate-ds --user-container="ou=users,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" --bind-dn="cn=admin,dc=example,dc=com" --with-compat ldap://rhel6-2.example.com
Password:
-----------
migrate-ds:
-----------
Migrated:
  user: tuser1
  group: tgroup2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
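
The lookup order the Doc Text describes, as an added example (not FreeIPA's code and not part of this bug report): read subschemaSubentry from the root DSE, then fall back to cn=schema and cn=subschema. FakeDirectory, locate_schema and the directory contents are constructed for illustration, and the cn=schema-only fallback used for the failing case is an assumption about the pre-fix behaviour.

```python
# Added illustration of schema discovery before a migration; not FreeIPA code.
# All directory contents below are constructed sample data.

class NoSuchObject(Exception):
    """Stands in for an LDAP noSuchObject (result code 32) response."""

def norm_dn(dn):
    # DNs compare case-insensitively; also ignore spaces around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

class FakeDirectory:
    """In-memory stand-in for a base-scope LDAP read (hypothetical helper)."""
    def __init__(self, entries):
        self.entries = {norm_dn(dn): attrs for dn, attrs in entries.items()}

    def read(self, dn, attrs):
        entry = self.entries.get(norm_dn(dn))
        if entry is None:
            raise NoSuchObject(dn)
        wanted = {a.lower() for a in attrs}
        return {k: v for k, v in entry.items() if k.lower() in wanted}

PERSON = "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )"

# OpenLDAP-style server: schema lives at cn=Subschema.
OPENLDAP_LIKE = {
    "": {"subschemaSubentry": ["cn=Subschema"]},
    "cn=Subschema": {"objectClasses": [PERSON]},
}
# Same server, but the root DSE is not readable by the client.
OPENLDAP_NO_ROOTDSE = {"cn=Subschema": {"objectClasses": [PERSON]}}
# 389 Directory Server-style server: schema lives at cn=schema.
DS389_LIKE = {
    "": {"subschemaSubentry": ["cn=schema"]},
    "cn=schema": {"objectClasses": [PERSON]},
}

FALLBACK_DNS = ("cn=schema", "cn=subschema")

def locate_schema(directory, fallbacks=FALLBACK_DNS):
    """Return (dn, entry) for the first DN that actually holds schema."""
    candidates = []
    try:
        root = directory.read("", ["subschemaSubentry"])
        candidates += root.get("subschemaSubentry", [])
    except NoSuchObject:
        pass  # root DSE unavailable; rely on the well-known DNs
    candidates += fallbacks
    tried = []
    for dn in candidates:
        if norm_dn(dn) in tried:
            continue
        tried.append(norm_dn(dn))
        try:
            entry = directory.read(dn, ["objectClasses", "attributeTypes"])
        except NoSuchObject:
            continue
        if entry.get("objectClasses") or entry.get("attributeTypes"):
            return dn, entry
    raise LookupError("Unable to retrieve LDAP schema; tried: " + ", ".join(tried))
```
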
Comment 7 errata-xmlrpc 2013-03-07 03:39:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0606.html
