[Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute "objectclass"

Discussion:

Traiano Welcome

2015-04-11 19:51:46 UTC

Hi

I got this error while installing an IPA replica of my primary master
IDM server:

".LDAPUpdate: ERROR Add failure missing required attribute "objectclass"

Replica add command:

ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg

A little more context:

---
.
.
.

Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa : ERROR Anonymous ACI not found, cannot update it
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Using reverse zone xxx.16.172.in-addr.arpa.

---

What does this error mean? If it's suggesting that somehow a key ldap
attribute was not created, how can I fix this?

Thanks in advance,
Traiano

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Dmitri Pal

2015-04-13 02:14:21 UTC

Permalink

Post by Traiano Welcome
Hi
I got this error while installing an IPA replica of my primary master
".LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg
---
.
.
.
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa : ERROR Anonymous ACI not found, cannot update it
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Using reverse zone xxx.16.172.in-addr.arpa.
---
What does this error mean? If it's suggesting that somehow a key ldap
attribute was not created, how can I fix this?
Thanks in advance,
Traiano

You are probably installing a replica on a server that has different
version than the server that created the initial replica file.
What are the versions you are working with?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Traiano Welcome

2015-04-13 04:41:12 UTC

Permalink

Hi Dmitri

Thanks for the response.

Post by Traiano Welcome
Hi
I got this error while installing an IPA replica of my primary master
".LDAPUpdate: ERROR Add failure missing required attribute
"objectclass"
ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg
---
.
.
.
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
missing required attribute "objectclass"
ipa : ERROR Anonymous ACI not found, cannot update it
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Using reverse zone xxx.16.172.in-addr.arpa.
---
What does this error mean? If it's suggesting that somehow a key ldap
attribute was not created, how can I fix this?
Thanks in advance,
Traiano

You are probably installing a replica on a server that has different version
than the server that created the initial replica file.
What are the versions you are working with?

That's possible, but very unlikely, I installed master and replicas of
the same .iso, to make sure of no package variations in repos.

CentOS 7.0 with this set of packages off the installation CD:

---
ipa-admintools-3.3.3-28.el7.centos.x86_64.rpm
ipa-client-3.3.3-28.el7.centos.x86_64.rpm
ipa-gothic-fonts-003.03-5.el7.noarch.rpm
ipa-mincho-fonts-003.03-5.el7.noarch.rpm
ipa-pgothic-fonts-003.03-5.el7.noarch.rpm
ipa-pmincho-fonts-003.03-5.el7.noarch.rpm
ipa-python-3.3.3-28.el7.centos.x86_64.rpm
ipa-server-3.3.3-28.el7.centos.x86_64.rpm
ipa-server-trust-ad-3.3.3-28.el7.centos.x86_64.rpm
python-sssdconfig-1.11.2-65.el7.noarch.rpm
sssd-1.11.2-65.el7.x86_64.rpm
sssd-ad-1.11.2-65.el7.x86_64.rpm
sssd-client-1.11.2-65.el7.x86_64.rpm
sssd-common-1.11.2-65.el7.x86_64.rpm
sssd-common-pac-1.11.2-65.el7.x86_64.rpm
sssd-ipa-1.11.2-65.el7.x86_64.rpm
sssd-krb5-1.11.2-65.el7.x86_64.rpm
sssd-krb5-common-1.11.2-65.el7.x86_64.rpm
sssd-ldap-1.11.2-65.el7.x86_64.rpm
sssd-proxy-1.11.2-65.el7.x86_64.rpm
---

I any case, I think I've 'overwritten' the problem by upgrading to
FreeIPA 4.1.0 ... This seems to have fixed that particular problem.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Martin Kosek

2015-04-13 06:39:38 UTC

Permalink

Most probably, update process tried to add members to some
object/role/privilege, it did not exist so it tried to add just the members,
which failed as objectclass is required for new objects.

We would need to see ipareplica-install.log, to see which attribute it was.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project