freeipa/install/updates/90-post_upgrade_plugins.update
Florence Blanc-Renaud 69bda6b440 Fix ipa-server-upgrade: This entry already exists
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.

To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.

https://pagure.io/freeipa/issue/7125

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:47:53 +02:00

36 lines
1022 B
Plaintext

# first
# middle
plugin: update_ca_topology
plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion
plugin: update_dnszones
plugin: update_dns_limits
plugin: update_sigden_extdom_broken_config
plugin: update_sids
plugin: update_default_range
plugin: update_default_trust_view
plugin: update_tdo_gidnumber
plugin: update_ca_renewal_master
plugin: update_idrange_type
plugin: update_pacs
plugin: update_service_principalalias
plugin: update_fix_duplicate_cacrt_in_ldap
plugin: update_upload_cacrt
# update_ra_cert_store has to be executed after update_ca_renewal_master
plugin: update_ra_cert_store
# last
# DNS version 1
plugin: update_master_to_dnsforwardzones
# DNS version 2
plugin: update_dnsforward_emptyzones
plugin: update_managed_post
plugin: update_managed_permissions
plugin: update_read_replication_agreements_permission
plugin: update_idrange_baserid
plugin: update_passync_privilege_update
plugin: update_dnsserver_configuration_into_ldap
plugin: update_ldap_server_list
plugin: update_dna_shared_config