  • IDM server upgrade

    Hi,

    I had to upgrade IDM servers from RHEL 7.5 to RHEL 7.9 and I've encountered some issues which I want to share so others can avoid headaches.

    So if you check the documentation it says that you just need to run

    yum update ipa-*
    

    and it will do the trick. Once it is done you can update the rest of the system packages.
    This method works up to RHEL 7.7 and ipa-server-4.6.5-11.el7_7.4.x86_64

    The first issue happens when you try to update the ipa-* packages from ipa-server-4.6.5-11.el7_7.4.x86_64 to ipa-server-4.6.6-11.el7.x86_64.
    The actual yum command finishes successfully. Also, the ipa-server-upgrade command, which runs after the cleanups, is successful.
    But once the command returns, the replication is completely broken across all nodes. The reason is that the LDAP server is non-responsive.

    Reason:
    The upgrade requires the update of 389-ds-base and 389-ds-base-libs before running ipa-server-upgrade. Unfortunately, the ipa-server packages have no requirements for these 2 packages.

    To fix this:
    - ipactl stop & (it will hang at 'Stopping Directory server'; just wait until it reaches that step)
    - kill -4 $(ps -C ns-slapd -o pid=)
    - wait until replication has recovered between all active nodes
    - ipactl start

    To avoid:
    I didn't test it on RHEL 7.7 but it was the fix when upgrading from RHEL 7.8 to RHEL 7.9 so I assume it helps here as well since the ipa-server-upgrade command restarts the directory service multiple times.
    Simply run

    yum upgrade
    

    on the IDM server. It will update the 389-ds packages first then run the ipa-server-upgrade after yum's cleanup is done. After the replication is recovered on all nodes you can restart the server.

    The second issue occurs when upgrading from RHEL 7.8 to RHEL 7.9.
    The 'yum update ipa-*' will hang after yum's cleanup is done and the post actions are running. Replication is down across all nodes.

    Reason:
    Very similar. 389-ds-base and 389-ds-base-libs need to be updated before ipa-server-upgrade runs.
    In the background you can find an 'ipactl restart' command hanging because the LDAP server is non-responsive.

    To fix:
    - kill -4 $(ps -C ns-slapd -o pid=)
    - let yum finish the rest

    To avoid:
    Simply run

    yum upgrade
    

    This will finish without issues. After the replication is recovered on all nodes you can restart the server.

    I hope it'll help others to have a smooth upgrade.
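
A preflight check for the condition described in the post, as an added example that is not part of the original post: it reads `yum -q check-update` output and reports whether 389-ds-base or 389-ds-base-libs have pending updates, the case where the post advises a full `yum upgrade` instead of `yum update ipa-*`. The function names, the `--live` switch, the sample lines and the 389-ds version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): preflight for an IdM package update.
# Reads `yum -q check-update` output and reports whether 389-ds-base or
# 389-ds-base-libs have pending updates, the condition the post ties to the hang.

# Print the pending 389-ds package names found in check-update output on stdin.
# Expected line shape: "<name>.<arch>  <version>  <repo>".
pending_ds_updates() {
    awk '$1 ~ /^389-ds-base(-libs)?\.[^.]+$/ && NF >= 3 {
             sub(/\.[^.]+$/, "", $1); print $1
         }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print "full-upgrade" when a 389-ds update is pending, otherwise "ipa-only-ok".
update_plan() {
    pending=$(pending_ds_updates)
    if [ -n "$pending" ]; then
        echo "full-upgrade"
    else
        echo "ipa-only-ok"
    fi
}

# Constructed sample input; the 389-ds version strings are placeholders.
SAMPLE_PENDING='389-ds-base.x86_64        9.9.9-1.el7    constructed-repo
389-ds-base-libs.x86_64   9.9.9-1.el7    constructed-repo
ipa-server.x86_64         4.6.6-11.el7   constructed-repo'
SAMPLE_CLEAN='ipa-server.x86_64         4.6.6-11.el7   constructed-repo'

# Live use on the IdM server: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    plan=$(yum -q check-update 2>/dev/null | update_plan)
    echo "plan: $plan"
    [ "$plan" = "ipa-only-ok" ] || echo "run 'yum upgrade', not 'yum update ipa-*'"
fi
```

Run it on each IdM server before touching the ipa-* packages; it changes nothing on the system.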
