ipa automember-rebuild failed - ipa: ERROR: Automember LDAP task timeout, Task DN: 'cn=bde76264-2cb1-4065-a0d4-0930005260c2,cn=automember rebuild membership,cn=tasks,cn=config'

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • IPA server 4.*

Issue

  • ipa automember-rebuild is failing with error:
# ipa automember-rebuild --type=group
IMPORTANT: In case of a high number of users, hosts or groups, the operation may require high CPU usage.
ipa: ERROR: Automember LDAP task timeout, Task DN: 'cn=bde76264-2cb1-4065-a0d4-0930005260c2,cn=automember rebuild membership,cn=tasks,cn=config'

Resolution

1. Log in IPA server as user root.

2. Backup file.

 # cp -a /usr/lib/python3.6/site-packages/ipaserver/plugins/automember.py /root/automember.py_ORIGINAL

3. Edit file /usr/lib/python3.6/site-packages/ipaserver/plugins/automember.py and make following change.

if time.time() > (start_time + 600):

Note: The value has been changed from 60 to 600.

4. Restart the Httpd service

# systemctl restart httpd.service
# systemctl status httpd.service

5. Try the command again.

# date ; ipa automember-rebuild --type=group ; date

Root Cause

  • The task is failing due to timeout after 60 seconds.
  • File /usr/lib/python3.6/site-packages/ipaserver/plugins/automember.py contains the timeout value of 60 seconds.
                if 'nstaskexitcode' in task:
                    if str(task.single_value['nstaskexitcode']) == '0':
                        summary=task.single_value['nstaskstatus']
                        break
                    raise errors.DatabaseError(
                        desc=task.single_value['nstaskstatus'],
                        info=_("Task DN = '%s'" % task_dn))
                time.sleep(1)
                if time.time() > (start_time + 60):
                   raise errors.TaskTimeout(task=_('Automember'), task_dn=task_dn)

Diagnostic Steps

  1. Edit file /etc/ipa/default.conf and add debug mode.
[global]
.
.
debug = True

Note: Post above change, restart of HTTPD service is required.

# systemctl restart httpd
# systemctl status httpd
  1. Check the timeout value set in file.
# grep -ri  "start_time +"  /usr/lib/python3.6/site-packages/ipaserver/plugins/automember.py

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments