[Freeipa-devel] [PATCH] 910 fix memberof for privileges

Martin Kosek mkosek at redhat.com
Thu Dec 8 09:31:17 UTC 2011


On Wed, 2011-12-07 at 13:50 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-12-06 at 14:03 -0500, Rob Crittenden wrote:
> >> Some privileges were being created after the permissions that were
> >> pointing to them, causing the memberof to not be generated.
> >>
> >> This patch reorders things for new installs and creates a PBAC memberof
> >> task that will correct an upgrade.
> >>
> >> rob
> >
> > I found a few issues with this patch:
> >
> > 1) It needs a rebase, Makefile.am chunk does not apply.
> 
> Done.
> 
> >
> > 2) The patch won't fix "Modify Group membership" privilege issue. The
> > problem here is that this privilege does not have any permissions
> > assigned at all.
> 
> Right, I started looking at the wrong privilege. Fixed.
> 
> >
> > 3) The update has failed in my case (on F16):
> >
> > # ipa-ldap-updater --upgrade
> > Upgrading IPA:
> >    [1/8]: stopping directory server
> >    [2/8]: saving configuration
> >    [3/8]: disabling listeners
> >    [4/8]: starting directory server
> >    [5/8]: upgrading server
> > ipa         : ERROR    Upgrade failed with Unable to connect to LDAP server ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
> >    [6/8]: stopping directory server
> >    [7/8]: restoring configuration
> >    [8/8]: starting directory server
> > done configuring dirsrv.
> > ipa         : INFO     IPA upgrade failed.
> > IPA upgrade failed.
> >
> > The socket is there though, no AVC in audit.log either.
> > # ls /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket
> > /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket
> >
> > Did the update work for you?
> 
> Yes, it works for me. I think this problem is unrelated to my patch. 
> Might be worth it to check the 389-ds logs to see if it started properly.
> 
> rob

There was still a collision in Makefile.am. Rebased and pushed to
master, ipa-2-1.

The problem with ipa-ldap-updater is present on F-16 only - we try to
connect to socket before it is created by dirsrv. I created a ticket to
address this one:

https://fedorahosted.org/freeipa/ticket/2175

Martin



