[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek
mkosek at redhat.com
Thu Oct 6 19:39:11 UTC 2011
On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >> The aci prefix was missing in the description of the three dns acis
> >> which made them not show up when viewing their permission entries.
> >>
> >> rob
> >
> > This works fine, but it is just a part of a solution. DNS related
> > privileges miss memberof attribute for the DNS permissions and thus the
> > permissions are not listed:
> >
> > # ipa permission-show "add dns entries"
> > Permission name: add dns entries
> > Permissions: add
> > Type: dnsrecord
> > Granted to Privilege: DNS Administrators, DNS Servers
> >
> > # ipa privilege-show "DNS Administrators"
> > Privilege name: DNS Administrators
> > Description: DNS Administrators
> > <<< Missing permissions
> >
> > I think the reason is that the permissions are in a wrong order in the
> > LDIF and are created before the privilege itself. When member links are
> > being created for DNS permissions, the memberof plugin cannot add
> > memberof attributes for the privilege since it does not exist yet. This
> > is the main issue that the BZ bug complains about.
> >
> > Martin
> >
>
> There are two problems:
>
> 1. The acis lacked a prefix so they didn't appear as permissions
>
> 2. The permission was added before the privilege so the memberof values
> weren't being calculated.
>
> This fixes it for new installs and adds an update to fix up existing
> installs.
>
> rob
It works fine when doing upgrade. However, when running a clean install,
I get these errors:
# ipa-server-install --setup-dns
...
[9/13]: publish CA cert
[10/13]: creating a keytab for httpd
[11/13]: configuring SELinux for httpd
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
root : ERROR Add failure Object class violation: missing required attribute "objectclass"
root : ERROR Add failure Object class violation: missing required attribute "objectclass"
root : ERROR Add failure Object class violation: missing required attribute "objectclass"
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
[1/9]: adding DNS container
[2/9]: setting up our zone
[3/9]: setting up reverse zone
[4/9]: setting up our own record
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
[7/9]: restarting named
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete
Do you hit this too? Permissions and privileges member attributes were OK though.
Martin
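As an added illustration of the ordering problem discussed in this thread (example code, not part of the thread and not FreeIPA's own code): a small checker that parses an LDIF fragment in file order and flags `member` links whose target entry has not been defined yet, which is exactly the case where the memberof plugin cannot write the privilege's memberOf value. It also lists entries with no objectclass, the violation seen in the clean-install output. The sample LDIF, DNs and suffix are constructed.

```python
import re

# Constructed sample mirroring the thread: the permission entry (carrying the
# 'member' link) appears before the privilege it points to.
SAMPLE_LDIF = """\
dn: cn=add dns entries,cn=permissions,cn=pbac,dc=example,dc=com
objectclass: top
objectclass: groupofnames
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com
objectclass: top
objectclass: groupofnames
cn: DNS Administrators
description: DNS Administrators
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; unfolds continuation
    lines (leading space) and skips comment lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, dn = {}, None
        for line in re.sub(r"\n ", "", block).splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def forward_member_refs(text):
    """(entry_dn, target_dn) pairs where 'member' names a DN not yet defined
    at that point in the file. memberOf is computed on the target when the
    link is added, so a target created later never receives it."""
    seen, problems = set(), []
    for dn, attrs in parse_ldif(text):
        for target in attrs.get("member", []):
            if target.lower() not in seen:
                problems.append((dn, target.lower()))
        seen.add(dn)
    return problems

def missing_objectclass(text):
    """DNs of entries that carry no objectclass attribute at all."""
    return [dn for dn, attrs in parse_ldif(text) if "objectclass" not in attrs]
```

Moving the privilege block above the permission block in the sample makes `forward_member_refs` return an empty list.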