[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis

Martin Kosek mkosek at redhat.com
Thu Oct 6 19:39:11 UTC 2011


On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >> The aci prefix was missing in the description of the three dns acis
> >> which made them not show up when viewing their permission entries.
> >>
> >> rob
> >
> > This works fine, but it is just a part of a solution. DNS-related
> > privileges are missing the memberof attribute for the DNS permissions,
> > and thus the permissions are not listed:
> >
> > # ipa permission-show "add dns entries"
> >    Permission name: add dns entries
> >    Permissions: add
> >    Type: dnsrecord
> >    Granted to Privilege: DNS Administrators, DNS Servers
> >
> > # ipa privilege-show "DNS Administrators"
> >    Privilege name: DNS Administrators
> >    Description: DNS Administrators
> > <<<  Missing permissions
> >
> > I think the reason is that the permissions are in the wrong order in the
> > LDIF and are created before the privilege itself. When member links are
> > being created for DNS permissions, the memberof plugin cannot add
> > memberof attributes for the privilege since it does not exist yet. This
> > is the main issue that the BZ bug complains about.
> >
> > Martin
> >
> 
> There are two problems:
> 
> 1. The acis lacked a prefix so they didn't appear as permissions
> 
> 2. The permission was added before the privilege so the memberof values 
> weren't being calculated.
> 
> This fixes it for new installs and adds an update to fix up existing 
> installs.
> 
> rob

It works fine when doing upgrade. However, when running a clean install,
I get these errors:

# ipa-server-install --setup-dns
...
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete

Do you hit this too? Permission and privilege member attributes were OK, though.

Martin
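Both failure modes discussed in this thread can be caught before an LDIF is loaded: a permission whose `member` link points at a privilege that is only defined later in the file (so the memberof plugin has nothing to annotate when the permission is added), and an entry without any `objectClass` (the "Object class violation: missing required attribute objectclass" errors in the install log). The checker below is an added example written for this discussion, not FreeIPA code; the DNs, the `dc=example,dc=com` suffix and the object classes in the sample LDIF are constructed, and it assumes plain LDIF input rather than FreeIPA's own update-file format.

```python
"""Static sanity check of an LDIF file before it is loaded into a directory.

Flags two problems:
  * an entry's ``member`` value names a DN that is defined later in the
    file (or not at all), so memberOf cannot be computed on the target
    when this entry is added;
  * an entry has no ``objectClass`` at all, which the server rejects.
"""
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample reproducing the ordering bug: the permission entry
# references the privilege before the privilege entry itself appears, and
# a second privilege entry lacks objectClass entirely.
SAMPLE_LDIF = """\
dn: cn=add dns entries,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Administrators
description: DNS Administrators

dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
cn: DNS Servers
description: DNS Servers
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into an ordered list of (dn, {attr: [values]})."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # LDIF folds long lines by continuing them with a leading space.
        unfolded = re.sub(r"\n ", "", block)
        dn = None
        attrs: Dict[str, List[str]] = {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):
                # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            name = name.strip().lower()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF entry without a dn")
        entries.append((dn, attrs))
    return entries


def normalize_dn(dn: str) -> str:
    """Case-insensitive DN comparison with whitespace around commas removed."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def check_ldif_order(text: str) -> List[str]:
    """Return human-readable problems, in file order; empty list means clean."""
    entries = parse_ldif(text)
    defined = {normalize_dn(dn) for dn, _ in entries}
    seen: set = set()
    problems: List[str] = []
    for dn, attrs in entries:
        if "objectclass" not in attrs:
            problems.append(f"{dn}: no objectClass (server will reject the add)")
        for target in attrs.get("member", []):
            t = normalize_dn(target)
            if t not in defined:
                problems.append(f"{dn}: member {target} is never defined in this file")
            elif t not in seen:
                problems.append(
                    f"{dn}: member {target} is defined later; move the target "
                    "entry first so memberOf can be computed"
                )
        seen.add(normalize_dn(dn))
    return problems


if __name__ == "__main__":
    for problem in check_ldif_order(SAMPLE_LDIF):
        print(problem)
```

Running it against the sample reports the permission whose privilege comes later and the privilege with no `objectClass`; swapping the privilege entry ahead of the permission makes the first report disappear, which is the same reordering the patch applies for new installs.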
