[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis

Rob Crittenden rcritten at redhat.com
Thu Oct 6 19:46:46 UTC 2011


Martin Kosek wrote:
> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>> The aci prefix was missing in the description of the three dns acis
>>>> which made them not show up when viewing their permission entries.
>>>>
>>>> rob
>>>
>>> This works fine, but it is just a part of a solution. DNS-related
>>> privileges are missing the memberof attribute for the DNS permissions, and
>>> thus the permissions are not listed:
>>>
>>> # ipa permission-show "add dns entries"
>>>     Permission name: add dns entries
>>>     Permissions: add
>>>     Type: dnsrecord
>>>     Granted to Privilege: DNS Administrators, DNS Servers
>>>
>>> # ipa privilege-show "DNS Administrators"
>>>     Privilege name: DNS Administrators
>>>     Description: DNS Administrators
>>> <<<   Missing permissions
>>>
>>> I think the reason is that the permissions are in the wrong order in the
>>> LDIF and are created before the privilege itself. When member links are
>>> being created for DNS permissions, the memberof plugin cannot add
>>> memberof attributes for the privilege since it does not exist yet. This
>>> is the main issue that the BZ bug complains about.
>>>
>>> Martin
>>>
>>
>> There are two problems:
>>
>> 1. The acis lacked a prefix so they didn't appear as permissions
>>
>> 2. The permission was added before the privilege so the memberof values
>> weren't being calculated.
>>
>> This fixes it for new installs and adds an update to fix up existing
>> installs.
>>
>> rob
>
> It works fine when doing upgrade. However, when running a clean install,
> I get these errors:
>
> # ipa-server-install --setup-dns
> ...
>    [9/13]: publish CA cert
>    [10/13]: creating a keytab for httpd
>    [11/13]: configuring SELinux for httpd
>    [12/13]: restarting httpd
>    [13/13]: configuring httpd to start on boot
> done configuring httpd.
> Applying LDAP updates
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> Restarting IPA to initialize updates before performing deletes:
>    [1/2]: stopping directory server
>    [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Configuring named:
>    [1/9]: adding DNS container
>    [2/9]: setting up our zone
>    [3/9]: setting up reverse zone
>    [4/9]: setting up our own record
>    [5/9]: setting up kerberos principal
>    [6/9]: setting up named.conf
>    [7/9]: restarting named
>    [8/9]: configuring named to start on boot
>    [9/9]: changing resolv.conf to point to ourselves
> done configuring named.
> ==============================================================================
> Setup complete
>
> Do you hit this too? Permissions' and privileges' member attributes were OK, though.
>
> Martin
>

Bah, ok. We only create these permissions when dns is installed so I'll 
need to find some way to optionally add this.

rob
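The LDIF ordering problem Martin describes (a permission whose `member` names a privilege that is added further down the file, so the memberof plugin never writes memberOf onto the privilege) can be caught before the update is applied. The following checker is an added example, not part of this thread or of FreeIPA's own code; the LDIF it ships with, its DNs and the `dc=example,dc=com` suffix are constructed placeholders.

```python
# Added example (not FreeIPA's code): flag 'member' values in an LDIF that
# name entries added later; memberOf is only written onto existing entries.

def parse_ldif(text):
    """[(dn, {attr: [values]})] in file order; '#' comments and RFC 2849 folds."""
    entries, lines = [], []
    def flush():
        dn, attrs = None, {}
        for line in lines:
            key, _, value = line.partition(":")
            if key.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(key.lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
        lines.clear()
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    flush()
    return entries

def forward_member_refs(text):
    """(entry_dn, member_dn) pairs where member_dn is not yet added when entry_dn is written."""
    seen, problems = set(), []
    for dn, attrs in parse_ldif(text):
        for member in attrs.get("member", []):
            if member.lower() not in seen:  # DNs compared case-insensitively
                problems.append((dn, member))
        seen.add(dn.lower())
    return problems

# Constructed LDIF (placeholder suffix) reproducing the ordering bug.
PERMISSION_FIRST = """\
dn: cn=add dns entries,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: groupofnames
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com
objectClass: groupofnames
cn: DNS Administrators
"""
```

Running `forward_member_refs(PERMISSION_FIRST)` reports the permission entry and the privilege DN it references too early; writing the privilege entry first makes the report empty.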

