[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis

Rob Crittenden rcritten at redhat.com
Thu Oct 6 21:06:52 UTC 2011


Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>> The aci prefix was missing in the description of the three dns acis
>>>>> which made them not show up when viewing their permission entries.
>>>>>
>>>>> rob
>>>>
>>>> This works fine, but it is just a part of a solution. DNS-related
>>>> privileges are missing the memberof attribute for the DNS permissions,
>>>> and thus the permissions are not listed:
>>>>
>>>> # ipa permission-show "add dns entries"
>>>> Permission name: add dns entries
>>>> Permissions: add
>>>> Type: dnsrecord
>>>> Granted to Privilege: DNS Administrators, DNS Servers
>>>>
>>>> # ipa privilege-show "DNS Administrators"
>>>> Privilege name: DNS Administrators
>>>> Description: DNS Administrators
>>>> <<< Missing permissions
>>>>
>>>> I think the reason is that the permissions are in a wrong order in the
>>>> LDIF and are created before the privilege itself. When member links are
>>>> being created for DNS permissions, the memberof plugin cannot add
>>>> memberof attributes for the privilege since it does not exist yet. This
>>>> is the main issue that the BZ bug complains about.
>>>>
>>>> Martin
>>>>
>>>
>>> There are two problems:
>>>
>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>
>>> 2. The permission was added before the privilege so the memberof values
>>> weren't being calculated.
>>>
>>> This fixes it for new installs and adds an update to fix up existing
>>> installs.
>>>
>>> rob
>>
>> It works fine when doing upgrade. However, when running a clean install,
>> I get these errors:
>>
>> # ipa-server-install --setup-dns
>> ...
>> [9/13]: publish CA cert
>> [10/13]: creating a keytab for httpd
>> [11/13]: configuring SELinux for httpd
>> [12/13]: restarting httpd
>> [13/13]: configuring httpd to start on boot
>> done configuring httpd.
>> Applying LDAP updates
>> root : ERROR Add failure Object class violation: missing required
>> attribute "objectclass"
>> root : ERROR Add failure Object class violation: missing required
>> attribute "objectclass"
>> root : ERROR Add failure Object class violation: missing required
>> attribute "objectclass"
>> Restarting IPA to initialize updates before performing deletes:
>> [1/2]: stopping directory server
>> [2/2]: starting directory server
>> done configuring dirsrv.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the web server
>> Configuring named:
>> [1/9]: adding DNS container
>> [2/9]: setting up our zone
>> [3/9]: setting up reverse zone
>> [4/9]: setting up our own record
>> [5/9]: setting up kerberos principal
>> [6/9]: setting up named.conf
>> [7/9]: restarting named
>> [8/9]: configuring named to start on boot
>> [9/9]: changing resolv.conf to point to ourselves
>> done configuring named.
>> ==============================================================================
>>
>> Setup complete
>>
>> Do you hit this too? Permissions and privileges member attributes were
>> OK though.
>>
>> Martin
>>
>
> Bah, ok. We only create these permissions when dns is installed so I'll
> need to find some way to optionally add this.
>
> rob

I needed to add a new type to the updater to only add new values if the 
entry exists.

rob
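The thread turns on three behaviours: an ACI only shows up as a permission if its name carries the expected prefix; the memberof plugin computes the back-link only if the privilege entry already exists when the permission's member value is written, so LDIF order matters; and a plain "add" update against an entry that is not there (DNS not installed yet) tries to create the entry with only that attribute, which the server rejects with an objectclass violation. The following is an added example, not code from Rob's patch, FreeIPA or 389-ds: a small in-memory Python model of a directory with memberof semantics, used to reproduce both orderings and both update types. The "permission:" prefix, the update-type names, the DNs, object classes and ACI strings are assumptions constructed for the illustration.

```python
import re

# Part 1: why the unprefixed DNS ACIs were invisible as permissions.
# Assumption: the permission plugin recognises an ACI by the "permission:"
# prefix of its name; the thread does not state the exact prefix string.
ACI_PREFIX = "permission:"
_ACI_NAME = re.compile(r'acl\s+"([^"]*)"')

SAMPLE_ACIS = [  # constructed samples in 389-ds ACI syntax, not from the patch
    '(target = "ldap:///idnsname=*,cn=dns,dc=example,dc=test")'
    '(version 3.0;acl "permission:add dns entries";allow (add) '
    'groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,dc=example,dc=test";)',
    '(target = "ldap:///idnsname=*,cn=dns,dc=example,dc=test")'
    '(version 3.0;acl "update dns entries";allow (write) '
    'groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,dc=example,dc=test";)',
]

def permission_names(acis):
    """Names of the ACIs that carry the prefix; unprefixed ones are skipped."""
    names = []
    for aci in acis:
        m = _ACI_NAME.search(aci)
        if m and m.group(1).startswith(ACI_PREFIX):
            names.append(m.group(1)[len(ACI_PREFIX):])
    return names

# Part 2: memberof ordering and the conditional update type.
class ObjectClassViolation(Exception):
    """Stands in for the server's 'missing required attribute "objectclass"'."""

class Directory:
    """Toy in-memory stand-in for 389-ds plus the memberof plugin. The plugin
    is modelled as: when a member value is written, add a memberOf back-link
    to the target only if the target entry exists at that moment."""

    def __init__(self):
        self.entries = {}

    def add_entry(self, dn, attrs):
        if not attrs.get("objectClass"):
            raise ObjectClassViolation(dn)
        self.entries[dn] = {k: list(v) for k, v in attrs.items()}
        self._memberof_hook(dn)

    def add_values(self, dn, attr, values):
        """Plain 'add' update: modify the entry, or create it with only these
        attributes when it is absent (the clean-install failure mode)."""
        if dn not in self.entries:
            self.add_entry(dn, {attr: values})
            return True
        current = self.entries[dn].setdefault(attr, [])
        current.extend(v for v in values if v not in current)
        self._memberof_hook(dn)
        return True

    def add_values_if_exists(self, dn, attr, values):
        """Conditional update type: skip absent entries instead of creating
        them. The real updater keyword is not named in the thread."""
        if dn not in self.entries:
            return False
        return self.add_values(dn, attr, values)

    def _memberof_hook(self, dn):
        for target in self.entries[dn].get("member", []):
            if target in self.entries:
                links = self.entries[target].setdefault("memberOf", [])
                if dn not in links:
                    links.append(dn)

BASE = "dc=example,dc=test"
PRIVILEGE_DN = f"cn=DNS Administrators,cn=privileges,cn=pbac,{BASE}"
PERMISSION_DN = f"cn=add dns entries,cn=permissions,cn=pbac,{BASE}"
LDIF = {  # constructed entries modelled on the two objects shown in the thread
    PRIVILEGE_DN: {"objectClass": ["top", "groupofnames", "nestedgroup"],
                   "cn": ["DNS Administrators"]},
    PERMISSION_DN: {"objectClass": ["top", "groupofnames", "ipapermission"],
                    "cn": ["add dns entries"], "member": [PRIVILEGE_DN]},
}

def install(order):
    """Fresh install: load entries in LDIF order; return the privilege's memberOf."""
    d = Directory()
    for dn in order:
        d.add_entry(dn, LDIF[dn])
    return d.entries[PRIVILEGE_DN].get("memberOf", [])

def upgrade(dns_installed, conditional):
    """Fix-up update on an existing server whose permission (if any) was
    created before the privilege. Returns (update applied?, privilege memberOf)."""
    d = Directory()
    if dns_installed:
        d.add_entry(PERMISSION_DN, LDIF[PERMISSION_DN])  # old, wrong order
    d.add_entry(PRIVILEGE_DN, LDIF[PRIVILEGE_DN])
    op = d.add_values_if_exists if conditional else d.add_values
    applied = op(PERMISSION_DN, "member", [PRIVILEGE_DN])
    return applied, d.entries[PRIVILEGE_DN].get("memberOf", [])

if __name__ == "__main__":
    print("permissions seen  :", permission_names(SAMPLE_ACIS))
    print("wrong LDIF order  :", install([PERMISSION_DN, PRIVILEGE_DN]))
    print("right LDIF order  :", install([PRIVILEGE_DN, PERMISSION_DN]))
    print("upgrade, DNS on   :", upgrade(True, True))
    print("upgrade, DNS off  :", upgrade(False, True))
```

Running it shows the second ACI (no prefix) dropped from the permission list, an empty memberOf when the permission precedes the privilege, the back-link present once the order is swapped or the fix-up update re-writes the member value, and the conditional update returning False instead of raising on a server where the DNS permission entry does not exist. The unconditional `upgrade(False, False)` path raises the modelled objectclass violation, which is the error Martin saw on a clean install.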
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-887-3-prefix.patch
Type: text/x-patch
Size: 12226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111006/2632a634/attachment.bin>
