[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis

Martin Kosek mkosek at redhat.com
Fri Oct 7 07:53:33 UTC 2011


On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >>>>> The aci prefix was missing in the description of the three dns acis
> >>>>> which made them not show up when viewing their permission entries.
> >>>>>
> >>>>> rob
> >>>>
> >>>> This works fine, but it is just a part of a solution. DNS related
> >>>> privileges miss memberof attribute for the DNS permissions and thus the
> >>>> permissions are not listed:
> >>>>
> >>>> # ipa permission-show "add dns entries"
> >>>> Permission name: add dns entries
> >>>> Permissions: add
> >>>> Type: dnsrecord
> >>>> Granted to Privilege: DNS Administrators, DNS Servers
> >>>>
> >>>> # ipa privilege-show "DNS Administrators"
> >>>> Privilege name: DNS Administrators
> >>>> Description: DNS Administrators
> >>>> <<< Missing permissions
> >>>>
> >>>> I think the reason is that the permissions are in a wrong order in the
> >>>> LDIF and are created before the privilege itself. When member links are
> >>>> being created for DNS permissions, the memberof plugin cannot add
> >>>> memberof attributes for the privilege since it does not exist yet. This
> >>>> is the main issue that the BZ bug complains about.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> There are two problems:
> >>>
> >>> 1. The acis lacked a prefix so they didn't appear as permissions
> >>>
> >>> 2. The permission was added before the privilege so the memberof values
> >>> weren't being calculated.
> >>>
> >>> This fixes it for new installs and adds an update to fix up existing
> >>> installs.
> >>>
> >>> rob
> >>
> >> It works fine when doing upgrade. However, when running a clean install,
> >> I get these errors:
> >>
> >> # ipa-server-install --setup-dns
> >> ...
> >> [9/13]: publish CA cert
> >> [10/13]: creating a keytab for httpd
> >> [11/13]: configuring SELinux for httpd
> >> [12/13]: restarting httpd
> >> [13/13]: configuring httpd to start on boot
> >> done configuring httpd.
> >> Applying LDAP updates
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> Restarting IPA to initialize updates before performing deletes:
> >> [1/2]: stopping directory server
> >> [2/2]: starting directory server
> >> done configuring dirsrv.
> >> Restarting the directory server
> >> Restarting the KDC
> >> Restarting the web server
> >> Configuring named:
> >> [1/9]: adding DNS container
> >> [2/9]: setting up our zone
> >> [3/9]: setting up reverse zone
> >> [4/9]: setting up our own record
> >> [5/9]: setting up kerberos principal
> >> [6/9]: setting up named.conf
> >> [7/9]: restarting named
> >> [8/9]: configuring named to start on boot
> >> [9/9]: changing resolv.conf to point to ourselves
> >> done configuring named.
> >> ==============================================================================
> >>
> >> Setup complete
> >>
> >> Do you hit this too? Permissions and privileges member attributes were
> >> OK though.
> >>
> >> Martin
> >>
> >
> > Bah, ok. We only create these permissions when dns is installed so I'll
> > need to find some way to optionally add this.
> >
> > rob
> 
> I needed to add a new type to the updater to only add new values if the 
> entry exists.
> 
> rob

I still get the same error. We have a new handy addifnew update type
ready, let's use it in these DNS .update files too :-)

Martin
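To make the two failure modes discussed in this thread concrete, here is an added illustration (not FreeIPA's updater or memberof plugin code, and not part of the original mail): a toy in-memory directory in which `ToyDirectory`, `update_add`, `only_if_exists`, `install` and the DNs are all constructed assumptions. It shows why a permission created before its privilege leaves the privilege without `memberof`, and why an unconditional update against an entry that was never created ends in the objectclass violation from the install log, while an add that is skipped when the entry is missing does not.

```python
# Added illustration, not FreeIPA's updater or memberof plugin code: a toy
# in-memory directory showing (1) why creating the permission before the
# privilege leaves the privilege without memberof, and (2) why an unconditional
# update on an entry that was never created fails with an objectclass violation
# while a "skip if the entry is missing" add does not. DNs are constructed.
PERM = "cn=add dns entries,cn=permissions,cn=pbac,dc=example,dc=com"
PRIV = "cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com"
OC_ERROR = 'Add failure Object class violation: missing required attribute "objectclass"'

class ToyDirectory:
    def __init__(self):
        self.entries = {}   # dn -> {attribute: [values]}
        self.errors = []    # server rejections, as the installer logs them

    def add_entry(self, dn, attrs):
        """Create an entry; the server rejects any entry lacking objectclass."""
        if "objectclass" not in attrs:
            self.errors.append(OC_ERROR)
            return False
        self.entries[dn] = {k: list(v) for k, v in attrs.items()}
        self._memberof_plugin(dn)
        return True

    def _memberof_plugin(self, dn):
        """Like the memberof plugin: when `member` is written on `dn`, add `memberof`
        to each target that already exists. Targets created later are never revisited."""
        for target in self.entries[dn].get("member", []):
            if target in self.entries:
                mo = self.entries[target].setdefault("memberof", [])
                if dn not in mo:
                    mo.append(dn)

    def update_add(self, dn, attr, value, only_if_exists=False):
        """Updater 'add': a missing entry is built from the lone attribute (no objectclass)."""
        if dn not in self.entries:
            if only_if_exists:
                return True          # entry absent (DNS not installed): skip, no error
            return self.add_entry(dn, {attr: [value]})
        self.entries[dn].setdefault(attr, []).append(value)
        self._memberof_plugin(dn)
        return True

def install(order):
    # Create permission and privilege in `order`; return the privilege's memberof.
    d = ToyDirectory()
    for dn in order:
        if dn == PERM:   # the permission names its privilege via `member`
            d.add_entry(PERM, {"objectclass": ["ipapermission"], "member": [PRIV]})
        else:
            d.add_entry(PRIV, {"objectclass": ["nestedgroup"]})
    return d.entries[PRIV].get("memberof", [])
```

`install([PERM, PRIV])` reproduces the missing-permissions symptom from `privilege-show`, and `install([PRIV, PERM])` is the corrected LDIF order.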
