[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis

Rob Crittenden rcritten at redhat.com
Fri Oct 7 12:52:42 UTC 2011


Martin Kosek wrote:
> On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>>> which made them not show up when viewing their permission entries.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> This works fine, but it is just a part of a solution. DNS related
>>>>>> privileges miss memberof attribute for the DNS permissions and thus the
>>>>>> permissions are not listed:
>>>>>>
>>>>>> # ipa permission-show "add dns entries"
>>>>>> Permission name: add dns entries
>>>>>> Permissions: add
>>>>>> Type: dnsrecord
>>>>>> Granted to Privilege: DNS Administrators, DNS Servers
>>>>>>
>>>>>> # ipa privilege-show "DNS Administrators"
>>>>>> Privilege name: DNS Administrators
>>>>>> Description: DNS Administrators
>>>>>> <<<  Missing permissions
>>>>>>
>>>>>> I think the reason is that the permissions are in a wrong order in the
>>>>>> LDIF and are created before the privilege itself. When member links are
>>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>>> is the main issue that the BZ bug complains about.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> There are two problems:
>>>>>
>>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>>
>>>>> 2. The permission was added before the privilege so the memberof values
>>>>> weren't being calculated.
>>>>>
>>>>> This fixes it for new installs and adds an update to fix up existing
>>>>> installs.
>>>>>
>>>>> rob
>>>>
>>>> It works fine when doing upgrade. However, when running a clean install,
>>>> I get these errors:
>>>>
>>>> # ipa-server-install --setup-dns
>>>> ...
>>>> [9/13]: publish CA cert
>>>> [10/13]: creating a keytab for httpd
>>>> [11/13]: configuring SELinux for httpd
>>>> [12/13]: restarting httpd
>>>> [13/13]: configuring httpd to start on boot
>>>> done configuring httpd.
>>>> Applying LDAP updates
>>>> root : ERROR Add failure Object class violation: missing required
>>>> attribute "objectclass"
>>>> root : ERROR Add failure Object class violation: missing required
>>>> attribute "objectclass"
>>>> root : ERROR Add failure Object class violation: missing required
>>>> attribute "objectclass"
>>>> Restarting IPA to initialize updates before performing deletes:
>>>> [1/2]: stopping directory server
>>>> [2/2]: starting directory server
>>>> done configuring dirsrv.
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Restarting the web server
>>>> Configuring named:
>>>> [1/9]: adding DNS container
>>>> [2/9]: setting up our zone
>>>> [3/9]: setting up reverse zone
>>>> [4/9]: setting up our own record
>>>> [5/9]: setting up kerberos principal
>>>> [6/9]: setting up named.conf
>>>> [7/9]: restarting named
>>>> [8/9]: configuring named to start on boot
>>>> [9/9]: changing resolv.conf to point to ourselves
>>>> done configuring named.
>>>> ==============================================================================
>>>>
>>>> Setup complete
>>>>
>>>> Do you hit this too? Permissions and privileges member attributes were
>>>> OK though.
>>>>
>>>> Martin
>>>>
>>>
>>> Bah, ok. We only create these permissions when dns is installed so I'll
>>> need to find some way to optionally add this.
>>>
>>> rob
>>
>> I needed to add a new type to the updater to only add new values if the
>> entry exists.
>>
>> rob
>
> I still get the same error. We have a new handy addifnew update type
> ready, let's use it in these DNS .update files too :-)
>
> Martin
>

addifnew adds single-value attributes if they aren't already in the 
entry; that will cause the same error.

rob
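The ordering problem Martin describes above (a permission entry whose member link points at a privilege the LDIF only creates later, so the memberof plugin has no target entry to annotate) can be detected before an update file is applied. The following Python is an added example written for this page, not FreeIPA's updater or test code; the sample LDIF, the DNs in it and the function names are constructed for illustration, and the parser only handles the plain `attr: value` form (no base64 `::` values, no changetype records).

```python
"""Find member links in an LDIF that point at entries not yet created, and
reorder entries so that link targets are added first.

Added example, not FreeIPA code. SAMPLE_LDIF and its DNs are constructed."""

import re

# Constructed sample: the permission comes first and links to two privileges
# that are only defined later in the same file.
SAMPLE_LDIF = """\
dn: cn=add dns entries,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Administrators
description: DNS Administrators

dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of (dn, {attr: [values]}) in file order.
    Folded lines (leading single space, RFC 2849) are joined; comments skipped."""
    entries = []
    dn, attrs = None, {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines() + [""]:   # trailing "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def normalize_dn(dn):
    """Cheap DN normalisation: trim RDN whitespace, case-fold."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_forward_member_refs(entries, existing=()):
    """Return (entry_dn, member_dn) pairs whose target neither already exists
    in the directory (`existing`) nor was defined earlier in the file."""
    known = {normalize_dn(d) for d in existing}
    problems = []
    for dn, attrs in entries:
        for target in attrs.get("member", []):
            if normalize_dn(target) not in known:
                problems.append((dn, target))
        known.add(normalize_dn(dn))
    return problems


def reorder_for_members(entries):
    """Depth-first topological reorder: every member target that is defined in
    the file is emitted before the entry linking to it. File order is kept
    otherwise; a reference cycle is left in its original relative order."""
    by_dn = {normalize_dn(dn): (dn, attrs) for dn, attrs in entries}
    order, done = [], set()

    def visit(key, stack):
        if key in done or key in stack:
            return
        stack.add(key)
        dn, attrs = by_dn[key]
        for target in attrs.get("member", []):
            t = normalize_dn(target)
            if t in by_dn:
                visit(t, stack)
        stack.discard(key)
        done.add(key)
        order.append((dn, attrs))

    for dn, _ in entries:
        visit(normalize_dn(dn), set())
    return order


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for src, target in find_forward_member_refs(entries):
        print(f"forward member link: {src} -> {target}")
    print("suggested order:")
    for dn, _ in reorder_for_members(entries):
        print("  " + dn)
```

Passing the DNs that already exist in the directory as `existing` covers the upgrade case, where the privilege entries predate the update file and the link can be resolved immediately.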
