[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis

Martin Kosek mkosek at redhat.com
Fri Oct 7 14:46:13 UTC 2011


On Fri, 2011-10-07 at 08:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> >>>>> Martin Kosek wrote:
> >>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >>>>>>> The aci prefix was missing in the description of the three dns acis
> >>>>>>> which made them not show up when viewing their permission entries.
> >>>>>>>
> >>>>>>> rob
> >>>>>>
> >>>>>> This works fine, but it is just a part of the solution. DNS related
> >>>>>> privileges miss the memberof attribute for the DNS permissions and thus the
> >>>>>> permissions are not listed:
> >>>>>>
> >>>>>> # ipa permission-show "add dns entries"
> >>>>>> Permission name: add dns entries
> >>>>>> Permissions: add
> >>>>>> Type: dnsrecord
> >>>>>> Granted to Privilege: DNS Administrators, DNS Servers
> >>>>>>
> >>>>>> # ipa privilege-show "DNS Administrators"
> >>>>>> Privilege name: DNS Administrators
> >>>>>> Description: DNS Administrators
> >>>>>> <<<  Missing permissions
> >>>>>>
> >>>>>> I think the reason is that the permissions are in the wrong order in the
> >>>>>> LDIF and are created before the privilege itself. When member links are
> >>>>>> being created for DNS permissions, the memberof plugin cannot add
> >>>>>> memberof attributes for the privilege since it does not exist yet. This
> >>>>>> is the main issue that the BZ bug complains about.
> >>>>>>
> >>>>>> Martin
> >>>>>>
> >>>>>
> >>>>> There are two problems:
> >>>>>
> >>>>> 1. The acis lacked a prefix so they didn't appear as permissions
> >>>>>
> >>>>> 2. The permission was added before the privilege so the memberof values
> >>>>> weren't being calculated.
> >>>>>
> >>>>> This fixes it for new installs and adds an update to fix up existing
> >>>>> installs.
> >>>>>
> >>>>> rob
> >>>>
> >>>> It works fine when doing upgrade. However, when running a clean install,
> >>>> I get these errors:
> >>>>
> >>>> # ipa-server-install --setup-dns
> >>>> ...
> >>>> [9/13]: publish CA cert
> >>>> [10/13]: creating a keytab for httpd
> >>>> [11/13]: configuring SELinux for httpd
> >>>> [12/13]: restarting httpd
> >>>> [13/13]: configuring httpd to start on boot
> >>>> done configuring httpd.
> >>>> Applying LDAP updates
> >>>> root : ERROR Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> root : ERROR Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> root : ERROR Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> Restarting IPA to initialize updates before performing deletes:
> >>>> [1/2]: stopping directory server
> >>>> [2/2]: starting directory server
> >>>> done configuring dirsrv.
> >>>> Restarting the directory server
> >>>> Restarting the KDC
> >>>> Restarting the web server
> >>>> Configuring named:
> >>>> [1/9]: adding DNS container
> >>>> [2/9]: setting up our zone
> >>>> [3/9]: setting up reverse zone
> >>>> [4/9]: setting up our own record
> >>>> [5/9]: setting up kerberos principal
> >>>> [6/9]: setting up named.conf
> >>>> [7/9]: restarting named
> >>>> [8/9]: configuring named to start on boot
> >>>> [9/9]: changing resolv.conf to point to ourselves
> >>>> done configuring named.
> >>>> ==============================================================================
> >>>>
> >>>> Setup complete
> >>>>
> >>>> Do you hit this too? Permissions and privileges member attributes were
> >>>> OK though.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> Bah, ok. We only create these permissions when dns is installed so I'll
> >>> need to find some way to optionally add this.
> >>>
> >>> rob
> >>
> >> I needed to add a new type to the updater to only add new values if the
> >> entry exists.
> >>
> >> rob
> >
> > I still get the same error. We have a new handy addifnew update type
> > ready, let's use it in the DNS .update file too :-)
> >
> > Martin
> >
> 
> addifnew adds single value attributes if they aren't already in the
> entry, so that will cause the same error.
> 
> rob

I tested the patch when I replaced all add: directives in 40-dns.update
with addifexist. The clean installation now did not produce any error and
memberships were OK.

However, updating an existing installation with DNS was not OK - privileges
are still without memberof attributes:

# ipa privilege-find dns
--------------------
2 privileges matched
--------------------
  Privilege name: DNS Administrators
  Description: DNS Administrators

  Privilege name: DNS Servers
  Description: DNS Servers
----------------------------
Number of entries returned 2
----------------------------

Martin