[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis

Rob Crittenden rcritten at redhat.com
Fri Oct 7 15:09:11 UTC 2011


Martin Kosek wrote:
> On Fri, 2011-10-07 at 08:52 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>>>>> which made them not show up when viewing their permission entries.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> This works fine, but it is just part of the solution. DNS-related
>>>>>>>> privileges are missing the memberof attribute for the DNS permissions, and
>>>>>>>> thus the permissions are not listed:
>>>>>>>>
>>>>>>>> # ipa permission-show "add dns entries"
>>>>>>>> Permission name: add dns entries
>>>>>>>> Permissions: add
>>>>>>>> Type: dnsrecord
>>>>>>>> Granted to Privilege: DNS Administrators, DNS Servers
>>>>>>>>
>>>>>>>> # ipa privilege-show "DNS Administrators"
>>>>>>>> Privilege name: DNS Administrators
>>>>>>>> Description: DNS Administrators
>>>>>>>> <<<   Missing permissions
>>>>>>>>
>>>>>>>> I think the reason is that the permissions are in a wrong order in the
>>>>>>>> LDIF and are created before the privilege itself. When member links are
>>>>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>>>>> is the main issue that the BZ bug complains about.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>
>>>>>>> There are two problems:
>>>>>>>
>>>>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>>>>
>>>>>>> 2. The permission was added before the privilege so the memberof values
>>>>>>> weren't being calculated.
>>>>>>>
>>>>>>> This fixes it for new installs and adds an update to fix up existing
>>>>>>> installs.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> It works fine when doing upgrade. However, when running a clean install,
>>>>>> I get these errors:
>>>>>>
>>>>>> # ipa-server-install --setup-dns
>>>>>> ...
>>>>>> [9/13]: publish CA cert
>>>>>> [10/13]: creating a keytab for httpd
>>>>>> [11/13]: configuring SELinux for httpd
>>>>>> [12/13]: restarting httpd
>>>>>> [13/13]: configuring httpd to start on boot
>>>>>> done configuring httpd.
>>>>>> Applying LDAP updates
>>>>>> root : ERROR Add failure Object class violation: missing required
>>>>>> attribute "objectclass"
>>>>>> root : ERROR Add failure Object class violation: missing required
>>>>>> attribute "objectclass"
>>>>>> root : ERROR Add failure Object class violation: missing required
>>>>>> attribute "objectclass"
>>>>>> Restarting IPA to initialize updates before performing deletes:
>>>>>> [1/2]: stopping directory server
>>>>>> [2/2]: starting directory server
>>>>>> done configuring dirsrv.
>>>>>> Restarting the directory server
>>>>>> Restarting the KDC
>>>>>> Restarting the web server
>>>>>> Configuring named:
>>>>>> [1/9]: adding DNS container
>>>>>> [2/9]: setting up our zone
>>>>>> [3/9]: setting up reverse zone
>>>>>> [4/9]: setting up our own record
>>>>>> [5/9]: setting up kerberos principal
>>>>>> [6/9]: setting up named.conf
>>>>>> [7/9]: restarting named
>>>>>> [8/9]: configuring named to start on boot
>>>>>> [9/9]: changing resolv.conf to point to ourselves
>>>>>> done configuring named.
>>>>>> ==============================================================================
>>>>>>
>>>>>> Setup complete
>>>>>>
>>>>>> Do you hit this too? Permissions and privileges member attributes were
>>>>>> OK though.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Bah, ok. We only create these permissions when dns is installed so I'll
>>>>> need to find some way to optionally add this.
>>>>>
>>>>> rob
>>>>
>>>> I needed to add a new type to the updater to only add new values if the
>>>> entry exists.
>>>>
>>>> rob
>>>
>>> I still get the same error. We have a new handy addifnew update type
>>> ready, let's use it in this DNS .update file too :-)
>>>
>>> Martin
>>>
>>
>> addifnew adds single-value attributes if they aren't already in the
>> entry; that will cause the same error.
>>
>> rob
>
> I tested the patch when I replaced all add: directives in 40-dns.update
> with addifexist. The clean installation now did not produce any error,
> memberships were OK.
>
> However, updating existing installation with DNS was not OK - privileges
> are still without memberof attributes:
>
> # ipa privilege-find dns
> --------------------
> 2 privileges matched
> --------------------
>    Privilege name: DNS Administrators
>    Description: DNS Administrators
>
>    Privilege name: DNS Servers
>    Description: DNS Servers
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> Martin
>

Strange, it works for me. Can you try this updated patch?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-887-4-prefix.patch
Type: text/x-patch
Size: 12268 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111007/cd182ea0/attachment.bin>
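An added example, not part of this thread or of the FreeIPA patch it discusses: an offline lint for an LDIF-style update file that catches the two defects Rob lists above. It reports a `member` value that names an entry defined later in the same file (the target does not exist when the referencing entry is added, so the memberof plugin has nothing to put a memberOf attribute on), and an ACI whose acl name lacks the permission prefix. The minimal LDIF reader, the sample entries with the `dc=example,dc=com` suffix, and the `permission:` prefix (assumed here to be what FreeIPA puts in front of permission ACI names) are all constructed for this example; it assumes every aci in the file is meant to be a managed permission, and it does not handle base64 (`::`) values or folded continuation lines.

```python
"""Offline lint for an LDIF-style IPA update file (constructed example).

Flags two problems:
  member-before-target : member points at an entry defined later in the file
  aci-prefix           : acl name in an aci lacks the permission prefix
"""
import re

# Assumed: the prefix FreeIPA puts in front of permission ACI names.
PERMISSION_PREFIX = "permission:"
ACI_NAME_RE = re.compile(r'acl\s+"([^"]*)"')


def norm_dn(dn):
    """Normalise a DN for comparison: case-fold, drop spaces after commas."""
    return re.sub(r",\s*", ",", dn.strip().lower())


def parse_ldif(text):
    """Minimal LDIF reader: 'dn:' starts an entry, a blank line ends it."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_entries(entries):
    """Return (kind, dn, detail) tuples for every problem found, in file order."""
    problems = []
    in_file = {norm_dn(e["dn"]) for e in entries}
    seen = set()  # entries that already exist when the current one is added
    for e in entries:
        for member in e["attrs"].get("member", []):
            target = norm_dn(member)
            if target in in_file and target not in seen:
                problems.append(("member-before-target", e["dn"], member))
            elif target not in in_file:
                # Might already exist in the directory; cannot be judged offline.
                problems.append(("member-not-in-file", e["dn"], member))
        for aci in e["attrs"].get("aci", []):
            m = ACI_NAME_RE.search(aci)
            name = m.group(1) if m else ""
            if not name.startswith(PERMISSION_PREFIX):
                problems.append(("aci-prefix", e["dn"], name))
        seen.add(norm_dn(e["dn"]))
    return problems


def lint(text):
    return check_entries(parse_ldif(text))


SUFFIX = "dc=example,dc=com"  # constructed suffix

# Constructed: permission added before its privilege, acl name without prefix.
SAMPLE_WRONG_ORDER = f"""\
dn: cn=add dns entries,cn=permissions,cn=pbac,{SUFFIX}
objectClass: groupofnames
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,{SUFFIX}

dn: cn=DNS Administrators,cn=privileges,cn=pbac,{SUFFIX}
objectClass: groupofnames
cn: DNS Administrators

dn: {SUFFIX}
aci: (targetattr = "*")(version 3.0;acl "add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,{SUFFIX}";)
"""

# Constructed: privilege first, then the permission; acl name carries the prefix.
SAMPLE_FIXED_ORDER = f"""\
dn: cn=DNS Administrators,cn=privileges,cn=pbac,{SUFFIX}
objectClass: groupofnames
cn: DNS Administrators

dn: cn=add dns entries,cn=permissions,cn=pbac,{SUFFIX}
objectClass: groupofnames
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,{SUFFIX}

dn: {SUFFIX}
aci: (targetattr = "*")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,{SUFFIX}";)
"""

if __name__ == "__main__":
    for label, sample in (("wrong order", SAMPLE_WRONG_ORDER), ("fixed", SAMPLE_FIXED_ORDER)):
        print(label, lint(sample) or "clean")
```

Run against a real update file, a `member-before-target` hit is the ordering bug the thread describes and is fixed by moving the privilege entry ahead of the permission; `member-not-in-file` is only informational, since the target may already be in the directory.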
