[Freeipa-devel] [PATCH 0087] Fix: missing records in 40-dns.update

Petr Spacek pspacek at redhat.com
Thu Jul 3 18:57:06 UTC 2014


On 3.7.2014 19:34, Martin Basti wrote:
> On Thu, 2014-07-03 at 14:59 +0200, Petr Spacek wrote:
>> On 2.7.2014 10:32, Petr Spacek wrote:
>>> On 2.7.2014 10:23, Martin Basti wrote:
>>>> On Wed, 2014-07-02 at 09:40 +0200, Petr Spacek wrote:
>>>>> On 1.7.2014 17:28, Martin Basti wrote:
>>>>>> Patch attached
>>>>>
>>>>> I'm not able to apply it on top of current master
>>>>> (21e1e4ac3bd62c20c6331ea3dc09793e3a869c22).
>>>>>
>>>> Sorry I lost myself in ACIs, it depends on the patch mbasti-0084-2 and
>>>> 0085-2
>>>
>>> Okay, I will test it when you send new versions of 0084 and 0085.
>>
>> NACK. It doesn't work for me for some reason, tlsarecord was not added to aci
>> for some reason.
>>
>> The same problem applies to DLVRecord and nSEC3PARAMRecord. DS record seems to
>> be okay.
>>
>
> Updated patch attached


Sorry, NACK! ;-)

Upgrade from 3.3.5 died with error in ipa-ldap-updater:

Parsing update file '/usr/share/ipa/updates/40-dns.update'
Updating existing entry: cn=IPA DNS,cn=plugins,cn=config
Done
Updating existing entry: cn=dns,dc=ipa,dc=example
Unexpected error - see /var/log/ipaupgrade.log for details:
InvalidSyntax: targetattr "idnsforwarders dlvrecord" does not exist in schema. 
Please add attributeTypes "idnsforwarders dlvrecord" to schema if necessary. 
ACL Syntax Error(-5):(targetattr = \22idnsname || cn || idnsallowdynupdate || 
dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || 
cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || 
hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || 
locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord 
|| dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || 
idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || 
idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || 
idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || 
idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || 
nsec3paramrecord || tlsarecord\22)(target = 
\22ldap:///idnsname=\2a,cn=dns,dc=ipa,dc=example\22)(version 3.0;acl \22Update 
DNS entries in a zone\22;allow (write) userattr = 
\22parent[0,1].managedby#GROUPDN\22;): Invalid syntax.


/var/log/ipaupgrade.log says this:

2014-07-03T18:52:48Z DEBUG Final value after applying updates
2014-07-03T18:52:48Z DEBUG dn: cn=dns,dc=ipa,dc=example
2014-07-03T18:52:48Z DEBUG objectClass:
2014-07-03T18:52:48Z DEBUG      nsContainer
2014-07-03T18:52:48Z DEBUG      top
2014-07-03T18:52:48Z DEBUG      idnsConfigObject
2014-07-03T18:52:48Z DEBUG      idnsConfigObject
2014-07-03T18:52:48Z DEBUG aci:
2014-07-03T18:52:48Z DEBUG      (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG      (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG      (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG      (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example" or userattr = "parent[0,1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG      (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG      (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG      (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG cn:
2014-07-03T18:52:48Z DEBUG      dns
2014-07-03T18:52:48Z DEBUG [(0, u'aci', ['(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'])]
2014-07-03T18:52:48Z DEBUG Live 1, updated 1
2014-07-03T18:52:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
     return_value = self.run()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 213, in run
     modified = ld.update(self.files, ordered=True) or modified
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in update
     self._run_updates(all_updates)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 791, in _run_updates
     self._update_record(update)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 712, in _update_record
     self.conn.update_entry(entry)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1622, in update_entry
     self.conn.modify_s(entry.dn, modlist)
   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
     self.gen.throw(type, value, traceback)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1183, in error_handler
     raise errors.InvalidSyntax(attr=info)

-- 
Petr^2 Spacek
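
The failure reported above comes from a targetattr list in which two attribute names ("idnsforwarders dlvrecord") are not separated by "||". As an added example (not FreeIPA code and not part of the original message), the following Python check flags such tokens in an ACI string before it is sent to the directory server; the function names and the shortened sample ACIs are constructed for illustration.

```python
import re

# One attribute description: a name plus optional ;options, or the "*" wildcard.
ATTR_RE = re.compile(r"^(\*|[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*)$")
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*!?=\s*"([^"]*)"\s*\)', re.I)

# Constructed samples, shortened from the ACI quoted in the message above.
TAIL = ('(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")'
        '(version 3.0;acl "Update DNS entries in a zone";'
        'allow (write) userattr = "parent[0,1].managedby#GROUPDN";)')
GOOD_ACI = ('(targetattr = "idnsname || cn || idnsforwarders || dlvrecord '
            '|| tlsarecord")' + TAIL)
BROKEN_ACI = ('(targetattr = "idnsname || cn || idnsname || idnsforwarders '
              'dlvrecord || tlsarecord")' + TAIL)
# Same defect in the \XX-escaped form that the server error message uses.
ESCAPED_ACI = BROKEN_ACI.replace('"', r"\22").replace("*", r"\2a")


def unescape(text):
    """Decode \\XX hex escapes (as in the server's error text) to characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def check_targetattr(aci):
    """Return (bad_tokens, duplicates) for the targetattr list of one ACI."""
    match = TARGETATTR_RE.search(unescape(aci))
    if match is None:
        return [], []  # no targetattr clause, nothing to check
    tokens = [t.strip() for t in match.group(1).split("||")]
    bad = [t for t in tokens if not ATTR_RE.match(t)]
    seen, dups = set(), []
    for t in tokens:
        key = t.lower()  # attribute names compare case-insensitively
        if key in seen and t not in dups:
            dups.append(t)
        seen.add(key)
    return bad, dups


if __name__ == "__main__":
    for name in ("GOOD_ACI", "BROKEN_ACI", "ESCAPED_ACI"):
        bad, dups = check_targetattr(globals()[name])
        print(name, "invalid:", bad, "duplicates:", dups)
```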



