[Freeipa-devel] ACI "Midair collision" bug (Was: [PATCHES] 0552-0554 Upgrading write permissions)

Petr Viktorin pviktori at redhat.com
Mon May 26 11:38:12 UTC 2014


On 05/22/2014 03:07 PM, Petr Viktorin wrote:
> Hello,
> Here I start upgrading the existing default permissions to the new
> Managed style.
>
> https://fedorahosted.org/freeipa/ticket/4346
>
> The patches rely on my patch 0551
> (https://fedorahosted.org/freeipa/ticket/4349)
> You may run into what seems to be a 389 bug. If you get a "Midair
> Collision" (NO_SUCH_ATTRIBUTE) error, restart the DS and try running
> ipa-ldap-updater again. I'm working with Ludwig on this one.
>


This bug is indeed in 389 and there's a fix. I'll test with the current 
build to verify.



I'm re-sending some of our private communication to the list, in case 
anyone wants to try reproducing the issue.

On 05/26/2014 11:27 AM, Ludwig Krispenz wrote:
>
> Hi,
>
> I now consistently reproduced the issue and debugged it. It is in fact a case where, in sorting the values of an attribute, in some cases another comparison function was used. The current state of the 1.3.2 branch partially fixes and/or prevents the problem by using another default comparison function; with a current build the test scenario passed.
> Maybe you can try the rpms at
>
> http://copr-be.cloud.fedoraproject.org/results/lkrispen/132test/fedora-20-x86_64/389-ds-base-1.3.2.16-20140526081843.fc17/
>
> We will need to provide an official 1.3.217 (and should fix a few more locations which could lead to the problem).
>
> Regards,
> Ludwig


On 05/21/2014 01:19 PM, Petr Viktorin wrote:
>
> Steps to reproduce:
> - Install "master" & "replica" on FreeIPA from the f20 repos
> (freeipa-server-3.3.5-1)
> - Upgrade "master" to my #4344 WIP branch
>   - RPMs: http://fedorapeople.org/~pviktori/rpms/freeipa-2f9399d/
>   - source: git pull http://github.com/encukou/freeipa ticket-4344-wip
> - Run ipa-ldap-updater on the "replica"
> - The problem appears on master.
>
> I can confirm that things work after a restart.
>
>
>
> Commands used to reproduce:
>
> $ ldapsearch -x -h localhost -D 'cn=Directory Manager' -w 12345678 -o
> ldif-wrap=no -b dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com -s base
> aci | grep -i 'Modify Sudo rule'
> aci: (targetattr = "description || ipaenabledflag || usercategory ||
> hostcategory || cmdcategory || ipasudorunasusercategory ||
> ipasudorunasgroupcategory || externaluser || ipasudorunasextuser ||
> ipasudorunasextgroup || memberdenycmd || memberallowcmd ||
> memberuser")(target =
> "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version
> 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn =
> "ldap:///cn=Modify Sudo
> rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
>
> aci: (targetattr = "cmdcategory || description || externalhost ||
> externaluser || hostcategory || hostmask || ipaenabledflag ||
> ipasudoopt || ipasudorunas || ipasudorunasextgroup ||
> ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory
> || ipasudorunasusercategory || memberallowcmd || memberdenycmd ||
> memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder
> || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version
> 3.0;acl "permission:System: Modify Sudo rule";allow (add) groupdn =
> "ldap:///cn=System: Modify Sudo
> rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
>
> # System: Modify Sudo rule, permissions, pbac, idm.lab.eng.brq.redhat.com
> dn: cn=System: Modify Sudo
> rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> # Modify Sudo rule, permissions, pbac, idm.lab.eng.brq.redhat.com
> dn: cn=Modify Sudo
> rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>
>
> $ ldapmodify -x -h localhost -D 'cn=Directory Manager' -w 12345678
> dn: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> changetype: modify
> delete: aci
> aci: (targetattr = "description || ipaenabledflag || usercategory ||
> hostcategory || cmdcategory || ipasudorunasusercategory ||
> ipasudorunasgroupcategory || externaluser || ipasudorunasextuser ||
> ipasudorunasextgroup || memberdenycmd || memberallowcmd ||
> memberuser")(target =
> "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version
> 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn =
> "ldap:///cn=Modify Sudo
> rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
>
>
> modifying entry "dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
> ldap_modify: No such attribute (16)


-- 
Petr³
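
Added example, not part of the original messages and not 389-ds code: a simplified model of the failure Ludwig describes, where an attribute's values are sorted with one comparison function and looked up with another, so a delete-by-value returns "No such attribute (16)" for a value that is stored. The binary-search lookup, the two comparators (case-insensitive and byte-wise) and the sample values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define LDAP_SUCCESS 0
#define LDAP_NO_SUCH_ATTRIBUTE 16 /* the "(16)" in the ldapmodify output */
typedef int (*cmp_fn)(const void *, const void *);

/* Two orderings of the same strings (assumed pair, for illustration). */
static int cmp_bytes(const void *a, const void *b) {
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}
static int cmp_nocase(const void *a, const void *b) {
    return strcasecmp(*(const char *const *)a, *(const char *const *)b);
}

/* Constructed stand-ins for the aci values on one entry. */
static const char *SAMPLE[] = {
    "permission:Modify Sudo rule", "permission:System: Modify Sudo rule",
    "permission:add hosts", "permission:Remove hosts",
    "permission:modify users",
};
#define NVALS (sizeof SAMPLE / sizeof SAMPLE[0])

/* Model of "delete: aci" by value: stored values were sorted with sort_cmp,
 * the lookup binary-searches them with find_cmp. */
int delete_value(cmp_fn sort_cmp, cmp_fn find_cmp, const char *value) {
    const char *vals[NVALS];
    memcpy(vals, SAMPLE, sizeof vals);
    qsort(vals, NVALS, sizeof vals[0], sort_cmp);
    size_t lo = 0, hi = NVALS;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = find_cmp(&value, &vals[mid]);
        if (c == 0) return LDAP_SUCCESS;
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return LDAP_NO_SUCH_ATTRIBUTE; /* value is stored, but the lookup missed it */
}

/* How many of the stored values a delete-by-value fails to find. */
int failed_deletes(cmp_fn sort_cmp, cmp_fn find_cmp) {
    int failed = 0;
    for (size_t i = 0; i < NVALS; i++)
        failed += delete_value(sort_cmp, find_cmp, SAMPLE[i]) != LDAP_SUCCESS;
    return failed;
}
int main(void) {
    printf("same comparator: %d failed\n", failed_deletes(cmp_nocase, cmp_nocase));
    printf("mixed comparators: %d failed\n", failed_deletes(cmp_nocase, cmp_bytes));
    return 0;
}
```

In this model the values never change; only the ordering assumed by the lookup differs from the ordering used when they were sorted.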



