[Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
Martin Basti
mbasti at redhat.com
Mon Jan 25 09:09:37 UTC 2016
On 25.01.2016 09:30, Ludwig Krispenz wrote:
> Hi,
>
> this is from a discussion on the user-list, there is a difference in
> acis on 4.2.0 and 4.2.3
>
> this is the aci which is present in 4.2.0 and is missing in 4.2.3:
>
> aci: (targetattr = "cn || createtimestamp || description || entryusn
> || modify
> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
> nsds5debugreplicatimeou
> t || nsds5flags || nsds5replicaabortcleanruv ||
> nsds5replicaautoreferral || n
> sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn
> || nsds
> 5replicabindmethod || nsds5replicabusywaittime ||
> nsds5replicachangecount ||
> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
> nsds5replicacl
> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled ||
> nsds5repl
> icahost || nsds5replicaid || nsds5replicalastinitend ||
> nsds5replicalastinits
> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||
> nsds5repli
> calastupdatestart || nsds5replicalastupdatestatus ||
> nsds5replicalegacyconsum
> er || nsds5replicaname || nsds5replicaport ||
> nsds5replicaprotocoltimeout ||
> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot ||
> nsds5re
> plicasessionpausetime || nsds5replicastripattrs ||
> nsds5replicatedattributeli
> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
> nsds5replic
> atombstonepurgeinterval || nsds5replicatransportinfo ||
> nsds5replicatype || n
> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
> nsds5task || nsd
> s7directoryreplicasubtree || nsds7dirsynccookie ||
> nsds7newwingroupsyncenable
> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
> nsds7windowsreplicas
> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
> onewaysync ||
> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||
> winsyncsub
> treepair || winsyncwindowsfilter")(targetfilter =
> "(|(objectclass=nsds5Replic
> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>
> greement)(objectClass=nsMappingTree))")(version 3.0;acl
> "permission:System: R
> ead Replication Agreements";allow (compare,read,search) groupdn =
> "ldap:///cn
> =System: Read Replication
> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
> n,dc=net";)
>
> does anybody know if and why this was changed ?
>
This ACI is created by
ipaserver/install/plugins/update_managed_permissions.py
It hasn't been touched for a while; did the upgrade/install work well?
Maybe re-running ipa-server-upgrade should recreate this entry.
>
>
> On 01/24/2016 03:22 AM, Nathan Peters wrote:
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> LDBM Databas
>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (version 3.0;acl "permission:Add Configuration
>> Sub-Entries";allow (add) g
>> roupdn = "ldap:///cn=Add Configuration
>> Sub-Entries,cn=permissions,cn=pbac,dc=
>> ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || description || entryusn
>> || modify
>> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
>> nsds5debugreplicatimeou
>> t || nsds5flags || nsds5replicaabortcleanruv ||
>> nsds5replicaautoreferral || n
>> sds5replicabackoffmax || nsds5replicabackoffmin ||
>> nsds5replicabinddn || nsds
>> 5replicabindmethod || nsds5replicabusywaittime ||
>> nsds5replicachangecount ||
>> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
>> nsds5replicacl
>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled ||
>> nsds5repl
>> icahost || nsds5replicaid || nsds5replicalastinitend ||
>> nsds5replicalastinits
>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||
>> nsds5repli
>> calastupdatestart || nsds5replicalastupdatestatus ||
>> nsds5replicalegacyconsum
>> er || nsds5replicaname || nsds5replicaport ||
>> nsds5replicaprotocoltimeout ||
>> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot
>> || nsds5re
>> plicasessionpausetime || nsds5replicastripattrs ||
>> nsds5replicatedattributeli
>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
>> nsds5replic
>> atombstonepurgeinterval || nsds5replicatransportinfo ||
>> nsds5replicatype || n
>> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
>> nsds5task || nsd
>> s7directoryreplicasubtree || nsds7dirsynccookie ||
>> nsds7newwingroupsyncenable
>> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
>> nsds7windowsreplicas
>> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
>> onewaysync ||
>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||
>> winsyncsub
>> treepair || winsyncwindowsfilter")(targetfilter =
>> "(|(objectclass=nsds5Replic
>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>> greement)(objectClass=nsMappingTree))")(version 3.0;acl
>> "permission:System: R
>> ead Replication Agreements";allow (compare,read,search) groupdn =
>> "ldap:///cn
>> =System: Read Replication
>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>> n,dc=net";)
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
>> 3.0;acl
>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
>>
>> # tasks, config
>> dn: cn=tasks,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>> re-initializatio
>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>> Agreements,cn=permis
>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>> replica re
>> -initialization"; allow (add) userdn =
>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>> ca";)
>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>> allow (read
>> , compare, search) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>> atestdomain,dc=net";)
>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
>> membershi
>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
>> Automember Ta
>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read
>> Automembe
>> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # csusers, config
>> dn: ou=csusers,cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>> replication use
>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>> allow( rea
>> d, search ) userdn ="ldap:///all";)
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>> allow (read,
>> search, compare, proxy) userdn ="ldap:///anyone"; )
>>
>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>> Agreements";al
>> low (add) groupdn = "ldap:///cn=Add Replication
>> Agreements,cn=permissions,cn=
>> pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>> Replication Agreeme
>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>> Replication Ag
>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>> "permission:Rem
>> ove Replication Agreements";allow (delete) groupdn =
>> "ldap:///cn=Remove Repli
>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # o\3Dipaca, mapping tree, config
>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>> Agreements"
>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>> Replication Agre
>> ements"; allow (read, write, search) userdn =
>> "ldap:///uid=pkidbuser,ou=peopl
>> e,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
>> manager:
>> Remove Replication Agreements";allow (delete) userdn =
>> "ldap:///uid=pkidbuser
>> ,ou=people,o=ipaca";)
>>
>> # ldbm database, plugins, config
>> dn: cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>> searches"; a
>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>>
>>
>> ============================================================================
>>
>> 2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 but there
>> is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference
>> that the CentOS ACL hasn't changed yet)
>> ============================================================================
>>
>> ================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3
>> =========================
>>
>> [root at dc1 ~]# ldapsearch -b "cn=config" -D
>> "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
>> Enter LDAP Password:
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> LDBM Databas
>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (version 3.0;acl "permission:Add Configuration
>> Sub-Entries";allow (add) g
>> roupdn = "ldap:///cn=Add Configuration
>> Sub-Entries,cn=permissions,cn=pbac,dc=
>> ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || description || entryusn
>> || modify
>> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
>> nsds5debugreplicatimeou
>> t || nsds5flags || nsds5replicaabortcleanruv ||
>> nsds5replicaautoreferral || n
>> sds5replicabackoffmax || nsds5replicabackoffmin ||
>> nsds5replicabinddn || nsds
>> 5replicabindmethod || nsds5replicabusywaittime ||
>> nsds5replicachangecount ||
>> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
>> nsds5replicacl
>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled ||
>> nsds5repl
>> icahost || nsds5replicaid || nsds5replicalastinitend ||
>> nsds5replicalastinits
>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||
>> nsds5repli
>> calastupdatestart || nsds5replicalastupdatestatus ||
>> nsds5replicalegacyconsum
>> er || nsds5replicaname || nsds5replicaport ||
>> nsds5replicaprotocoltimeout ||
>> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot
>> || nsds5re
>> plicasessionpausetime || nsds5replicastripattrs ||
>> nsds5replicatedattributeli
>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
>> nsds5replic
>> atombstonepurgeinterval || nsds5replicatransportinfo ||
>> nsds5replicatype || n
>> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
>> nsds5task || nsd
>> s7directoryreplicasubtree || nsds7dirsynccookie ||
>> nsds7newwingroupsyncenable
>> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
>> nsds7windowsreplicas
>> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
>> onewaysync ||
>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||
>> winsyncsub
>> treepair || winsyncwindowsfilter")(targetfilter =
>> "(|(objectclass=nsds5Replic
>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>> greement)(objectClass=nsMappingTree))")(version 3.0;acl
>> "permission:System: R
>> ead Replication Agreements";allow (compare,read,search) groupdn =
>> "ldap:///cn
>> =System: Read Replication
>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>> n,dc=net";)
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
>> 3.0;acl
>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
>>
>> # tasks, config
>> dn: cn=tasks,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>> re-initializatio
>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>> Agreements,cn=permis
>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>> replica re
>> -initialization"; allow (add) userdn =
>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>> ca";)
>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>> allow (read
>> , compare, search) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>> atestdomain,dc=net";)
>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
>> membershi
>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
>> Automember Ta
>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read
>> Automembe
>> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # csusers, config
>> dn: ou=csusers,cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>> replication use
>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>> allow( rea
>> d, search ) userdn ="ldap:///all";)
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>> allow (read,
>> search, compare, proxy) userdn ="ldap:///anyone"; )
>>
>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>> Agreements";al
>> low (add) groupdn = "ldap:///cn=Add Replication
>> Agreements,cn=permissions,cn=
>> pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>> Replication Agreeme
>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>> Replication Ag
>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>> "permission:Rem
>> ove Replication Agreements";allow (delete) groupdn =
>> "ldap:///cn=Remove Repli
>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # o\3Dipaca, mapping tree, config
>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>> Agreements"
>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>> Replication Agre
>> ements"; allow (read, write, search) userdn =
>> "ldap:///uid=pkidbuser,ou=peopl
>> e,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
>> manager:
>> Remove Replication Agreements";allow (delete) userdn =
>> "ldap:///uid=pkidbuser
>> ,ou=people,o=ipaca";)
>>
>> # ldbm database, plugins, config
>> dn: cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>> searches"; a
>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>>
>>
>>
>> ============================================================================
>>
>> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the
>> replica file was made from dc1 which is a CentOS server that still
>> has the acls(missing some stuff)
>> ============================================================================
>>
>> aci list on dc2
>>
>> [root at dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config"
>> "(aci=*)" aci
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (aci=*)
>> # requesting: aci
>> #
>>
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> LDBM Databas
>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (version 3.0;acl "permission:Add Configuration
>> Sub-Entries";allow (add) g
>> roupdn = "ldap:///cn=Add Configuration
>> Sub-Entries,cn=permissions,cn=pbac,dc=
>> ipatestdomain,dc=net";)
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
>> 3.0;acl
>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
>>
>> # tasks, config
>> dn: cn=tasks,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>> re-initializatio
>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>> Agreements,cn=permis
>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>> replica re
>> -initialization"; allow (add) userdn =
>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>> ca";)
>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>> allow (read
>> , compare, search) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>> atestdomain,dc=net";)
>>
>> # csusers, config
>> dn: ou=csusers,cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>> replication use
>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>> allow( rea
>> d, search ) userdn ="ldap:///all";)
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>> allow (read,
>> search, compare, proxy) userdn ="ldap:///anyone"; )
>>
>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>> Agreements";al
>> low (add) groupdn = "ldap:///cn=Add Replication
>> Agreements,cn=permissions,cn=
>> pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>> Replication Agreeme
>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>> Replication Ag
>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>> "permission:Rem
>> ove Replication Agreements";allow (delete) groupdn =
>> "ldap:///cn=Remove Repli
>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # o\3Dipaca, mapping tree, config
>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>> Agreements"
>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>> Replication Agre
>> ements"; allow (read, write, search) userdn =
>> "ldap:///uid=pkidbuser,ou=peopl
>> e,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
>> manager:
>> Remove Replication Agreements";allow (delete) userdn =
>> "ldap:///uid=pkidbuser
>> ,ou=people,o=ipaca";)
>>
>> # ldbm database, plugins, config
>> dn: cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>> searches"; a
>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>>
>> ============================================================================
>>
>> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
>> missing some stuff)
>> ============================================================================
>>
>> [root at dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b
>> "cn=config" "(aci=*)" aci
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=config> with scope subtree
>> # filter: (aci=*)
>> # requesting: aci
>> #
>>
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> LDBM Databas
>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (version 3.0;acl "permission:Add Configuration
>> Sub-Entries";allow (add) g
>> roupdn = "ldap:///cn=Add Configuration
>> Sub-Entries,cn=permissions,cn=pbac,dc=
>> ipatestdomain,dc=net";)
>>
>> # SNMP, config
>> dn: cn=SNMP,cn=config
>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
>> 3.0;acl
>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
>>
>> # tasks, config
>> dn: cn=tasks,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>> re-initializatio
>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>> Agreements,cn=permis
>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>> replica re
>> -initialization"; allow (add) userdn =
>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>> ca";)
>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>> allow (read
>> , compare, search) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>> atestdomain,dc=net";)
>>
>> # csusers, config
>> dn: ou=csusers,cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>> replication use
>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>> allow( rea
>> d, search ) userdn ="ldap:///all";)
>>
>> # 2.16.840.1.113730.3.4.9, features, config
>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>> allow (read,
>> search, compare, proxy) userdn ="ldap:///anyone"; )
>>
>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>> Agreements";al
>> low (add) groupdn = "ldap:///cn=Add Replication
>> Agreements,cn=permissions,cn=
>> pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>> Replication Agreeme
>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>> Replication Ag
>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>> "permission:Rem
>> ove Replication Agreements";allow (delete) groupdn =
>> "ldap:///cn=Remove Repli
>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # o\3Dipaca, mapping tree, config
>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>> Agreements"
>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>> Replication Agre
>> ements"; allow (read, write, search) userdn =
>> "ldap:///uid=pkidbuser,ou=peopl
>> e,o=ipaca";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
>> manager:
>> Remove Replication Agreements";allow (delete) userdn =
>> "ldap:///uid=pkidbuser
>> ,ou=people,o=ipaca";)
>>
>> # ldbm database, plugins, config
>> dn: cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>> searches"; a
>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>
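
The comparison done by eye across the dumps above can be scripted. The following is an added example, not part of the original thread or of FreeIPA's code: it unfolds two `ldapsearch` LDIF dumps, keys every ACI by entry DN and ACL name, and reports ACIs that are missing, extra or changed on the second server. The sample dumps, the `dc=example,dc=test` suffix and all function names are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed sample input (shortened, not copied from the thread): two
# `ldapsearch -b cn=config "(aci=*)" aci` dumps, folded the way ldapsearch
# folds LDIF (continuation lines start with exactly one space).
REFERENCE_LDIF = """\
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr = "cn || nsds5replicahost || objectclass")(targetfilter = "(o
 bjectclass=nsds5replicationagreement)")(version 3.0;acl "permission:System: R
 ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
 =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=tes
 t";)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
 , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=exam
 ple,dc=test";)
"""

CANDIDATE_LDIF = """\
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
 , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=exam
 ple,dc=test";)

# search result
search: 2
result: 0 Success
"""

# The dumps in the thread use both `acl "name"` and `aci "name"` after the version.
ACL_NAME = re.compile(r'\(\s*version\s+3\.0\s*;\s*ac[li]\s+"([^"]+)"', re.I)


def unfold(text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", text)


def parse_acis(ldif_text):
    """Return {dn: {acl name: aci value}} with DNs and whitespace normalized."""
    acis = defaultdict(dict)
    dn = None
    for line in unfold(ldif_text).splitlines():
        if not line.strip():
            dn = None                      # blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        attr = attr.lower()
        if attr == "dn":
            # Normalized only so that both dumps compare equal, not for reuse.
            dn = ",".join(part.strip() for part in value.lower().split(","))
        elif attr == "aci" and dn is not None:
            body = " ".join(value.split())
            match = ACL_NAME.search(body)
            # Fall back to the whole value if the ACI carries no quoted name.
            acis[dn][match.group(1) if match else body] = body
    return dict(acis)


def diff_acis(reference, candidate):
    """List (kind, dn, acl name) for ACIs missing, extra or changed in candidate."""
    findings = []
    for dn in sorted(set(reference) | set(candidate)):
        ref, cand = reference.get(dn, {}), candidate.get(dn, {})
        for name in sorted(set(ref) | set(cand)):
            if name not in cand:
                findings.append(("missing", dn, name))
            elif name not in ref:
                findings.append(("extra", dn, name))
            elif ref[name] != cand[name]:
                findings.append(("changed", dn, name))
    return findings


if __name__ == "__main__":
    for kind, dn, name in diff_acis(parse_acis(REFERENCE_LDIF),
                                    parse_acis(CANDIDATE_LDIF)):
        print(f"{kind:8} {dn}: {name}")
```

Feed it raw `ldapsearch` output rather than text copied from a mail archive, where re-wrapping destroys the one-space continuation marker; `ldapsearch -o ldif-wrap=no` avoids folding altogether.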