[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Rich Megginson rmeggins at redhat.com
Fri Jan 22 17:41:03 UTC 2016


On 01/22/2016 10:15 AM, Nathan Peters wrote:
> [root at dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>   ,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>   s Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>   nfiguration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>   e Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
>   dev-mydomain,dc=net";)
>
> # mapping tree, config
> dn: cn=mapping tree,cn=config
> aci: (target = "ldap:///cn=meTo($dn),cn=*,cn=mapping tree,cn=config")(targetat
>   tr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replica
>   tion agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($dn),c
>   n=computers,cn=accounts,dc=dev-mydomain,dc=net";)

I don't see any acis to allow the IPA admin user to have access to 
cn=config or any entries below it.

Looks like the host principal should be able to read the replication 
agreements that replicate to it from other hosts.

>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
>   sions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dev-
>   mydomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
>   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>   ions,cn=pbac,dc=dev-mydomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>   s,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 13
> # numEntries: 12
>
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: January-22-16 6:26 AM
> To: Nathan Peters; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
>
> On 01/21/2016 08:48 PM, Nathan Peters wrote:
>> Here are the results for that aci search using a non-GSSAPI bind by directory manager on the old master that we are attempting to join against.  I don't see anything in this list that would indicate that some users should or should not have access through a certain method.  Unless one of those sasl config settings is doing it?
>>
>> [root at dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)"
> You almost got it.  You left out the most important part, at the end of the command, specifying the "aci" attribute:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html
>
> # ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
>
