[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Rich Megginson rmeggins at redhat.com
Fri Jan 22 18:23:31 UTC 2016


On 01/22/2016 11:04 AM, Nathan Peters wrote:
> Wow, strange stuff: the search I linked in the last email for our non-working dev environment seems to be short some entries.
>
> For comparison, here is the same search run against our currently working prod environment.
>
> As you can see, our prod environment has a huge aci on the config tree.
>
> For reference, our prod and dev environments were identical (FreeIPA 4.1.4/CentOS 7.1) before I updated our dev environment to CentOS 7.2/FreeIPA 4.2.0 -> Fedora 23/FreeIPA 4.2.3 -> Fedora 23/FreeIPA 4.3.0.  So at some point during this upgrade process I assume maybe one of the installers deleted ACIs on our tree?  That sounds like the kind of thing that would happen when introducing the new domain level functionality in 4.3, like if someone accidentally thought "oh, this replica branch is now in a globally replicated section, we can remove these ACIs for this local stuff..." and then put that logic into the installer or something...
>
> The real question is: is there some good way of getting those ACIs back, like a fixaci command?

I don't know.

>
> =========================
> Prod ACIs that do work, for comparison
> =========================
>
> [root at dc1-ipa-prod-nvan ~]$ ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=myproddomain,dc=net";)
> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dmyproddomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dmyproddomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters
> Sent: January-22-16 9:18 AM
> To: Rich Megginson; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
>
> [root at dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
>
> # mapping tree, config
> dn: cn=mapping tree,cn=config
> aci: (target = "ldap:///cn=meTo($dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=dev-mydomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 13
> # numEntries: 12
>
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: January-22-16 6:26 AM
> To: Nathan Peters; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
>
> On 01/21/2016 08:48 PM, Nathan Peters wrote:
>> Here are the results for that ACI search using a non-GSSAPI bind by Directory Manager on the old master that we are attempting to join against.  I don't see anything in this list that would indicate that some users should or should not have access through a certain method.  Unless one of those SASL config settings is doing it?
>>
>> [root at dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)"
> You almost got it.  You left out the most important part, at the end of the command, specifying the "aci" attribute:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html
>
> # ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
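Comparing two of these dumps by eye is error-prone: the ACI values are folded across lines, and every groupdn carries the environment's own base DN, so a plain diff flags every line. The script below is an added example (not code from this thread or from the FreeIPA project): it unfolds the LDIF produced by the ldapsearch command above, strips the base DN out of DNs and ACI values so the prod and dev trees line up, and then reports, per entry, which ACIs (by the name in their version clause) exist on only one side and which share a name but differ in definition. The two captures embedded in it are constructed excerpts in the style of the posted output, not the real dumps; on real servers, write each server's ldapsearch output to a file and pass its contents in.

```python
"""Diff the ACIs exported from two 389-ds / FreeIPA servers.
Added example, not from the thread or the FreeIPA project. Input is the text of
  ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
run on each server; the captures embedded below are constructed excerpts."""
import re
from collections import defaultdict

PLACEHOLDER = "$SUFFIX"  # stands in for the base DN so two domains compare equal
ACI_NAME = re.compile(r'\b(?:acl|aci)\s+"([^"]*)"')  # 389-ds accepts both keywords

def unfold_ldif(text):
    """Undo LDIF folding: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def normalize_suffix(value, suffix):
    """Replace the base DN in plain and RDN-escaped form (dc\\3Dexample\\2Cdc\\3Dnet)."""
    escaped = suffix.replace("=", "\\3D").replace(",", "\\2C")
    for form in (escaped, suffix):
        value = re.sub(re.escape(form), PLACEHOLDER, value, flags=re.IGNORECASE)
    return value

def aci_name(value):
    """Name from the version clause, e.g. 'permission:Add Replication Agreements'."""
    match = ACI_NAME.search(value)
    return match.group(1) if match else value

def parse_aci_export(text, suffix):
    """Return {normalized dn: {aci name: normalized aci value}}."""
    acis = defaultdict(dict)
    dn = None
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):  # ldapsearch comments, entry separators
            continue
        if line.lower().startswith("dn: "):
            dn = normalize_suffix(line[4:].strip(), suffix)
        elif line.lower().startswith("aci: ") and dn is not None:
            value = normalize_suffix(line[5:].strip(), suffix)
            acis[dn][aci_name(value)] = value
    return dict(acis)

def diff_acis(text_a, suffix_a, text_b, suffix_b):
    """ACIs present on one side only, plus same-named ACIs whose definition differs."""
    a, b = parse_aci_export(text_a, suffix_a), parse_aci_export(text_b, suffix_b)
    only_a, only_b, differs = [], [], []
    for dn in sorted(set(a) | set(b)):
        names_a, names_b = a.get(dn, {}), b.get(dn, {})
        only_a += [(dn, n) for n in sorted(set(names_a) - set(names_b))]
        only_b += [(dn, n) for n in sorted(set(names_b) - set(names_a))]
        differs += [(dn, n) for n in sorted(set(names_a) & set(names_b))
                    if names_a[n] != names_b[n]]
    return {"only_in_a": only_a, "only_in_b": only_b, "differs": differs}

# Constructed capture from the "prod" side (base DN dc=myproddomain,dc=net).
PROD_EXPORT = r"""# base <cn=config> with scope subtree
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr = "cn || objectclass")(version 3.0;acl "permission:System: R
 ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
 =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc
 =net";)

dn: cn=dc\3Dmyproddomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=myproddomain,dc=net";)
aci: (targetattr=*)(targetfilter="(objectclass=nsds5replicationagreement)")(v
 ersion 3.0;acl "permission:Remove Replication Agreements";allow (delete) grou
 pdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=myp
 roddomain,dc=net";)
"""

# Constructed capture from the "dev" side (base DN dc=dev-mydomain,dc=net).
DEV_EXPORT = r"""dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

dn: cn=mapping tree,cn=config
aci: (target = "ldap:///cn=meTo($dn),cn=*,cn=mapping tree,cn=config")(targetat
 tr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replica
 tion agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($dn),c
 n=computers,cn=accounts,dc=dev-mydomain,dc=net";)

dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Remove Replication Agreements"
 ;allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permis
 sions,cn=pbac,dc=dev-mydomain,dc=net";)
"""

if __name__ == "__main__":
    for key, items in diff_acis(PROD_EXPORT, "dc=myproddomain,dc=net",
                                DEV_EXPORT, "dc=dev-mydomain,dc=net").items():
        print(key, *[f"\n  {dn}: {name}" for dn, name in items])
```

Keying on the ACI name rather than the whole value is deliberate: FreeIPA's managed permissions carry a stable "permission:..." name while the groupdn changes per domain, so the name is what tells you an ACI is missing rather than merely different. OpenLDAP's ldapsearch also accepts `-o ldif-wrap=no`, which avoids the folding altogether; the unfolding step is there so captures taken without it (like the ones in this thread) still parse.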
