[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Nathan Peters Nathan.Peters at globalrelay.net
Tue Jan 26 20:03:50 UTC 2016


After some more investigation, it appears that there may be more ACIs missing.

I added the missing permission (System: Read Replication Agreements) on all my masters, and then the installation failed at this point:
---------------------------
[28/43]: setting up initial replication
Starting replication, please wait until this has completed.
  [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Because of that, and a comparison with my ldif files from earlier versions of FreeIPA, I noticed the following ACI is also missing from the mapping tree:
--------------------------------------
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=mydomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
 s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
 ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
 nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
 reements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)

After I added that, I attempted my replica installation again; this time it failed on the o=ipaca branch:
----------------------------------------
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/23]: creating certificate server user
  [2/23]: creating certificate server db
  [3/23]: setting up initial replication
  [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Looking at that branch of the ldap tree, I noticed some differences:
---------------------------------------------------------------------------
In cn=yourdomain,cn=mapping tree,cn=config you will find the following permissions:
permission:Add Replication Agreements
In cn=o=ipaca,cn=mapping tree,cn=config you will find the following permissions:
cert manager: Add Replication Agreements

=========================
So I think there are actually 3 issues:
===========================
1. Missing ACI on the base cn=config entry
2. Missing ACI on the dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config branch
3. ACIs are present on the o=ipaca branch, but they are wrong as they only apply to cert manager and not to all users

-----Original Message-----
From: Martin Basti [mailto:mbasti at redhat.com] 
Sent: January-25-16 4:57 AM
To: Nathan Peters; Rich Megginson; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Thank you,

I found the root cause of why the "System: Read Replication Agreements" ACI is not on the replica.

https://fedorahosted.org/freeipa/ticket/5631

I have to figure out why this permission is added on CentOS 7.2, because IMO this bug has been there since 4.0.


On 24.01.2016 03:22, Nathan Peters wrote:
> I can now confirm that this is a 100% reproducible bug, and a pretty severe one at that.  You should be able to reproduce this issue at will if you follow these steps.  It may actually be possible with fewer servers and fewer steps, but here is what I did in a test lab today:
>
> 1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 servers, dc1, dc2, dc3, replicating any way you want.
> 2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server / vm / whatever you have it running on.
> 3. Install Fedora 23 on the same IP address and hostname (dc2.ipatestdomain.net).  Install FreeIPA server 4.2.3 from the replica file created on the CA master (dc1).
>
> Check the ACIs on dc2.  You will notice it's now missing a bunch of stuff.  So basically, all it takes to lose that ACL is to create a Fedora FreeIPA server and join it to a CentOS domain.
> After I had upgraded all 3 to Fedora, that ACL was lost permanently, as it no longer existed on any server because there were no CentOS servers left.
>
> I'm assuming, since this is so easy to reproduce, that you don't actually need my log files.
>
> ACL comparisons below for reference:
> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists of only CentOS servers
> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference, to show that the CentOS ACL hasn't changed yet)
> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created from a replica file made from dc1, the CentOS 7.2 CA master (missing some stuff)
> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some stuff)
>
> ============================================================================
> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists of only CentOS servers
> ============================================================================
> [root at dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
>   timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
>   t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
>   sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
>   5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
>   nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
>   eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
>   icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
>   tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
>   calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
>   er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
>   nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
>   plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
>   st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
>   atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
>   sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
>   s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
>   d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
>   ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
>    winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
>   treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
>   a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>   greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
>   ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
>   =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>   n,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi
>   p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta
>   sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
>   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
>   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
> ============================================================================
> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference, to show that the CentOS ACL hasn't changed yet)
> ============================================================================
> ================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3 =========================
>
> [root at dc1 ~]# ldapsearch -b "cn=config" -D "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
> Enter LDAP Password:
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
>   timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
>   t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
>   sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
>   5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
>   nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
>   eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
>   icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
>   tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
>   calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
>   er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
>   nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
>   plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
>   st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
>   atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
>   sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
>   s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
>   d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
>   ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
>    winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
>   treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
>   a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>   greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
>   ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
>   =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>   n,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi
>   p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta
>   sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
>   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
>   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
>
> ============================================================================
> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the replica file was made from dc1, which is a CentOS server that still has the ACLs (missing some stuff)
> ============================================================================
> aci list on dc2
>
> [root at dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
>   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
> ============================================================================
> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some stuff)
> ============================================================================
> [root at dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
>   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: January-22-16 10:24 AM
> To: Nathan Peters; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
>
> On 01/22/2016 11:04 AM, Nathan Peters wrote:
>> Wow, strange stuff, the search I linked in the last email for our non working dev environment seems short some entries.
>>
>> For comparison, here is the same search run against our currently working prod environment.
>>
>> As you can see, our prod environment has a huge aci on the config tree.
>>
>>    For reference, our prod and dev environments were identical (FreeIPA 4.1.4/CentOS7.1) before I updated our dev environment to CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 -> Fedora23/FreeIPA4.3.0.  So at some point during this upgrade process I assume maybe one of the installers deleted acis on our tree?  That sounds like the kind of thing that would happen when introducing the new domain level functionality in 4.3, like if someone accidentally thought "oh this replica branch is now in a globally replicated section, we can remove these acis for this local stuff..." and then put that logic into the installer or something...
>>
>> The real question is, is there some good way of getting those ACIs back, like a fixaci command?
> I don't know.
>
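One way to answer the question above (which ACIs did the upgrade drop?) is to diff the two `ldapsearch -b cn=config "(aci=*)" aci` dumps mechanically rather than by eye. The following is an added example, not code from the thread or from FreeIPA: it unfolds the LDIF continuation lines, collects the aci values per DN and reports the ACL labels present on the working master but absent on the upgraded one. The sample dumps and the dc=example,dc=test suffix are constructed for the example.

```python
import base64
import re

def parse_acis(text):
    """Map dn -> set of aci values from `ldapsearch ... "(aci=*)" aci` output."""
    text = re.sub(r"\r?\n ", "", text)    # join RFC 2849 continuation lines
    acis, dn = {}, None
    for line in text.splitlines():
        if line.startswith("#"):          # ldapsearch comments, e.g. "# numEntries"
            continue
        if not line:                      # blank line terminates the entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>' form
            value = base64.b64decode(value[1:]).decode()
        value = value.strip()
        if attr == "dn":
            dn = value
            acis.setdefault(dn, set())
        elif attr == "aci" and dn is not None:
            acis[dn].add(value)
    return acis

def aci_name(aci):
    """ACL label; 389-ds dumps show both 'acl "..."' and 'aci "..."' spellings."""
    m = re.search(r'\bac[il] "([^"]*)"', aci)
    return m.group(1) if m else aci

def missing_acis(reference, candidate):
    """{dn: {ACL names}} present in the reference dump but absent on the candidate."""
    out = {}
    for dn, values in reference.items():
        gap = values - candidate.get(dn, set())
        if gap:
            out[dn] = {aci_name(a) for a in gap}
    return out

# Constructed sample dumps (not the thread's output): PROD carries one ACI DEV lacks.
PROD = """\
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr="*")(version 3.0;acl "permission:Read Replication Agreements"
 ;allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreeme
 nts,cn=permissions,cn=pbac,dc=example,dc=test";)
"""
DEV = "\n".join(PROD.splitlines()[:4]) + "\n"   # same entry, second aci missing
print(missing_acis(parse_acis(PROD), parse_acis(DEV)))
```

With real dumps, save each server's output to a file, read both and pass them to `missing_acis` in either direction; the reverse call shows ACIs the upgraded server gained.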