[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
Martin Basti
mbasti at redhat.com
Tue Jan 26 20:56:26 UTC 2016
On 26.01.2016 21:51, Martin Basti wrote:
>
>
> On 26.01.2016 21:03, Nathan Peters wrote:
>> After some more investigation, it appears that there may be more ACIs
>> missing.
>>
>> I added the missing permission (System: Read Replication Agreements)
>> on all my masters, and then the installation failed at this point :
>> ---------------------------
>> [28/43]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write'
>> privilege to the 'nsds5BeginReplicaRefresh' attribute of entry
>> 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping
>> tree,cn=config'.\n", 'desc': 'Insufficient access'}
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info':
>> "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh'
>> attribute of entry
>> 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping
>> tree,cn=config'.\n", 'desc': 'Insufficient access'}
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> Because of that and a comparison of my earlier version of ldif files
>> from earlier versions of FreeIPA, I noticed the following ACI also
>> missing from the mapping tree :
>> --------------------------------------
>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>> Agreements";al
>> low (add) groupdn = "ldap:///cn=Add Replication
>> Agreements,cn=permissions,cn=
>> pbac,dc=mydomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>> Replication Agreeme
>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>> Replication Ag
>> reements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)
>>
>> After I added that, I attempted my replica installation again this
>> time it failed on the o=ipaca branch
>> ----------------------------------------
>> Configuring certificate server (pki-tomcatd). Estimated time: 3
>> minutes 30 seconds
>> [1/23]: creating certificate server user
>> [2/23]: creating certificate server db
>> [3/23]: setting up initial replication
>> [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write'
>> privilege to the 'nsDS5ReplicaBindDN' attribute of entry
>> 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc':
>> 'Insufficient access'}
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info':
>> "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute
>> of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n",
>> 'desc': 'Insufficient access'}
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> Looking at that branch of the ldap tree, I noticed some differences
>> ---------------------------------------------------------------------------
>>
>> In the cn=yourdomain,cn=mapping tree,cn=config you will find the
>> following permissions :
>> permission:Add Replication Agreements
>> In the cn=o=ipaca,cn=mapping tree,cn=config you will find the
>> following permissions :
>> cert manager: Add Replication Agreements
>>
>> =========================
>> So I think there are actually 3 issues :
>> ===========================
>> 1. Missing aci on base cn=config entry
>> 2. Missing aci on dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>> branch
>> 3. acis are on the o=ipaca branch, but they are wrong as they only
>> apply to cert manager, and not all users
> I'm not sure if this covers your issues, but it may be related
>
> https://fedorahosted.org/freeipa/ticket/5412
>
> Martin
and this https://fedorahosted.org/freeipa/ticket/5575
>>
>> -----Original Message-----
>> From: Martin Basti [mailto:mbasti at redhat.com]
>> Sent: January-25-16 4:57 AM
>> To: Nathan Peters; Rich Megginson; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails
>> with DuplicateEntry: This entry already exists
>>
>> Thank you,
>>
>> I found root cause why "System: Read Replication Agreements" ACI is
>> not on replica.
>>
>> https://fedorahosted.org/freeipa/ticket/5631
>>
>> I have to figure out why this permission is added on centos7.2,
>> because IMO this bug is there from 4.0.
>>
>>
>> On 24.01.2016 03:22, Nathan Peters wrote:
>>> I can now confirm that this is a 100% reproducible bug, and a pretty
>>> severe one at that. You should be able to reproduce this issue at
>>> will if you follow these steps. It may actually be possible with
>>> less servers and less steps, but here is what I did in a test lab
>>> today:
>>>
>>> 1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0
>>> with 3 servers, dc1, dc2, dc3, replicating any way you want.
>>> 3. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete
>>> the server / vm / whatever you have it running on
>>> 3. Install Fedora 23 on the same IP address and hostname
>>> (dc2.ipatestdomain.net). Install FreeIPA server 4.2.3 from replica
>>> file created on CA master (dc1).
>>>
>>> Check aci on dc2. You will notice it's now missing a bunch of
>>> stuff. So basically, all it takes to lose that ACL is to create a
>>> Fedora FreeIPA server and join it to a CentOS domain.
>>> After I had upgraded all 3 to Fedora, that ACLS was lost permanently
>>> as it no longer existed on any server because there were no CentOS
>>> servers left.
>>>
>>> I'm assuming since this is so easy to reproduce, that you don't
>>> actually need my log files.
>>>
>>> ACL comparisons below for reference :
>>> 1. ACL on dc1 when its on FreeIPA 4.2.0 on CentOS 7.2 and the domain
>>> consists of only CentOS servers
>>> 2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 but
>>> there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for
>>> reference that the CentOS ACL hasn't changed yet)
>>> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created
>>> from a replica file made from dc1, the centOS 7.2 CA master(missing
>>> some stuff)
>>> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
>>> missing some stuff)
>>>
>>> ============================================================================
>>>
>>> 1. ACL on dc1 when its on FreeIPA 4.2.0 on CentOS 7.2 and the domain
>>> consists of only CentOS servers
>>> ============================================================================
>>>
>>> [root at dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config"
>>> "(aci=*)" aci
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (aci=*)
>>> # requesting: aci
>>> #
>>>
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
>>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>>> Database Confi
>>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> LDBM Databas
>>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) g
>>> roupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,dc=
>>> ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || description || entryusn
>>> || modify
>>> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
>>> nsds5debugreplicatimeou
>>> t || nsds5flags || nsds5replicaabortcleanruv ||
>>> nsds5replicaautoreferral || n
>>> sds5replicabackoffmax || nsds5replicabackoffmin ||
>>> nsds5replicabinddn || nsds
>>> 5replicabindmethod || nsds5replicabusywaittime ||
>>> nsds5replicachangecount ||
>>> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
>>> nsds5replicacl
>>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled
>>> || nsds5repl
>>> icahost || nsds5replicaid || nsds5replicalastinitend ||
>>> nsds5replicalastinits
>>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend
>>> || nsds5repli
>>> calastupdatestart || nsds5replicalastupdatestatus ||
>>> nsds5replicalegacyconsum
>>> er || nsds5replicaname || nsds5replicaport ||
>>> nsds5replicaprotocoltimeout ||
>>> nsds5replicapurgedelay || nsds5replicareferral ||
>>> nsds5replicaroot || nsds5re
>>> plicasessionpausetime || nsds5replicastripattrs ||
>>> nsds5replicatedattributeli
>>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
>>> nsds5replic
>>> atombstonepurgeinterval || nsds5replicatransportinfo ||
>>> nsds5replicatype || n
>>> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
>>> nsds5task || nsd
>>> s7directoryreplicasubtree || nsds7dirsynccookie ||
>>> nsds7newwingroupsyncenable
>>> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
>>> nsds7windowsreplicas
>>> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
>>> onewaysync ||
>>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction
>>> || winsyncsub
>>> treepair || winsyncwindowsfilter")(targetfilter =
>>> "(|(objectclass=nsds5Replic
>>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>>> greement)(objectClass=nsMappingTree))")(version 3.0;acl
>>> "permission:System: R
>>> ead Replication Agreements";allow (compare,read,search) groupdn =
>>> "ldap:///cn
>>> =System: Read Replication
>>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>>> n,dc=net";)
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
>>> !="aci")(version 3.0;acl
>>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>>>
>>> # tasks, config
>>> dn: cn=tasks,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>>> re-initializatio
>>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permis
>>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>>> replica re
>>> -initialization"; allow (add) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>>> ca";)
>>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>>> allow (read
>>> , compare, search) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>>> atestdomain,dc=net";)
>>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
>>> membershi
>>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
>>> Automember Ta
>>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System:
>>> Read Automembe
>>> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # csusers, config
>>> dn: ou=csusers,cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>>> replication use
>>> rs"; allow (all) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>>> allow( rea
>>> d, search ) userdn = "ldap:///all";)
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>>> allow (read,
>>> search, compare, proxy) userdn = "ldap:///anyone"; )
>>>
>>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>>> Agreements";al
>>> low (add) groupdn = "ldap:///cn=Add Replication
>>> Agreements,cn=permissions,cn=
>>> pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>>> Replication Agreeme
>>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>>> Replication Ag
>>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "permission:Rem
>>> ove Replication Agreements";allow (delete) groupdn =
>>> "ldap:///cn=Remove Repli
>>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # o\3Dipaca, mapping tree, config
>>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>>> Agreements"
>>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>>> Replication Agre
>>> ements"; allow (read, write, search) userdn =
>>> "ldap:///uid=pkidbuser,ou=peopl
>>> e,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "cert manager:
>>> Remove Replication Agreements";allow (delete) userdn =
>>> "ldap:///uid=pkidbuser
>>> ,ou=people,o=ipaca";)
>>>
>>> # ldbm database, plugins, config
>>> dn: cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>>> searches"; a
>>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> aci: (targetattr=dnaNextRange || dnaNextValue ||
>>> dnaMaxValue)(version 3.0;acl
>>> "permission:Modify DNA Range";allow (write) groupdn =
>>> "ldap:///cn=Modify DNA
>>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>>> || dnaThre
>>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>>> DNA Range";
>>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>>> Range,cn=permiss
>>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # userRoot, ldbm database, plugins, config
>>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>>> the databas
>>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove
>>> Replication Agreement
>>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 12
>>> # numEntries: 11
>>>
>>>
>>> ============================================================================
>>>
>>> 2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 but
>>> there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for
>>> reference that the CentOS ACL hasn't changed yet)
>>> ============================================================================
>>>
>>> ================ after reinstallation of dc2 in fedora 23 / ipa
>>> 4.2.3 =========================
>>>
>>> [root at dc1 ~]# ldapsearch -b "cn=config" -D
>>> "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
>>> Enter LDAP Password:
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
>>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>>> Database Confi
>>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> LDBM Databas
>>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) g
>>> roupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,dc=
>>> ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || description || entryusn
>>> || modify
>>> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
>>> nsds5debugreplicatimeou
>>> t || nsds5flags || nsds5replicaabortcleanruv ||
>>> nsds5replicaautoreferral || n
>>> sds5replicabackoffmax || nsds5replicabackoffmin ||
>>> nsds5replicabinddn || nsds
>>> 5replicabindmethod || nsds5replicabusywaittime ||
>>> nsds5replicachangecount ||
>>> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
>>> nsds5replicacl
>>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled
>>> || nsds5repl
>>> icahost || nsds5replicaid || nsds5replicalastinitend ||
>>> nsds5replicalastinits
>>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend
>>> || nsds5repli
>>> calastupdatestart || nsds5replicalastupdatestatus ||
>>> nsds5replicalegacyconsum
>>> er || nsds5replicaname || nsds5replicaport ||
>>> nsds5replicaprotocoltimeout ||
>>> nsds5replicapurgedelay || nsds5replicareferral ||
>>> nsds5replicaroot || nsds5re
>>> plicasessionpausetime || nsds5replicastripattrs ||
>>> nsds5replicatedattributeli
>>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
>>> nsds5replic
>>> atombstonepurgeinterval || nsds5replicatransportinfo ||
>>> nsds5replicatype || n
>>> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
>>> nsds5task || nsd
>>> s7directoryreplicasubtree || nsds7dirsynccookie ||
>>> nsds7newwingroupsyncenable
>>> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
>>> nsds7windowsreplicas
>>> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
>>> onewaysync ||
>>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction
>>> || winsyncsub
>>> treepair || winsyncwindowsfilter")(targetfilter =
>>> "(|(objectclass=nsds5Replic
>>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>>> greement)(objectClass=nsMappingTree))")(version 3.0;acl
>>> "permission:System: R
>>> ead Replication Agreements";allow (compare,read,search) groupdn =
>>> "ldap:///cn
>>> =System: Read Replication
>>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>>> n,dc=net";)
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
>>> !="aci")(version 3.0;acl
>>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>>>
>>> # tasks, config
>>> dn: cn=tasks,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>>> re-initializatio
>>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permis
>>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>>> replica re
>>> -initialization"; allow (add) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>>> ca";)
>>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>>> allow (read
>>> , compare, search) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>>> atestdomain,dc=net";)
>>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
>>> membershi
>>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
>>> Automember Ta
>>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System:
>>> Read Automembe
>>> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # csusers, config
>>> dn: ou=csusers,cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>>> replication use
>>> rs"; allow (all) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>>> allow( rea
>>> d, search ) userdn = "ldap:///all";)
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>>> allow (read,
>>> search, compare, proxy) userdn = "ldap:///anyone"; )
>>>
>>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>>> Agreements";al
>>> low (add) groupdn = "ldap:///cn=Add Replication
>>> Agreements,cn=permissions,cn=
>>> pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>>> Replication Agreeme
>>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>>> Replication Ag
>>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "permission:Rem
>>> ove Replication Agreements";allow (delete) groupdn =
>>> "ldap:///cn=Remove Repli
>>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # o\3Dipaca, mapping tree, config
>>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>>> Agreements"
>>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>>> Replication Agre
>>> ements"; allow (read, write, search) userdn =
>>> "ldap:///uid=pkidbuser,ou=peopl
>>> e,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "cert manager:
>>> Remove Replication Agreements";allow (delete) userdn =
>>> "ldap:///uid=pkidbuser
>>> ,ou=people,o=ipaca";)
>>>
>>> # ldbm database, plugins, config
>>> dn: cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>>> searches"; a
>>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> aci: (targetattr=dnaNextRange || dnaNextValue ||
>>> dnaMaxValue)(version 3.0;acl
>>> "permission:Modify DNA Range";allow (write) groupdn =
>>> "ldap:///cn=Modify DNA
>>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>>> || dnaThre
>>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>>> DNA Range";
>>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>>> Range,cn=permiss
>>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # userRoot, ldbm database, plugins, config
>>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>>> the databas
>>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove
>>> Replication Agreement
>>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 12
>>> # numEntries: 11
>>>
>>>
>>>
>>> ============================================================================
>>>
>>> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the
>>> replica file was made from dc1 which is a CentOS server that still
>>> has the acls(missing some stuff)
>>> ============================================================================
>>>
>>> aci list on dc2
>>>
>>> [root at dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config"
>>> "(aci=*)" aci
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (aci=*)
>>> # requesting: aci
>>> #
>>>
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
>>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>>> Database Confi
>>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> LDBM Databas
>>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) g
>>> roupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,dc=
>>> ipatestdomain,dc=net";)
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
>>> !="aci")(version 3.0;acl
>>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>>>
>>> # tasks, config
>>> dn: cn=tasks,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>>> re-initializatio
>>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permis
>>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>>> replica re
>>> -initialization"; allow (add) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>>> ca";)
>>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>>> allow (read
>>> , compare, search) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>>> atestdomain,dc=net";)
>>>
>>> # csusers, config
>>> dn: ou=csusers,cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>>> replication use
>>> rs"; allow (all) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>>> allow( rea
>>> d, search ) userdn = "ldap:///all";)
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>>> allow (read,
>>> search, compare, proxy) userdn = "ldap:///anyone"; )
>>>
>>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>>> Agreements";al
>>> low (add) groupdn = "ldap:///cn=Add Replication
>>> Agreements,cn=permissions,cn=
>>> pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>>> Replication Agreeme
>>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>>> Replication Ag
>>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "permission:Rem
>>> ove Replication Agreements";allow (delete) groupdn =
>>> "ldap:///cn=Remove Repli
>>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # o\3Dipaca, mapping tree, config
>>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>>> Agreements"
>>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>>> Replication Agre
>>> ements"; allow (read, write, search) userdn =
>>> "ldap:///uid=pkidbuser,ou=peopl
>>> e,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "cert manager:
>>> Remove Replication Agreements";allow (delete) userdn =
>>> "ldap:///uid=pkidbuser
>>> ,ou=people,o=ipaca";)
>>>
>>> # ldbm database, plugins, config
>>> dn: cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>>> searches"; a
>>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> aci: (targetattr=dnaNextRange || dnaNextValue ||
>>> dnaMaxValue)(version 3.0;acl
>>> "permission:Modify DNA Range";allow (write) groupdn =
>>> "ldap:///cn=Modify DNA
>>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>>> || dnaThre
>>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>>> DNA Range";
>>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>>> Range,cn=permiss
>>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # userRoot, ldbm database, plugins, config
>>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>>> the databas
>>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove
>>> Replication Agreement
>>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 12
>>> # numEntries: 11
>>>
>>> ============================================================================
>>>
>>> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
>>> missing some stuff)
>>> ============================================================================
>>>
>>> [root at dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b
>>> "cn=config" "(aci=*)" aci
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (aci=*)
>>> # requesting: aci
>>> #
>>>
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
>>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>>> Database Confi
>>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> LDBM Databas
>>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) g
>>> roupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,dc=
>>> ipatestdomain,dc=net";)
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
>>> !="aci")(version 3.0;acl
>>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>>>
>>> # tasks, config
>>> dn: cn=tasks,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>>> re-initializatio
>>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permis
>>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>>> replica re
>>> -initialization"; allow (add) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>>> ca";)
>>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>>> allow (read
>>> , compare, search) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>>> atestdomain,dc=net";)
>>>
>>> # csusers, config
>>> dn: ou=csusers,cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>>> replication use
>>> rs"; allow (all) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>>> allow( rea
>>> d, search ) userdn = "ldap:///all";)
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>>> allow (read,
>>> search, compare, proxy) userdn = "ldap:///anyone"; )
>>>
>>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>>> Agreements";al
>>> low (add) groupdn = "ldap:///cn=Add Replication
>>> Agreements,cn=permissions,cn=
>>> pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>>> Replication Agreeme
>>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>>> Replication Ag
>>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "permission:Rem
>>> ove Replication Agreements";allow (delete) groupdn =
>>> "ldap:///cn=Remove Repli
>>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # o\3Dipaca, mapping tree, config
>>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>>> Agreements"
>>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>>> Replication Agre
>>> ements"; allow (read, write, search) userdn =
>>> "ldap:///uid=pkidbuser,ou=peopl
>>> e,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "cert manager:
>>> Remove Replication Agreements";allow (delete) userdn =
>>> "ldap:///uid=pkidbuser
>>> ,ou=people,o=ipaca";)
>>>
>>> # ldbm database, plugins, config
>>> dn: cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>>> searches"; a
>>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> aci: (targetattr=dnaNextRange || dnaNextValue ||
>>> dnaMaxValue)(version 3.0;acl
>>> "permission:Modify DNA Range";allow (write) groupdn =
>>> "ldap:///cn=Modify DNA
>>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>>> || dnaThre
>>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>>> DNA Range";
>>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>>> Range,cn=permiss
>>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # userRoot, ldbm database, plugins, config
>>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>>> the databas
>>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove
>>> Replication Agreement
>>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 12
>>> # numEntries: 11
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>>> Sent: January-22-16 10:24 AM
>>> To: Nathan Peters; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation
>>> fails with DuplicateEntry: This entry already exists
>>>
>>> On 01/22/2016 11:04 AM, Nathan Peters wrote:
>>>> Wow, strange stuff, the search I linked in the last email for our
>>>> non working dev environment seems short some entries.
>>>>
>>>> For comparison, here is the same search run against our currently
>>>> working prod environment.
>>>>
>>>> As you can see, our prod environment has a huge aci on the config
>>>> tree.
>>>>
>>>> For reference, our prod and dev environments were identical
>>>> (FreeIPA 4.1.4/CentOS7.1) before I updated our dev environment to
>>>> CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 ->
>>>> Fedora23/FreeIPA4.3.0. So at some point during this upgrade
>>>> process I assume maybe one of the installers deleted acis on our
>>>> tree? That sounds like the kind of thing that would happen when
>>>> introducing the new domain level functionality in 4.3, like if
>>>> someone accidentally thought "oh this replica branch is now in a
>>>> globally replicated section, we can remove these acis for this
>>>> local stuff..." and then put that logic into the installer or
>>>> something...
>>>>
>>>> The real question is, is there some good way of getting those aci's
>>>> back, like a fixaci command?
>>> I don't know.
>>>
>
More information about the Freeipa-users
mailing list