On Fri, 2011-10-07 at 08:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> >>>>> Martin Kosek wrote:
> >>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >>>>>>> The aci prefix was missing in the description of the three dns acis
> >>>>>>> which made them not show up when viewing their permission entries.
> >>>>>>>
> >>>>>>> rob
> >>>>>>
> >>>>>> This works fine, but it is just a part of a solution. DNS related
> >>>>>> privileges miss the memberof attribute for the DNS permissions and thus the
> >>>>>> permissions are not listed:
> >>>>>>
> >>>>>> # ipa permission-show "add dns entries"
> >>>>>>   Permission name: add dns entries
> >>>>>>   Permissions: add
> >>>>>>   Type: dnsrecord
> >>>>>>   Granted to Privilege: DNS Administrators, DNS Servers
> >>>>>>
> >>>>>> # ipa privilege-show "DNS Administrators"
> >>>>>>   Privilege name: DNS Administrators
> >>>>>>   Description: DNS Administrators
> >>>>>> <<< Missing permissions
> >>>>>>
> >>>>>> I think the reason is that the permissions are in a wrong order in the
> >>>>>> LDIF and are created before the privilege itself. When member links are
> >>>>>> being created for DNS permissions, the memberof plugin cannot add
> >>>>>> memberof attributes for the privilege since it does not exist yet. This
> >>>>>> is the main issue that the BZ bug complains about.
> >>>>>>
> >>>>>> Martin
> >>>>>>
> >>>>>
> >>>>> There are two problems:
> >>>>>
> >>>>> 1. The acis lacked a prefix so they didn't appear as permissions
> >>>>>
> >>>>> 2. The permission was added before the privilege so the memberof values
> >>>>> weren't being calculated.
> >>>>>
> >>>>> This fixes it for new installs and adds an update to fix up existing
> >>>>> installs.
> >>>>>
> >>>>> rob
> >>>>
> >>>> It works fine when doing an upgrade. However, when running a clean install,
> >>>> I get these errors:
> >>>>
> >>>> # ipa-server-install --setup-dns
> >>>> ...
> >>>>   [9/13]: publish CA cert
> >>>>   [10/13]: creating a keytab for httpd
> >>>>   [11/13]: configuring SELinux for httpd
> >>>>   [12/13]: restarting httpd
> >>>>   [13/13]: configuring httpd to start on boot
> >>>> done configuring httpd.
> >>>> Applying LDAP updates
> >>>> root        : ERROR    Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> root        : ERROR    Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> root        : ERROR    Add failure Object class violation: missing required
> >>>> attribute "objectclass"
> >>>> Restarting IPA to initialize updates before performing deletes:
> >>>>   [1/2]: stopping directory server
> >>>>   [2/2]: starting directory server
> >>>> done configuring dirsrv.
> >>>> Restarting the directory server
> >>>> Restarting the KDC
> >>>> Restarting the web server
> >>>> Configuring named:
> >>>>   [1/9]: adding DNS container
> >>>>   [2/9]: setting up our zone
> >>>>   [3/9]: setting up reverse zone
> >>>>   [4/9]: setting up our own record
> >>>>   [5/9]: setting up kerberos principal
> >>>>   [6/9]: setting up named.conf
> >>>>   [7/9]: restarting named
> >>>>   [8/9]: configuring named to start on boot
> >>>>   [9/9]: changing resolv.conf to point to ourselves
> >>>> done configuring named.
> >>>> ==============================================================================
> >>>>
> >>>> Setup complete
> >>>>
> >>>> Do you hit this too? Permissions and privileges member attributes were
> >>>> OK though.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> Bah, ok. We only create these permissions when dns is installed so I'll
> >>> need to find some way to optionally add this.
> >>>
> >>> rob
> >>
> >> I needed to add a new type to the updater to only add new values if the
> >> entry exists.
> >>
> >> rob
> >
> > I still get the same error. We have a new handy addifnew update type
> > ready, let's use it in this DNS .update file too :-)
> >
> > Martin
> >
>
> addifnew adds single value attributes if they aren't already in the
> entry, that will cause the same error.
>
> rob

I tested the patch when I replaced all add: directives in 40-dns.update
with addifexist. The clean installation now did not produce any error,
memberships were OK. However, updating an existing installation with DNS
was not OK - privileges are still without memberof attributes:

# ipa privilege-find dns
--------------------
2 privileges matched
--------------------
  Privilege name: DNS Administrators
  Description: DNS Administrators

  Privilege name: DNS Servers
  Description: DNS Servers
----------------------------
Number of entries returned 2
----------------------------

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
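The two mechanisms argued over in this thread, as an added toy model that is not part of the original posts and is not FreeIPA's ldapupdate.py or the 389-ds memberof plugin: an in-memory directory with a memberof-style hook, and the three update directives (add, addifnew, addifexist) with the semantics the participants describe. Everything here is an assumption for illustration: the suffix and DNs are constructed (the RDNs follow the thread), the objectclasses are made up, and the directive semantics are paraphrased from Rob's description rather than copied from the real updater. The model also assumes that re-adding a member value that is already present is a no-op which does not re-trigger the memberof hook; that reproduces the symptom Martin reports on an existing install, but the thread does not establish that this is the real cause.

```python
"""Toy model of out-of-order permission/privilege creation and of the
add / addifnew / addifexist update directives.  Added illustration only;
not FreeIPA code."""


class ObjectClassViolation(Exception):
    """Stands in for the LDAP 'Object class violation' result code."""


class ToyDirectory:
    """In-memory DIT: dn -> {lowercased attribute: [values]}."""

    def __init__(self):
        self.entries = {}

    def exists(self, dn):
        return dn in self.entries

    def get(self, dn, attr):
        return list(self.entries.get(dn, {}).get(attr.lower(), []))

    def add_entry(self, dn, attrs):
        """LDAP ADD: a new entry must carry an objectClass, otherwise the
        server rejects it (the error in the clean-install log above)."""
        entry = {k.lower(): list(v) for k, v in attrs.items()}
        if not entry.get("objectclass"):
            raise ObjectClassViolation('missing required attribute "objectclass"')
        self.entries[dn] = entry
        self._memberof_hook(dn, entry.get("member", []))

    def add_values(self, dn, attr, values):
        """LDAP MODIFY/add on an existing entry.  Returns the values that
        were actually new; duplicates are ignored and do not re-trigger
        the hook (assumption, see lead-in)."""
        store = self.entries[dn].setdefault(attr.lower(), [])
        new = [v for v in values if v not in store]
        store.extend(new)
        if attr.lower() == "member":
            self._memberof_hook(dn, new)
        return new

    def _memberof_hook(self, dn, members):
        """Toy memberof plugin: `dn` gained member: X, so write memberOf: dn
        onto X, but only if X exists.  A target created later never gets
        the back-link: the ordering problem Martin diagnoses."""
        for target in members:
            if self.exists(target):
                back = self.entries[target].setdefault("memberof", [])
                if dn not in back:
                    back.append(dn)


def apply_update(d, dn, directive, attr, values):
    """One update-file line `directive:attr:value`, semantics as described in
    the thread (assumed): add/addifnew create a missing entry from the line
    alone, which fails unless the line itself is the objectclass; addifexist
    skips a missing entry; addifnew skips when attr is already set.
    Returns 'added', 'noop', 'skipped' or 'error'."""
    try:
        if not d.exists(dn):
            if directive == "addifexist":
                return "skipped"
            d.add_entry(dn, {attr: values})
            return "added"
        if directive == "addifnew" and d.get(dn, attr):
            return "skipped"
        return "added" if d.add_values(dn, attr, values) else "noop"
    except ObjectClassViolation:
        return "error"


# Constructed DNs: the suffix is made up, the RDNs follow the thread.
SUFFIX = "dc=example,dc=test"
PRIV = "cn=DNS Administrators,cn=privileges,cn=pbac," + SUFFIX
PERM = "cn=add dns entries,cn=permissions,cn=pbac," + SUFFIX
GROUP_OC = ["top", "groupofnames", "nestedgroup"]  # assumed objectclasses


def install(order):
    """Create privilege and permission in `order` (as an install LDIF would);
    return the directory and the privilege's memberOf afterwards."""
    d = ToyDirectory()
    for what in order:
        if what == "privilege":
            d.add_entry(PRIV, {"objectClass": GROUP_OC, "cn": ["DNS Administrators"]})
        else:  # the permission holds member: <privilege DN>, as IPA's pbac does
            d.add_entry(PERM, {"objectClass": GROUP_OC + ["ipapermission"],
                               "cn": ["add dns entries"], "member": [PRIV]})
    return d, d.get(PRIV, "memberOf")


def run_dns_update(d, directive):
    """The fix-up line of a DNS .update file, applied with a given directive."""
    return apply_update(d, PERM, directive, "member", [PRIV])


if __name__ == "__main__":
    print("permission before privilege ->", install(["permission", "privilege"])[1])
    print("privilege before permission ->", install(["privilege", "permission"])[1])
    for directive in ("add", "addifnew", "addifexist"):
        print("no DNS entries yet, %-10s ->" % directive,
              run_dns_update(ToyDirectory(), directive))
```

The model shows why addifexist avoids the objectclass violation on a server where the DNS permission entries do not exist yet, and why an update that re-adds an already-present member value cannot repair a privilege whose memberOf was never written. When back-links are known to be stale after out-of-order or bulk loads, 389 Directory Server's memberOf fixup task regenerates them from the member attributes; that is the check a practitioner should run after applying such an update, independent of which directive the .update file uses.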