Martin Kosek wrote:
On Tue, 2011-12-06 at 14:03 -0500, Rob Crittenden wrote:
Some privileges were being created after the permissions that were
pointing to it causing the memberof to not be generated.
This patch reorders things for new installs and creates a PBAC memberof
task that will correct an upgrade.
rob
I found a few issues with this patch:
1) It needs a rebase, Makefile.am chunk does not apply.
Done.
2) The patch won't fix "Modify Group membership" privilege issue. The
problem here is that this privilege does not have any permissions
assigned at all.
Right, I started looking at the wrong privilege. Fixed.
3) The update has failed in my case (on F16):
# ipa-ldap-updater --upgrade
Upgrading IPA:
[1/8]: stopping directory server
[2/8]: saving configuration
[3/8]: disabling listeners
[4/8]: starting directory server
[5/8]: upgrading server
ipa : ERROR Upgrade failed with Unable to connect to LDAP server
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
[6/8]: stopping directory server
[7/8]: restoring configuration
[8/8]: starting directory server
done configuring dirsrv.
ipa : INFO IPA upgrade failed.
IPA upgrade failed.
The socket is there though, no AVC in audit.log either.
# ls /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket
/var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket
Did the update work for you?
Yes, it works for me. I think this problem is unrelated to my patch.
Might be worth it to check the 389-ds logs to see if it started properly.
rob
From d0328a2448914be208dc3e3a58ca0bf83a130e01 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Tue, 6 Dec 2011 14:01:46 -0500
Subject: [PATCH] Reorder privileges so that memberof for permissions are
generated properly.
The privilege was added after the permission causing the memberof to not
be generated.
Add a new task to regenerate memberof for existing PBAC to fix upgrades.
https://fedorahosted.org/freeipa/ticket/2058
https://fedorahosted.org/freeipa/ticket/2059
https://fedorahosted.org/freeipa/ticket/2060
https://fedorahosted.org/freeipa/ticket/2061
---
install/updates/40-delegation.update | 41 +++++++++++++++----------------
install/updates/45-roles.update | 3 ++
install/updates/55-pbacmemberof.update | 10 +++++++
install/updates/Makefile.am | 1 +
4 files changed, 34 insertions(+), 21 deletions(-)
create mode 100644 install/updates/55-pbacmemberof.update
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index a852ba4..cd5b498 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -18,6 +18,12 @@ dn: $SUFFIX
add:aci: '(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
# Host-Based Access Control
+dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: HBAC Administrator
+default:description: HBAC Administrator
dn: cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
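Review bot: the relocated "HBAC Administrator" entry in this hunk is not followed by a blank separator line before `dn: cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX`, while the matching Sudo and Password Policy hunks later in this file do add a blank `+` line after their `default:description:` (the hunk header counts confirm it: +6 lines here versus +7 there). Add the blank line after `+default:description: HBAC Administrator` so all three moved privilege entries are delimited the same way and the update parser sees a clean entry boundary.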
@@ -82,13 +88,6 @@ default:objectClass: top
default:cn: Manage HBAC service group membership
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: HBAC Administrator
-default:description: HBAC Administrator
-
dn: $SUFFIX
add:aci: '(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)'
@@ -102,6 +101,13 @@ add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn
# SUDO
+dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Sudo Administrator
+default:description: Sudo Administrator
+
dn: cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
@@ -165,13 +171,6 @@ default:objectClass: top
default:cn: Manage Sudo command group membership
default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: Sudo Administrator
-default:description: Sudo Administrator
-
dn: $SUFFIX
add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)'
@@ -184,6 +183,13 @@ add:aci: '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX";)'
# Password Policy
+dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Password Policy Administrator
+default:description: Password Policy Administrator
+
dn: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
@@ -226,13 +232,6 @@ default:objectClass: top
default:cn: Modify Group Password Policy
default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: Password Policy Administrator
-default:description: Password Policy Administrator
-
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update
index 04f4be8..3803cee 100644
--- a/install/updates/45-roles.update
+++ b/install/updates/45-roles.update
@@ -21,6 +21,9 @@ default:cn: Modify Group membership
default:description: Modify Group membership
default:member: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
+dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
+add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'
+
dn: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
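Review bot: this is the change that addresses the empty "Modify Group membership" privilege, but it does so with an `add:member:` on the permission entry `cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX`, which is not created in this file and must already exist from the earlier 40-delegation.update; worth a sentence in the commit message, since the message only mentions the privilege/permission ordering. Note also that the resulting memberOf on the privilege is only generated by the memberOf plugin on this write for new installs, while existing installs depend on the 55-pbacmemberof task to pick it up, so the ordering 45 < 55 is load-bearing here.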
diff --git a/install/updates/55-pbacmemberof.update b/install/updates/55-pbacmemberof.update
new file mode 100644
index 0000000..bc17f56
--- /dev/null
+++ b/install/updates/55-pbacmemberof.update
@@ -0,0 +1,10 @@
+#
+# This needs to come later in the cycle otherwise the DN sorting is going
+# to cause it to execute before the member attributes are added
+dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
+add: objectClass: top
+add: objectClass: extensibleObject
+add: cn: IPA PBAC memberOf $TIME
+add: basedn: 'cn=privileges,cn=pbac,$SUFFIX'
+add: filter: (objectclass=*)
+add: ttl: 10
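Review bot: the fixup task's `basedn` is `cn=privileges,cn=pbac,$SUFFIX`, so it regenerates memberOf only on privilege entries. The 45-roles hunk shows privileges listing roles as members (`default:member: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX`), so any role entry under `cn=roles,cn=accounts` whose memberOf was likewise missed by the old ordering would not be repaired by this task; either confirm that roles were never affected and say so in the header comment, or widen the scope to cover them. Two smaller points: `filter: (objectclass=*)` is fine but could be narrowed to the privilege objectClasses, and `ttl: 10` means the task entry is discarded ten seconds after it finishes, which leaves little time to inspect its status if an upgrade is being debugged.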
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 5cf4309..cc71176 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -27,6 +27,7 @@ app_DATA = \
50-hbacservice.update \
50-nis.update \
50-ipaconfig.update \
+ 55-pbacmemberof.update \
$(NULL)
EXTRA_DIST = \
--
1.7.6
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel