On Wed, 2011-12-07 at 13:50 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2011-12-06 at 14:03 -0500, Rob Crittenden wrote:
> >> Some privileges were being created after the permissions that were
> >> pointing to it causing the memberof to not be generated.
> >>
> >> This patch reorders things for new installs and creates a PBAC memberof
> >> task that will correct an upgrade.
> >>
> >> rob
> >
> > I found few issues with this patch:
> >
> > 1) It needs a rebase, Makefile.am chunk does not apply.
>
> Done.
>
> >
> > 2) The patch won't fix "Modify Group membership" privilege issue. The
> > problem here is that this privilege does not have any permissions
> > assigned at all.
>
> Right, I started looking at the wrong privilege. Fixed.
>
> >
> > 3) The update has failed in my case (on F16):
> >
> > # ipa-ldap-updater --upgrade
> > Upgrading IPA:
> > [1/8]: stopping directory server
> > [2/8]: saving configuration
> > [3/8]: disabling listeners
> > [4/8]: starting directory server
> > [5/8]: upgrading server
> > ipa : ERROR Upgrade failed with Unable to connect to LDAP server
> > ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
> > [6/8]: stopping directory server
> > [7/8]: restoring configuration
> > [8/8]: starting directory server
> > done configuring dirsrv.
> > ipa : INFO IPA upgrade failed.
> > IPA upgrade failed.
> >
> > The socket is there though, no AVC in audit.log either.
> > # ls /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket
> > /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket
> >
> > Did the update work for you?
>
> Yes, it works for me. I think this problem is unrelated to my patch.
> Might be worth it to check the 389-ds logs to see if it started properly.
>
> rob

There was still a collision in Makefile.am. Rebased and pushed to master,
ipa-2-1.

The problem with ipa-ldap-updater is present on F-16 only - we try to
connect to socket before it is created by dirsrv. I created a ticket to
address this one:

https://fedorahosted.org/freeipa/ticket/2175

Martin
