Re: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Mon, 25 Jan 2016 01:11:32 -0800 


On 25.01.2016 09:30, Ludwig Krispenz wrote:

Hi,


this is from a discussion on the user-list, there is a difference in 
acis on 4.2.0 and 4.2.3


this is the aci which is present in 4.2.0 and is missing in 4.2.3:


aci: (targetattr = "cn || createtimestamp || description || entryusn 
|| modify
 timestamp || nsds50ruv || nsds5beginreplicarefresh || 
nsds5debugreplicatimeou
 t || nsds5flags || nsds5replicaabortcleanruv || 
nsds5replicaautoreferral || n
 sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn 
|| nsds
 5replicabindmethod || nsds5replicabusywaittime || 
nsds5replicachangecount ||
 nsds5replicachangessentsincestartup || nsds5replicacleanruv || 
nsds5replicacl
 eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || 
nsds5repl
 icahost || nsds5replicaid || nsds5replicalastinitend || 
nsds5replicalastinits
 tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || 
nsds5repli
 calastupdatestart || nsds5replicalastupdatestatus || 
nsds5replicalegacyconsum
 er || nsds5replicaname || nsds5replicaport || 
nsds5replicaprotocoltimeout ||
 nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || 
nsds5re
 plicasessionpausetime || nsds5replicastripattrs || 
nsds5replicatedattributeli
 st || nsds5replicatedattributelisttotal || nsds5replicatimeout || 
nsds5replic
 atombstonepurgeinterval || nsds5replicatransportinfo || 
nsds5replicatype || n
 sds5replicaupdateinprogress || nsds5replicaupdateschedule || 
nsds5task || nsd
 s7directoryreplicasubtree || nsds7dirsynccookie || 
nsds7newwingroupsyncenable
 d || nsds7newwinusersyncenabled || nsds7windowsdomain || 
nsds7windowsreplicas
 ubtree || nsruvreplicalastmodified || nsstate || objectclass || 
onewaysync ||
  winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || 
winsyncsub
 treepair || winsyncwindowsfilter")(targetfilter = 
"(|(objectclass=nsds5Replic
 a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA 

 greement)(objectClass=nsMappingTree))")(version 3.0;acl 
"permission:System: R
 ead Replication Agreements";allow (compare,read,search) groupdn = 
"ldap:///cn
 =System: Read Replication 
Agreements,cn=permissions,cn=pbac,dc=ipatestdomai

 n,dc=net";)

does anybody know if and why this was changed ?


This ACI is created by 
ipaserver/install/plugins/update_managed_permissions.py


It haven't been touched for a while, did upgrade/install work well?

Maybe re-run ipa-server-upgrade should recreate this entry.




On 01/24/2016 03:22 AM, Nathan Peters wrote:

# config
dn: cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; 
allow (r
  ead, search, compare) userdn 
="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild 
membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild 
Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild 
Membership Task

  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers 
Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read 
PassSync Manager

  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync 
Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync 
Managers Co

  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ns
  slapd-directory* || objectclass")(target = 
"ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM 
Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  
LDBM Databas

  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (version 3.0;acl "permission:Add Configuration 
Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration 
Sub-Entries,cn=permissions,cn=pbac,dc=

  ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || description || entryusn 
|| modify
  timestamp || nsds50ruv || nsds5beginreplicarefresh || 
nsds5debugreplicatimeou
  t || nsds5flags || nsds5replicaabortcleanruv || 
nsds5replicaautoreferral || n
  sds5replicabackoffmax || nsds5replicabackoffmin || 
nsds5replicabinddn || nsds
  5replicabindmethod || nsds5replicabusywaittime || 
nsds5replicachangecount ||
  nsds5replicachangessentsincestartup || nsds5replicacleanruv || 
nsds5replicacl
  eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || 
nsds5repl
  icahost || nsds5replicaid || nsds5replicalastinitend || 
nsds5replicalastinits
  tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || 
nsds5repli
  calastupdatestart || nsds5replicalastupdatestatus || 
nsds5replicalegacyconsum
  er || nsds5replicaname || nsds5replicaport || 
nsds5replicaprotocoltimeout ||
  nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot 
|| nsds5re
  plicasessionpausetime || nsds5replicastripattrs || 
nsds5replicatedattributeli
  st || nsds5replicatedattributelisttotal || nsds5replicatimeout || 
nsds5replic
  atombstonepurgeinterval || nsds5replicatransportinfo || 
nsds5replicatype || n
  sds5replicaupdateinprogress || nsds5replicaupdateschedule || 
nsds5task || nsd
  s7directoryreplicasubtree || nsds7dirsynccookie || 
nsds7newwingroupsyncenable
  d || nsds7newwinusersyncenabled || nsds7windowsdomain || 
nsds7windowsreplicas
  ubtree || nsruvreplicalastmodified || nsstate || objectclass || 
onewaysync ||
   winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || 
winsyncsub
  treepair || winsyncwindowsfilter")(targetfilter = 
"(|(objectclass=nsds5Replic

a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA

  greement)(objectClass=nsMappingTree))")(version 3.0;acl 
"permission:System: R
  ead Replication Agreements";allow (compare,read,search) groupdn = 
"ldap:///cn
  =System: Read Replication 
Agreements,cn=permissions,cn=pbac,dc=ipatestdomai

  n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config

aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 
3.0;acl

  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config

aci: (targetattr=*)(version 3.0; acl "Run tasks after replica 
re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication 
Agreements,cn=permis

  sions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after 
replica re
  -initialization"; allow (add) userdn = 
"ldap:///uid=pkidbuser,ou=people,o=ipa

  ca";)

aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; 
allow (read
  , compare, search) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip

  atestdomain,dc=net";)

aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild 
membershi
  p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read 
Automember Ta
  sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read 
Automembe

  r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager manage 
replication use

  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config

aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; 
allow( rea

  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config

aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
allow (read,

   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "permission:Add Replication 
Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication 
Agreements,cn=permissions,cn=

  pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "permission:Modify 
Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  
Replication Ag

  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl 
"permission:Rem
  ove Replication Agreements";allow (delete) groupdn = 
"ldap:///cn=Remove  Repli

  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication 
Agreements"

  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify 
Replication Agre
  ements"; allow (read, write, search) userdn = 
"ldap:///uid=pkidbuser,ou=peopl

  e,o=ipaca";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert 
manager:
  Remove Replication Agreements";allow (delete) userdn = 
"ldap:///uid=pkidbuser

  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV 
searches"; a

  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config

dn: cn=Posix IDs,cn=Distributed Numeric Assignment 
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 
3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = 
"ldap:///cn=Modify  DNA

  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  
|| dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read 
DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA 
Range,cn=permiss

  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking 
the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication 
Agreement

  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11



============================================================================ 

2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 but there 
is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference 
that the CentOS ACL hasn't changed yet)
============================================================================ 

================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3 
=========================



[root@dc1 ~]# ldapsearch -b "cn=config" -D 
"uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W

Enter LDAP Password:
# config
dn: cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; 
allow (r
  ead, search, compare) userdn 
="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild 
membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild 
Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild 
Membership Task

  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers 
Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read 
PassSync Manager

  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync 
Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync 
Managers Co

  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ns
  slapd-directory* || objectclass")(target = 
"ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM 
Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  
LDBM Databas

  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (version 3.0;acl "permission:Add Configuration 
Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration 
Sub-Entries,cn=permissions,cn=pbac,dc=

  ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || description || entryusn 
|| modify
  timestamp || nsds50ruv || nsds5beginreplicarefresh || 
nsds5debugreplicatimeou
  t || nsds5flags || nsds5replicaabortcleanruv || 
nsds5replicaautoreferral || n
  sds5replicabackoffmax || nsds5replicabackoffmin || 
nsds5replicabinddn || nsds
  5replicabindmethod || nsds5replicabusywaittime || 
nsds5replicachangecount ||
  nsds5replicachangessentsincestartup || nsds5replicacleanruv || 
nsds5replicacl
  eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || 
nsds5repl
  icahost || nsds5replicaid || nsds5replicalastinitend || 
nsds5replicalastinits
  tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || 
nsds5repli
  calastupdatestart || nsds5replicalastupdatestatus || 
nsds5replicalegacyconsum
  er || nsds5replicaname || nsds5replicaport || 
nsds5replicaprotocoltimeout ||
  nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot 
|| nsds5re
  plicasessionpausetime || nsds5replicastripattrs || 
nsds5replicatedattributeli
  st || nsds5replicatedattributelisttotal || nsds5replicatimeout || 
nsds5replic
  atombstonepurgeinterval || nsds5replicatransportinfo || 
nsds5replicatype || n
  sds5replicaupdateinprogress || nsds5replicaupdateschedule || 
nsds5task || nsd
  s7directoryreplicasubtree || nsds7dirsynccookie || 
nsds7newwingroupsyncenable
  d || nsds7newwinusersyncenabled || nsds7windowsdomain || 
nsds7windowsreplicas
  ubtree || nsruvreplicalastmodified || nsstate || objectclass || 
onewaysync ||
   winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || 
winsyncsub
  treepair || winsyncwindowsfilter")(targetfilter = 
"(|(objectclass=nsds5Replic

a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA

  greement)(objectClass=nsMappingTree))")(version 3.0;acl 
"permission:System: R
  ead Replication Agreements";allow (compare,read,search) groupdn = 
"ldap:///cn
  =System: Read Replication 
Agreements,cn=permissions,cn=pbac,dc=ipatestdomai

  n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config

aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 
3.0;acl

  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config

aci: (targetattr=*)(version 3.0; acl "Run tasks after replica 
re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication 
Agreements,cn=permis

  sions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after 
replica re
  -initialization"; allow (add) userdn = 
"ldap:///uid=pkidbuser,ou=people,o=ipa

  ca";)

aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; 
allow (read
  , compare, search) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip

  atestdomain,dc=net";)

aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild 
membershi
  p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read 
Automember Ta
  sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read 
Automembe

  r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager manage 
replication use

  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config

aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; 
allow( rea

  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config

aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
allow (read,

   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "permission:Add Replication 
Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication 
Agreements,cn=permissions,cn=

  pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "permission:Modify 
Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  
Replication Ag

  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl 
"permission:Rem
  ove Replication Agreements";allow (delete) groupdn = 
"ldap:///cn=Remove  Repli

  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication 
Agreements"

  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify 
Replication Agre
  ements"; allow (read, write, search) userdn = 
"ldap:///uid=pkidbuser,ou=peopl

  e,o=ipaca";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert 
manager:
  Remove Replication Agreements";allow (delete) userdn = 
"ldap:///uid=pkidbuser

  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV 
searches"; a

  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config

dn: cn=Posix IDs,cn=Distributed Numeric Assignment 
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 
3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = 
"ldap:///cn=Modify  DNA

  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  
|| dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read 
DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA 
Range,cn=permiss

  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking 
the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication 
Agreement

  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11




============================================================================ 

3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the 
replica file was made from dc1 which is a CentOS server that still 
has the acls(missing some stuff)
============================================================================ 


aci list on dc2


[root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" 
"(aci=*)" aci

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; 
allow (r
  ead, search, compare) userdn 
="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild 
membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild 
Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild 
Membership Task

  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers 
Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read 
PassSync Manager

  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync 
Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync 
Managers Co

  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ns
  slapd-directory* || objectclass")(target = 
"ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM 
Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  
LDBM Databas

  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (version 3.0;acl "permission:Add Configuration 
Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration 
Sub-Entries,cn=permissions,cn=pbac,dc=

  ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config

aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 
3.0;acl

  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config

aci: (targetattr=*)(version 3.0; acl "Run tasks after replica 
re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication 
Agreements,cn=permis

  sions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after 
replica re
  -initialization"; allow (add) userdn = 
"ldap:///uid=pkidbuser,ou=people,o=ipa

  ca";)

aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; 
allow (read
  , compare, search) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip

  atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager manage 
replication use

  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config

aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; 
allow( rea

  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config

aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
allow (read,

   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "permission:Add Replication 
Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication 
Agreements,cn=permissions,cn=

  pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "permission:Modify 
Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  
Replication Ag

  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl 
"permission:Rem
  ove Replication Agreements";allow (delete) groupdn = 
"ldap:///cn=Remove  Repli

  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication 
Agreements"

  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify 
Replication Agre
  ements"; allow (read, write, search) userdn = 
"ldap:///uid=pkidbuser,ou=peopl

  e,o=ipaca";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert 
manager:
  Remove Replication Agreements";allow (delete) userdn = 
"ldap:///uid=pkidbuser

  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV 
searches"; a

  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config

dn: cn=Posix IDs,cn=Distributed Numeric Assignment 
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 
3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = 
"ldap:///cn=Modify  DNA

  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  
|| dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read 
DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA 
Range,cn=permiss

  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking 
the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication 
Agreement

  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11


============================================================================ 

4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now 
missing some stuff)
============================================================================ 

[root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b 
"cn=config" "(aci=*)" aci

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; 
allow (r
  ead, search, compare) userdn 
="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild 
membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild 
Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild 
Membership Task

  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers 
Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read 
PassSync Manager

  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "passsyncmanagersdns*")(target = 
"ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync 
Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync 
Managers Co

  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr = "cn || createtimestamp || entryusn || 
modifytimestamp || ns
  slapd-directory* || objectclass")(target = 
"ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM 
Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  
LDBM Databas

  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (version 3.0;acl "permission:Add Configuration 
Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration 
Sub-Entries,cn=permissions,cn=pbac,dc=

  ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config

aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 
3.0;acl

  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config

aci: (targetattr=*)(version 3.0; acl "Run tasks after replica 
re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication 
Agreements,cn=permis

  sions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after 
replica re
  -initialization"; allow (add) userdn = 
"ldap:///uid=pkidbuser,ou=people,o=ipa

  ca";)

aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; 
allow (read
  , compare, search) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip

  atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config

aci: (targetattr != aci)(version 3.0; aci "cert manager manage 
replication use

  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config

aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; 
allow( rea

  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config

aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
allow (read,

   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "permission:Add Replication 
Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication 
Agreements,cn=permissions,cn=

  pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "permission:Modify 
Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  
Replication Ag

  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl 
"permission:Rem
  ove Replication Agreements";allow (delete) groupdn = 
"ldap:///cn=Remove  Repli

  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config

aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication 
Agreements"

  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd

s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl

  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify 
Replication Agre
  ements"; allow (read, write, search) userdn = 
"ldap:///uid=pkidbuser,ou=peopl

  e,o=ipaca";)

aci: 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert 
manager:
  Remove Replication Agreements";allow (delete) userdn = 
"ldap:///uid=pkidbuser

  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV 
searches"; a

  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config

dn: cn=Posix IDs,cn=Distributed Numeric Assignment 
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 
3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = 
"ldap:///cn=Modify  DNA

  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  
|| dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read 
DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA 
Range,cn=permiss

  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config

aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking 
the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication 
Agreement

  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11




--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code






















					Reply via email to