Re: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Ludwig Krispenz Mon, 25 Jan 2016 01:15:32 -0800

Hi Martin,
this is what the guy on freeipa-users said he did:


>>>

I can now confirm that this is a 100% reproducible bug, and a pretty severe one 
at that.  You should be able to reproduce this issue at will if you follow 
these steps.  It may actually be possible with less servers and less steps, but 
here is what I did in a test lab today:

1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 
servers, dc1, dc2, dc3, replicating any way you want.
3. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server 
/ vm / whatever you have it running on
3. Install Fedora 23 on the same IP address and hostname 
(dc2.ipatestdomain.net).  Install FreeIPA server 4.2.3 from replica file 
created on CA master (dc1).

Check aci on dc2.  You will notice it's now missing a bunch of stuff.  So 
basically, all it takes to lose that ACL is to create a Fedora FreeIPA server 
and join it to a CentOS domain.
After I had upgraded all 3 to Fedora, that ACLS was lost permanently as it no 
longer existed on any server because there were no CentOS servers left.

<<<

If you have more questions on the test case, could you ask directly onthe user list, thanks


On 01/25/2016 10:09 AM, Martin Basti wrote:

On 25.01.2016 09:30, Ludwig Krispenz wrote:
Hi,
this is from a discussion on the user-list, there is a difference inacis on 4.2.0 and 4.2.3
this is the aci which is present in 4.2.0 and is missing in 4.2.3:
aci: (targetattr = "cn || createtimestamp || description || entryusn|| modifytimestamp || nsds50ruv || nsds5beginreplicarefresh ||nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv ||nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin ||nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime ||nsds5replicachangecount ||nsds5replicachangessentsincestartup || nsds5replicacleanruv ||nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled ||nsds5replicahost || nsds5replicaid || nsds5replicalastinitend ||nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||nsds5replicalastupdatestart || nsds5replicalastupdatestatus ||nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport ||nsds5replicaprotocoltimeout ||nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot|| nsds5replicasessionpausetime || nsds5replicastripattrs ||nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout ||nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo ||nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule ||nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie ||nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain ||nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass ||onewaysync ||winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||winsyncsubtreepair || winsyncwindowsfilter")(targetfilter ="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl"permission:System: Read Replication Agreements";allow (compare,read,search) groupdn ="ldap:///cn=System: Read ReplicationAgreements,cn=permissions,cn=pbac,dc=ipatestdomai
 n,dc=net";)

does anybody know if and why this was changed ?
This ACI is created byipaserver/install/plugins/update_managed_permissions.py
It haven't been touched for a while, did upgrade/install work well?

Maybe re-run ipa-server-upgrade should recreate this entry.
On 01/24/2016 03:22 AM, Nathan Peters wrote:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager readaccess"; allow (read, search, compare) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)aci: (target ="ldap:///cn=automember rebuildmembership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember RebuildMembership Task";allow (add) groupdn = "ldap:///cn=Add Automember RebuildMembership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || objectclass || passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSyncManagers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadPassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSyncManagers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSyncManagers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || nsslapd-directory* || objectclass")(target ="ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBMDatabase Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadLDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add ConfigurationSub-Entries";allow (add) groupdn = "ldap:///cn=Add ConfigurationSub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn|| modifytimestamp || nsds50ruv || nsds5beginreplicarefresh ||nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv ||nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin ||nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime ||nsds5replicachangecount ||nsds5replicachangessentsincestartup || nsds5replicacleanruv ||nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled|| nsds5replicahost || nsds5replicaid || nsds5replicalastinitend ||nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||nsds5replicalastupdatestart || nsds5replicalastupdatestatus ||nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport ||nsds5replicaprotocoltimeout ||nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot|| nsds5replicasessionpausetime || nsds5replicastripattrs ||nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout ||nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo ||nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule ||nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie ||nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain ||nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass ||onewaysync ||winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||winsyncsubtreepair || winsyncwindowsfilter")(targetfilter ="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl"permission:System: Read Replication Agreements";allow (compare,read,search) groupdn ="ldap:///cn=System: Read ReplicationAgreements,cn=permissions,cn=pbac,dc=ipatestdomai
  n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr!="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replicare-initialization"; allow (add) groupdn = "ldap:///cn=Modify ReplicationAgreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks afterreplica re-initialization"; allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";allow (read, compare, search) groupdn ="ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuildmembership,cn=tasks,cn=config")(version 3.0;acl "permission:System: ReadAutomember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System:Read Automembe
  r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager managereplication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add ReplicationAgreements";allow (add) groupdn = "ldap:///cn=Add ReplicationAgreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:ModifyReplication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=ModifyReplication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"permission:Remove Replication Agreements";allow (delete) groupdn ="ldap:///cn=Remove Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add ReplicationAgreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: ModifyReplication Agreements"; allow (read, write, search) userdn ="ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"cert manager:Remove Replication Agreements";allow (delete) userdn ="ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLVsearches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric AssignmentPlugin,cn=plugins,cn=configaci: (targetattr=dnaNextRange || dnaNextValue ||dnaMaxValue)(version 3.0;acl"permission:Modify DNA Range";allow (write) groupdn ="ldap:///cn=Modify DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue|| dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:ReadDNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNARange,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow markingthe database readonly"; allow (write) groupdn = "ldap:///cn=RemoveReplication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11
============================================================================2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 butthere is now a Fedora 23 FreeIPA 4.2.3 server in the domain (forreference that the CentOS ACL hasn't changed yet)============================================================================================ after reinstallation of dc2 in fedora 23 / ipa4.2.3 =========================
[root@dc1 ~]# ldapsearch -b "cn=config" -D"uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
Enter LDAP Password:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager readaccess"; allow (read, search, compare) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)aci: (target ="ldap:///cn=automember rebuildmembership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember RebuildMembership Task";allow (add) groupdn = "ldap:///cn=Add Automember RebuildMembership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || objectclass || passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSyncManagers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadPassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSyncManagers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSyncManagers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || nsslapd-directory* || objectclass")(target ="ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBMDatabase Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadLDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add ConfigurationSub-Entries";allow (add) groupdn = "ldap:///cn=Add ConfigurationSub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn|| modifytimestamp || nsds50ruv || nsds5beginreplicarefresh ||nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv ||nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin ||nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime ||nsds5replicachangecount ||nsds5replicachangessentsincestartup || nsds5replicacleanruv ||nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled|| nsds5replicahost || nsds5replicaid || nsds5replicalastinitend ||nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||nsds5replicalastupdatestart || nsds5replicalastupdatestatus ||nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport ||nsds5replicaprotocoltimeout ||nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot|| nsds5replicasessionpausetime || nsds5replicastripattrs ||nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout ||nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo ||nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule ||nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie ||nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain ||nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass ||onewaysync ||winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||winsyncsubtreepair || winsyncwindowsfilter")(targetfilter ="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl"permission:System: Read Replication Agreements";allow (compare,read,search) groupdn ="ldap:///cn=System: Read ReplicationAgreements,cn=permissions,cn=pbac,dc=ipatestdomai
  n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr!="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replicare-initialization"; allow (add) groupdn = "ldap:///cn=Modify ReplicationAgreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks afterreplica re-initialization"; allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";allow (read, compare, search) groupdn ="ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuildmembership,cn=tasks,cn=config")(version 3.0;acl "permission:System: ReadAutomember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System:Read Automembe
  r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager managereplication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add ReplicationAgreements";allow (add) groupdn = "ldap:///cn=Add ReplicationAgreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:ModifyReplication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=ModifyReplication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"permission:Remove Replication Agreements";allow (delete) groupdn ="ldap:///cn=Remove Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add ReplicationAgreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: ModifyReplication Agreements"; allow (read, write, search) userdn ="ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"cert manager:Remove Replication Agreements";allow (delete) userdn ="ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLVsearches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric AssignmentPlugin,cn=plugins,cn=configaci: (targetattr=dnaNextRange || dnaNextValue ||dnaMaxValue)(version 3.0;acl"permission:Modify DNA Range";allow (write) groupdn ="ldap:///cn=Modify DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue|| dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:ReadDNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNARange,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow markingthe database readonly"; allow (write) groupdn = "ldap:///cn=RemoveReplication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11
============================================================================3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and thereplica file was made from dc1 which is a CentOS server that stillhas the acls(missing some stuff)============================================================================
aci list on dc2
[root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config""(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager readaccess"; allow (read, search, compare) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)aci: (target ="ldap:///cn=automember rebuildmembership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember RebuildMembership Task";allow (add) groupdn = "ldap:///cn=Add Automember RebuildMembership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || objectclass || passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSyncManagers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadPassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSyncManagers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSyncManagers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || nsslapd-directory* || objectclass")(target ="ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBMDatabase Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadLDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add ConfigurationSub-Entries";allow (add) groupdn = "ldap:///cn=Add ConfigurationSub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr!="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replicare-initialization"; allow (add) groupdn = "ldap:///cn=Modify ReplicationAgreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks afterreplica re-initialization"; allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";allow (read, compare, search) groupdn ="ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager managereplication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add ReplicationAgreements";allow (add) groupdn = "ldap:///cn=Add ReplicationAgreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:ModifyReplication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=ModifyReplication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"permission:Remove Replication Agreements";allow (delete) groupdn ="ldap:///cn=Remove Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add ReplicationAgreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: ModifyReplication Agreements"; allow (read, write, search) userdn ="ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"cert manager:Remove Replication Agreements";allow (delete) userdn ="ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLVsearches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric AssignmentPlugin,cn=plugins,cn=configaci: (targetattr=dnaNextRange || dnaNextValue ||dnaMaxValue)(version 3.0;acl"permission:Modify DNA Range";allow (write) groupdn ="ldap:///cn=Modify DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue|| dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:ReadDNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNARange,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow markingthe database readonly"; allow (write) groupdn = "ldap:///cn=RemoveReplication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11
============================================================================4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (nowmissing some stuff)============================================================================[root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b"cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager readaccess"; allow (read, search, compare) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)aci: (target ="ldap:///cn=automember rebuildmembership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember RebuildMembership Task";allow (add) groupdn = "ldap:///cn=Add Automember RebuildMembership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || objectclass || passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSyncManagers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadPassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target ="ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSyncManagers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSyncManagers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||modifytimestamp || nsslapd-directory* || objectclass")(target ="ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBMDatabase Configuration";allow (compare,read,search) groupdn = "ldap:///cn=ReadLDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add ConfigurationSub-Entries";allow (add) groupdn = "ldap:///cn=Add ConfigurationSub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr!="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replicare-initialization"; allow (add) groupdn = "ldap:///cn=Modify ReplicationAgreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks afterreplica re-initialization"; allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";allow (read, compare, search) groupdn ="ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager managereplication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add ReplicationAgreements";allow (add) groupdn = "ldap:///cn=Add ReplicationAgreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:ModifyReplication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=ModifyReplication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"permission:Remove Replication Agreements";allow (delete) groupdn ="ldap:///cn=Remove Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add ReplicationAgreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: ModifyReplication Agreements"; allow (read, write, search) userdn ="ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci:(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl"cert manager:Remove Replication Agreements";allow (delete) userdn ="ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLVsearches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric AssignmentPlugin,cn=plugins,cn=configaci: (targetattr=dnaNextRange || dnaNextValue ||dnaMaxValue)(version 3.0;acl"permission:Modify DNA Range";allow (write) groupdn ="ldap:///cn=Modify DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue|| dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:ReadDNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNARange,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow markingthe database readonly"; allow (write) groupdn = "ldap:///cn=RemoveReplication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Reply via email to