Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek wrote:
> On Fri, 2011-10-07 at 11:09 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>>
>>> I tested the patch when I replaced all add: directives in 40-dns.update
>>> with addifexist. The clean installation now did not produce any error,
>>> memberships were OK.
>>>
>>> However, updating an existing installation with DNS was not OK - privileges
>>> are still without memberof attributes:
>>>
>>> # ipa privilege-find dns
>>>
>>> 2 privileges matched
>>>
>>>   Privilege name: DNS Administrators
>>>   Description: DNS Administrators
>>>
>>>   Privilege name: DNS Servers
>>>   Description: DNS Servers
>>>
>>> Number of entries returned 2
>>>
>>> Martin
>>>
>>
>> Strange, it works for me. Can you try this updated patch?
>>
>> rob
>
> I must have been doing something wrong. This one works fine - both upgrade
> and a fresh installation.
>
> ACK.
>
> Martin

Ok, pushed to master and ipa-2-1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
On Fri, 2011-10-07 at 11:09 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>>
>> I tested the patch when I replaced all add: directives in 40-dns.update
>> with addifexist. The clean installation now did not produce any error,
>> memberships were OK.
>>
>> However, updating an existing installation with DNS was not OK - privileges
>> are still without memberof attributes:
>>
>> # ipa privilege-find dns
>>
>> 2 privileges matched
>>
>>   Privilege name: DNS Administrators
>>   Description: DNS Administrators
>>
>>   Privilege name: DNS Servers
>>   Description: DNS Servers
>>
>> Number of entries returned 2
>>
>> Martin
>>
>
> Strange, it works for me. Can you try this updated patch?
>
> rob

I must have been doing something wrong. This one works fine - both upgrade
and a fresh installation.

ACK.

Martin
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek wrote:
> On Fri, 2011-10-07 at 08:52 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>>>>> which made them not show up when viewing their permission entries.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> This works fine, but it is just a part of a solution. DNS related
>>>>>>>> privileges miss the memberof attribute for the DNS permissions and thus the
>>>>>>>> permissions are not listed:
>>>>>>>>
>>>>>>>> # ipa permission-show "add dns entries"
>>>>>>>>   Permission name: add dns entries
>>>>>>>>   Permissions: add
>>>>>>>>   Type: dnsrecord
>>>>>>>>   Granted to Privilege: DNS Administrators, DNS Servers
>>>>>>>>
>>>>>>>> # ipa privilege-show "DNS Administrators"
>>>>>>>>   Privilege name: DNS Administrators
>>>>>>>>   Description: DNS Administrators
>>>>>>>> <<< Missing permissions
>>>>>>>>
>>>>>>>> I think the reason is that the permissions are in the wrong order in the
>>>>>>>> LDIF and are created before the privilege itself. When member links are
>>>>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>>>>> is the main issue that the BZ bug complains about.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>
>>>>>>> There are two problems:
>>>>>>>
>>>>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>>>>
>>>>>>> 2. The permission was added before the privilege so the memberof values
>>>>>>> weren't being calculated.
>>>>>>>
>>>>>>> This fixes it for new installs and adds an update to fix up existing
>>>>>>> installs.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> It works fine when doing upgrade. However, when running a clean install,
>>>>>> I get these errors:
>>>>>>
>>>>>> # ipa-server-install --setup-dns
>>>>>> ...
>>>>>>   [9/13]: publish CA cert
>>>>>>   [10/13]: creating a keytab for httpd
>>>>>>   [11/13]: configuring SELinux for httpd
>>>>>>   [12/13]: restarting httpd
>>>>>>   [13/13]: configuring httpd to start on boot
>>>>>> done configuring httpd.
>>>>>> Applying LDAP updates
>>>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>>>> Restarting IPA to initialize updates before performing deletes:
>>>>>>   [1/2]: stopping directory server
>>>>>>   [2/2]: starting directory server
>>>>>> done configuring dirsrv.
>>>>>> Restarting the directory server
>>>>>> Restarting the KDC
>>>>>> Restarting the web server
>>>>>> Configuring named:
>>>>>>   [1/9]: adding DNS container
>>>>>>   [2/9]: setting up our zone
>>>>>>   [3/9]: setting up reverse zone
>>>>>>   [4/9]: setting up our own record
>>>>>>   [5/9]: setting up kerberos principal
>>>>>>   [6/9]: setting up named.conf
>>>>>>   [7/9]: restarting named
>>>>>>   [8/9]: configuring named to start on boot
>>>>>>   [9/9]: changing resolv.conf to point to ourselves
>>>>>> done configuring named.
>>>>>> ==
>>>>>>
>>>>>> Setup complete
>>>>>>
>>>>>> Do you hit this too? Permissions and privileges member attributes were
>>>>>> OK though.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> Bah, ok. We only create these permissions when dns is installed so I'll
>>>>> need to find some way to optionally add this.
>>>>>
>>>>> rob
>>>>
>>>> I needed to add a new type to the updater to only add new values if the
>>>> entry exists.
>>>>
>>>> rob
>>>
>>> I still get the same error. We have a new handy addifnew update type
>>> ready, let's use it in these DNS .update files too :-)
>>>
>>> Martin
>>
>> addifnew adds single value attributes if they aren't already in the
>> entry, that will cause the same error.
>>
>> rob
>
> I tested the patch when I replaced all add: directives in 40-dns.update
> with addifexist. The clean installation now did not produce any error,
> memberships were OK.
>
> However, updating an existing installation with DNS was not OK - privileges
> are still without memberof attributes:
>
> # ipa privilege-find dns
>
> 2 privileges matched
>
>   Privilege name: DNS Administrators
>   Description: DNS Administrators
>
>   Privilege name: DNS Servers
>   Description: DNS Servers
>
> Number of entries returned 2
>
> Martin

Strange, it works for me. Can you try this updated patch?

rob

From 3af60b5ed587b0a341ba8ceaf4045175954ca621 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 5 Oct 2011 17:16:05 -0400
Subject: [PATCH] Fix DNS permissions and membership in privileges

This resolves two issues:

1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
   values weren't calculated properly

For updates we need to add in the members and recalculate memberof
via a DS task.

https://fedorahosted.org/freeipa/ticket/1898
---
 install/share/dns.ldif               | 46 +-
 install/tools/man/ipa-ldap-updater.1 |  1 +
 install/updates/40-delegation.update |  6
 install/updates/40-dns.update        | 22
 install/updates/Makefile.am          |  1 +
 ipaserver/install/ldapupdate.py      | 16 ++-
 6 files changed, 67 insertions(+), 25 deletions(-)
 create mod
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
On Fri, 2011-10-07 at 08:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>>>> which made them not show up when viewing their permission entries.
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> This works fine, but it is just a part of a solution. DNS related
>>>>>>> privileges miss the memberof attribute for the DNS permissions and thus the
>>>>>>> permissions are not listed:
>>>>>>>
>>>>>>> # ipa permission-show "add dns entries"
>>>>>>>   Permission name: add dns entries
>>>>>>>   Permissions: add
>>>>>>>   Type: dnsrecord
>>>>>>>   Granted to Privilege: DNS Administrators, DNS Servers
>>>>>>>
>>>>>>> # ipa privilege-show "DNS Administrators"
>>>>>>>   Privilege name: DNS Administrators
>>>>>>>   Description: DNS Administrators
>>>>>>> <<< Missing permissions
>>>>>>>
>>>>>>> I think the reason is that the permissions are in the wrong order in the
>>>>>>> LDIF and are created before the privilege itself. When member links are
>>>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>>>> is the main issue that the BZ bug complains about.
>>>>>>>
>>>>>>> Martin
>>>>>>
>>>>>> There are two problems:
>>>>>>
>>>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>>>
>>>>>> 2. The permission was added before the privilege so the memberof values
>>>>>> weren't being calculated.
>>>>>>
>>>>>> This fixes it for new installs and adds an update to fix up existing
>>>>>> installs.
>>>>>>
>>>>>> rob
>>>>>
>>>>> It works fine when doing upgrade. However, when running a clean install,
>>>>> I get these errors:
>>>>>
>>>>> # ipa-server-install --setup-dns
>>>>> ...
>>>>>   [9/13]: publish CA cert
>>>>>   [10/13]: creating a keytab for httpd
>>>>>   [11/13]: configuring SELinux for httpd
>>>>>   [12/13]: restarting httpd
>>>>>   [13/13]: configuring httpd to start on boot
>>>>> done configuring httpd.
>>>>> Applying LDAP updates
>>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>>> Restarting IPA to initialize updates before performing deletes:
>>>>>   [1/2]: stopping directory server
>>>>>   [2/2]: starting directory server
>>>>> done configuring dirsrv.
>>>>> Restarting the directory server
>>>>> Restarting the KDC
>>>>> Restarting the web server
>>>>> Configuring named:
>>>>>   [1/9]: adding DNS container
>>>>>   [2/9]: setting up our zone
>>>>>   [3/9]: setting up reverse zone
>>>>>   [4/9]: setting up our own record
>>>>>   [5/9]: setting up kerberos principal
>>>>>   [6/9]: setting up named.conf
>>>>>   [7/9]: restarting named
>>>>>   [8/9]: configuring named to start on boot
>>>>>   [9/9]: changing resolv.conf to point to ourselves
>>>>> done configuring named.
>>>>> ==
>>>>>
>>>>> Setup complete
>>>>>
>>>>> Do you hit this too? Permissions and privileges member attributes were
>>>>> OK though.
>>>>>
>>>>> Martin
>>>>
>>>> Bah, ok. We only create these permissions when dns is installed so I'll
>>>> need to find some way to optionally add this.
>>>>
>>>> rob
>>>
>>> I needed to add a new type to the updater to only add new values if the
>>> entry exists.
>>>
>>> rob
>>
>> I still get the same error. We have a new handy addifnew update type
>> ready, let's use it in these DNS .update files too :-)
>>
>> Martin
>
> addifnew adds single value attributes if they aren't already in the
> entry, that will cause the same error.
>
> rob

I tested the patch when I replaced all add: directives in 40-dns.update
with addifexist. The clean installation now did not produce any error,
memberships were OK.

However, updating an existing installation with DNS was not OK - privileges
are still without memberof attributes:

# ipa privilege-find dns

2 privileges matched

  Privilege name: DNS Administrators
  Description: DNS Administrators

  Privilege name: DNS Servers
  Description: DNS Servers

Number of entries returned 2

Martin
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek wrote:
> On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>>> which made them not show up when viewing their permission entries.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> This works fine, but it is just a part of a solution. DNS related
>>>>>> privileges miss the memberof attribute for the DNS permissions and thus the
>>>>>> permissions are not listed:
>>>>>>
>>>>>> # ipa permission-show "add dns entries"
>>>>>>   Permission name: add dns entries
>>>>>>   Permissions: add
>>>>>>   Type: dnsrecord
>>>>>>   Granted to Privilege: DNS Administrators, DNS Servers
>>>>>>
>>>>>> # ipa privilege-show "DNS Administrators"
>>>>>>   Privilege name: DNS Administrators
>>>>>>   Description: DNS Administrators
>>>>>> <<< Missing permissions
>>>>>>
>>>>>> I think the reason is that the permissions are in the wrong order in the
>>>>>> LDIF and are created before the privilege itself. When member links are
>>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>>> is the main issue that the BZ bug complains about.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> There are two problems:
>>>>>
>>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>>
>>>>> 2. The permission was added before the privilege so the memberof values
>>>>> weren't being calculated.
>>>>>
>>>>> This fixes it for new installs and adds an update to fix up existing
>>>>> installs.
>>>>>
>>>>> rob
>>>>
>>>> It works fine when doing upgrade. However, when running a clean install,
>>>> I get these errors:
>>>>
>>>> # ipa-server-install --setup-dns
>>>> ...
>>>>   [9/13]: publish CA cert
>>>>   [10/13]: creating a keytab for httpd
>>>>   [11/13]: configuring SELinux for httpd
>>>>   [12/13]: restarting httpd
>>>>   [13/13]: configuring httpd to start on boot
>>>> done configuring httpd.
>>>> Applying LDAP updates
>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>>> Restarting IPA to initialize updates before performing deletes:
>>>>   [1/2]: stopping directory server
>>>>   [2/2]: starting directory server
>>>> done configuring dirsrv.
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Restarting the web server
>>>> Configuring named:
>>>>   [1/9]: adding DNS container
>>>>   [2/9]: setting up our zone
>>>>   [3/9]: setting up reverse zone
>>>>   [4/9]: setting up our own record
>>>>   [5/9]: setting up kerberos principal
>>>>   [6/9]: setting up named.conf
>>>>   [7/9]: restarting named
>>>>   [8/9]: configuring named to start on boot
>>>>   [9/9]: changing resolv.conf to point to ourselves
>>>> done configuring named.
>>>> ==
>>>>
>>>> Setup complete
>>>>
>>>> Do you hit this too? Permissions and privileges member attributes were
>>>> OK though.
>>>>
>>>> Martin
>>>
>>> Bah, ok. We only create these permissions when dns is installed so I'll
>>> need to find some way to optionally add this.
>>>
>>> rob
>>
>> I needed to add a new type to the updater to only add new values if the
>> entry exists.
>>
>> rob
>
> I still get the same error. We have a new handy addifnew update type
> ready, let's use it in these DNS .update files too :-)
>
> Martin

addifnew adds single value attributes if they aren't already in the
entry, that will cause the same error.

rob
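To make the difference between the three directive types discussed above concrete, here is an added toy model (not the FreeIPA updater's own code) of how add, addifnew and addifexist behave when the target entry does or does not yet exist; the suffix dc=example,dc=com and the simplified rule that a missing entry is created from the update lines alone are assumptions drawn from the clean-install error in the log.

```python
class ObjectClassViolation(Exception):
    """The directory server rejects an ADD of an entry with no objectClass."""


class Directory:
    """In-memory stand-in for the LDAP server: dn -> {attr: [values]}."""

    def __init__(self):
        self.entries = {}

    def get(self, dn):
        return self.entries.get(dn.lower())

    def add_entry(self, dn, attrs):
        # Schema check done on every ADD: without an objectClass the server
        # answers "Object class violation: missing required attribute
        # objectclass", which is the error in the clean-install log.
        if not attrs.get("objectclass"):
            raise ObjectClassViolation(dn)
        self.entries[dn.lower()] = attrs


def apply_directive(directory, dn, directive, attr, values):
    """Apply one 'directive:attr:value' update line to dn (simplified model).

    add        - add the values; the entry is created if it is missing
    addifnew   - add only when the attribute is not yet on the entry;
                 the entry is still created if it is missing
    addifexist - add only when the entry already exists, else skip
    Returns "added", "skipped" or "failed".
    """
    attr = attr.lower()
    entry = directory.get(dn)
    if entry is None:
        if directive == "addifexist":
            return "skipped"
        # add/addifnew on a missing entry: the updater can only build the
        # new entry from the update lines, so it carries no objectClass.
        try:
            directory.add_entry(dn, {attr: list(values)})
        except ObjectClassViolation:
            return "failed"
        return "added"
    if directive == "addifnew" and entry.get(attr):
        return "skipped"
    existing = entry.setdefault(attr, [])
    for value in values:
        if value not in existing:
            existing.append(value)
    return "added"


SUFFIX = "dc=example,dc=com"  # constructed suffix, assumption
PRIV_DN = "cn=DNS Administrators,cn=privileges,cn=pbac," + SUFFIX
PERM_DNS = ["cn=%s dns entries,cn=permissions,cn=pbac,%s" % (verb, SUFFIX)
            for verb in ("add", "remove", "update")]


def run_dns_update(directive, dns_installed):
    """Replay the member: lines of a 40-dns.update-style file.

    On a clean install the updater runs before the DNS permissions are
    created (dns.ldif is loaded by the named configuration step, which
    comes after "Applying LDAP updates" in the log), so the three
    permission entries are absent; on an upgrade they already exist.
    Returns (per-permission results, directory).
    """
    directory = Directory()
    if dns_installed:
        for dn in PERM_DNS:
            directory.add_entry(dn, {"objectclass": ["top", "groupofnames"],
                                     "cn": [dn.split(",")[0][3:]]})
    results = [apply_directive(directory, dn, directive, "member", [PRIV_DN])
               for dn in PERM_DNS]
    return results, directory


if __name__ == "__main__":
    for directive in ("add", "addifnew", "addifexist"):
        for installed in (False, True):
            results, _ = run_dns_update(directive, installed)
            print("%-10s dns_installed=%-5s -> %s" % (directive, installed, results))
```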
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>>> The aci prefix was missing in the description of the three dns acis
>>>>>> which made them not show up when viewing their permission entries.
>>>>>>
>>>>>> rob
>>>>>
>>>>> This works fine, but it is just a part of a solution. DNS related
>>>>> privileges miss the memberof attribute for the DNS permissions and thus the
>>>>> permissions are not listed:
>>>>>
>>>>> # ipa permission-show "add dns entries"
>>>>>   Permission name: add dns entries
>>>>>   Permissions: add
>>>>>   Type: dnsrecord
>>>>>   Granted to Privilege: DNS Administrators, DNS Servers
>>>>>
>>>>> # ipa privilege-show "DNS Administrators"
>>>>>   Privilege name: DNS Administrators
>>>>>   Description: DNS Administrators
>>>>> <<< Missing permissions
>>>>>
>>>>> I think the reason is that the permissions are in the wrong order in the
>>>>> LDIF and are created before the privilege itself. When member links are
>>>>> being created for DNS permissions, the memberof plugin cannot add
>>>>> memberof attributes for the privilege since it does not exist yet. This
>>>>> is the main issue that the BZ bug complains about.
>>>>>
>>>>> Martin
>>>>
>>>> There are two problems:
>>>>
>>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>>
>>>> 2. The permission was added before the privilege so the memberof values
>>>> weren't being calculated.
>>>>
>>>> This fixes it for new installs and adds an update to fix up existing
>>>> installs.
>>>>
>>>> rob
>>>
>>> It works fine when doing upgrade. However, when running a clean install,
>>> I get these errors:
>>>
>>> # ipa-server-install --setup-dns
>>> ...
>>>   [9/13]: publish CA cert
>>>   [10/13]: creating a keytab for httpd
>>>   [11/13]: configuring SELinux for httpd
>>>   [12/13]: restarting httpd
>>>   [13/13]: configuring httpd to start on boot
>>> done configuring httpd.
>>> Applying LDAP updates
>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>>> Restarting IPA to initialize updates before performing deletes:
>>>   [1/2]: stopping directory server
>>>   [2/2]: starting directory server
>>> done configuring dirsrv.
>>> Restarting the directory server
>>> Restarting the KDC
>>> Restarting the web server
>>> Configuring named:
>>>   [1/9]: adding DNS container
>>>   [2/9]: setting up our zone
>>>   [3/9]: setting up reverse zone
>>>   [4/9]: setting up our own record
>>>   [5/9]: setting up kerberos principal
>>>   [6/9]: setting up named.conf
>>>   [7/9]: restarting named
>>>   [8/9]: configuring named to start on boot
>>>   [9/9]: changing resolv.conf to point to ourselves
>>> done configuring named.
>>> ==
>>>
>>> Setup complete
>>>
>>> Do you hit this too? Permissions and privileges member attributes were
>>> OK though.
>>>
>>> Martin
>>
>> Bah, ok. We only create these permissions when dns is installed so I'll
>> need to find some way to optionally add this.
>>
>> rob
>
> I needed to add a new type to the updater to only add new values if the
> entry exists.
>
> rob

I still get the same error. We have a new handy addifnew update type
ready, let's use it in these DNS .update files too :-)

Martin
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>>> The aci prefix was missing in the description of the three dns acis
>>>>> which made them not show up when viewing their permission entries.
>>>>>
>>>>> rob
>>>>
>>>> This works fine, but it is just a part of a solution. DNS related
>>>> privileges miss the memberof attribute for the DNS permissions and thus the
>>>> permissions are not listed:
>>>>
>>>> # ipa permission-show "add dns entries"
>>>>   Permission name: add dns entries
>>>>   Permissions: add
>>>>   Type: dnsrecord
>>>>   Granted to Privilege: DNS Administrators, DNS Servers
>>>>
>>>> # ipa privilege-show "DNS Administrators"
>>>>   Privilege name: DNS Administrators
>>>>   Description: DNS Administrators
>>>> <<< Missing permissions
>>>>
>>>> I think the reason is that the permissions are in the wrong order in the
>>>> LDIF and are created before the privilege itself. When member links are
>>>> being created for DNS permissions, the memberof plugin cannot add
>>>> memberof attributes for the privilege since it does not exist yet. This
>>>> is the main issue that the BZ bug complains about.
>>>>
>>>> Martin
>>>
>>> There are two problems:
>>>
>>> 1. The acis lacked a prefix so they didn't appear as permissions
>>>
>>> 2. The permission was added before the privilege so the memberof values
>>> weren't being calculated.
>>>
>>> This fixes it for new installs and adds an update to fix up existing
>>> installs.
>>>
>>> rob
>>
>> It works fine when doing upgrade. However, when running a clean install,
>> I get these errors:
>>
>> # ipa-server-install --setup-dns
>> ...
>>   [9/13]: publish CA cert
>>   [10/13]: creating a keytab for httpd
>>   [11/13]: configuring SELinux for httpd
>>   [12/13]: restarting httpd
>>   [13/13]: configuring httpd to start on boot
>> done configuring httpd.
>> Applying LDAP updates
>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
>> Restarting IPA to initialize updates before performing deletes:
>>   [1/2]: stopping directory server
>>   [2/2]: starting directory server
>> done configuring dirsrv.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the web server
>> Configuring named:
>>   [1/9]: adding DNS container
>>   [2/9]: setting up our zone
>>   [3/9]: setting up reverse zone
>>   [4/9]: setting up our own record
>>   [5/9]: setting up kerberos principal
>>   [6/9]: setting up named.conf
>>   [7/9]: restarting named
>>   [8/9]: configuring named to start on boot
>>   [9/9]: changing resolv.conf to point to ourselves
>> done configuring named.
>> ==
>>
>> Setup complete
>>
>> Do you hit this too? Permissions and privileges member attributes were
>> OK though.
>>
>> Martin
>
> Bah, ok. We only create these permissions when dns is installed so I'll
> need to find some way to optionally add this.
>
> rob

I needed to add a new type to the updater to only add new values if the
entry exists.

rob

From 5b42fd757840c088323f589cfb26b4607b892958 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 5 Oct 2011 17:16:05 -0400
Subject: [PATCH] Fix DNS permissions and membership in privileges

This resolves two issues:

1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
   values weren't calculated properly

For updates we need to add in the members and recalculate memberof
via a DS task.

https://fedorahosted.org/freeipa/ticket/1898
---
 install/share/dns.ldif               | 46 +-
 install/tools/man/ipa-ldap-updater.1 |  1 +
 install/updates/40-delegation.update |  6
 install/updates/40-dns.update        | 22
 install/updates/Makefile.am          |  1 +
 ipaserver/install/ldapupdate.py      | 16 ++-
 6 files changed, 67 insertions(+), 25 deletions(-)
 create mode 100644 install/updates/40-dns.update

diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index dc79222..1ffadb5 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -4,6 +4,29 @@ objectClass: nsContainer objectClass: top cn: dns +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek wrote:
> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>>> The aci prefix was missing in the description of the three dns acis
>>>> which made them not show up when viewing their permission entries.
>>>>
>>>> rob
>>>
>>> This works fine, but it is just a part of a solution. DNS related
>>> privileges miss the memberof attribute for the DNS permissions and thus the
>>> permissions are not listed:
>>>
>>> # ipa permission-show "add dns entries"
>>>   Permission name: add dns entries
>>>   Permissions: add
>>>   Type: dnsrecord
>>>   Granted to Privilege: DNS Administrators, DNS Servers
>>>
>>> # ipa privilege-show "DNS Administrators"
>>>   Privilege name: DNS Administrators
>>>   Description: DNS Administrators
>>> <<< Missing permissions
>>>
>>> I think the reason is that the permissions are in the wrong order in the
>>> LDIF and are created before the privilege itself. When member links are
>>> being created for DNS permissions, the memberof plugin cannot add
>>> memberof attributes for the privilege since it does not exist yet. This
>>> is the main issue that the BZ bug complains about.
>>>
>>> Martin
>>
>> There are two problems:
>>
>> 1. The acis lacked a prefix so they didn't appear as permissions
>>
>> 2. The permission was added before the privilege so the memberof values
>> weren't being calculated.
>>
>> This fixes it for new installs and adds an update to fix up existing
>> installs.
>>
>> rob
>
> It works fine when doing upgrade. However, when running a clean install,
> I get these errors:
>
> # ipa-server-install --setup-dns
> ...
>   [9/13]: publish CA cert
>   [10/13]: creating a keytab for httpd
>   [11/13]: configuring SELinux for httpd
>   [12/13]: restarting httpd
>   [13/13]: configuring httpd to start on boot
> done configuring httpd.
> Applying LDAP updates
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
> Restarting IPA to initialize updates before performing deletes:
>   [1/2]: stopping directory server
>   [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Configuring named:
>   [1/9]: adding DNS container
>   [2/9]: setting up our zone
>   [3/9]: setting up reverse zone
>   [4/9]: setting up our own record
>   [5/9]: setting up kerberos principal
>   [6/9]: setting up named.conf
>   [7/9]: restarting named
>   [8/9]: configuring named to start on boot
>   [9/9]: changing resolv.conf to point to ourselves
> done configuring named.
> ==
>
> Setup complete
>
> Do you hit this too? Permissions and privileges member attributes were
> OK though.
>
> Martin

Bah, ok. We only create these permissions when dns is installed so I'll
need to find some way to optionally add this.

rob
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>>> The aci prefix was missing in the description of the three dns acis
>>> which made them not show up when viewing their permission entries.
>>>
>>> rob
>>
>> This works fine, but it is just a part of a solution. DNS related
>> privileges miss the memberof attribute for the DNS permissions and thus the
>> permissions are not listed:
>>
>> # ipa permission-show "add dns entries"
>>   Permission name: add dns entries
>>   Permissions: add
>>   Type: dnsrecord
>>   Granted to Privilege: DNS Administrators, DNS Servers
>>
>> # ipa privilege-show "DNS Administrators"
>>   Privilege name: DNS Administrators
>>   Description: DNS Administrators
>> <<< Missing permissions
>>
>> I think the reason is that the permissions are in the wrong order in the
>> LDIF and are created before the privilege itself. When member links are
>> being created for DNS permissions, the memberof plugin cannot add
>> memberof attributes for the privilege since it does not exist yet. This
>> is the main issue that the BZ bug complains about.
>>
>> Martin
>
> There are two problems:
>
> 1. The acis lacked a prefix so they didn't appear as permissions
>
> 2. The permission was added before the privilege so the memberof values
> weren't being calculated.
>
> This fixes it for new installs and adds an update to fix up existing
> installs.
>
> rob

It works fine when doing upgrade. However, when running a clean install,
I get these errors:

# ipa-server-install --setup-dns
...
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==

Setup complete

Do you hit this too? Permissions and privileges member attributes were
OK though.

Martin
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek wrote:
> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
>> The aci prefix was missing in the description of the three dns acis
>> which made them not show up when viewing their permission entries.
>>
>> rob
>
> This works fine, but it is just a part of a solution. DNS related
> privileges miss the memberof attribute for the DNS permissions and thus the
> permissions are not listed:
>
> # ipa permission-show "add dns entries"
>   Permission name: add dns entries
>   Permissions: add
>   Type: dnsrecord
>   Granted to Privilege: DNS Administrators, DNS Servers
>
> # ipa privilege-show "DNS Administrators"
>   Privilege name: DNS Administrators
>   Description: DNS Administrators
> <<< Missing permissions
>
> I think the reason is that the permissions are in the wrong order in the
> LDIF and are created before the privilege itself. When member links are
> being created for DNS permissions, the memberof plugin cannot add
> memberof attributes for the privilege since it does not exist yet. This
> is the main issue that the BZ bug complains about.
>
> Martin

There are two problems:

1. The acis lacked a prefix so they didn't appear as permissions

2. The permission was added before the privilege so the memberof values
weren't being calculated.

This fixes it for new installs and adds an update to fix up existing
installs.

rob

From f0c46cac3afea07bbcf02af254f73c29dc122fd8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 5 Oct 2011 17:16:05 -0400
Subject: [PATCH] Fix DNS permissions and membership in privileges

This resolves two issues:

1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
   values weren't calculated properly

For updates we need to add in the members and recalculate memberof
via a DS task.

https://fedorahosted.org/freeipa/ticket/1898
---
 install/share/dns.ldif               | 46 +-
 install/updates/40-delegation.update |  6
 install/updates/40-dns.update        | 22
 install/updates/Makefile.am          |  1 +
 4 files changed, 52 insertions(+), 23 deletions(-)
 create mode 100644 install/updates/40-dns.update

diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index dc79222..1ffadb5 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -4,6 +4,29 @@ objectClass: nsContainer objectClass: top cn: dns +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) + +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: DNS Administrators +description: DNS Administrators + +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: DNS Servers +description: DNS Servers + dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: groupofnames 
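Review bot: the targetattr list of the third added aci carries `record` between `arecord` and `a6record`, which is not a DNS record attribute (presumably `aaaarecord` was meant), and it names `idnsname` twice, once at the head of the list and again after `nsecrecord`. Both are carried over from the aci this hunk replaces, but since the value is being rewritten anyway to add the `permission:` prefix, this is the moment to clean the list up. The reordering itself is right: the two privilege entries now precede the permission entries whose `member:` values point at them, so the memberof plugin has an existing target when those links are written.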
@@ -30,26 +53,3 @@ cn: update dns entries description: Update DNS entries member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX - -dn: $SUFFIX -changetype: modify -add: aci -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxr
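Review bot: in the @@ -4,6 +4,29 @@ hunk of dns.ldif the targetattr list of the "permission:update dns entries" aci names idnsname twice and contains a bare "record", which does not look like an attribute from the DNS schema; please dedupe the list and check whether "record" is a truncated attribute name. The same aci grants write on idnsupdatepolicy and idnsallowdynupdate, and the "update dns entries" permission lists both the DNS Administrators and the DNS Servers privileges as members, so a DNS Servers principal can change a zone's dynamic-update policy as well as its records. If that is not intended, move the zone-policy attributes into a separate permission that only DNS Administrators hold.

Review bot: the @@ -30,26 +53,3 @@ hunk only deletes the unprefixed "Add DNS entries" / "Remove DNS entries" / "Update DNS entries" aci block from dns.ldif, which is applied on fresh installs only; an existing server keeps those three acis unless the update files rewrite them, and the 40-delegation.update and new 40-dns.update changes listed in the diffstat are not shown in this copy of the patch. Please confirm the update replaces all three by exact old value, otherwise an upgraded server carries both the old aci and the new "permission:" aci granting to the same groupdn, and permission-show still cannot find the old one.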
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> The aci prefix was missing in the description of the three dns acis
> which made them not show up when viewing their permission entries.
>
> rob

This works fine, but it is just a part of a solution. DNS-related privileges miss the memberof attribute for the DNS permissions and thus the permissions are not listed:

# ipa permission-show "add dns entries"
  Permission name: add dns entries
  Permissions: add
  Type: dnsrecord
  Granted to Privilege: DNS Administrators, DNS Servers

# ipa privilege-show "DNS Administrators"
  Privilege name: DNS Administrators
  Description: DNS Administrators      <<< Missing permissions

I think the reason is that the permissions are in the wrong order in the LDIF and are created before the privilege itself. When member links are being created for DNS permissions, the memberof plugin cannot add memberof attributes for the privilege since it does not exist yet. This is the main issue that the BZ bug complains about.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
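Both defects discussed in this thread, an acl name without the "permission:<cn>" prefix and a privilege entry added after the permission whose member: value already points at it, can be caught by linting the LDIF before it is loaded. The script below is an added example, not FreeIPA code or part of the patch; SUFFIX and SAMPLE_LDIF are constructed stand-ins for $SUFFIX and install/share/dns.ldif, and the memberOf fixup task entry follows the 389-ds task interface (cn=memberof task,cn=tasks,cn=config) with an arbitrary task name.

```python
"""Added example (not FreeIPA code): lint an IPA-style LDIF for the two
defects discussed in this thread and emit the 389-ds memberOf fixup task
an upgrade would need afterwards.

  1. an aci that grants to cn=<perm>,cn=permissions,cn=pbac but whose acl
     name is not "permission:<perm>", so permission-show cannot find it;
  2. a member: value naming an entry that the same LDIF only adds later,
     so the memberOf plugin has no entry to write memberOf on.

Standard library only. SUFFIX and SAMPLE_LDIF are constructed for the
example; they stand in for $SUFFIX and install/share/dns.ldif.
"""
import re

SUFFIX = "dc=example,dc=com"  # assumed suffix standing in for $SUFFIX

# Constructed sample reproducing the original ordering: permission first,
# unprefixed acl name, privilege entry added last.
SAMPLE_LDIF = f"""\
dn: cn=add dns entries,cn=permissions,cn=pbac,{SUFFIX}
changetype: add
objectClass: top
objectClass: groupofnames
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,{SUFFIX}

dn: {SUFFIX}
changetype: modify
add: aci
aci: (target = "ldap:///idnsname=*,cn=dns,{SUFFIX}")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,{SUFFIX}";)
aci: (target = "ldap:///idnsname=*,cn=dns,{SUFFIX}")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,{SUFFIX}";)

dn: cn=DNS Administrators,cn=privileges,cn=pbac,{SUFFIX}
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Administrators
"""

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
PERM_GROUPDN = re.compile(r'groupdn\s*=\s*"ldap:///cn=([^,]+),cn=permissions,cn=pbac,', re.I)


def _norm(dn):
    """Case-fold a DN and drop whitespace around commas for comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Minimal LDIF reader: [(dn, [(attr, value), ...]), ...] in file order.
    Handles folded lines (leading space); base64 (::) values are not needed here."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip():
            current.append(raw)
        elif current:
            records.append(current)
            current = []
    parsed = []
    for lines in records:
        attrs = [(n.strip().lower(), v.strip())
                 for n, _, v in (line.partition(":") for line in lines)]
        dn = next(v for n, v in attrs if n == "dn")
        parsed.append((dn, attrs))
    return parsed


def check_aci_prefixes(records):
    """Flag acis granting to a pbac permission group whose acl name is not
    'permission:<cn of that group>'."""
    findings = []
    for dn, attrs in records:
        for name, value in attrs:
            if name != "aci":
                continue
            acl, grp = ACL_NAME.search(value), PERM_GROUPDN.search(value)
            if acl and grp and acl.group(1).lower() != ("permission:" + grp.group(1)).lower():
                findings.append(f'{dn}: acl "{acl.group(1)}" should be "permission:{grp.group(1)}"')
    return findings


def check_member_ordering(records):
    """Flag member: values that point at an entry this LDIF adds further down."""
    added_at = {_norm(dn): i for i, (dn, attrs) in enumerate(records)
                if ("changetype", "add") in [(n, v.lower()) for n, v in attrs]}
    findings = []
    for i, (dn, attrs) in enumerate(records):
        for name, value in attrs:
            if name == "member" and added_at.get(_norm(value), -1) > i:
                findings.append(f"{dn}: member {value} is only added at record {added_at[_norm(value)]}")
    return findings


def memberof_fixup_task_ldif(suffix, name="fixup-dns-privileges"):
    """389-ds memberOf fixup task entry (task name is arbitrary); adding it
    under cn=tasks,cn=config makes the plugin recompute memberOf under basedn."""
    return (f"dn: cn={name},cn=memberof task,cn=tasks,cn=config\n"
            "objectclass: top\n"
            "objectclass: extensibleObject\n"
            f"cn: {name}\n"
            f"basedn: {suffix}\n"
            "filter: (objectclass=*)\n")


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for finding in check_aci_prefixes(recs) + check_member_ordering(recs):
        print("FINDING:", finding)
    print(memberof_fixup_task_ldif(SUFFIX))
```

Run against the sample it reports one unprefixed acl ("Add DNS entries") and one forward member reference (the DNS Administrators privilege added two records after the permission that names it); moving the privilege entries above the permissions clears the second finding, while on an already upgraded server the emitted task entry is what triggers the memberOf recalculation the commit message refers to.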
[Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
The aci prefix was missing in the description of the three dns acis which made them not show up when viewing their permission entries.

rob

From c00f13df7e3152d7185706e43eed24aff50bef87 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 5 Oct 2011 17:16:05 -0400
Subject: [PATCH] Add missing prefix to DNS aci names.

https://fedorahosted.org/freeipa/ticket/1898
---
 install/share/dns.ldif               | 6 +++---
 install/updates/40-delegation.update | 6 ++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index dc79222..5a52d10 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -34,9 +34,9 @@ member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || 
nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 66c62ed..a235211 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update 
@@ -262,3 +262,9 @@ add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX' # Don't allow admins to update enrolledBy dn: $SUFFIX replace:aci:'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)' + +# The original DNS permissions lacked the tag. +dn: $SUFFIX +replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)' +replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)' +replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord |
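Review bot: the @@ -34,9 +34,9 @@ hunk of dns.ldif fixes the acl names but leaves the ordering problem visible in its own context: "member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX" sits on a permission entry above the aci block, while "dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX" with "changetype: add" only follows it. The memberOf plugin writes memberOf when the member value is stored, so a privilege created after the permission that references it never gets memberOf and privilege-show lists no permissions. Move the two privilege entries above the permission entries (or run a memberOf fixup task after the load).

Review bot: in the @@ -262,3 +262,9 @@ hunk of 40-delegation.update, replace:aci:'old::new' only fires when the stored value matches the old string exactly, so a site whose DNS acis were ever edited, or whose attribute list differs from this file, silently keeps the unprefixed aci and permission-show still finds nothing. Suggest a post-upgrade verification (search $SUFFIX for aci values still containing acl "Add DNS entries", "Remove DNS entries" or "Update DNS entries") or an explicit note in the ticket; the third replace line for the update aci is cut off in this copy, so its old and new values should be diffed against the dns.ldif text before pushing.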