[Freeipa-users] Re: sudorules attribute "entryuuid" not allowed

2021-11-23 Thread Kees Bakker via FreeIPA-users

Hi Thierry,

That worked. I chose the second option, adding entryuuid to the CentOS 7 system.
ipa-healthcheck is happy now and so is checkipaconsistency.

Thanks for the help.
-- Kees


[Freeipa-users] Re: sudorules attribute "entryuuid" not allowed

2021-11-23 Thread Thierry Bordaz via FreeIPA-users

Hi Kees,

Indeed this problem may have arisen because in intermediate CentOS builds (without the #4872 fix) we delivered a wrong attribute definition.


ATM we need to get the 'entryuuid' definition on CentOS 7.
I guess it is not present there. You may check with:

ldapsearch -D "DM" -b "cn=schema" -o ldif-wrap=no -LLL attributetypes | grep -i entryuuid


I see two options:

 * Do a dummy update of the schema (add a dummy attributetype) on CentOS 8, so that it contains an nsschemaCSN that is recent. Then in the next replication session the new definition will be learned by CentOS 7.
 * Stop the CentOS 7 instance, copy the content of 03entryuuid.ldif into the 99users.ldif of the instance, and start the instance.

regards
thierry

On 11/23/21 4:12 PM, Kees Bakker wrote:

Hi Thierry,

It was not sufficient to modify 03entryuuid.ldif. I'm still getting 
the attribute "entryuuid" not allowed error on the Centos 7 system.


Do I need to disable the entryUUID plugin? If so, how do I do that?
-- Kees

On 23-11-2021 10:29, Thierry Bordaz wrote:

Hi Kees,

The missing fix #4872 is pretty small [1]. Initial definition of 
entryuuid required a syntax/MR that was not available with previous 
versions, so it broke schema replication in mixed topology.


An easy workaround is to stop the 1.4.3.23 instance, edit /usr/share/dirsrv/schema/03entryuuid.ldif on 1.4.3.23 installations and restart the server. A dummy update on 1.4.3.23 will trigger the replication of the schema definition of 'entryuuid' and then the CentOS 7 instance will be able to manage the entryuuid attribute.


Regards
thierry


[1] 
https://github.com/389ds/389-ds-base/commit/bce941ec3cdf77eaf4bc3ea744f1df6e5bfd9d38


On 11/23/21 10:17 AM, Kees Bakker via FreeIPA-users wrote:
So, I have 1.4.3.23. A change was made in 1.4.3.26 (commit 
f370a281b8, Issue 4872).

The latest in Centos 8 Stream is 1.4.3.23-10

That leaves me with the following questions.

1. What do I need to do to disable the entryUUID plugin?
2. What do I need to do to fix the current LDAP conflict?
3. Do I really need 389-ds-base 1.4.3.26 or later (if I manage to 
disable the entryUUID plugin)?

-- Kees

On 22-11-2021 20:04, Kees Bakker via FreeIPA-users wrote:

On Centos 7

389-ds-base-snmp-1.3.9.1-13.el7_7.x86_64
389-ds-base-libs-1.3.9.1-13.el7_7.x86_64
389-ds-base-1.3.9.1-13.el7_7.x86_64
389-ds-base-debuginfo-1.3.9.1-13.el7_7.x86_64

On Centos 8 Stream

389-ds-base-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
python3-lib389-1.4.3.23-7.module_el8.5.0+889+90e0384f.noarch
389-ds-base-libs-1.4.3.23-7.module_el8.5.0+889+90e0384f.x86_64
-- Kees

On 22-11-2021 18:39, Florence Blanc-Renaud wrote:

Hi,

the error looks similar to https://github.com/389ds/389-ds-base/issues/4872.
The CentOS 8 Stream master probably has a version of 389ds that doesn't contain the fix, and has the entryuuid plugin enabled (which generates an entryuuid attribute). The schema failed to be replicated to the CentOS 7 server, and the entryuuid attribute present in the entry causes replication issues.


Which versions are installed on the other replicas? You may have 
to disable the entryuuid plugin or update 389ds.

flo


On Mon, Nov 22, 2021 at 3:30 PM Kees Bakker via FreeIPA-users wrote:


Hi,

On my Centos 7 master there was this error message

[19/Nov/2021:11:16:11.863597190 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
[19/Nov/2021:11:16:26.331298112 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed
[19/Nov/2021:11:16:45.264647201 +0100] - ERR - oc_check_allowed_sv - Entry "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=example,dc=com" -- attribute "entryuuid" not allowed

The sudorule was added via the web GUI on a CentOS 8 Stream master.

The replication more or less succeeded, apart from this error message. However,
* checkipaconsistency reports "LDAP Conflicts" (the CentOS 7 master has count 1, the other masters have count 0)
* ipa-healthcheck reports an error too

[
  {
    "source": "ipahealthcheck.ds.replication",
    "kw": {
      "msg": "Replication conflict",
      "glue": false,
      "conflict": "Schema violation",
      "key": "ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl"
    },
    "uuid": "01d364fc-e48e-44bd-9ea8-63db1e800788",
    "duration": "0.001689",
    "when": "20211122070012Z",
    "check": "ReplicationConflictCheck",
    "result": "ERROR"
  }
]

Any advice on how to get rid of the error messages would be greatly appreciated.
-- 
Kees
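
As an added illustration (not code from the thread, FreeIPA or 389-ds), the following Python correlates the three artefacts the thread works with: the oc_check_allowed_sv lines from the 389-ds errors log, the ipa-healthcheck ReplicationConflictCheck JSON, and an ldapsearch -LLL dump of cn=schema of the kind Thierry suggests checking. All sample input is constructed; the regex shapes follow the lines quoted above.

```python
"""Correlate 389-ds "attribute not allowed" errors with ipa-healthcheck and schema state.

Added example; sample input is constructed and patterned on the thread.
"""
import json
import re
from collections import defaultdict

# Errors-log line shape quoted in the thread:
# [<ts>] - ERR - oc_check_allowed_sv - Entry "<dn>" -- attribute "<attr>" not allowed
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - ERR - oc_check_allowed_sv - Entry "(?P<dn>[^"]+)"'
    r' -- attribute "(?P<attr>[^"]+)" not allowed$'
)
# "attributeTypes:" line as printed by ldapsearch -LLL on cn=schema (one NAME or a NAME list).
ATTRTYPE_RE = re.compile(
    r"^attributeTypes:\s*\(\s*\S+\s+NAME\s+(?:'([^']+)'|\(([^)]*)\))", re.I)


def normalize_dn(dn):
    """Lower-case and strip RDN spacing so log DNs and healthcheck keys compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_schema_violations(log_lines):
    """{(normalized dn, attr): [timestamps]} for every oc_check_allowed_sv error line."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m:
            hits[(normalize_dn(m["dn"]), m["attr"].lower())].append(m["ts"])
    return dict(hits)


def healthcheck_schema_conflicts(report_json):
    """Normalized DNs that ReplicationConflictCheck reports as 'Schema violation' errors."""
    keys = set()
    for item in json.loads(report_json):
        kw = item.get("kw") or {}
        if (item.get("check") == "ReplicationConflictCheck"
                and item.get("result") == "ERROR"
                and kw.get("conflict") == "Schema violation" and kw.get("key")):
            keys.add(normalize_dn(kw["key"]))
    return keys


def schema_attribute_names(schema_ldif):
    """Attribute names (lower-cased) defined by the attributeTypes lines of a schema dump."""
    names = set()
    for line in schema_ldif.splitlines():
        m = ATTRTYPE_RE.match(line)
        if m:
            names.update(n.strip("'").lower() for n in (m.group(1) or m.group(2)).split())
    return names


def correlate(log_lines, report_json, schema_ldif):
    """Per rejected attribute: whether the replica's schema defines it at all, and the
    entries hit, each flagged if ipa-healthcheck reports the same DN as a conflict."""
    flagged = healthcheck_schema_conflicts(report_json)
    defined = schema_attribute_names(schema_ldif)
    out = {}
    for (dn, attr), stamps in sorted(parse_schema_violations(log_lines).items()):
        out.setdefault(attr, {"defined_in_schema": attr in defined, "entries": []})
        out[attr]["entries"].append({"dn": dn, "count": len(stamps), "first": stamps[0],
                                     "last": stamps[-1], "in_healthcheck": dn in flagged})
    return out


def _logline(ts, dn, attr):
    return f'[{ts}] - ERR - oc_check_allowed_sv - Entry "{dn}" -- attribute "{attr}" not allowed'


# Constructed sample input patterned on the thread (DN kept identical in log and healthcheck).
SAMPLE_DN = ("ipaUniqueID=b2211c08-4921-11ec-974b-509a4c9d3b10,"
             "cn=sudorules,cn=sudo,dc=example,dc=com")
SAMPLE_LOG = [
    _logline("19/Nov/2021:11:16:11.863597190 +0100", SAMPLE_DN, "entryuuid"),
    _logline("19/Nov/2021:11:16:26.331298112 +0100", SAMPLE_DN, "entryuuid"),
    _logline("19/Nov/2021:11:16:45.264647201 +0100", SAMPLE_DN, "entryuuid"),
    "[19/Nov/2021:11:17:00.000000000 +0100] - INFO - slapd_daemon - slapd started.",  # ignored
]
SAMPLE_HEALTHCHECK = json.dumps([{
    "source": "ipahealthcheck.ds.replication",
    "kw": {"msg": "Replication conflict", "glue": False,
           "conflict": "Schema violation", "key": SAMPLE_DN},
    "check": "ReplicationConflictCheck", "result": "ERROR",
}])
# Constructed cn=schema dump with no entryUUID definition, i.e. the replica that rejects it.
SAMPLE_SCHEMA = "dn: cn=schema\nattributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )\n"

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_LOG, SAMPLE_HEALTHCHECK, SAMPLE_SCHEMA), indent=2))
```

A result with `defined_in_schema` false and `in_healthcheck` true for the same DN is exactly the state the thread describes: the entry carries an attribute the receiving replica's schema does not know.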


[Freeipa-users] Re: sudorules attribute "entryuuid" not allowed

2021-11-23 Thread Kees Bakker via FreeIPA-users

Hi Thierry,

It was not sufficient to modify 03entryuuid.ldif. I'm still getting the attribute 
"entryuuid" not allowed error on the Centos 7 system.

Do I need to disable the entryUUID plugin? If so, how do I do that?
-- Kees


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org 

To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org 

Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/ 

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines 

List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org 

Do not reply to spam on the list, report it: 
ht

[Freeipa-users] Re: sudo doesn't work with AD groups

2021-11-23 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 23 Nov 2021, Nathanaël Blanchet via FreeIPA-users wrote:


https://pagure.io/freeipa/issue/3226 references this commit
https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884
which tells that


SSSD uses single attribute 'externalUser' for IPA to pull 'external'
objects referenced in SUDO rules. This means both users and groups are
represented within the same attribute, with groups prefixed with '%',
as described in sudoers(5) man page.



Referencing fully qualified names for users and groups from trusted
Active Directory domains in 'externalUser' attribute of SUDO rules is
supported in SSSD 2.4 or later.


So you need to have SSSD 2.4 or later to have fully qualified AD users
and groups in 'externalUser' attribute.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
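
An added illustration (not SSSD's or FreeIPA's code) of the two ways the thread describes for a sudo rule to reach an AD group: a fully-qualified name in externalUser with the '%' group prefix from sudoers(5), versus membership through an IPA external group nested in a POSIX group. The SSSD 2.4 requirement for fully-qualified externalUser values is modelled as a version check; the group names, user and SSSD version tuples are constructed placeholders.

```python
"""Simplified model of how an IPA sudo rule reaches an AD user on a client.

Added example, not SSSD's or FreeIPA's implementation. From the thread: externalUser
holds users and groups in one attribute with groups prefixed by '%', and SSSD honours
fully-qualified AD names there only from 2.4 on. Record shapes, names and version
numbers below are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SudoRule:
    name: str
    member_groups: frozenset   # IPA groups referenced through memberUser (the "old way")
    external_users: frozenset  # raw 'externalUser' values; '%' prefix marks a group


class IpaGroups:
    """IPA group membership: group -> direct members (other IPA groups or AD principals)."""

    def __init__(self, members):
        self.members = {g: set(m) for g, m in members.items()}

    def leaves(self, group):
        """AD principals reachable through nesting, e.g. a non-POSIX external group
        holding an AD group, itself a member of a POSIX group."""
        seen, stack, out = set(), [group], set()
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in self.members.get(g, ()):
                if m in self.members:
                    stack.append(m)
                else:
                    out.add(m.lower())
        return out


def external_entry_usable(entry, sssd_version):
    """A fully-qualified externalUser value (name@domain) is only honoured by SSSD >= 2.4."""
    ref = entry[1:] if entry.startswith("%") else entry
    return "@" not in ref or sssd_version >= (2, 4)


def rule_matches(rule, user, user_ad_groups, sssd_version, ipa_groups):
    """user and user_ad_groups are fully-qualified AD names as the client resolves them."""
    user = user.lower()
    ad_groups = {g.lower() for g in user_ad_groups}
    for entry in rule.external_users:
        if not external_entry_usable(entry, sssd_version):
            continue  # an older client skips the entry: "no rule matching" in its logs
        if entry.startswith("%"):
            if entry[1:].lower() in ad_groups:
                return True
        elif entry.lower() == user:
            return True
    for g in rule.member_groups:
        reachable = ipa_groups.leaves(g)
        if user in reachable or ad_groups & reachable:
            return True
    return False


# Constructed scenario (names and versions are placeholders, not the thread's values).
AD_GROUP = "ad-sudoers@ad.example.test"
NEW_WAY = SudoRule("admins", frozenset(), frozenset({"%" + AD_GROUP}))
OLD_WAY = SudoRule("admins", frozenset({"ad_admins"}), frozenset())
GROUPS = IpaGroups({"ad_admins": {"ad_admins_external"},   # POSIX group
                    "ad_admins_external": {AD_GROUP}})      # non-POSIX external group
EL7_SSSD, EL8_SSSD = (1, 16), (2, 4)  # illustrative: pre-2.4 client vs 2.4-capable client


def outcome_table():
    """Which rule form works on which client, for one constructed AD user."""
    user, groups = "alice@ad.example.test", {AD_GROUP}
    return {(way, ver): rule_matches(rule, user, groups, ver, GROUPS)
            for way, rule in (("externalUser", NEW_WAY), ("memberUser", OLD_WAY))
            for ver in (EL7_SSSD, EL8_SSSD)}


if __name__ == "__main__":
    for (way, ver), ok in outcome_table().items():
        print(f"{way:12s} sssd {ver[0]}.{ver[1]}: {'sudo allowed' if ok else 'no rule matching'}")
```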


[Freeipa-users] sudo doesn't work with AD groups

2021-11-23 Thread Nathanaël Blanchet via FreeIPA-users

Hello,

I'm running a 4.9 server.

I added an AD group as an external group in a sudo rule as follows:

ipa sudorule-add-user "admins" --groups "admins du doma...@levant.abes.fr"

I notice two kinds of behaviour on the guests:

 * el8 with 4.9 client can successfully sudo
 * el7 with 4.6 client is not allowed to perform sudo (no rule matching in the logs)

Now, if I use the old way, i.e.:

 * create a non POSIX external group containing "admins du
   doma...@levant.abes.fr"
 * and add that group to a POSIX group

ipa sudorule-add-user "admins" --groups ad_admins_external

I can perform sudo in any case.

My deduction is that there is something not backported in the el7 4.6 client that does exist in the el8 4.9 client.


I suppose there shouldn't be any restriction to make the 4.6 client work 
in this case. So is this a bug?


Second question: I've been looking for a long time for a way to get the el7 4.9 client, but it doesn't seem to exist (maybe compile from sources). Why is this client not packaged for el7?


--
Nathanaël Blanchet

Network supervision
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14
blanc...@abes.fr



[Freeipa-users] Re: sudorules attribute "entryuuid" not allowed

2021-11-23 Thread Thierry Bordaz via FreeIPA-users

Hi Kees,

The missing fix #4872 is pretty small [1]. Initial definition of 
entryuuid required a syntax/MR that was not available with previous 
versions, so it broke schema replication in mixed topology.


An easy workaround is to stop the 1.4.3.23 instance, edit /usr/share/dirsrv/schema/03entryuuid.ldif on 1.4.3.23 installations and restart the server. A dummy update on 1.4.3.23 will trigger the replication of the schema definition of 'entryuuid' and then the CentOS 7 instance will be able to manage the entryuuid attribute.


Regards
thierry


[1] 
https://github.com/389ds/389-ds-base/commit/bce941ec3cdf77eaf4bc3ea744f1df6e5bfd9d38



[Freeipa-users] Re: sudorules attribute "entryuuid" not allowed

2021-11-23 Thread Kees Bakker via FreeIPA-users

So, I have 1.4.3.23. A change was made in 1.4.3.26 (commit f370a281b8, Issue 
4872).
The latest in Centos 8 Stream is 1.4.3.23-10

That leaves me with the following questions.

1. What do I need to do to disable the entryUUID plugin?
2. What do I need to do to fix the current LDAP conflict?
3. Do I really need 389-ds-base 1.4.3.26 or later (if I manage to disable the 
entryUUID plugin)?
-- Kees
