On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> The aci prefix was missing in the description of the three dns acis
> which made them not show up when viewing their permission entries.
This works fine, but it is just a part of a solution. DNS related
privileges miss memberof attribute for the DNS permissions and thus the
permissions are not listed:
# ipa permission-show "add dns entries"
Permission name: add dns entries
Granted to Privilege: DNS Administrators, DNS Servers
# ipa privilege-show "DNS Administrators"
Privilege name: DNS Administrators
Description: DNS Administrators
<<< Missing permissions
I think the reason is that the permissions are in a wrong order in the
LDIF and are created before the privilege itself. When member links are
being created for DNS permissions, the memberof plugin cannot add
memberof attributes for the privilege since it does not exist yet. This
is the main issue that the BZ bug complains about.
Freeipa-devel mailing list