On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >> The aci prefix was missing in the description of the three dns acis
> >> which made them not show up when viewing their permission entries.
> >>
> >> rob
> >
> > This works fine, but it is just a part of a solution. DNS related
> > privileges miss memberof attribute for the DNS permissions and thus the
> > permissions are not listed:
> >
> > # ipa permission-show "add dns entries"
> >   Permission name: add dns entries
> >   Permissions: add
> >   Type: dnsrecord
> >   Granted to Privilege: DNS Administrators, DNS Servers
> >
> > # ipa privilege-show "DNS Administrators"
> >   Privilege name: DNS Administrators
> >   Description: DNS Administrators
> >   <<< Missing permissions
> >
> > I think the reason is that the permissions are in a wrong order in the
> > LDIF and are created before the privilege itself. When member links are
> > being created for DNS permissions, the memberof plugin cannot add
> > memberof attributes for the privilege since it does not exist yet. This
> > is the main issue that the BZ bug complains about.
> >
> > Martin
> >
>
> There are two problems:
>
> 1. The acis lacked a prefix so they didn't appear as permissions
>
> 2. The permission was added before the privilege so the memberof values
> weren't being calculated.
>
> This fixes it for new installs and adds an update to fix up existing
> installs.
>
> rob
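The ordering problem Martin describes (a permission entry whose member attribute names a privilege that the LDIF has not created yet, so the memberof plugin has nothing to write memberOf onto) can be caught before the LDIF is ever applied. The script below is an added example written for this page; it is not FreeIPA's code, and the LDIF it checks is a constructed sample that only imitates the shape of the problem (the DN suffixes, object classes and the helper names find_forward_member_refs and reorder_for_memberof are all assumptions). It lints an LDIF for member values that point forward to an entry defined later in the same file, and computes a stable order in which every entry follows the entries it names.

```python
"""Lint an LDIF for forward 'member' references (added example, not FreeIPA code).

Hypothetical helper illustrating the ordering problem from the thread: a
memberof plugin only writes memberOf onto an entry that already exists when
the referring entry's 'member' attribute is added. An LDIF that adds a
permission (member: <privilege DN>) before the privilege itself therefore
leaves the privilege without its memberOf back-link.
"""
import base64

# Constructed sample in the shape of the thread's problem (assumed DNs and
# object classes, not the real install LDIF): the first permission precedes
# the privilege it points at, the second one follows it.
SAMPLE_LDIF = """\
dn: cn=Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: groupofnames
objectClass: ipapermission
cn: Add DNS Entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Administrators
description: DNS Administrators

dn: cn=Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: groupofnames
objectClass: ipapermission
cn: Update DNS Entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=com
"""


def normalize_dn(dn):
    # Case- and whitespace-insensitive comparison key. Does not handle escaped
    # commas inside RDN values; good enough for a linter over install LDIFs.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) in file order."""
    logical = []
    for raw in text.splitlines():
        # A leading space continues the previous logical line (LDIF folding).
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    return entries


def find_forward_member_refs(text, known_dns=()):
    """List (referring_dn, target_dn) for member values whose target is neither
    pre-existing in the directory (known_dns) nor defined earlier in the LDIF."""
    seen = {normalize_dn(d) for d in known_dns}
    problems = []
    for dn, attrs in parse_ldif(text):
        for target in attrs.get("member", []):
            if normalize_dn(target) not in seen:
                problems.append((dn, target))
        seen.add(normalize_dn(dn))
    return problems


def reorder_for_memberof(text, known_dns=()):
    """Stable dependency order: each DN is emitted only after every DN it names
    in 'member' (depth-first, preserving file order otherwise). Raises on a
    member cycle or on a target that is in neither the LDIF nor known_dns."""
    entries = parse_ldif(text)
    by_dn = {normalize_dn(dn): (dn, attrs) for dn, attrs in entries}
    done = {normalize_dn(d) for d in known_dns}
    order, visiting = [], set()

    def visit(key):
        if key in done:
            return
        if key in visiting:
            raise ValueError("member cycle at %s" % key)
        if key not in by_dn:
            raise ValueError("member target missing from LDIF: %s" % key)
        visiting.add(key)
        dn, attrs = by_dn[key]
        for target in attrs.get("member", []):
            visit(normalize_dn(target))
        visiting.discard(key)
        done.add(key)
        order.append(dn)

    for dn, _ in entries:
        visit(normalize_dn(dn))
    return order


if __name__ == "__main__":
    for referrer, target in find_forward_member_refs(SAMPLE_LDIF):
        print("forward member reference: %s -> %s" % (referrer, target))
    print("safe order:", reorder_for_memberof(SAMPLE_LDIF))
```

Run against the sample, the linter reports the one forward reference (the "Add DNS Entries" permission pointing at a privilege not yet created) and the reorder puts the privilege first. Passing the DNs that already exist in the directory as known_dns makes the same check usable for an update LDIF applied to an existing install rather than a clean one.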
It works fine when doing an upgrade. However, when running a clean install,
I get these errors:

# ipa-server-install --setup-dns
...
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
root        : ERROR    Add failure Object class violation: missing required attribute "objectclass"
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete

Do you hit this too? Permission and privilege member attributes were OK, though.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel