On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> >>>>> The aci prefix was missing in the description of the three dns acis
> >>>>> which made them not show up when viewing their permission entries.
> >>>>>
> >>>>> rob
> >>>>
> >>>> This works fine, but it is just a part of a solution. DNS-related
> >>>> privileges miss the memberof attribute for the DNS permissions and thus the
> >>>> permissions are not listed:
> >>>>
> >>>> # ipa permission-show "add dns entries"
> >>>> Permission name: add dns entries
> >>>> Permissions: add
> >>>> Type: dnsrecord
> >>>> Granted to Privilege: DNS Administrators, DNS Servers
> >>>>
> >>>> # ipa privilege-show "DNS Administrators"
> >>>> Privilege name: DNS Administrators
> >>>> Description: DNS Administrators
> >>>> <<< Missing permissions
> >>>>
> >>>> I think the reason is that the permissions are in the wrong order in the
> >>>> LDIF and are created before the privilege itself. When member links are
> >>>> being created for DNS permissions, the memberof plugin cannot add
> >>>> memberof attributes for the privilege since it does not exist yet. This
> >>>> is the main issue that the BZ bug complains about.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> There are two problems:
> >>>
> >>> 1. The acis lacked a prefix so they didn't appear as permissions
> >>>
> >>> 2. The permission was added before the privilege so the memberof values
> >>> weren't being calculated.
> >>>
> >>> This fixes it for new installs and adds an update to fix up existing
> >>> installs.
> >>>
> >>> rob
> >>
> >> It works fine when doing an upgrade. However, when running a clean install,
> >> I get these errors:
> >>
> >> # ipa-server-install --setup-dns
> >> ...
> >> [9/13]: publish CA cert
> >> [10/13]: creating a keytab for httpd
> >> [11/13]: configuring SELinux for httpd
> >> [12/13]: restarting httpd
> >> [13/13]: configuring httpd to start on boot
> >> done configuring httpd.
> >> Applying LDAP updates
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> root : ERROR Add failure Object class violation: missing required
> >> attribute "objectclass"
> >> Restarting IPA to initialize updates before performing deletes:
> >> [1/2]: stopping directory server
> >> [2/2]: starting directory server
> >> done configuring dirsrv.
> >> Restarting the directory server
> >> Restarting the KDC
> >> Restarting the web server
> >> Configuring named:
> >> [1/9]: adding DNS container
> >> [2/9]: setting up our zone
> >> [3/9]: setting up reverse zone
> >> [4/9]: setting up our own record
> >> [5/9]: setting up kerberos principal
> >> [6/9]: setting up named.conf
> >> [7/9]: restarting named
> >> [8/9]: configuring named to start on boot
> >> [9/9]: changing resolv.conf to point to ourselves
> >> done configuring named.
> >> ==============================================================================
> >>
> >> Setup complete
> >>
> >> Do you hit this too? Permissions and privileges member attributes were
> >> OK though.
> >>
> >> Martin
> >>
> >
> > Bah, ok. We only create these permissions when dns is installed so I'll
> > need to find some way to optionally add this.
> >
> > rob
>
> I needed to add a new type to the updater to only add new values if the
> entry exists.
>
> rob
I still get the same error. We have a new handy addifnew update type ready, let's use it in these DNS .update files too :-)

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
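The ordering problem Martin describes in the thread (a permission entry carrying `member` links to a privilege that is only added later in the LDIF, so the memberof plugin has nothing to update when the permission is created) can be caught before an update file is ever applied. The following is an added example, not code from the thread or from FreeIPA's updater: a small LDIF reader that reports every `member` value pointing at an entry that is defined later in the file or not at all, plus a stable topological reorder that places each entry after the entries it references. The sample LDIF, its DNs and the `dc=example,dc=test` suffix are constructed for illustration and are not FreeIPA's real entries; the `existing` parameter models DNs already present in the directory before the update runs.

```python
import base64

# Constructed sample LDIF, loosely modelled on the thread: the permission is
# listed before the privileges it names as members. Not FreeIPA's real data.
SAMPLE_LDIF = """\
dn: cn=add dns entries,cn=permissions,cn=pbac,dc=example,dc=test
objectClass: top
objectClass: groupofnames
cn: add dns entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=test
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test

dn: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=test
objectClass: top
objectClass: groupofnames
cn: DNS Administrators
description: DNS Administrators

dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
objectClass: top
objectClass: groupofnames
cn: DNS Servers
description: DNS Servers
"""


def normalize_dn(dn):
    # DNs compare case-insensitively and ignore whitespace around commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order.

    Handles folded continuation lines (leading space), comments and
    base64-encoded values ("attr:: ...").
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def find_forward_refs(entries, existing=()):
    """List (entry_dn, member_dn, 'later' | 'missing') for every member value
    that does not point at an entry defined earlier in the file or already
    present in the directory (``existing``)."""
    first_index = {}
    for i, (dn, _) in enumerate(entries):
        first_index.setdefault(normalize_dn(dn), i)
    known = {normalize_dn(d) for d in existing}
    problems = []
    for i, (dn, attrs) in enumerate(entries):
        for member in attrs.get("member", []):
            target = normalize_dn(member)
            if target in known or first_index.get(target, i) < i:
                continue
            status = "later" if target in first_index else "missing"
            problems.append((dn, member, status))
    return problems


def reorder(entries):
    """Stable topological sort: each entry is emitted after every entry it
    references through member, so memberof can be computed at add time."""
    index = {}
    for i, (dn, _) in enumerate(entries):
        index.setdefault(normalize_dn(dn), i)
    ordered, state = [], {}                 # state: 1 = visiting, 2 = done

    def visit(i):
        if state.get(i) == 2:
            return
        if state.get(i) == 1:
            raise ValueError("cycle in member references at %s" % entries[i][0])
        state[i] = 1
        for member in entries[i][1].get("member", []):
            j = index.get(normalize_dn(member))
            if j is not None and j != i:
                visit(j)
        state[i] = 2
        ordered.append(entries[i])

    for i in range(len(entries)):
        visit(i)
    return ordered


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for entry_dn, member_dn, status in find_forward_refs(parsed):
        print("%s -> %s (%s)" % (entry_dn, member_dn, status))
    print("suggested order:")
    for dn, _ in reorder(parsed):
        print("  " + dn)
```

Run against the sample, the check reports both privilege DNs as `later` references from the permission entry, and the reorder moves the two privileges ahead of it. Passing the DNs that an upgrade already has in the directory via `existing` reproduces Martin's observation that the upgrade path was fine while a clean install was not.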