Martin Kosek wrote:
On Thu, 2011-10-06 at 17:06 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
The aci prefix was missing in the description of the three dns acis
which made them not show up when viewing their permission entries.


This works fine, but it is just a part of a solution. DNS related
privileges miss memberof attribute for the DNS permissions and thus the
permissions are not listed:

# ipa permission-show "add dns entries"
Permission name: add dns entries
Permissions: add
Type: dnsrecord
Granted to Privilege: DNS Administrators, DNS Servers

# ipa privilege-show "DNS Administrators"
Privilege name: DNS Administrators
Description: DNS Administrators
<<<  Missing permissions

I think the reason is that the permissions are in a wrong order in the
LDIF and are created before the privilege itself. When member links are
being created for DNS permissions, the memberof plugin cannot add
memberof attributes for the privilege since it does not exist yet. This
is the main issue that the BZ bug complains about.


There are two problems:

1. The acis lacked a prefix so they didn't appear as permissions

2. The permission was added before the privilege so the memberof values
weren't being calculated.

This fixes it for new installs and adds an update to fix up existing


It works fine when doing upgrade. However, when running a clean install,
I get these errors:

# ipa-server-install --setup-dns
[9/13]: publish CA cert
[10/13]: creating a keytab for httpd
[11/13]: configuring SELinux for httpd
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
root : ERROR Add failure Object class violation: missing required
attribute "objectclass"
root : ERROR Add failure Object class violation: missing required
attribute "objectclass"
root : ERROR Add failure Object class violation: missing required
attribute "objectclass"
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
[1/9]: adding DNS container
[2/9]: setting up our zone
[3/9]: setting up reverse zone
[4/9]: setting up our own record
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
[7/9]: restarting named
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
done configuring named.

Setup complete

Do you hit this too? Permissions and privileges member attributes were
OK though.


Bah, ok. We only create these permissions when dns is installed so I'll
need to find some way to optionally add this.


I needed to add a new type to the updater to only add new values if the
entry exists.


I still get the same error. We have a new handy addifnew update type
ready, lets use it in these DNS .update file too :-)


addifnew adds single value attributes if they aren't already in the entry, that will cause the same error.


Freeipa-devel mailing list

Reply via email to