On 01/09/2014 02:32 PM, Nathaniel McCallum wrote:
This patch is independent from my patches 0028-0031 and can be merged in
any order.

This patch has a bug, but I can't figure it out. We need to set
nsslapd-access-userattr-strict on cn=config to "off". However, during
the rpm installation, I get this error:

DEBUG Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Deleting
attributes is not allowed', 'desc': 'Server is unwilling to perform'}
ERROR Update failed: Server is unwilling to perform: Deleting attributes
is not allowed

I'm not sure what is causing this. Does anyone have any suggestions?
I believe the IPA update mechanism works by doing a modify/del of the attribute followed by a modify/add. By default, cn=config restricts the attributes which can be deleted. You can add nsslapd-access-userattr-strict to this list. Unfortunately, it is rather painful to do so.

Method one: Don't use the ipa update mechanism to update this attribute. Instead, just use an ldap modify directly e.g. using ldapmodify:
ldapmodify ....
dn: cn=config
changetype: modify
replace: nsslapd-access-userattr-strict
nsslapd-access-userattr-strict: off

or in python-ldap:
import ldap
conn = ldap.initialize("ldap://ldap.example.com")  # placeholder: your LDAP URL
conn.simple_bind_s("cn=directory manager", "password")
mod = [(ldap.MOD_REPLACE, "nsslapd-access-userattr-strict", [b"off"])]  # values are bytes in python-ldap 3.x
conn.modify_s("cn=config", mod)

Method two: allow deletion of nsslapd-access-userattr-strict in order to use the ipa update method. This will unfortunately require the use of something other than the ipa update method, again.
1) do a search to get the current value in cn=config nsslapd-allowed-to-delete-attrs - it is a single space-delimited list
2) add nsslapd-access-userattr-strict to the list
3) mod/replace the value


Nathaniel
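Method two as a small helper, added here as an illustration and not code from the thread or from FreeIPA itself; it assumes python-ldap and a placeholder server URL and credentials in the usage block.

```python
# Method two from the reply, as a reusable helper: extend the space-delimited
# nsslapd-allowed-to-delete-attrs list on cn=config so that the IPA updater's
# delete-then-add sequence is accepted for the attribute in question.
ALLOWED_ATTR = "nsslapd-allowed-to-delete-attrs"


def add_to_allowed(current, attr):
    """Return the list with attr appended. Idempotent, and case-insensitive
    because LDAP attribute type names are; normalises surrounding whitespace."""
    names = current.split() if current else []
    if attr.lower() in (n.lower() for n in names):
        return " ".join(names)
    return " ".join(names + [attr])


def read_allowed(conn, dn="cn=config"):
    """Step 1: fetch the current nsslapd-allowed-to-delete-attrs value ('' if unset)."""
    import ldap  # python-ldap; imported here so add_to_allowed() needs no LDAP
    entries = conn.search_s(dn, ldap.SCOPE_BASE, "(objectClass=*)", [ALLOWED_ATTR])
    values = entries[0][1].get(ALLOWED_ATTR, [])
    # python-ldap 3.x returns bytes; 2.x on Python 2 returns str, which also decodes
    return values[0].decode("utf-8") if values else ""


def allow_delete_attr(conn, attr, dn="cn=config"):
    """Steps 1-3: search, extend the list, mod/replace. Returns the new value."""
    import ldap
    current = read_allowed(conn, dn)
    new = add_to_allowed(current, attr)
    if new != current:  # only write when something actually changed
        conn.modify_s(dn, [(ldap.MOD_REPLACE, ALLOWED_ATTR, [new.encode("utf-8")])])
    return new


if __name__ == "__main__":
    import ldap
    # Placeholders: replace the URL and credentials with your own server's.
    conn = ldap.initialize("ldap://ldap.example.com")
    conn.simple_bind_s("cn=directory manager", "password")
    print(allow_delete_attr(conn, "nsslapd-access-userattr-strict"))
    # From here the ipa update mechanism (delete followed by add) is accepted;
    # alternatively set the value directly, as in method one:
    conn.modify_s("cn=config", [(ldap.MOD_REPLACE,
                                 "nsslapd-access-userattr-strict", [b"off"])])
```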


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
