On 3.7.2014 19:34, Martin Basti wrote:
On Thu, 2014-07-03 at 14:59 +0200, Petr Spacek wrote:
On 2.7.2014 10:32, Petr Spacek wrote:
On 2.7.2014 10:23, Martin Basti wrote:
On Wed, 2014-07-02 at 09:40 +0200, Petr Spacek wrote:
On 1.7.2014 17:28, Martin Basti wrote:
Patch attached


I'm not able to apply it on top of current master
(21e1e4ac3bd62c20c6331ea3dc09793e3a869c22).

Sorry I lost myself in ACIs, it depends on the patch mbasti-0084-2 and
0085-2

Okay, I will test it when you send new versions of 0084 and 0085.

NACK. It doesn't work for me for some reason, tlsarecord was not added to aci
for some reason.

The same problem applies to DLVRecord and nSEC3PARAMRecord. DS record seems to
be okay.


Updated patch attached


Sorry, NACK! ;-)

Upgrade from 3.3.5 died with error in ipa-ldap-updater:

Parsing update file '/usr/share/ipa/updates/40-dns.update'
Updating existing entry: cn=IPA DNS,cn=plugins,cn=config
Done
Updating existing entry: cn=dns,dc=ipa,dc=example
Unexpected error - see /var/log/ipaupgrade.log for details:
InvalidSyntax: targetattr "idnsforwarders dlvrecord" does not exist in schema. Please add attributeTypes "idnsforwarders dlvrecord" to schema if necessary. ACL Syntax Error(-5):(targetattr = \22idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord\22)(target = \22ldap:///idnsname=\2a,cn=dns,dc=ipa,dc=example\22)(version 3.0;acl \22Update DNS entries in a zone\22;allow (write) userattr = \22parent[0,1].managedby#GROUPDN\22;): Invalid syntax.


/var/log/ipaupgrade.log says this:

2014-07-03T18:52:48Z DEBUG Final value after applying updates
2014-07-03T18:52:48Z DEBUG dn: cn=dns,dc=ipa,dc=example
2014-07-03T18:52:48Z DEBUG objectClass:
2014-07-03T18:52:48Z DEBUG      nsContainer
2014-07-03T18:52:48Z DEBUG      top
2014-07-03T18:52:48Z DEBUG      idnsConfigObject
2014-07-03T18:52:48Z DEBUG      idnsConfigObject
2014-07-03T18:52:48Z DEBUG aci:
2014-07-03T18:52:48Z DEBUG (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example" or userattr = "parent[0,1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
2014-07-03T18:52:48Z DEBUG cn:
2014-07-03T18:52:48Z DEBUG      dns
2014-07-03T18:52:48Z DEBUG [(0, u'aci', ['(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'])]
2014-07-03T18:52:48Z DEBUG Live 1, updated 1
2014-07-03T18:52:48Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 213, in run
    modified = ld.update(self.files, ordered=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 791, in _run_updates
    self._update_record(update)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 712, in _update_record
    self.conn.update_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1622, in update_entry
    self.conn.modify_s(entry.dn, modlist)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1183, in error_handler
    raise errors.InvalidSyntax(attr=info)

--
Petr^2 Spacek
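
In the error and log output above, the new ACI value carries `idnsforwarders dlvrecord` as a single targetattr entry, with no `||` between the two names, and the server rejects it as an unknown attribute. The lint below checks an ACI's targetattr list for that kind of entry before it is sent to the server; it is an added example, not FreeIPA code, and the function names and shortened sample ACIs are constructed for illustration.

```python
import re

# (targetattr = "...") or (targetattr != "..."); the quote may be literal or
# the escaped form \22 that appears in the server's error text.
_TARGETATTR = re.compile(
    r'\(\s*targetattr\s*!?=\s*(?:"|\\22)(.*?)(?:"|\\22)\s*\)', re.I | re.S)
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*")

def targetattr_names(aci):
    """Return the entries of the ACI's targetattr list, split on '||'."""
    m = _TARGETATTR.search(aci)
    return [p.strip() for p in m.group(1).split("||")] if m else []

def lint_targetattr(aci):
    """Return (entry, problem) pairs for malformed targetattr entries."""
    problems = []
    for name in targetattr_names(aci):
        if not name:
            problems.append((name, "empty entry, stray '||'"))
        elif re.search(r"\s", name):
            problems.append((name, "whitespace in name, '||' probably missing"))
        elif name != "*" and not _ATTR_NAME.fullmatch(name):
            problems.append((name, "not a valid attribute name"))
    return problems

# Constructed samples: the tail of the "Update DNS entries in a zone" ACI from
# the log above, shortened, as sent (BROKEN) and with the separator restored.
_REST = ('(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)'
         '(version 3.0;acl "Update DNS entries in a zone";'
         'allow (write) userattr = "parent[0,1].managedby#GROUPDN";)')
BROKEN = ('(targetattr = "idnsforwardpolicy || idnsforwarders dlvrecord || '
          'idnssecinlinesigning || nsec3paramrecord || tlsarecord")' + _REST)
FIXED = BROKEN.replace("idnsforwarders dlvrecord", "idnsforwarders || dlvrecord")
# Same broken value in the \22-escaped form used in the error message.
ESCAPED = BROKEN.replace('"', r"\22")

if __name__ == "__main__":
    for label, aci in (("broken", BROKEN), ("escaped", ESCAPED), ("fixed", FIXED)):
        print(label, lint_targetattr(aci))
```

The check is purely syntactic: it does not consult the directory schema, so a correctly separated but unknown attribute name still passes.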
