On 01/13/2016 07:18 AM, Jan Cholasta wrote:
On 12.1.2016 19:13, Martin Babinsky wrote:
commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install
and management on IPA servers upgraded from pre-4.3 version. The
attached patch fixes this.

https://fedorahosted.org/freeipa/ticket/5575

Any reason to repeat the DN 3 times?

Besides that LGTM.


No other reason than not using my brain while copy-pasting ACIs.

Attaching updated patch.

--
Martin^3 Babinsky
From fbb09447ee9de307e78ace3dfb70f01d57694be0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 12 Jan 2016 18:59:11 +0100
Subject: [PATCH] IPA upgrade: move replication ACIs to the mapping tree entry

During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from the
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However, they are never re-added, breaking management and
installation of replicas.

This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.

https://fedorahosted.org/freeipa/ticket/5575
---
 install/updates/20-aci.update | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index cef842bbdf291762ef91d6be63c435b2f2161897..5526efa152340f14f17f833e32cbf8231693534f 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -63,8 +63,12 @@ dn: cn=tasks,cn=config
 add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 
 # Allow hosts to read their replication agreements
+# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes
 dn: cn=mapping tree,cn=config
 add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
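Review bot: the "permission:Add Replication Agreements" ACI being added to `cn=mapping tree,cn=config` carries `(targetattr=*)` with no `targetfilter` or `target` clause, so once it sits on the parent entry it grants `add` for any entry anywhere beneath `cn=mapping tree,cn=config`, not only replication agreement entries; the neighbouring "Modify" and "Remove" ACIs in the same hunk both restrict themselves with a `(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")`-style clause, so consider giving the Add ACI a matching filter (or a `target` like the one on the "Allow hosts to read their replication agreements" ACI above it) so that moving it one level up does not widen what holders of the Add Replication Agreements permission may create. Minor: the three new lines are written `add: aci:` while the existing line directly above uses `add:aci:`; the file should use one spelling consistently.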
-- 
2.5.0
