[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b 
"cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
 targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
 ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
 jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
 gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
 tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
 s Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
 cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
 onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
 slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
 e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
 guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
 e Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
 roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=

# mapping tree, config
dn: cn=mapping tree,cn=config
aci: (target = "ldap:///cn=meTo($dn),cn=*,cn=mapping tree,cn=config")(targetat
 tr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replica
 tion agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($dn),c

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
 "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
 n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
 -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
 , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dev-

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
 rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

#, features, config
dn: oid=,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
 d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
  search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
 jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
 ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
 cation Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
 ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
 ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
 ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
 jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
 Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
 llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
 "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
 shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
 allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
 e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 12

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: January-22-16 6:26 AM
To: Nathan Peters; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

On 01/21/2016 08:48 PM, Nathan Peters wrote:
> Here are the results for that aci search using a non-GSSAPI bind by directory 
> manager on the old master that we are attempting to join against.  I don't see 
> anything in this list that would indicate that some users should or should 
> not have access through a certain method.  Unless one of those sasl config 
> settings is doing it?
> [root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b 
> "cn=config" "(aci=*)"

You almost got it.  You left out the most important part, at the end of the 
command: the attribute list, which must name the "aci" attribute: 

# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
