On 01/22/2016 10:15 AM, Nathan Peters wrote:
[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" 
"(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
  ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
  ,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
  nfiguration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
  dev-mydomain,dc=net";)

# mapping tree, config
dn: cn=mapping tree,cn=config
aci: (target = "ldap:///cn=meTo($dn),cn=*,cn=mapping tree,cn=config")(targetat
  tr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replica
  tion agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($dn),c
  n=computers,cn=accounts,dc=dev-mydomain,dc=net";)

I don't see any acis to allow the IPA admin user to have access to cn=config or any entries below it.

Looks like the host principal should be able to read the replication agreements that replicate to it from other hosts.


# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
  sions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
  -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
  , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dev-
  mydomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
  rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
  d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
   search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
  ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
  cation Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
  ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
  ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
  Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
  Range,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
  ions,cn=pbac,dc=dev-mydomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
  s,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 12



-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: January-22-16 6:26 AM
To: Nathan Peters; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

On 01/21/2016 08:48 PM, Nathan Peters wrote:
Here are the results for that aci search using a non gssapi bind by directory 
manager on the old master that we are attempting to join agains.  I don't see 
anything in this list that would indicate that some users should or should not 
have access through a certain method.  Unless one of those sasl config settings 
is doing it ?

[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" 
"(aci=*)"
You almost got it.  You left out the most important part, at the end of the command, 
specifying the "aci" attribute:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html

# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to