Wow, strange stuff, the search I linked in the last email for our non working 
dev environment seems short some entries.

For comparison, here is the same search run against our currently working prod 
environment.

As you can see, our prod environment has a huge aci on the config tree.

 For reference, our prod and dev environments were identical (FreeIPA 
4.1.4/CentOS7.1) before I updated our dev environment to CentOS7.2/FreeIPA4.2.0 
-> Fedora23/FreeIPA4.2.3 -> Fedora23/FreeIPA4.3.0.  So at some point during 
this upgrade process I assume maybe one of the installers deleted acis on our 
tree?  That sounds like the kind of thing that would happen when introducing 
the new domain level functionality in 4.3, like if someone accidentally thought 
"oh this replica branch is now in a globally replicated section, we can remove 
these acis for this local stuff..." and then put that logic into the installer 
or something...

The real question is, is there some good way of getting those aci's back, like 
a fixaci command?

=========================
Prod aci's that do work for comparison
=========================

[root@dc1-ipa-prod-nvan ~]$ ldapsearch -D "cn=directory manager" -W -b 
"cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
s Configuration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
nfiguration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
e Configuration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
myproddomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
  winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc
=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
"snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
sions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou= people,o=ip
aca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
, compare, search) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=myproddomain,dc=net";;)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi
p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta
sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
r Tasks,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
  search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Dmyproddomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dmyproddomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
pbac,dc=myproddomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
reements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
cation Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
;allow (add) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou= peop
le,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
,ou= people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
llow (read) userdn="ldap:///uid=pkidbuser,ou= people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
"permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
ions,cn=pbac,dc=myproddomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
s,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: January-22-16 9:18 AM
To: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b 
"cn=config" "(aci=*)" aci Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r  
ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(  
targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T  
ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
 ,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob  
jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu  
gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura  
tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager  
s Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,  
cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C  
onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
 nfiguration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
 slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas  
e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi  
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas  
e Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g  
roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
 dev-mydomain,dc=net";)

# mapping tree, config
dn: cn=mapping tree,cn=config
aci: (target = "ldap:///cn=meTo($dn),cn=*,cn=mapping tree,cn=config")(targetat  
tr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replica  
tion agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($dn),c
 n=computers,cn=accounts,dc=dev-mydomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl  
"snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio  
n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
 sions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re  
-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
 ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read  
, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dev-
 mydomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use  
rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea  
d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
  search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
 jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem  
ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli  
cation Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
 ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
 s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
 ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre  
ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
 e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
 jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
 Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
 ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a  
llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl  
"permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
 Range,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre  
shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";  
allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
 ions,cn=pbac,dc=dev-mydomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas  
e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
 s,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 12



-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: January-22-16 6:26 AM
To: Nathan Peters; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

On 01/21/2016 08:48 PM, Nathan Peters wrote:
> Here are the results for that aci search using a non gssapi bind by directory 
> manager on the old master that we are attempting to join agains.  I don't see 
> anything in this list that would indicate that some users should or should 
> not have access through a certain method.  Unless one of those sasl config 
> settings is doing it ?
>
> [root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b 
> "cn=config" "(aci=*)"

You almost got it.  You left out the most important part, at the end of the 
command, specifying the "aci" attribute: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html

# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to