On 26.01.2016 21:03, Nathan Peters wrote:
After some more investigation, it appears that there may be more ACIs missing.

I added the missing permission (System: Read Replication Agreements) on all my 
masters, and then the installation failed at this point:
---------------------------
[28/43]: setting up initial replication
Starting replication, please wait until this has completed.
   [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 
'nsds5BeginReplicaRefresh' attribute of entry 
'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping 
tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    {'info': "Insufficient 
'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 
'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping 
tree,cn=config'.\n", 'desc': 'Insufficient access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information

Because of that and a comparison of my earlier version of LDIF files from 
earlier versions of FreeIPA, I noticed the following ACI also missing from the 
mapping tree:
--------------------------------------
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
  low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
  pbac,dc=mydomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
  reements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)

After I added that, I attempted my replica installation again; this time it 
failed on the o=ipaca branch:
----------------------------------------
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
seconds
   [1/23]: creating certificate server user
   [2/23]: creating certificate server db
   [3/23]: setting up initial replication
   [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 
'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping 
tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    {'info': "Insufficient 
'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 
'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient 
access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information

Looking at that branch of the LDAP tree, I noticed some differences:
---------------------------------------------------------------------------
In the cn=yourdomain,cn=mapping tree,cn=config you will find the following 
permissions :
permission:Add Replication Agreements
In the cn=o=ipaca,cn=mapping tree,cn=config you will find the following 
permissions :
cert manager: Add Replication Agreements

=========================
So I think there are actually 3 issues:
===========================
1. Missing aci on base cn=config entry
2. Missing aci on dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config branch
3. acis are on the o=ipaca branch, but they are wrong as they only apply to 
cert manager, and not all users
I'm not sure if this covers your issues, but it may be related.

https://fedorahosted.org/freeipa/ticket/5412

Martin
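
An added example, written for this thread rather than taken from it or from FreeIPA: a Python script that reads the ACI dumps of two masters (the `ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci` output quoted further down, captured on each server), lists per entry DN which ACIs the second master lacks, and renders them as ldapmodify input that re-adds them. The two dumps embedded inline are constructed and shortened from the ACIs quoted in the thread, not real captures; the entry DNs and permission names are the ones the thread shows.

```python
import re
from collections import OrderedDict

# Constructed, abbreviated dumps in the format of
#   ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
# REFERENCE plays a master that still has every ACI; CANDIDATE one that lost
# "System: Read Replication Agreements" on cn=config and the mapping-tree ACIs.
REFERENCE_DUMP = r"""
# config
dn: cn=config
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
 roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
 ipatestdomain,dc=net";)
aci: (targetattr = "cn || nsds5beginreplicarefresh || nsds5replicabinddn")(ver
 sion 3.0;acl "permission:System: Read Replication Agreements";allow (compare,
 read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=per
 missions,cn=pbac,dc=ipatestdomain,dc=net";)

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success
"""

CANDIDATE_DUMP = r"""
# config
dn: cn=config
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
 roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
 ipatestdomain,dc=net";)
"""

# An ACI's name is the quoted string after "acl" (or "aci", the spelling the
# Dogtag-installed ones use).
ACI_NAME = re.compile(r'\b(?:acl|aci)\s+"([^"]+)"')


def parse_ldif(text):
    """{entry DN: [aci value, ...]} from ldapsearch output. RFC 2849 folding:
    a line starting with one space continues the previous one, minus that
    space. Comments and the search summary fall through untouched; base64
    'aci::' values (non-ASCII or leading space) are not handled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn = OrderedDict(), None
    for line in unfolded:
        if line.startswith("dn: "):
            dn = line[4:]
            entries.setdefault(dn, [])
        elif line.startswith("aci: ") and dn is not None:
            entries[dn].append(line[5:])
    return entries


def aci_name(aci):
    m = ACI_NAME.search(aci)
    return m.group(1) if m else aci


def missing_acis(reference_dump, candidate_dump):
    """ACIs in the reference that the candidate lacks, per DN. Matching is by
    ACI name: an entry absent from the candidate reports all of its ACIs, and
    a differently named ACI counts as missing rather than equivalent."""
    cand = parse_ldif(candidate_dump)
    missing = OrderedDict()
    for dn, acis in parse_ldif(reference_dump).items():
        present = {aci_name(a) for a in cand.get(dn, [])}
        lost = [a for a in acis if aci_name(a) not in present]
        if lost:
            missing[dn] = lost
    return missing


def to_modify_ldif(missing):
    """ldapmodify input appending the missing values: one change record per
    entry, 'changetype: modify' / 'add: aci'."""
    records = []
    for dn, acis in missing.items():
        lines = ["dn: " + dn, "changetype: modify", "add: aci"]
        lines += ["aci: " + a for a in acis] + ["-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    lost = missing_acis(REFERENCE_DUMP, CANDIDATE_DUMP)
    for dn, acis in lost.items():
        print(dn, "lacks:", ", ".join(aci_name(a) for a in acis))
    print(to_modify_ldif(lost))
```

In use, feed it the two captured files and apply the output on the master that lacks the ACIs with `ldapmodify -x -D "cn=directory manager" -W -f missing.ldif`. 389 Directory Server does not replicate cn=config, so both the check and the fix are per master: a dump taken on one server says nothing about the others, which is why the permission had to be re-added on every master. Comparison is by ACI name, so the "cert manager:" ACIs on o=ipaca and the "permission:" ACIs on the domain mapping tree are reported as different rather than silently treated as equivalent.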

-----Original Message-----
From: Martin Basti [mailto:mba...@redhat.com]
Sent: January-25-16 4:57 AM
To: Nathan Peters; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

Thank you,

I found root cause why "System: Read Replication Agreements" ACI is not on 
replica.

https://fedorahosted.org/freeipa/ticket/5631

I have to figure out why this permission is added on CentOS 7.2, because IMO 
this bug has been there since 4.0.


On 24.01.2016 03:22, Nathan Peters wrote:
I can now confirm that this is a 100% reproducible bug, and a pretty severe one 
at that.  You should be able to reproduce this issue at will if you follow 
these steps.  It may actually be possible with fewer servers and fewer steps, 
but here is what I did in a test lab today:

1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 
servers, dc1, dc2, dc3, replicating any way you want.
2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server 
/ vm / whatever you have it running on.
3. Install Fedora 23 on the same IP address and hostname 
(dc2.ipatestdomain.net).  Install FreeIPA server 4.2.3 from replica file 
created on CA master (dc1).

Check the ACIs on dc2.  You will notice it's now missing a bunch of stuff.  So 
basically, all it takes to lose that ACL is to create a Fedora FreeIPA server 
and join it to a CentOS domain.
After I had upgraded all 3 to Fedora, that ACL was lost permanently, as it no 
longer existed on any server because there were no CentOS servers left.

I'm assuming since this is so easy to reproduce, that you don't actually need 
my log files.

ACL comparisons below for reference:
1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists 
of only CentOS servers
2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a 
Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS ACL 
hasn't changed yet)
3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created from a 
replica file made from dc1, the CentOS 7.2 CA master (missing some stuff)
4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some 
stuff)

============================================================================
1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists 
of only CentOS servers
============================================================================
[root@dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" 
aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
   timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
   t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
   sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
   5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
   nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
   eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
   icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
   tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
   calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
   er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
   nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
   plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
   st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
   atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
   sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
   s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
   d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
   ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
    winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
   treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
   a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
   greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
   ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
   =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
   n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi
   p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta
   sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11


============================================================================
2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a 
Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS ACL 
hasn't changed yet)
============================================================================
================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3 
=========================

[root@dc1 ~]# ldapsearch -b "cn=config" -D 
"uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
Enter LDAP Password:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
   timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
   t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
   sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
   5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
   nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
   eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
   icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
   tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
   calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
   er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
   nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
   plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
   st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
   atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
   sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
   s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
   d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
   ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
    winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
   treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
   a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
   greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
   ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
   =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
   n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi
   p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta
   sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11



============================================================================
3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the replica 
file was made from dc1, which is a CentOS server that still has the ACLs 
(missing some stuff)
============================================================================
aci list on dc2

[root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" 
aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11

============================================================================
4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some 
stuff)
============================================================================
[root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" 
"(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11



-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: January-22-16 10:24 AM
To: Nathan Peters; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

On 01/22/2016 11:04 AM, Nathan Peters wrote:
Wow, strange stuff, the search I linked in the last email for our non working 
dev environment seems short some entries.

For comparison, here is the same search run against our currently working prod 
environment.

As you can see, our prod environment has a huge aci on the config tree.

For reference, our prod and dev environments were identical (FreeIPA 4.1.4/CentOS7.1) 
before I updated our dev environment to CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 
-> Fedora23/FreeIPA4.3.0.  So at some point during this upgrade process I assume maybe one 
of the installers deleted acis on our tree?  That sounds like the kind of thing that would 
happen when introducing the new domain level functionality in 4.3, like if someone accidentally 
thought "oh this replica branch is now in a globally replicated section, we can remove 
these acis for this local stuff..." and then put that logic into the installer or 
something...

The real question is, is there some good way of getting those ACIs back, like 
a fixaci command?
I don't know.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
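The comparison in the thread above (a working prod dump against the upgraded dev dump) was done by eye. The following is an added example, not code from the thread or from FreeIPA, that does the same comparison mechanically: it parses the output of the `ldapsearch -b "cn=config" "(aci=*)" aci` command used above from two servers, handling LDIF line folding and both the `acl "..."` and `aci "..."` name keywords that appear in the dumps, and reports per entry DN which ACL names one server lacks. The LDIF samples embedded in it are constructed, cut down from the entries in the dumps above; the function names are the example's own.

```python
"""Diff the ACIs under cn=config between two ldapsearch LDIF dumps.

Added example for the FreeIPA missing-ACI thread; not FreeIPA code.
Matching is by ACL name (the quoted string after 'acl'/'aci'), so
whitespace and folding differences between the two dumps do not matter.
"""
import re
from typing import Dict, List

# ACL name: the quoted string after the 'acl' (or, in the cert-manager
# entries, 'aci') keyword inside the ACI value.
ACL_NAME_RE = re.compile(r'\b(?:acl|aci)\s+"([^"]+)"')


def unfold_ldif(text: str) -> str:
    """Join LDIF folded lines (RFC 2849): a line that starts with a single
    space continues the previous line; only the marker space is removed."""
    return text.replace("\n ", "")


def acl_name(aci_value: str) -> str:
    """Return the ACL name of an aci value, or the raw value if it has none."""
    m = ACL_NAME_RE.search(aci_value)
    return m.group(1) if m else aci_value


def parse_ldif_acis(ldif_text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_dn: {acl_name: full_aci_value}} from ldapsearch output."""
    entries: Dict[str, Dict[str, str]] = {}
    current_dn = None
    for line in unfold_ldif(ldif_text).splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank entry separators and '# ...' comment lines
        if line.startswith("dn: "):
            current_dn = line[4:].strip()
            entries.setdefault(current_dn, {})
        elif line.startswith("aci: ") and current_dn is not None:
            value = line[5:].strip()
            entries[current_dn][acl_name(value)] = value
        # 'search:', 'result:' and other attributes are ignored
    return entries


def diff_acis(reference: Dict[str, Dict[str, str]],
              candidate: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per DN: ACL names present on the reference server but not on the
    candidate ('missing'), and names only the candidate has ('extra')."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dn in sorted(set(reference) | set(candidate)):
        ref_names = set(reference.get(dn, {}))
        cand_names = set(candidate.get(dn, {}))
        missing = sorted(ref_names - cand_names)
        extra = sorted(cand_names - ref_names)
        if missing or extra:
            report[dn] = {"missing": missing, "extra": extra}
    return report


# Constructed sample dumps (cut down from the thread). Continuation lines
# start with exactly one space, as ldapsearch prints them.
LDIF_HEAD = r"""# extended LDIF
# filter: (aci=*)
# requesting: aci

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
"""

# One of the mapping-tree ACIs the thread found missing after the upgrade.
ADD_AGREEMENTS_ACI = r"""aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipatestdomain,dc=net";)
"""

LDIF_TAIL = r"""aci: (targetattr=*)(targetfilter="(objectclass=nsds5Replica)")(version 3.0; ac
 l "permission:Modify Replication Agreements"; allow (read, write, search) grou
 pdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipat
 estdomain,dc=net";)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
 n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
 sions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
 rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# search result
search: 2
result: 0 Success
"""

PROD_LDIF = LDIF_HEAD + ADD_AGREEMENTS_ACI + LDIF_TAIL  # working reference
DEV_LDIF = LDIF_HEAD + LDIF_TAIL                        # upgraded, one ACI gone

if __name__ == "__main__":
    report = diff_acis(parse_ldif_acis(PROD_LDIF), parse_ldif_acis(DEV_LDIF))
    for dn, delta in report.items():
        print(dn)
        for name in delta["missing"]:
            print("  missing:", name)
        for name in delta["extra"]:
            print("  extra:  ", name)
```

To use it on real servers, save the output of the same `ldapsearch` from each server to a file and pass the file contents to `parse_ldif_acis`; the `missing` list for the upgraded server is the set of ACIs to restore from the reference dump. Two caveats: the mapping-tree DN and every `groupdn` embed the directory suffix, so dumps from servers in different domains need the suffix rewritten before diffing; and mail clients or pastes may re-indent the folded lines (the dumps above show three leading spaces), so feed the script raw `ldapsearch` output rather than text copied from a message.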