On 26.01.2016 21:51, Martin Basti wrote:


On 26.01.2016 21:03, Nathan Peters wrote:
After some more investigation, it appears that there may be more ACIs missing.

I added the missing permission (System: Read Replication Agreements) on all my masters, and then the installation failed at this point :
---------------------------
[28/43]: setting up initial replication
Starting replication, please wait until this has completed.
[error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'} ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Because of that and a comparison of my earlier version of ldif files from earlier versions of FreeIPA, I noticed the following ACI also missing from the mapping tree :
--------------------------------------
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
  pbac,dc=mydomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
  reements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)

After I added that, I attempted my replica installation again this time it failed on the o=ipaca branch
----------------------------------------
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
   [1/23]: creating certificate server user
   [2/23]: creating certificate server db
   [3/23]: setting up initial replication
[error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'} ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Looking at that branch of the ldap tree, I noticed some differences
--------------------------------------------------------------------------- In the cn=yourdomain,cn=mapping tree,cn=config you will find the following permissions :
permission:Add Replication Agreements
In the cn=o=ipaca,cn=mapping tree,cn=config you will find the following permissions :
cert manager: Add Replication Agreements

=========================
So I think there are actually 3 issues :
===========================
1. Missing aci on base cn=config entry
2. Missing aci on dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config branch 3. acis are on the o=ipaca branch, but they are wrong as they only apply to cert manager, and not all users
I'm not sure if this covers your issues, but it may be related

https://fedorahosted.org/freeipa/ticket/5412

Martin

and this https://fedorahosted.org/freeipa/ticket/5575


-----Original Message-----
From: Martin Basti [mailto:mba...@redhat.com]
Sent: January-25-16 4:57 AM
To: Nathan Peters; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

Thank you,

I found root cause why "System: Read Replication Agreements" ACI is not on replica.

https://fedorahosted.org/freeipa/ticket/5631

I have to figure out why this permission is added on centos7.2, because IMO this bug is there from 4.0.


On 24.01.2016 03:22, Nathan Peters wrote:
I can now confirm that this is a 100% reproducible bug, and a pretty severe one at that. You should be able to reproduce this issue at will if you follow these steps. It may actually be possible with less servers and less steps, but here is what I did in a test lab today:

1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 servers, dc1, dc2, dc3, replicating any way you want. 3. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server / vm / whatever you have it running on 3. Install Fedora 23 on the same IP address and hostname (dc2.ipatestdomain.net). Install FreeIPA server 4.2.3 from replica file created on CA master (dc1).

Check aci on dc2. You will notice it's now missing a bunch of stuff. So basically, all it takes to lose that ACL is to create a Fedora FreeIPA server and join it to a CentOS domain. After I had upgraded all 3 to Fedora, that ACLS was lost permanently as it no longer existed on any server because there were no CentOS servers left.

I'm assuming since this is so easy to reproduce, that you don't actually need my log files.

ACL comparisons below for reference :
1. ACL on dc1 when its on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists of only CentOS servers 2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS ACL hasn't changed yet) 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created from a replica file made from dc1, the centOS 7.2 CA master(missing some stuff) 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some stuff)

============================================================================ 1. ACL on dc1 when its on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists of only CentOS servers ============================================================================ [root@dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;) aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")( targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
   n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range"; allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11


============================================================================ 2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS ACL hasn't changed yet) ============================================================================ ================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3 =========================

[root@dc1 ~]# ldapsearch -b "cn=config" -D "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
Enter LDAP Password:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;) aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")( targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
   n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range"; allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11



============================================================================ 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the replica file was made from dc1 which is a CentOS server that still has the acls(missing some stuff) ============================================================================
aci list on dc2

[root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;) aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")( targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range"; allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11

============================================================================ 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some stuff) ============================================================================ [root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;) aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")( targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
   ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
   sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
   ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
   atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
   d, search ) userdn = "ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
    search, compare, proxy) userdn = "ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
   pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
   e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
   ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range"; allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
   ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11



-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: January-22-16 10:24 AM
To: Nathan Peters; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

On 01/22/2016 11:04 AM, Nathan Peters wrote:
Wow, strange stuff, the search I linked in the last email for our non working dev environment seems short some entries.

For comparison, here is the same search run against our currently working prod environment.

As you can see, our prod environment has a huge aci on the config tree.

For reference, our prod and dev environments were identical (FreeIPA 4.1.4/CentOS7.1) before I updated our dev environment to CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 -> Fedora23/FreeIPA4.3.0. So at some point during this upgrade process I assume maybe one of the installers deleted acis on our tree? That sounds like the kind of thing that would happen when introducing the new domain level functionality in 4.3, like if someone accidentally thought "oh this replica branch is now in a globally replicated section, we can remove these acis for this local stuff..." and then put that logic into the installer or something...

The real question is, is there some good way of getting those aci's back, like a fixaci command?
I don't know.



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to