I can now confirm that this is a 100% reproducible bug, and a pretty
severe one at that. You should be able to reproduce this issue at
will if you follow these steps. It may actually be possible with
fewer servers and fewer steps, but here is what I did in a test lab
today:
1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0
with 3 servers, dc1, dc2, dc3, replicating any way you want.
2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete
the server / VM / whatever you have it running on.
3. Install Fedora 23 on the same IP address and hostname
(dc2.ipatestdomain.net). Install FreeIPA server 4.2.3 from a replica
file created on the CA master (dc1).
Check the ACIs on dc2. You will notice it's now missing a bunch of
stuff. So basically, all it takes to lose that ACL is to create a
Fedora FreeIPA server and join it to a CentOS domain.
After I had upgraded all 3 to Fedora, that ACL was lost permanently
as it no longer existed on any server because there were no CentOS
servers left.
I'm assuming since this is so easy to reproduce, that you don't
actually need my log files.
ACL comparisons below for reference:
1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain
consists of only CentOS servers
2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but
there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for
reference that the CentOS ACL hasn't changed yet)
3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created
from a replica file made from dc1, the CentOS 7.2 CA master (missing
some stuff)
4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
missing some stuff)
============================================================================
1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain
consists of only CentOS servers
============================================================================
[root@dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11
============================================================================
2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but
there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for
reference that the CentOS ACL hasn't changed yet)
============================================================================
================ after reinstallation of dc2 in Fedora 23 / IPA 4.2.3 =========================
[root@dc1 ~]# ldapsearch -b "cn=config" -D "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
Enter LDAP Password:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11
============================================================================
3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the
replica file was made from dc1 which is a CentOS server that still
has the ACLs (missing some stuff)
============================================================================
aci list on dc2
[root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11
============================================================================
4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
missing some stuff)
============================================================================
[root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11
-----Original Message-----
From: Rich Megginson [mailto:[email protected]]
Sent: January-22-16 10:24 AM
To: Nathan Peters; [email protected]
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation
fails with DuplicateEntry: This entry already exists
On 01/22/2016 11:04 AM, Nathan Peters wrote:
Wow, strange stuff, the search I linked in the last email for our
non working dev environment seems short some entries.
For comparison, here is the same search run against our currently
working prod environment.
As you can see, our prod environment has a huge aci on the config
tree.
For reference, our prod and dev environments were identical
(FreeIPA 4.1.4/CentOS7.1) before I updated our dev environment to
CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 ->
Fedora23/FreeIPA4.3.0. So at some point during this upgrade
process I assume maybe one of the installers deleted acis on our
tree? That sounds like the kind of thing that would happen when
introducing the new domain level functionality in 4.3, like if
someone accidentally thought "oh this replica branch is now in a
globally replicated section, we can remove these acis for this
local stuff..." and then put that logic into the installer or
something...
The real question is, is there some good way of getting those ACIs
back, like a fixaci command?
I don't know.
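The four dumps above were compared by eye. As an added example (not code from this thread or from FreeIPA), the script below unfolds the LDIF that ldapsearch emits and reports, per DN and ACL name, which ACIs a server lacks or has altered relative to a reference server; the two LDIF samples are constructed from a few of the cn=config entries quoted above, folded the way ldapsearch folds them.

```python
import base64
import re

# Constructed sample input, not a real capture: a few of the cn=config ACIs
# quoted in the thread, in ldapsearch's LDIF form, where long values are
# folded onto continuation lines that begin with a single space.
# "Reference" stands for dc1 (CentOS 7.2, FreeIPA 4.2.0); "candidate" stands
# for dc2 (Fedora 23, FreeIPA 4.2.3), which is missing the two System: ACIs.
REFERENCE_LDIF = """\
# extended LDIF
# filter: (aci=*)
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr = "cn || nsds50ruv || nsds5replicahost")(version 3.0;acl "per
 mission:System: Read Replication Agreements";allow (compare,read,search) grou
 pdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,
 dc=ipatestdomain,dc=net";)

dn: cn=tasks,cn=config
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
 , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ipat
 estdomain,dc=net";)
aci: (targetattr = "*")(version 3.0;acl "permission:System: Read Automember Ta
 sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
 r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success
"""

CANDIDATE_LDIF = """\
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

dn: cn=tasks,cn=config
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
 , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ipat
 estdomain,dc=net";)

# search result
search: 2
result: 0 Success
"""

# 389-ds accepts both 'acl "name"' and 'aci "name"' inside the version clause;
# the dumps in the thread use both spellings.
ACL_NAME = re.compile(r'\b(?:acl|aci)\s+"([^"]*)"')


def unfold(text):
    """Yield logical LDIF lines: join folded continuations, drop comments and blanks."""
    current = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]      # continuation of the previous value
            continue
        if current is not None:
            yield current
        current = None if (not raw or raw.startswith("#")) else raw
    if current is not None:
        yield current


def parse_acis(text):
    """Map each DN in ldapsearch output to the list of its aci values."""
    entries, dn = {}, None
    for line in unfold(text):
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):   # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            dn = value
            entries.setdefault(dn, [])
        elif attr == "aci" and dn is not None:
            entries[dn].append(value)
    return entries


def acl_name(aci):
    """Return the ACL name, or the whole ACI if it carries no name."""
    m = ACL_NAME.search(aci)
    return m.group(1) if m else aci


def compare_acis(reference_ldif, candidate_ldif):
    """Return (missing, changed) as sets of (dn, acl name).

    missing: ACIs on the reference that the candidate lacks entirely;
    changed: same name on both, but a different whitespace-normalised body.
    """
    ref, cand = parse_acis(reference_ldif), parse_acis(candidate_ldif)
    missing, changed = set(), set()
    for dn, acis in ref.items():
        have = {acl_name(a): " ".join(a.split()) for a in cand.get(dn, [])}
        for a in acis:
            name = acl_name(a)
            if name not in have:
                missing.add((dn, name))
            elif have[name] != " ".join(a.split()):
                changed.add((dn, name))
    return missing, changed


if __name__ == "__main__":
    missing, changed = compare_acis(REFERENCE_LDIF, CANDIDATE_LDIF)
    for dn, name in sorted(missing):
        print(f"MISSING on candidate  {dn}: {name}")
    for dn, name in sorted(changed):
        print(f"CHANGED on candidate  {dn}: {name}")
```

In practice the two inputs are the saved outputs of the `ldapsearch -b "cn=config" "(aci=*)" aci` command used above, run against each server.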