On 05/22/2014 03:07 PM, Petr Viktorin wrote:
Hello,
Here I start upgrading the existing default permissions to the new
Managed style.

https://fedorahosted.org/freeipa/ticket/4346

The patches rely on my patch 0551
(https://fedorahosted.org/freeipa/ticket/4349)
You may run into what seems to be a 389 bug. If you get a "Midair
Collision" (NO_SUCH_ATTRIBUTE) error, restart the DS and try running
ipa-ldap-updater again. I'm working with Ludwig on this one.



This bug is indeed in 389 and there's a fix. I'll test with the current build to verify.



I'm re-sending some of our private communication to the list, in case anyone wants to try reproducing the issue.

On 05/26/2014 11:27 AM, Ludwig Krispenz wrote:

Hi,

I now consistently reproduced the issue and debugged it. It is in fact a case 
where, in sorting the values of an attribute, in some cases another comparison 
function was used. The current state of the 1.3.2 branch partially fixes and/or 
prevents the problem by using another default comparison function; with a 
current build the test scenario passed.
Maybe you can try the rpms at

http://copr-be.cloud.fedoraproject.org/results/lkrispen/132test/fedora-20-x86_64/389-ds-base-1.3.2.16-20140526081843.fc17/

We will need to provide an official 1.3.217 (and should fix a few more 
locations which could lead to the problem).

Regards,
Ludwig


On 05/21/2014 01:19 PM, Petr Viktorin wrote:

Steps to reproduce:
- Install "master" & "replica" on FreeIPA from the f20 repos
(freeipa-server-3.3.5-1)
- Upgrade "master" to my #4344 WIP branch
  - RPMs: http://fedorapeople.org/~pviktori/rpms/freeipa-2f9399d/
  - source: git pull http://github.com/encukou/freeipa ticket-4344-wip
- Run ipa-ldap-updater on the "replica"
- The problem appears on master.

I can confirm that things work after a restart.



Commands used to reproduce:

$ ldapsearch -x -h localhost -D 'cn=Directory Manager' -w 12345678 -o
ldif-wrap=no -b dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com -s base
aci | grep -i 'Modify Sudo rule'
aci: (targetattr = "description || ipaenabledflag || usercategory ||
hostcategory || cmdcategory || ipasudorunasusercategory ||
ipasudorunasgroupcategory || externaluser || ipasudorunasextuser ||
ipasudorunasextgroup || memberdenycmd || memberallowcmd ||
memberuser")(target =
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)(version
3.0;acl "permission:Modify Sudo rule";allow (write) groupdn =
"ldap:///cn=Modify Sudo
rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

aci: (targetattr = "cmdcategory || description || externalhost ||
externaluser || hostcategory || hostmask || ipaenabledflag ||
ipasudoopt || ipasudorunas || ipasudorunasextgroup ||
ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory
|| ipasudorunasusercategory || memberallowcmd || memberdenycmd ||
memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder
|| usercategory")(targetfilter = "(objectclass=ipasudorule)")(version
3.0;acl "permission:System: Modify Sudo rule";allow (add) groupdn =
"ldap:///cn=System: Modify Sudo
rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

# System: Modify Sudo rule, permissions, pbac, idm.lab.eng.brq.redhat.com
dn: cn=System: Modify Sudo
rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
# Modify Sudo rule, permissions, pbac, idm.lab.eng.brq.redhat.com
dn: cn=Modify Sudo
rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com


$ ldapmodify -x -h localhost -D 'cn=Directory Manager' -w 12345678
dn: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
changetype: modify
delete: aci
aci: (targetattr = "description || ipaenabledflag || usercategory ||
hostcategory || cmdcategory || ipasudorunasusercategory ||
ipasudorunasgroupcategory || externaluser || ipasudorunasextuser ||
ipasudorunasextgroup || memberdenycmd || memberallowcmd ||
memberuser")(target =
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)(version
3.0;acl "permission:Modify Sudo rule";allow (write) groupdn =
"ldap:///cn=Modify Sudo
rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)


modifying entry "dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
ldap_modify: No such attribute (16)


-- 
Petr³
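As an added illustration (constructed here, not 389-ds-base code and not from the thread) of the failure mode Ludwig describes: a multi-valued attribute kept sorted under one comparison function but searched with another, so a value that ldapsearch plainly shows is reported as "No such attribute (16)" when ldapmodify tries to delete it. The two key functions and the acl names are made up for the demonstration.

```python
"""Toy model of the 389-ds bug described in the thread (constructed, not 389 code):
attribute values sorted under one comparison function but searched with another,
so a value ldapsearch plainly shows is reported missing (noSuchAttribute, 16)
when ldapmodify tries to delete it."""

def exact_key(value):
    """Case-exact ordering, standing in for a byte-wise matching rule."""
    return value

def ci_key(value):
    """Case-insensitive ordering, standing in for a caseIgnore matching rule."""
    return value.lower()

class AttributeValues:
    """Multi-valued attribute kept sorted under sort_key, probed with lookup_key."""
    def __init__(self, values, sort_key, lookup_key):
        self.lookup_key = lookup_key
        self.values = sorted(values, key=sort_key)

    def find(self, needle):
        """Binary search; only correct if lookup_key agrees with the sort order."""
        target = self.lookup_key(needle)
        lo, hi = 0, len(self.values)
        while lo < hi:
            mid = (lo + hi) // 2
            if self.lookup_key(self.values[mid]) < target:
                lo = mid + 1
            else:
                hi = mid
        if lo < len(self.values) and self.lookup_key(self.values[lo]) == target:
            return lo
        return None

    def delete(self, needle):
        """Mimic 'delete: aci' of one value; return an ldapmodify-style result line."""
        idx = self.find(needle)
        if idx is None:
            return "ldap_modify: No such attribute (16)"
        del self.values[idx]
        return "modifying entry: ok"

# Constructed acl names, chosen so case-exact and case-insensitive orders differ.
ACIS = ["permission:Add Sudo rule", "permission:System: Modify Sudo rule",
        "permission:modify Sudo rule"]

def demo(sort_key, lookup_key):
    """Sort with one function, look up with another, then delete a present value."""
    return AttributeValues(ACIS, sort_key, lookup_key).delete(ACIS[1])

if __name__ == "__main__":
    print("mismatched:", demo(ci_key, exact_key))     # the bug: present, yet 'No such attribute'
    print("consistent:", demo(exact_key, exact_key))  # one comparison function throughout: ok
```

The "consistent" case is also what a restart gives you in the thread: the values are re-read and ordered with a single comparison function, so the same delete then succeeds.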

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
