Re: [Freeipa-devel] [PATCH 0113] properly add ACIs to custodia container during IPA upgrade

2015-12-11 Thread David Kupka

On 10/12/15 10:14, Martin Babinsky wrote:
> On 12/08/2015 10:45 AM, Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5524
>>
>
> Attaching updated patch with simpler fix suggested by Jan.
>

Thanks for the patch. Works for me, ACK.

--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0113] properly add ACIs to custodia container during IPA upgrade

2015-12-11 Thread Tomas Babej


On 12/11/2015 10:37 AM, David Kupka wrote:
> On 10/12/15 10:14, Martin Babinsky wrote:
>> On 12/08/2015 10:45 AM, Martin Babinsky wrote:
>>> fixes https://fedorahosted.org/freeipa/ticket/5524
>>>
>>>
>>>
>>
>> Attaching updated patch with simpler fix suggested by Jan.
>>
>>
>>
> Thanks for the patch. Works for me, ACK.
> 

I was also finally able to reproduce it on a clear machine.

Pushed to master: a66a2c5160dbc23cdeec55d17422812028939e16



Re: [Freeipa-devel] [PATCH 0113] properly add ACIs to custodia container during IPA upgrade

2015-12-11 Thread Tomas Babej


On 12/11/2015 12:50 PM, Tomas Babej wrote:
> 
> 
> On 12/11/2015 10:37 AM, David Kupka wrote:
>> On 10/12/15 10:14, Martin Babinsky wrote:
>>> On 12/08/2015 10:45 AM, Martin Babinsky wrote:
>>>> fixes https://fedorahosted.org/freeipa/ticket/5524
>>>>
>>>
>>> Attaching updated patch with simpler fix suggested by Jan.
>>>
>>>
>>>
>> Thanks for the patch. Works for me, ACK.
>>
> 
> I was also finally able to reproduce it on a clear machine.
> 
> Pushed to master: a66a2c5160dbc23cdeec55d17422812028939e16
> 

Martin actually pushed this 30 minutes ago, actual commit hash is
e130d35687a05cb3d2dd8708b76e7745e337c0c0.



Re: [Freeipa-devel] [PATCH 0113] properly add ACIs to custodia container during IPA upgrade

2015-12-10 Thread Martin Babinsky

On 12/08/2015 10:45 AM, Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5524
>

Attaching updated patch with simpler fix suggested by Jan.

--
Martin^3 Babinsky
From 9c7accdc7facec47e9a75f91168dca28db9e343d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 8 Dec 2015 09:51:09 +0100
Subject: [PATCH] add ACIs for custodia container to its parent during IPA
 upgrade

This fixes the situation when LDAPUpdater tries to add ACIs for storing
secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually
created leading to creation of container without any ACI and subsequent
erroneous behavior.

https://fedorahosted.org/freeipa/ticket/5524
---
 install/updates/20-aci.update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index ca4c0df0576b07aa48e6bdd2e70e06f9819b6da9..5b9741d7e05537194038e860f82924018761391c 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -113,6 +113,6 @@ dn: cn=etc,$SUFFIX
 add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX;)(targetattr = "nsDS5ReplicaId")(version 3.0; acl "IPA server hosts can change replica ID"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX;;)
 
 # IPA server hosts can create and manage own Custodia secrets
-dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
+dn: cn=ipa,cn=etc,$SUFFIX
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX; and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX; and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
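Review bot: Nothing in this hunk deals with the old location of these rules: the two add:aci lines now apply to dn: cn=ipa,cn=etc,$SUFFIX, but a server that already stored them on cn=custodia,cn=ipa,cn=etc,$SUFFIX would keep those copies and gain a second set on the parent. The target, rights and bind rules are unchanged, so this does not widen access, but consider whether a follow-up should remove the copies under the old dn so that each rule is maintained in one place. The comment above the dn line could also say why the ACIs sit on the parent rather than on the container they target (per the commit message, the custodia container may not exist yet when this update runs); without that, a later cleanup could move them back next to their target and reintroduce the ordering problem.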
-- 
2.5.0
