Wow, strange stuff, the search I linked in the last email for our non-working dev environment seems to be short some entries.
For comparison, here is the same search run against our currently working prod environment. As you can see, our prod environment has a huge ACI on the config tree.

For reference, our prod and dev environments were identical (FreeIPA 4.1.4/CentOS 7.1) before I updated our dev environment to CentOS 7.2/FreeIPA 4.2.0 -> Fedora 23/FreeIPA 4.2.3 -> Fedora 23/FreeIPA 4.3.0. So at some point during this upgrade process I assume maybe one of the installers deleted ACIs on our tree? That sounds like the kind of thing that would happen when introducing the new domain level functionality in 4.3, like if someone accidentally thought "oh, this replica branch is now in a globally replicated section, we can remove these ACIs for this local stuff..." and then put that logic into the installer or something...

The real question is, is there some good way of getting those ACIs back, like a fixaci command?

=========================
Prod ACIs that do work for comparison
=========================

[root@dc1-ipa-prod-nvan ~]$ ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")( targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task ,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager s Configuration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co nfiguration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas e Configuration,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc= myproddomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc =net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis sions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou= people,o=ip aca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=myproddomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe r Tasks,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea d, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Dmyproddomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dmyproddomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn= pbac,dc=myproddomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag reements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli cation Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements" ;allow (add) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou= peop le,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser ,ou= people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a llow (read) userdn="ldap:///uid=pkidbuser,ou= people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range"; allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss ions,cn=pbac,dc=myproddomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement s,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nathan Peters
Sent: January-22-16 9:18 AM
To: Rich Megginson; [email protected]
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")( targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task ,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager s Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co nfiguration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas e Configuration,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc= dev-mydomain,dc=net";)

# mapping tree, config
dn: cn=mapping tree,cn=config
aci: (target = "ldap:///cn=meTo($dn),cn=*,cn=mapping tree,cn=config")(targetat tr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replica tion agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($dn),c n=computers,cn=accounts,dc=dev-mydomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis sions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dev- mydomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea d, search ) userdn = "ldap:///all";)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )

# dc\3Ddev-mydomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Ddev-mydomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli cation Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements" ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range"; allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss ions,cn=pbac,dc=dev-mydomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement s,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 12
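A script to do the prod-versus-dev comparison of the two listings above mechanically, as an added example that is not part of this thread: it unfolds the ldapsearch LDIF (continuation lines start with a space), rewrites each server's base DN, in plain and DN-escaped form, to a neutral placeholder so only genuine ACI differences remain, and reports per entry which ACIs each side lacks. The sample dumps embedded below are constructed and abbreviated from the thread's listings; the base DNs are passed in as assumptions.

```python
from collections import defaultdict

def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def acis_by_dn(text, suffix):
    """Return {dn: set(aci)} with the base DN (plain and DN-escaped) replaced by SUFFIX."""
    escaped = suffix.replace("=", "\\3D").replace(",", "\\2C")
    norm = lambda s: s.replace(suffix, "SUFFIX").replace(escaped, "SUFFIX")
    result, dn = defaultdict(set), None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = norm(line[4:])
        elif line.startswith("aci: ") and dn is not None:
            result[dn].add(norm(line[5:]))
    return result

def diff_acis(ref_text, ref_suffix, other_text, other_suffix):
    """Per DN: ACIs the reference dump has but the other lacks, and the reverse."""
    ref = acis_by_dn(ref_text, ref_suffix)
    other = acis_by_dn(other_text, other_suffix)
    missing, extra = {}, {}
    for dn in sorted(set(ref) | set(other)):
        if ref[dn] - other[dn]:
            missing[dn] = sorted(ref[dn] - other[dn])
        if other[dn] - ref[dn]:
            extra[dn] = sorted(other[dn] - ref[dn])
    return missing, extra

# Constructed, abbreviated dumps modelled on the prod and dev listings in the thread.
PROD = """\
dn: cn=config
aci: (targetattr=*)(version 3.0;acl "permission:System: Read Replication Agree
 ments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)

dn: cn=dc\\3Dmyproddomain\\2Cdc\\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";a
 llow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
"""
DEV = """\
dn: cn=dc\\3Ddev-mydomain\\2Cdc\\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Remove Replication Agreements"
 ;allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
"""

if __name__ == "__main__":
    missing, extra = diff_acis(PROD, "dc=myproddomain,dc=net", DEV, "dc=dev-mydomain,dc=net")
    print("missing on dev:", missing, "\nextra on dev:", extra)
```

Feed it the two real dumps (saved to files) in place of PROD and DEV; because it keys on the full normalized ACI string, a renamed or reworded ACI shows up as one missing plus one extra entry for the same DN.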
-----Original Message-----
From: Rich Megginson [mailto:[email protected]]
Sent: January-22-16 6:26 AM
To: Nathan Peters; [email protected]
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

On 01/21/2016 08:48 PM, Nathan Peters wrote:
> Here are the results for that ACI search using a non-GSSAPI bind by directory
> manager on the old master that we are attempting to join against. I don't see
> anything in this list that would indicate that some users should or should
> not have access through a certain method. Unless one of those SASL config
> settings is doing it?
>
> [root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b
> "cn=config" "(aci=*)"

You almost got it. You left out the most important part, at the end of the command, specifying the "aci" attribute:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Viewing_the_ACIs_for_an_Entry.html

# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
