After some more investigation, it appears that there may be more ACIs missing.
I added the missing permission (System: Read Replication Agreements) on all my
masters, and then the installation failed at this point:
---------------------------
[28/43]: setting up initial replication
Starting replication, please wait until this has completed.
[error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Because of that, and a comparison with my LDIF files from earlier versions of
FreeIPA, I noticed the following ACIs also missing from the mapping tree:
--------------------------------------
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)
After I added those, I attempted my replica installation again; this time it
failed on the o=ipaca branch:
----------------------------------------
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/23]: creating certificate server user
[2/23]: creating certificate server db
[3/23]: setting up initial replication
[error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info': "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Looking at that branch of the LDAP tree, I noticed some differences:
---------------------------------------------------------------------------
In cn=yourdomain,cn=mapping tree,cn=config you will find the following
permissions:
permission:Add Replication Agreements
In cn=o=ipaca,cn=mapping tree,cn=config you will find the following
permissions:
cert manager: Add Replication Agreements
=========================
So I think there are actually 3 issues:
===========================
1. Missing ACI on the base cn=config entry
2. Missing ACIs on the dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config branch
3. ACIs are on the o=ipaca branch, but they are wrong as they only apply to
cert manager, and not all users
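The by-hand ACI comparison described in this thread, as an added example that is not part of the thread or of FreeIPA: a small Python script that unfolds two saved `ldapsearch -b cn=config "(aci=*)" aci` dumps, indexes the ACIs by entry DN and ACI name, reports what the reference master has that the candidate lacks, and lists the ACIs bound to a single userdn (the "cert manager" ones). The two dumps embedded below are constructed from a few of the entries quoted in the thread, trimmed to keep the example short; the function names are mine, not FreeIPA's.

```python
import re
from collections import defaultdict

# Two constructed dumps, trimmed to a few entries in the shape of the
# `ldapsearch -b cn=config "(aci=*)" aci` output quoted in the thread.
# Continuation lines start with a single space, as ldapsearch folds them.
DC1_LDIF = r"""
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (targetattr = "cn || nsds50ruv || nsds5beginreplicarefresh || objectclass"
 )(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagre
 ement))")(version 3.0;acl "permission:System: Read Replication Agreements";allo
 w (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreemen
 ts,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"
 ; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permission
 s,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,
 cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks"
 ;allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Task
 s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";a
 llow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
"""

# The same entries as seen on the freshly installed replica: the two
# "permission:System: ..." ACIs are absent (constructed, mirrors the thread).
DC2_LDIF = r"""
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"
 ; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permission
 s,cn=pbac,dc=ipatestdomain,dc=net";)

dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";a
 llow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
"""

# 389-ds accepts either "acl" or "aci" as the name keyword; both appear
# in the dumps quoted in the thread.
NAME_RE = re.compile(r'\b(?:acl|aci)\s+"([^"]+)"')
RIGHTS_RE = re.compile(r'\ballow\s*\(\s*([^)]*)\)')
BIND_RE = re.compile(r'\b(userdn|groupdn)\s*=\s*"([^"]+)"')


def unwrap_ldif(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous attribute value (RFC 2849 folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_acis(text):
    """Map each entry DN to {aci name: (rights, bind kind, bind value)}.
    ACI names are assumed unique within an entry, as in the quoted dumps."""
    tree = defaultdict(dict)
    dn = None
    for line in unwrap_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:].strip()
            tree.setdefault(dn, {})
        elif line.startswith("aci: ") and dn is not None:
            aci = line[5:]
            name, rights, bind = NAME_RE.search(aci), RIGHTS_RE.search(aci), BIND_RE.search(aci)
            if not (name and rights and bind):
                raise ValueError("unparsed aci on %s: %s" % (dn, aci))
            tree[dn][name.group(1)] = (
                tuple(r.strip() for r in rights.group(1).split(",")),
                bind.group(1),
                bind.group(2),
            )
    return dict(tree)


def missing_acis(reference, candidate):
    """ACIs present on the reference master but absent on the candidate,
    as (dn, aci name) pairs: the comparison done by hand in the thread."""
    return [(dn, name) for dn, acis in reference.items()
            for name in acis if name not in candidate.get(dn, {})]


def single_account_acis(tree, ignore=("ldap:///anyone", "ldap:///all")):
    """ACIs whose bind rule names one userdn rather than a permission
    group, e.g. the "cert manager: ..." ACIs bound to pkidbuser only."""
    return [(dn, name, value) for dn, acis in tree.items()
            for name, (_rights, kind, value) in acis.items()
            if kind == "userdn" and value not in ignore]


if __name__ == "__main__":
    dc1, dc2 = parse_acis(DC1_LDIF), parse_acis(DC2_LDIF)
    for dn, name in missing_acis(dc1, dc2):
        print("missing on dc2: %-40s %s" % (dn, name))
    for dn, name, who in single_account_acis(dc2):
        print("single-account bind: %-40s %s -> %s" % (dn, name, who))
```

To use it against real servers, save each master's dump with the ldapsearch command from the thread and feed the two files in place of the embedded strings. The comparison is by ACI name within an entry, so an ACI that exists under a different name on the two sides shows up as missing on one side rather than as a changed rule; compare the rights and bind tuples directly when that matters.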
-----Original Message-----
From: Martin Basti [mailto:[email protected]]
Sent: January-25-16 4:57 AM
To: Nathan Peters; Rich Megginson; [email protected]
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with
DuplicateEntry: This entry already exists
Thank you,
I found the root cause of why the "System: Read Replication Agreements" ACI is
not on the replica.
https://fedorahosted.org/freeipa/ticket/5631
I have to figure out why this permission is added on CentOS 7.2, because IMO
this bug has been there since 4.0.
On 24.01.2016 03:22, Nathan Peters wrote:
> I can now confirm that this is a 100% reproducible bug, and a pretty severe
> one at that. You should be able to reproduce this issue at will if you
> follow these steps. It may actually be possible with fewer servers and fewer
> steps, but here is what I did in a test lab today:
>
> 1. Create a brand new FreeIPA domain on CentOS 7.2 / FreeIPA 4.2.0 with 3
> servers, dc1, dc2, dc3, replicating any way you want.
> 2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the
> server / VM / whatever you have it running on.
> 3. Install Fedora 23 on the same IP address and hostname
> (dc2.ipatestdomain.net). Install FreeIPA server 4.2.3 from a replica file
> created on the CA master (dc1).
>
> Check the ACIs on dc2. You will notice it's now missing a bunch of stuff. So
> basically, all it takes to lose that ACL is to create a Fedora FreeIPA server
> and join it to a CentOS domain.
> After I had upgraded all 3 to Fedora, that ACL was lost permanently, as it no
> longer existed on any server because there were no CentOS servers left.
>
> I'm assuming, since this is so easy to reproduce, that you don't actually need
> my log files.
>
> ACL comparisons below for reference:
> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists
> of only CentOS servers
> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now
> a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS
> ACL hasn't changed yet)
> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created from a
> replica file made from dc1, the CentOS 7.2 CA master (missing some stuff)
> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing
> some stuff)
>
> ============================================================================
> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists
> of only CentOS servers
> ============================================================================
> [root@dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)
> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
> ============================================================================
> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now
> a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS
> ACL hasn't changed yet)
> ============================================================================
> ================ after reinstallation of dc2 on Fedora 23 / IPA 4.2.3 =========================
>
> [root@dc1 ~]# ldapsearch -b "cn=config" -D "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
> Enter LDAP Password:
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)
> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
>
> ============================================================================
> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the replica
> file was made from dc1, which is a CentOS server that still has the
> ACLs (missing some stuff)
> ============================================================================
> ACI list on dc2
>
> [root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
> ============================================================================
> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some stuff)
> ============================================================================
> [root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=gripatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range"; allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:[email protected]]
> Sent: January-22-16 10:24 AM
> To: Nathan Peters; [email protected]
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with
> DuplicateEntry: This entry already exists
>
> On 01/22/2016 11:04 AM, Nathan Peters wrote:
>> Wow, strange stuff, the search I linked in the last email for our non
>> working dev environment seems short some entries.
>>
>> For comparison, here is the same search run against our currently working
>> prod environment.
>>
>> As you can see, our prod environment has a huge aci on the config tree.
>>
>> For reference, our prod and dev environments were identical (FreeIPA
>> 4.1.4/CentOS7.1) before I updated our dev environment to
>> CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 -> Fedora23/FreeIPA4.3.0.
>> So at some point during this upgrade process I assume maybe one of the
>> installers deleted acis on our tree? That sounds like the kind of thing
>> that would happen when introducing the new domain level functionality in
>> 4.3, like if someone accidentally thought "oh this replica branch is now in
>> a globally replicated section, we can remove these acis for this local
>> stuff..." and then put that logic into the installer or something...
>>
>> The real question is, is there some good way of getting those aci's back,
>> like a fixaci command?
> I don't know.
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
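Added example (not from this thread or from FreeIPA itself): the dumps quoted above are being compared by eye; the Python below does the same comparison mechanically. It parses ldapsearch LDIF output (unfolding continuation lines and decoding base64 values), groups the aci values per entry DN, reports the ACIs a known-good server has that a suspect one lacks, and renders an ldapmodify LDIF that re-adds them. The two embedded dumps are constructed excerpts modelled on the mapping tree and userRoot entries shown above, not full captures; the file name in the usage comment is an assumption. Both servers must belong to the same domain, since the permission group DNs embed it.

```python
"""Diff ACIs under cn=config between a known-good and a suspect ldapsearch
dump, and emit ldapmodify LDIF that re-adds what the suspect one lacks.
Added example; the dumps are constructed excerpts, not real captures."""
import base64
from collections import defaultdict

MAPPING_TREE_DN = r"cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config"
USERROOT_DN = "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

# Constructed excerpt of the working server, folded the way ldapsearch folds
# long lines (each continuation line begins with exactly one space).
PROD_DUMP = r"""# extended LDIF
# base <cn=config> with scope subtree
# filter: (aci=*)

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
 jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
 ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
 cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
 e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
 s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success
"""

# Constructed excerpt of the suspect server (captured with ldif-wrap=no): the
# Remove ACI on the mapping tree is gone; the userRoot ACI differs only in
# whitespace and must not be reported.
DEV_DUMP = r"""dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl  "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
"""


def unfold_ldif(text):
    """Logical LDIF lines: a physical line starting with one space continues
    the previous line (RFC 2849); '#' comment lines are dropped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return [line for line in logical if not line.startswith("#")]


def parse_attr(line):
    """Split 'name: value' or 'name:: base64' into (lowercased name, value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):  # base64-encoded value
        return name.strip().lower(), base64.b64decode(rest[1:].strip()).decode()
    return name.strip().lower(), rest.strip()


def parse_aci_dump(text):
    """Map each entry DN in the dump to the set of its aci values; other
    attributes and the trailing search:/result: lines are ignored."""
    acis = defaultdict(set)
    dn = None
    for line in unfold_ldif(text):
        if not line.strip():  # a blank line ends the current entry
            dn = None
            continue
        name, value = parse_attr(line)
        if name == "dn":
            dn = value
            acis.setdefault(dn, set())
        elif name == "aci" and dn is not None:
            acis[dn].add(value)
    return dict(acis)


def _norm(aci):
    """Whitespace-insensitive key so re-wrapped values are not false diffs."""
    return " ".join(aci.split())


def missing_acis(reference, target):
    """ACIs (original text) present under a DN in the reference but absent
    from the target. A DN the target lacks entirely has every reference ACI
    reported; if that entry truly does not exist, 'add: aci' will fail with
    noSuchObject, so confirm the entry exists before applying."""
    missing = {}
    for dn, ref_values in reference.items():
        have = {_norm(v) for v in target.get(dn, set())}
        gone = sorted(v for v in ref_values if _norm(v) not in have)
        if gone:
            missing[dn] = gone
    return missing


def to_ldif_modify(missing):
    """ldapmodify input re-adding the missing values, one record per DN.
    ACI values are ASCII, so plain 'aci:' lines suffice (no base64)."""
    records = []
    for dn in sorted(missing):
        lines = [f"dn: {dn}", "changetype: modify", "add: aci"]
        lines.extend(f"aci: {value}" for value in missing[dn])
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    diff = missing_acis(parse_aci_dump(PROD_DUMP), parse_aci_dump(DEV_DUMP))
    # Save as restore-acis.ldif (assumed name) and apply with:
    #   ldapmodify -D "cn=directory manager" -W -f restore-acis.ldif
    print(to_ldif_modify(diff), end="")
```

Feed it fresh captures: ldapsearch -o ldif-wrap=no avoids the folding altogether, whereas a dump that has been re-wrapped by a mail client, like the ones quoted above, has lost its leading-space continuation markers and will not parse. Re-adding raw aci values only restores what the working server has; FreeIPA normally maintains these "permission:" ACIs itself through its managed permissions, so treat this as a diagnostic and a stop-gap, not a replacement for the upgrade tooling.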