https://fedorahosted.org/freeipa/ticket/5575
^--- That was the one.

It triggered differently for me because I had manually re-replaced the aci in the dc=domain,dc=mapping tree branch. Had I left it alone it would have triggered exactly as in the bug report. However, that bug report did let me know how to fix it.

I made a brand new FreeIPA 4.3.0 domain with a single master (which has the correct ACI entries for the mapping tree branch), then copied those ACIs into my existing domain (edit dse.ldif when the server is turned off). I was able to successfully install a replica after that.

Thanks for pointing out the actual bug. I'm fairly new to debugging 389 DS so knowing what branch needed to be fixed was invaluable.

-----Original Message-----
From: Martin Basti [mailto:[email protected]]
Sent: January-26-16 12:57 PM
To: Nathan Peters; Rich Megginson; [email protected]
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

On 26.01.2016 21:51, Martin Basti wrote:
>
>
> On 26.01.2016 21:03, Nathan Peters wrote:
>> After some more investigation, it appears that there may be more ACIs
>> missing.
>>
>> I added the missing permission (System: Read Replication Agreements)
>> on all my masters, and then the installation failed at this point :
>> ---------------------------
>> [28/43]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write'
>> privilege to the 'nsds5BeginReplicaRefresh' attribute of entry
>> 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2c
>> dc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient
>> access'}
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info':
>> "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh'
>> attribute of entry
>> 'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2c
>> dc\\3dnet,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient
>> access'}
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> Because of that and a comparison of my earlier version of ldif files
>> from earlier versions of FreeIPA, I noticed the following ACI also
>> missing from the mapping tree :
>> --------------------------------------
>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>> Agreements";al
>> low (add) groupdn = "ldap:///cn=Add Replication
>> Agreements,cn=permissions,cn=
>> pbac,dc=mydomain,dc=net";)
>> aci:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass
>> =nsd
>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>> Replication Agreeme
>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>> Replication Ag
>> reements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)
>>
>> After I added that, I attempted my replica installation again; this
>> time it failed on the o=ipaca branch
>> ----------------------------------------
>> Configuring certificate server (pki-tomcatd). Estimated time: 3
>> minutes 30 seconds
>> [1/23]: creating certificate server user
>> [2/23]: creating certificate server db
>> [3/23]: setting up initial replication
>> [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write'
>> privilege to the 'nsDS5ReplicaBindDN' attribute of entry
>> 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc':
>> 'Insufficient access'}
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR {'info':
>> "Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute
>> of entry 'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n",
>> 'desc': 'Insufficient access'}
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> Looking at that branch of the ldap tree, I noticed some differences
>> ---------------------------------------------------------------------
>> ------
>>
>> In the cn=yourdomain,cn=mapping tree,cn=config you will find the
>> following permissions :
>> permission:Add Replication Agreements
>> In the cn=o=ipaca,cn=mapping tree,cn=config you will find the
>> following permissions :
>> cert manager: Add Replication Agreements
>>
>> =========================
>> So I think there are actually 3 issues :
>> ===========================
>> 1. Missing aci on base cn=config entry
>> 2. Missing aci on dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config branch
>> 3. acis are on the o=ipaca branch, but they are wrong as they only apply to
>> cert manager, and not all users
> I'm not sure if this covers your issues, but it may be related
>
> https://fedorahosted.org/freeipa/ticket/5412
>
> Martin
and this https://fedorahosted.org/freeipa/ticket/5575
>>
>> -----Original Message-----
>> From: Martin Basti [mailto:[email protected]]
>> Sent: January-25-16 4:57 AM
>> To: Nathan Peters; Rich Megginson; [email protected]
>> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails
>> with DuplicateEntry: This entry already exists
>>
>> Thank you,
>>
>> I found root cause why "System: Read Replication Agreements" ACI is
>> not on replica.
>>
>> https://fedorahosted.org/freeipa/ticket/5631
>>
>> I have to figure out why this permission is added on centos7.2,
>> because IMO this bug is there from 4.0.
>>
>>
>> On 24.01.2016 03:22, Nathan Peters wrote:
>>> I can now confirm that this is a 100% reproducible bug, and a pretty
>>> severe one at that. You should be able to reproduce this issue at
>>> will if you follow these steps. It may actually be possible with
>>> fewer servers and fewer steps, but here is what I did in a test lab
>>> today:
>>>
>>> 1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0
>>> with 3 servers, dc1, dc2, dc3, replicating any way you want.
>>> 2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete
>>> the server / vm / whatever you have it running on
>>> 3. Install Fedora 23 on the same IP address and hostname
>>> (dc2.ipatestdomain.net). Install FreeIPA server 4.2.3 from replica
>>> file created on CA master (dc1).
>>>
>>> Check aci on dc2. You will notice it's now missing a bunch of
>>> stuff. So basically, all it takes to lose that ACL is to create a
>>> Fedora FreeIPA server and join it to a CentOS domain.
>>> After I had upgraded all 3 to Fedora, that ACL was lost permanently
>>> as it no longer existed on any server because there were no CentOS
>>> servers left.
>>>
>>> I'm assuming since this is so easy to reproduce, that you don't
>>> actually need my log files.
>>>
>>> ACL comparisons below for reference :
>>> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain
>>> consists of only CentOS servers
>>> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but
>>> there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for
>>> reference that the CentOS ACL hasn't changed yet)
>>> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created
>>> from a replica file made from dc1, the CentOS 7.2 CA master (missing
>>> some stuff)
>>> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
>>> missing some stuff)
>>>
>>> ============================================================================
>>>
>>>
>>> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain
>>> consists of only CentOS servers
>>> ============================================================================
>>>
>>>
>>> [root@dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config"
>>> "(aci=*)" aci
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (aci=*)
>>> # requesting: aci
>>> #
>>>
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
>>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>>> Database Confi
>>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> LDBM Databas
>>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) g
>>> roupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,dc=
>>> ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || description || entryusn
>>> || modify
>>> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
>>> nsds5debugreplicatimeou
>>> t || nsds5flags || nsds5replicaabortcleanruv ||
>>> nsds5replicaautoreferral || n
>>> sds5replicabackoffmax || nsds5replicabackoffmin ||
>>> nsds5replicabinddn || nsds
>>> 5replicabindmethod || nsds5replicabusywaittime ||
>>> nsds5replicachangecount ||
>>> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
>>> nsds5replicacl
>>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled
>>> || nsds5repl
>>> icahost || nsds5replicaid || nsds5replicalastinitend ||
>>> nsds5replicalastinits
>>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend
>>> || nsds5repli
>>> calastupdatestart || nsds5replicalastupdatestatus ||
>>> nsds5replicalegacyconsum
>>> er || nsds5replicaname || nsds5replicaport ||
>>> nsds5replicaprotocoltimeout ||
>>> nsds5replicapurgedelay || nsds5replicareferral ||
>>> nsds5replicaroot || nsds5re
>>> plicasessionpausetime || nsds5replicastripattrs ||
>>> nsds5replicatedattributeli
>>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
>>> nsds5replic
>>> atombstonepurgeinterval || nsds5replicatransportinfo ||
>>> nsds5replicatype || n
>>> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
>>> nsds5task || nsd
>>> s7directoryreplicasubtree || nsds7dirsynccookie ||
>>> nsds7newwingroupsyncenable
>>> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
>>> nsds7windowsreplicas
>>> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
>>> onewaysync ||
>>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction
>>> || winsyncsub
>>> treepair || winsyncwindowsfilter")(targetfilter =
>>> "(|(objectclass=nsds5Replic
>>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>>> greement)(objectClass=nsMappingTree))")(version 3.0;acl
>>> "permission:System: R
>>> ead Replication Agreements";allow (compare,read,search) groupdn =
>>> "ldap:///cn
>>> =System: Read Replication
>>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>>> n,dc=net";)
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
>>> !="aci")(version 3.0;acl
>>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>>>
>>> # tasks, config
>>> dn: cn=tasks,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>>> re-initializatio
>>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permis
>>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>>> replica re
>>> -initialization"; allow (add) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>>> ca";)
>>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>>> allow (read
>>> , compare, search) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>>> atestdomain,dc=net";)
>>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
>>> membershi
>>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
>>> Automember Ta
>>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System:
>>> Read Automembe
>>> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # csusers, config
>>> dn: ou=csusers,cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>>> replication use
>>> rs"; allow (all) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>>> allow( rea
>>> d, search ) userdn = "ldap:///all";)
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>>> allow (read,
>>> search, compare, proxy) userdn = "ldap:///anyone"; )
>>>
>>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>>> Agreements";al
>>> low (add) groupdn = "ldap:///cn=Add Replication
>>> Agreements,cn=permissions,cn=
>>> pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>>> Replication Agreeme
>>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>>> Replication Ag
>>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "permission:Rem
>>> ove Replication Agreements";allow (delete) groupdn =
>>> "ldap:///cn=Remove Repli
>>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # o\3Dipaca, mapping tree, config
>>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>>> Agreements"
>>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>>> Replication Agre
>>> ements"; allow (read, write, search) userdn =
>>> "ldap:///uid=pkidbuser,ou=peopl
>>> e,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "cert manager:
>>> Remove Replication Agreements";allow (delete) userdn =
>>> "ldap:///uid=pkidbuser
>>> ,ou=people,o=ipaca";)
>>>
>>> # ldbm database, plugins, config
>>> dn: cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>>> searches"; a
>>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> aci: (targetattr=dnaNextRange || dnaNextValue ||
>>> dnaMaxValue)(version 3.0;acl
>>> "permission:Modify DNA Range";allow (write) groupdn =
>>> "ldap:///cn=Modify DNA
>>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>>> || dnaThre
>>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>>> DNA Range";
>>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>>> Range,cn=permiss
>>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # userRoot, ldbm database, plugins, config
>>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>>> the databas
>>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove
>>> Replication Agreement
>>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 12
>>> # numEntries: 11
>>>
>>>
>>> ============================================================================
>>>
>>>
>>> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but
>>> there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for
>>> reference that the CentOS ACL hasn't changed yet)
>>> ============================================================================
>>>
>>>
>>> ================ after reinstallation of dc2 in fedora 23 / ipa
>>> 4.2.3 =========================
>>>
>>> [root@dc1 ~]# ldapsearch -b "cn=config" -D
>>> "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
>>> Enter LDAP Password:
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
>>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>>> Database Confi
>>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> LDBM Databas
>>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) g
>>> roupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,dc=
>>> ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || description || entryusn
>>> || modify
>>> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
>>> nsds5debugreplicatimeou
>>> t || nsds5flags || nsds5replicaabortcleanruv ||
>>> nsds5replicaautoreferral || n
>>> sds5replicabackoffmax || nsds5replicabackoffmin ||
>>> nsds5replicabinddn || nsds
>>> 5replicabindmethod || nsds5replicabusywaittime ||
>>> nsds5replicachangecount ||
>>> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
>>> nsds5replicacl
>>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled
>>> || nsds5repl
>>> icahost || nsds5replicaid || nsds5replicalastinitend ||
>>> nsds5replicalastinits
>>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend
>>> || nsds5repli
>>> calastupdatestart || nsds5replicalastupdatestatus ||
>>> nsds5replicalegacyconsum
>>> er || nsds5replicaname || nsds5replicaport ||
>>> nsds5replicaprotocoltimeout ||
>>> nsds5replicapurgedelay || nsds5replicareferral ||
>>> nsds5replicaroot || nsds5re
>>> plicasessionpausetime || nsds5replicastripattrs ||
>>> nsds5replicatedattributeli
>>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
>>> nsds5replic
>>> atombstonepurgeinterval || nsds5replicatransportinfo ||
>>> nsds5replicatype || n
>>> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
>>> nsds5task || nsd
>>> s7directoryreplicasubtree || nsds7dirsynccookie ||
>>> nsds7newwingroupsyncenable
>>> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
>>> nsds7windowsreplicas
>>> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
>>> onewaysync ||
>>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction
>>> || winsyncsub
>>> treepair || winsyncwindowsfilter")(targetfilter =
>>> "(|(objectclass=nsds5Replic
>>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>>> greement)(objectClass=nsMappingTree))")(version 3.0;acl
>>> "permission:System: R
>>> ead Replication Agreements";allow (compare,read,search) groupdn =
>>> "ldap:///cn
>>> =System: Read Replication
>>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>>> n,dc=net";)
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
>>> !="aci")(version 3.0;acl
>>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>>>
>>> # tasks, config
>>> dn: cn=tasks,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>>> re-initializatio
>>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permis
>>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>>> replica re
>>> -initialization"; allow (add) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>>> ca";)
>>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>>> allow (read
>>> , compare, search) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>>> atestdomain,dc=net";)
>>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
>>> membershi
>>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
>>> Automember Ta
>>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System:
>>> Read Automembe
>>> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # csusers, config
>>> dn: ou=csusers,cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>>> replication use
>>> rs"; allow (all) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>>> allow( rea
>>> d, search ) userdn = "ldap:///all";)
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>>> allow (read,
>>> search, compare, proxy) userdn = "ldap:///anyone"; )
>>>
>>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>>> Agreements";al
>>> low (add) groupdn = "ldap:///cn=Add Replication
>>> Agreements,cn=permissions,cn=
>>> pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>>> Replication Agreeme
>>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>>> Replication Ag
>>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "permission:Rem
>>> ove Replication Agreements";allow (delete) groupdn =
>>> "ldap:///cn=Remove Repli
>>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # o\3Dipaca, mapping tree, config
>>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>>> Agreements"
>>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>>> Replication Agre
>>> ements"; allow (read, write, search) userdn =
>>> "ldap:///uid=pkidbuser,ou=peopl
>>> e,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "cert manager:
>>> Remove Replication Agreements";allow (delete) userdn =
>>> "ldap:///uid=pkidbuser
>>> ,ou=people,o=ipaca";)
>>>
>>> # ldbm database, plugins, config
>>> dn: cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>>> searches"; a
>>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> aci: (targetattr=dnaNextRange || dnaNextValue ||
>>> dnaMaxValue)(version 3.0;acl
>>> "permission:Modify DNA Range";allow (write) groupdn =
>>> "ldap:///cn=Modify DNA
>>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>>> || dnaThre
>>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>>> DNA Range";
>>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>>> Range,cn=permiss
>>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # userRoot, ldbm database, plugins, config
>>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>>> the databas
>>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove
>>> Replication Agreement
>>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 12
>>> # numEntries: 11
>>>
>>>
>>>
>>> ============================================================================
>>>
>>>
>>> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the
>>> replica file was made from dc1 which is a CentOS server that still
>>> has the acls (missing some stuff)
>>> ============================================================================
>>>
>>>
>>> aci list on dc2
>>>
>>> [root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config"
>>> "(aci=*)" aci
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (aci=*)
>>> # requesting: aci
>>> #
>>>
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
>>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>>> Database Confi
>>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> LDBM Databas
>>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) g
>>> roupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,dc=
>>> ipatestdomain,dc=net";)
>>>
>>> # SNMP, config
>>> dn: cn=SNMP,cn=config
>>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
>>> !="aci")(version 3.0;acl
>>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>>>
>>> # tasks, config
>>> dn: cn=tasks,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
>>> re-initializatio
>>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication
>>> Agreements,cn=permis
>>> sions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
>>> replica re
>>> -initialization"; allow (add) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipa
>>> ca";)
>>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
>>> allow (read
>>> , compare, search) groupdn =
>>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>>> atestdomain,dc=net";)
>>>
>>> # csusers, config
>>> dn: ou=csusers,cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage
>>> replication use
>>> rs"; allow (all) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
>>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
>>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
>>> allow( rea
>>> d, search ) userdn = "ldap:///all";)
>>>
>>> # 2.16.840.1.113730.3.4.9, features, config
>>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
>>> allow (read,
>>> search, compare, proxy) userdn = "ldap:///anyone"; )
>>>
>>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
>>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
>>> Agreements";al
>>> low (add) groupdn = "ldap:///cn=Add Replication
>>> Agreements,cn=permissions,cn=
>>> pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify
>>> Replication Agreeme
>>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
>>> Replication Ag
>>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "permission:Rem
>>> ove Replication Agreements";allow (delete) groupdn =
>>> "ldap:///cn=Remove Repli
>>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # o\3Dipaca, mapping tree, config
>>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
>>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
>>> Agreements"
>>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
>>> Replication Agre
>>> ements"; allow (read, write, search) userdn =
>>> "ldap:///uid=pkidbuser,ou=peopl
>>> e,o=ipaca";)
>>> aci:
>>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
>>> "cert manager:
>>> Remove Replication Agreements";allow (delete) userdn =
>>> "ldap:///uid=pkidbuser
>>> ,ou=people,o=ipaca";)
>>>
>>> # ldbm database, plugins, config
>>> dn: cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>>> searches"; a
>>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> aci: (targetattr=dnaNextRange || dnaNextValue ||
>>> dnaMaxValue)(version 3.0;acl
>>> "permission:Modify DNA Range";allow (write) groupdn =
>>> "ldap:///cn=Modify DNA
>>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>>> || dnaThre
>>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>>> DNA Range";
>>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>>> Range,cn=permiss
>>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # userRoot, ldbm database, plugins, config
>>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>>> the databas
>>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove
>>> Replication Agreement
>>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 12
>>> # numEntries: 11
>>>
>>> ============================================================================
>>>
>>>
>>> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
>>> missing some stuff)
>>> ============================================================================
>>>
>>>
>>> [root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b
>>> "cn=config" "(aci=*)" aci
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=config> with scope subtree
>>> # filter: (aci=*)
>>> # requesting: aci
>>> #
>>>
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read
>>> access"; allow (r
>>> ead, search, compare) userdn =
>>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target = "ldap:///cn=automember rebuild
>>> membership,cn=tasks,cn=config")(
>>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>>> Membership T
>>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>>> Membership Task
>>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ob
>>> jectclass || passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,cn=plu
>>> gins,cn=config")(version 3.0;acl "permission:Read PassSync
>>> Managers Configura
>>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>>> PassSync Manager
>>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target =
>>> "ldap:///cn=ipa_pwd_extop,
>>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify
>>> PassSync Managers C
>>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>>> Managers Co
>>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> modifytimestamp || ns
>>> slapd-directory* || objectclass")(target =
>>> "ldap:///cn=config,cn=ldbm databas
e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM >>> Database Confi >>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read >>> LDBM Databas >>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (version 3.0;acl "permission:Add Configuration >>> Sub-Entries";allow (add) g >>> roupdn = "ldap:///cn=Add Configuration >>> Sub-Entries,cn=permissions,cn=pbac,dc= >>> ipatestdomain,dc=net";) >>> >>> # SNMP, config >>> dn: cn=SNMP,cn=config >>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr >>> !="aci")(version 3.0;acl >>> "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");) >>> >>> # tasks, config >>> dn: cn=tasks,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >>> re-initializatio >>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >>> Agreements,cn=permis >>> sions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >>> replica re >>> -initialization"; allow (add) userdn = >>> "ldap:///uid=pkidbuser,ou=people,o=ipa >>> ca";) >>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >>> allow (read >>> , compare, search) groupdn = >>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >>> atestdomain,dc=net";) >>> >>> # csusers, config >>> dn: ou=csusers,cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >>> replication use >>> rs"; allow (all) userdn = >>> "ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >>> allow( rea >>> d, search ) userdn = "ldap:///all";) >>> >>> # 2.16.840.1.113730.3.4.9, features, config >>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >>> allow (read, >>> search, compare, proxy) userdn = 
"ldap:///anyone"; ) >>> >>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication >>> Agreements";al >>> low (add) groupdn = "ldap:///cn=Add Replication >>> Agreements,cn=permissions,cn= >>> pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >>> Replication Agreeme >>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >>> Replication Ag >>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "permission:Rem >>> ove Replication Agreements";allow (delete) groupdn = >>> "ldap:///cn=Remove Repli >>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # o\3Dipaca, mapping tree, config >>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication >>> Agreements" >>> ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >>> Replication Agre >>> ements"; allow (read, write, search) userdn = >>> "ldap:///uid=pkidbuser,ou=peopl >>> e,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "cert manager: >>> Remove Replication Agreements";allow (delete) userdn = >>> "ldap:///uid=pkidbuser >>> ,ou=people,o=ipaca";) >>> >>> # ldbm 
database, plugins, config >>> dn: cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >>> searches"; a >>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config >>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> aci: (targetattr=dnaNextRange || dnaNextValue || >>> dnaMaxValue)(version 3.0;acl >>> "permission:Modify DNA Range";allow (write) groupdn = >>> "ldap:///cn=Modify DNA >>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue >>> || dnaThre >>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read >>> DNA Range"; >>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA >>> Range,cn=permiss >>> ions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # userRoot, ldbm database, plugins, config >>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking >>> the databas >>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove >>> Replication Agreement >>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # search result >>> search: 2 >>> result: 0 Success >>> >>> # numResponses: 12 >>> # numEntries: 11 >>> >>> >>> >>> -----Original Message----- >>> From: Rich Megginson [mailto:[email protected]] >>> Sent: January-22-16 10:24 AM >>> To: Nathan Peters; [email protected] >>> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation >>> fails with DuplicateEntry: This entry already exists >>> >>> On 01/22/2016 11:04 AM, Nathan Peters wrote: >>>> Wow, strange stuff, the search I linked in the last email for our >>>> non working dev environment seems short some entries. >>>> >>>> For comparison, here is the same search run against our currently >>>> working prod environment. 
>>>>
>>>> As you can see, our prod environment has a huge aci on the config tree.
>>>>
>>>> For reference, our prod and dev environments were identical (FreeIPA 4.1.4/CentOS7.1) before I updated our dev environment to CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 -> Fedora23/FreeIPA4.3.0. So at some point during this upgrade process I assume maybe one of the installers deleted acis on our tree? That sounds like the kind of thing that would happen when introducing the new domain level functionality in 4.3, like if someone accidentally thought "oh this replica branch is now in a globally replicated section, we can remove these acis for this local stuff..." and then put that logic into the installer or something...
>>>>
>>>> The real question is, is there some good way of getting those aci's back, like a fixaci command?
>>> I don't know.
>>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
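The comparison in this thread was done by eye across two ldapsearch dumps of cn=config. As an added example (not code from the thread, from FreeIPA or from 389-ds), the script below does the same thing mechanically: it parses two "(aci=*)" dumps, reports every ACI that the reference master carries and the target master lacks, keyed by entry DN, and writes the ldapmodify input that re-adds them. The two embedded LDIF strings are constructed samples modelled on the entries quoted above; the second one is deliberately missing the "permission:Modify Replication Agreements" ACI on the mapping tree entry, and is folded at different columns to show that fold position does not matter.

```python
"""Diff the aci values of two 389-ds cn=config dumps.

Added example, not FreeIPA or 389-ds code. Feed it the output of
  ldapsearch -D "cn=directory manager" -W -b cn=config "(aci=*)" aci
from a working master and from the broken one: it lists the ACIs the broken
one lacks and emits ldapmodify input that puts them back.
"""
import re

# The dumps use both acl "..." and aci "..." as the name keyword.
ACL_NAME = re.compile(r'ac[il]\s+"([^"]+)"')

def parse_ldif(text):
    """Return {dn: [aci, ...]}; unfolds continuation lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # LDIF fold: one leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip():
            dn = None  # blank line ends the current entry
            continue
        key, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
            entries.setdefault(dn, [])
        elif key == "aci" and dn is not None:
            entries[dn].append(value)
    return entries

def acl_name(aci):
    """Quoted acl/aci label of an ACI, for readable reports."""
    m = ACL_NAME.search(aci)
    return m.group(1) if m else aci[:60]

def missing_acis(reference, target):
    """ACIs present in reference but absent from target, keyed by DN.
    Whitespace is collapsed before comparing, so fold position is irrelevant."""
    def norm(s):
        return re.sub(r"\s+", " ", s).strip()
    missing = {}
    for dn, acis in reference.items():
        present = {norm(a) for a in target.get(dn, [])}
        gone = [a for a in acis if norm(a) not in present]
        if gone:
            missing[dn] = gone
    return missing

def to_ldif_modify(missing):
    """ldapmodify input (changetype: modify, add: aci) re-adding each ACI.
    Apply as Directory Manager: ldapmodify -D "cn=directory manager" -W -f fix-aci.ldif"""
    records = []
    for dn, acis in missing.items():
        rec = ["dn: " + dn, "changetype: modify"]
        for aci in acis:
            rec += ["add: aci", "aci: " + aci, "-"]
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"

# Constructed sample: working master, folded at 76 columns as ldapsearch prints.
REFERENCE_LDIF = r"""# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
 s5replicationagreement))")(version 3.0; acl "permission:Modify Replication Ag
 reements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replicati
 on Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0;acl "permission:Remove Replication Agreements"
 ;allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permis
 sions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success
"""

# Constructed sample: broken master; same entry folded differently, minus the
# Modify Replication Agreements ACI.
TARGET_LDIF = r"""dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (ad
 d) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ipates
 tdomain,dc=net";)
aci: (targetattr=*)(version 3.0;acl "permission:Remove Replication Agreements";allow
  (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac
 ,dc=ipatestdomain,dc=net";)
"""

if __name__ == "__main__":
    missing = missing_acis(parse_ldif(REFERENCE_LDIF), parse_ldif(TARGET_LDIF))
    for dn, acis in missing.items():
        print(dn)
        for aci in acis:
            print("  missing:", acl_name(aci))
    print(to_ldif_modify(missing))
```

Run the same ldapsearch with the same bind DN and base on each master, save both outputs, and pass them to missing_acis(parse_ldif(...), parse_ldif(...)). Read the emitted LDIF before applying it: the script cannot tell an ACI lost by accident from one that a newer version removed on purpose, so anything it proposes to re-add should be checked against a freshly installed master of the target version, which is the reference the thread eventually used.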
