In #3566 we want to remove the anonymous read ACI. Currently IPA has an update plugin that will fail the upgrade when the anon ACI is not found. Of course the plugin will be removed in newer versions, but the following scenario will fail:
(* hopefully reworked read ACIs make it to 3.4)
Possible workarounds:
N
N+x
More details are needed. What update plugin fails and how?
The update_anonymous_aci plugin.
When the anon read ACI is deleted, e.g. ldapmodify with the following:
dn: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
changetype: modify
delete: aci
aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
ipa-ldap-updater fails with:
2013-09-30T17:20:50Z INFO POST_UPDATE
2013-09-30T17:20:50Z DEBUG Created connection context.ldap2
2013-09-30T17:20:50Z DEBUG raw: update_anonymous_aci
2013-09-30T17:20:50Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
2013-09-30T17:20:50Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3ee7ab8>
2013-09-30T17:20:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 209, in run
    modified = ld.update(self.files, ordered=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 879, in update
    updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 122, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 142, in run
    return self.Updater[method](**kw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1448, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_anonymous_aci.py", line 45, in execute
    rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py", line 398, in _find_aci_by_name
    raise errors.NotFound(reason=_('ACI with name "%s" not found') % aciname)
2013-09-30T17:20:51Z DEBUG The ipa-ldap-updater command failed, exception: NotFound: ACI with name "Enable Anonymous access" not found
2013-09-30T17:20:51Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NotFound: ACI with name "Enable Anonymous access" not found
This fix would also be needed for older FreeIPA servers to be able to properly replicate with a FreeIPA server with #3566.
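The traceback above shows the failure mode: the plugin's lookup helper raises NotFound when the named ACI is absent, the exception propagates out of execute(), and ipa-ldap-updater aborts the whole upgrade. The following is an added illustration, not FreeIPA's code: it models an ACI lookup by acl name over raw ACI strings and shows the strict behaviour from the ticket beside a tolerant variant that treats a deliberately removed ACI as nothing-to-do. The update step itself (adding an attribute to the targetattr exclusion list) and all sample ACI values are constructed for the example.

```python
import re
import logging

# Constructed sample data (not taken from any real server). The second value mirrors
# the shape of the "Enable Anonymous access" ACI quoted in the ticket, shortened.
SAMPLE_ACIS_WITH_ANON = [
    '(targetattr = "cn || sn")(version 3.0; acl "Read basic attributes"; '
    'allow (read, search, compare) userdn = "ldap:///all";)',
    '(targetattr != "userPassword || krbPrincipalKey || krbMKey")(version 3.0; '
    'acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
]
# The same entry after an administrator deleted the anonymous read ACI (as in the ticket).
SAMPLE_ACIS_WITHOUT_ANON = SAMPLE_ACIS_WITH_ANON[:1]

ANON_ACI_NAME = "Enable Anonymous access"
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
TARGETATTR_EXCL_RE = re.compile(r'\(targetattr\s*!=\s*"([^"]*)"\)')


class ACINotFound(Exception):
    """Stands in for ipalib's errors.NotFound in this example."""


def aci_name(rawaci):
    """Return the acl "..." name embedded in a raw ACI string, or None if there is none."""
    m = ACL_NAME_RE.search(rawaci)
    return m.group(1) if m else None


def find_aci_by_name(acilist, name):
    """Look up an ACI by its acl name; raises when absent, like the helper in the traceback."""
    for rawaci in acilist:
        if aci_name(rawaci) == name:
            return rawaci
    raise ACINotFound('ACI with name "%s" not found' % name)


def add_excluded_attr(rawaci, attr):
    """Ensure attr is listed in the ACI's (targetattr != "...") clause.

    Returns (new_aci, changed). Hypothetical update logic, used only to give the
    update step something concrete to do.
    """
    m = TARGETATTR_EXCL_RE.search(rawaci)
    if m is None:
        raise ValueError("ACI has no targetattr exclusion clause")
    attrs = [a.strip() for a in m.group(1).split("||")]
    if attr in attrs:
        return rawaci, False
    attrs.append(attr)
    new_clause = '(targetattr != "%s")' % " || ".join(attrs)
    return rawaci[:m.start()] + new_clause + rawaci[m.end():], True


def update_anonymous_aci_strict(acilist, attr):
    """Behaviour reported in the ticket: a missing ACI raises and aborts the upgrade."""
    rawaci = find_aci_by_name(acilist, ANON_ACI_NAME)
    new_aci, changed = add_excluded_attr(rawaci, attr)
    return ("updated" if changed else "unchanged"), new_aci


def update_anonymous_aci_tolerant(acilist, attr):
    """Hardened variant: an ACI that is no longer present has nothing left to tighten, so skip."""
    try:
        rawaci = find_aci_by_name(acilist, ANON_ACI_NAME)
    except ACINotFound:
        logging.info('ACI "%s" not present, nothing to update', ANON_ACI_NAME)
        return "skipped", None
    new_aci, changed = add_excluded_attr(rawaci, attr)
    return ("updated" if changed else "unchanged"), new_aci


if __name__ == "__main__":
    print(update_anonymous_aci_tolerant(SAMPLE_ACIS_WITH_ANON, "ipaNTHash"))
    print(update_anonymous_aci_tolerant(SAMPLE_ACIS_WITHOUT_ANON, "ipaNTHash"))
    try:
        update_anonymous_aci_strict(SAMPLE_ACIS_WITHOUT_ANON, "ipaNTHash")
    except ACINotFound as e:
        print("strict variant aborted the update:", e)
```

The skip-on-missing path is what an update plugin needs once a later release removes the ACI by design: a replica on the older version must still complete its upgrade against data written by the newer one.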
master: c813b8f
ipa-3-3: 05e61e4
This ticket does not need to be cloned any more - the version already GA'd.
Metadata Update from @pviktori:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)