#3956 Update plugin needs the global anonymous read ACI
Closed: Fixed. Opened 10 years ago by pviktori.

In #3566 we want to remove the anonymous read ACI. Currently IPA has an update plugin that will fail the upgrade when the anon ACI is not found. Of course the plugin will be removed in newer versions, but the following scenario will fail:

  • have a 3.1 master
  • install a 3.4* replica: this sets up fine-grained read ACIs and removes the anonymous one
  • upgrade master to 3.3: upgrade fails as anon ACI is not found

(* hopefully reworked read ACIs make it to 3.4)

Possible workarounds:

  • Patch 3.3 (and possibly lower versions) to fail gracefully when the ACI is not there
  • Make the global anonymous read ACI optional; users that upgrade ancient versions to old ones would be advised to turn it on for the upgrade. (This would also
  • Ignore the problem, upgrading to N when N+x is installed in the cluster is not supported

More details are needed. What update plugin fails and how?

The update_anonymous_aci plugin.

When the anon read ACI is deleted, e.g. ldapmodify with the following:

dn: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
changetype: modify
delete: aci
aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

ipa-ldap-updater fails with:

2013-09-30T17:20:50Z INFO POST_UPDATE
2013-09-30T17:20:50Z DEBUG Created connection context.ldap2
2013-09-30T17:20:50Z DEBUG raw: update_anonymous_aci
2013-09-30T17:20:50Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
2013-09-30T17:20:50Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3ee7ab8>
2013-09-30T17:20:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 209, in run
    modified = ld.update(self.files, ordered=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 879, in update
    updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 122, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 142, in run
    return self.Updater[method](**kw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1448, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_anonymous_aci.py", line 45, in execute
    rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py", line 398, in _find_aci_by_name
    raise errors.NotFound(reason=_('ACI with name "%s" not found') % aciname)

2013-09-30T17:20:51Z DEBUG The ipa-ldap-updater command failed, exception: NotFound: ACI with name "Enable Anonymous access" not found
2013-09-30T17:20:51Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NotFound: ACI with name "Enable Anonymous access" not found
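The first workaround listed in the opening post (patch the updater to fail gracefully when the ACI is absent) amounts to catching the `NotFound` the traceback shows and skipping the plugin instead of aborting the upgrade. The following is an added, self-contained Python model of that behaviour; it is not FreeIPA's `update_anonymous_aci` code. `NotFound`, `find_aci_by_name`, `exclude_attr` and the sample ACI strings are constructed stand-ins, and the assumption that the plugin's job is to append a newly sensitive attribute to the `targetattr !=` exclusion list is taken from the shape of the ACI quoted above, not from the project's source.

```python
import re

# Constructed stand-in for ipalib.errors.NotFound (not FreeIPA's class).
class NotFound(Exception):
    """Raised when no ACI carries the requested acl "..." label."""

ANON_ACI_NAME = "Enable Anonymous access"

# Regexes over the raw ACI syntax seen in the ticket: the acl "name" label
# and the (targetattr != "a || b || c") exclusion clause.
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
TARGETATTR_RE = re.compile(r'\(targetattr\s*!=\s*"([^"]*)"\)')


def find_aci_by_name(acilist, aciname):
    """Return the raw ACI whose acl label equals aciname, else raise NotFound.
    Models the lookup the traceback shows (_find_aci_by_name); assumption only."""
    for raw in acilist:
        m = ACL_NAME_RE.search(raw)
        if m and m.group(1) == aciname:
            return raw
    raise NotFound('ACI with name "%s" not found' % aciname)


def exclude_attr(rawaci, attr):
    """Add attr to the ACI's targetattr != list. Returns (new_aci, changed)."""
    m = TARGETATTR_RE.search(rawaci)
    if not m:
        raise ValueError("ACI has no targetattr != clause")
    attrs = [a.strip() for a in m.group(1).split("||") if a.strip()]
    if attr.lower() in (a.lower() for a in attrs):
        return rawaci, False            # already excluded: nothing to do
    attrs.append(attr)
    clause = '(targetattr != "%s")' % " || ".join(attrs)
    return rawaci[:m.start()] + clause + rawaci[m.end():], True


def update_anonymous_aci(acilist, new_excluded_attr, aciname=ANON_ACI_NAME,
                         log=print):
    """Graceful variant of the updater step: returns (modified, new_acilist).

    If the global anonymous read ACI is absent (a newer replica already
    replaced it with fine-grained read ACIs), log and skip instead of letting
    NotFound abort the whole upgrade."""
    try:
        rawaci = find_aci_by_name(acilist, aciname)
    except NotFound as e:
        log("update_anonymous_aci: %s; skipping, nothing to update" % e)
        return False, list(acilist)
    newaci, changed = exclude_attr(rawaci, new_excluded_attr)
    if not changed:
        return False, list(acilist)
    return True, [newaci if a == rawaci else a for a in acilist]


# Constructed sample ACIs, shortened from the one quoted in the ticket.
ANON_ACI = ('(targetattr != "userPassword || krbPrincipalKey || ipaNTHash")'
            '(version 3.0; acl "Enable Anonymous access"; '
            'allow (read, search, compare) userdn = "ldap:///anyone";)')
OTHER_ACI = ('(targetattr = "cn")(version 3.0; acl "Read cn"; '
             'allow (read) userdn = "ldap:///anyone";)')

if __name__ == "__main__":
    # Master still has the anon ACI: the plugin rewrites it.
    print(update_anonymous_aci([ANON_ACI, OTHER_ACI], "exampleSecretAttr"))
    # Replica already dropped it: plugin logs and continues instead of failing.
    print(update_anonymous_aci([OTHER_ACI], "exampleSecretAttr"))
```

The only behavioural difference from the failing path in the traceback is the `except NotFound` branch: the missing ACI is treated as "already handled by a newer server" rather than as a fatal error, which is exactly the condition the mixed-version replication scenario produces.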

This fix would also be needed for older FreeIPA servers to be able to properly replicate with a FreeIPA server with #3566.

This ticket does not need to be cloned any more - the version already GA'd.

Metadata Update from @pviktori:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)

7 years ago
