
ipa-migrate doesn't copy ACI for IPA RBAC permissions


    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-10.1
    • ipa
    • None
    • None
    • Low
    • rhel-idm-ipa
    • None
    • False
    • False
    • None
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      What were you trying to do that didn't work?

      ipa-migrate migrates the IPA RBAC permission entries, but it does not create the corresponding ACI for them on the migrated server.

      What is the impact of this issue to you?

      Listing a migrated permission fails with an error that its ACI was not found, and because the ACI is missing the permission is not enforced on the migrated server.

      Please provide the package NVR for which the bug is seen:

      ipa-server-4.12.2-24.el10_1.1.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Create a custom RBAC permission on the original server.
      2. Migrate the server with ipa-migrate.

      Expected results

      The migrated permission works correctly: its ACI is present at the permission's location on the migrated server.

      Actual results

      in original server:

      [root@ipa1 ~]# ipa permission-find 'Request Certificate with SubjectAltName' --all --raw
      --------------------
      1 permission matched
      --------------------
       dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domain23,dc=local
       cn: Request Certificate with SubjectAltName
       ipapermright: read
       ipapermright: write
       ipapermincludedattr: cn
       ipapermbindruletype: permission
       ipapermlocation: cn=caacls,cn=ca,dc=domain23,dc=local
       ipapermtargetfilter: (memberOf=cn=admins,cn=groups,cn=accounts,dc=domain23,dc=local)
       ipapermtargetfilter: (objectclass=ipacaacl)
       ipapermissiontype: SYSTEM
       ipapermissiontype: V2
       aci: (targetattr = "cn")(targetfilter = "(&(memberOf=cn=admins,cn=groups,cn=accounts,dc=domain23,dc=local)(objectclass=ipacaacl))")(version 3.0;acl "permission:Request Certificate with SubjectAltName";allow (
      read,write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domain23,dc=local";)
       objectclass: top
       objectclass: groupofnames
       objectclass: ipapermission
       objectclass: ipapermissionv2
      ----------------------------
      Number of entries returned 1
      ----------------------------
      [root@ipa1 ~]# ldapsearch -D "cn=Directory Manager" -W -b 'cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domain23,dc=local'
      Enter LDAP Password:  
      # extended LDIF
      #
      # LDAPv3
      # base <cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domain23,dc=local> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # Request Certificate with SubjectAltName, permissions, pbac, domain23.local
      dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domai
      n23,dc=local
      cn: Request Certificate with SubjectAltName
      ipaPermBindRuleType: permission
      ipaPermRight: read
      ipaPermRight: write
      ipaPermLocation: cn=caacls,cn=ca,dc=domain23,dc=local
      ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,dc=domain23,dc=
      local)
      ipaPermTargetFilter: (objectclass=ipacaacl)
      objectClass: top
      objectClass: groupofnames
      objectClass: ipapermission
      objectClass: ipapermissionv2
      ipaPermissionType: SYSTEM
      ipaPermissionType: V2
      ipaPermIncludedAttr: cn
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 2
      # numEntries: 1
      
      [root@ipa1 ~]# ldapsearch -D "cn=Directory Manager" -W -b 'cn=caacls,cn=ca,dc=domain23,dc=local'
      Enter LDAP Password:  
      # extended LDIF
      #
      # LDAPv3
      # base <cn=caacls,cn=ca,dc=domain23,dc=local> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # caacls, ca, domain23.local
      dn: cn=caacls,cn=ca,dc=domain23,dc=local
      objectClass: nsContainer
      objectClass: top
      cn: caacls
      
      # 861a4fb6-a3a0-11f0-a410-5254007e6584, caacls, ca, domain23.local
      dn: ipaUniqueID=861a4fb6-a3a0-11f0-a410-5254007e6584,cn=caacls,cn=ca,dc=domain
      23,dc=local
      cn: hosts_services_caIPAserviceCert
      hostCategory: all
      serviceCategory: all
      objectClass: ipaassociation
      objectClass: ipacaacl
      ipaEnabledFlag: TRUE
      ipaUniqueID: 861a4fb6-a3a0-11f0-a410-5254007e6584
      ipaMemberCertProfile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=domain23,dc
      =local
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 3
      # numEntries: 2
      

      migrated server:

      [root@ipa3 ~]# ipa permission-show 'Request Certificate with SubjectAltName' --all --raw
      ipa: ERROR: The ACI for permission Request Certificate with SubjectAltName was not found in cn=caacls,cn=ca,dc=domain23,dc=local  
      [root@ipa3 ~]# ldapsearch -D "cn=Directory Manager" -W -b 'cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domain23,dc=local'
      Enter LDAP Password:  
      # extended LDIF
      #
      # LDAPv3
      # base <cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domain23,dc=local> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # Request Certificate with SubjectAltName, permissions, pbac, domain23.local
      dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=domai
      n23,dc=local
      cn: Request Certificate with SubjectAltName
      ipaPermBindRuleType: permission
      ipaPermRight: read
      ipaPermRight: write
      ipaPermLocation: cn=caacls,cn=ca,dc=domain23,dc=local
      ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,dc=domain23,dc=
      local)
      ipaPermTargetFilter: (objectclass=ipacaacl)
      ipaPermissionType: SYSTEM
      ipaPermissionType: V2
      ipaPermIncludedAttr: cn
      objectClass: top
      objectClass: groupofnames
      objectClass: ipapermission
      objectClass: ipapermissionv2
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 2
      # numEntries: 1
      
      [root@ipa3 ~]# ipa permission-show 'Request Certificate with SubjectAltName' --all --raw
      ipa: ERROR: The ACI for permission Request Certificate with SubjectAltName was not found in cn=caacls,cn=ca,dc=domain23,dc=local  
      [root@ipa3 ~]# # ldapsearch -D "cn=Directory Manager" -W -b 'cn=caacls,cn=ca,dc=domain23,dc=local'
      [root@ipa3 ~]#  ldapsearch -D "cn=Directory Manager" -W -b 'cn=caacls,cn=ca,dc=domain23,dc=local'
      Enter LDAP Password:  
      # extended LDIF
      #
      # LDAPv3
      # base <cn=caacls,cn=ca,dc=domain23,dc=local> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # caacls, ca, domain23.local
      dn: cn=caacls,cn=ca,dc=domain23,dc=local
      objectClass: nsContainer
      objectClass: top
      cn: caacls
      
      # fd4c78c6-1b9f-11f1-b8e0-525400ad0112, caacls, ca, domain23.local
      dn: ipaUniqueID=fd4c78c6-1b9f-11f1-b8e0-525400ad0112,cn=caacls,cn=ca,dc=domain
      23,dc=local
      cn: hosts_services_caIPAserviceCert
      hostCategory: all
      serviceCategory: all
      objectClass: ipaassociation
      objectClass: ipacaacl
      ipaEnabledFlag: TRUE
      ipaUniqueID: fd4c78c6-1b9f-11f1-b8e0-525400ad0112
      ipaMemberCertProfile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=domain23,dc
      =local
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 3
      # numEntries: 2
      

      The ACI is not processed: the permission entry under cn=permissions,cn=pbac is copied, but no aci attribute is created on the migrated server's cn=caacls,cn=ca entry, which is why permission-show reports that the ACI was not found.

              frenaud@redhat.com Florence Renaud
              rhn-support-asharov Aleksandr Sharov
              Florence Renaud Florence Renaud
              Sudhir Menon Sudhir Menon