Bug 772852
| Field | Value |
|---|---|
| Summary | "Unresolved rules in --rules" error message is displayed even if the hbacrule is specified using the --rules option. |
| Product | Red Hat Enterprise Linux 6 |
| Component | ipa |
| Version | 6.2 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Target Milestone | rc |
| Fixed In Version | ipa-2.2.0-1.el6 |
| Doc Type | Bug Fix |
| Doc Text | No documentation needed. |
| Reporter | Gowrishankar Rajaiyan <grajaiya> |
| Assignee | Rob Crittenden <rcritten> |
| QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| CC | jgalipea, mkosek, shaines |
| Last Closed | 2012-06-20 13:29:00 UTC |

Description
Gowrishankar Rajaiyan
2012-01-10 06:40:01 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2233

I just noticed that the upstream ticket was already created (a link was not placed in the BZ): https://fedorahosted.org/freeipa/ticket/2230

Wouldn't this be because the default searchlimit is 100?

```
# ipa config-show
Max. username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain for new users: testrelm
Search time limit: 2
Search size limit: 100 <================================================
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=TESTRELM
Password Expiration Notification (days): 4
```

Sorry for the confusion. There are two cases here:

1. When you explicitly specify --rules option with the rule name. In this case the expected result is "access granted: true" which is irrespective of the search size limit set in config. Bugzilla is against this case and the relevant ticket https://fedorahosted.org/freeipa/ticket/2230. I have updated the summary to reflect the actual issue.

2. When you do not specify --rules option, then the default search size limit comes into the picture, which is 100 by default. Modifying this to a desired value and then running hbactest works fine, however, this would mean modifying the default search limit hence I raised an RFE ticket ( https://fedorahosted.org/freeipa/ticket/2231 ) to add --sizelimit option.

```
# ipa config-mod --searchrecordslimit=500
Max. username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain for new users: lab.eng.pnq.redhat.com
Search time limit: 2
Search size limit: 500
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=LAB.ENG.PNQ.REDHAT.COM
Password Expiration Notification (days): 4

[root@jetfire ~]# ipa hbactest --user=shanks --srchost=ratchet.lab.eng.pnq.redhat.com --host=ratchet.lab.eng.pnq.redhat.com --service=sshd
--------------------
Access granted: True
--------------------
matched: zrule
notmatched: rule1
notmatched: rule10
notmatched: rule100
```

Pushed to ipa-2-2: 7eaf1dc594294688daeba31a87781d299e45f038

Pushed to master: 1e04e9f02978592d861895bd14e8b3a2ee2c7100

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents: No documentation needed.

verified ::

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacsvc-772852: "Unresolved rules in --rules" error message is displayed even if the hbacrule is specified using the --rules option.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Running 'ipa config-show'
:: [ PASS ] :: Running 'ipa config-mod --searchrecordslimit=5'
:: [ PASS ] :: Running 'ipa config-show'
:: [ PASS ] :: Running 'ipa hbacrule-disable allow_all'
:: [ PASS ] :: Running 'ipa hbacrule-add 772852'
:: [ PASS ] :: Running 'ipa hbacrule-find'
:: [ PASS ] :: Running 'ipa hbacrule-add-user 772852 --users=user772852'
:: [ PASS ] :: Running 'ipa hbacrule-add-host 772852 --hosts=intel-s3ea2-03.testrelm.com'
:: [ PASS ] :: Running 'ipa hbacrule-add-sourcehost 772852 --hosts=ibm-x3650-04.testrelm.com'
:: [ PASS ] :: Running 'ipa hbacrule-add-service 772852 --hbacsvcs=sshd'
:: [ PASS ] :: Running 'ipa hbacrule-show 772852 --all'
:: [ PASS ] :: Running 'ipa hbactest --user=user772852 --srchost=ibm-x3650-04.testrelm.com --host=intel-s3ea2-03.testrelm.com --service=sshd --rules=772852 | grep -Ex '(Access granted: True| matched: 772852)''
:: [ LOG ] :: Verifies bug https://bugzilla.redhat.com/show_bug.cgi?id=772852
:: [ PASS ] :: Running 'ipa hbactest --user=user772852 --srchost=ibm-x3650-04.testrelm.com --host=intel-s3ea2-03.testrelm.com --service=sshd --rules=772852 | grep "Unresolved rules"'
:: [ PASS ] :: Running 'ipa config-mod --searchrecordslimit=100'
:: [ PASS ] :: Running 'ipa config-show'
:: [ LOG ] :: Duration: 50s
:: [ LOG ] :: Assertions: 16 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacsvc-772852: "Unresolved rules in --rules" error message is displayed even if the hbacrule is specified using the --rules option.
```

version :: ipa-server.i686 0:2.2.0-13.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html