Description of problem: This is the ACIs set to cn=Server Group: > dn: cn=Server Group, cn=kiki.usersys.redhat.com, > ou=usersys.redhat.com, o=NetscapeRoot > aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; > acl "Enable delegated access"; allow (read, search, compare) > groupdn="ldap:///cn=Server Group, cn=kiki.usersys.redhat.com, > ou=usersys.redhat.com,o=NetscapeRoot";) > aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; > allow (read, search, compare) userdn="ldap:///cn=admin-serv-kiki, > cn=Fedora Administration Server, cn=Server Group, > cn=kiki.usersys.redhat.com, > ou=usersys.redhat.com, o=NetscapeRoot";) The first ACI's targetfilter is (nsconfigRoot=*). The attribute nsconfigRoot used to store the serverroot such as /opt/redhat-ds. We don't have it any more. The attribute used to belong to the Server Group itself. To point to the same entry, we could replace (nsconfigRoot=*) with (nsAdminGroupName=*) or (nsAdminGroupName=Server Group). Since the Admin Server tests are not failing, this ACI may not be used at all for now. (Or some bugs might be hidden, not found yet...) We have 3 choices. 1) fix it, 2) remove the obsolete ACI, 3) file a bug for 9.0. > The ACI is defined in this template file: > ./admserv/schema/ldif/10dsdata.ldif.tmpl > aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; > acl "Enable delegated access"; allow (read, search, compare) > groupdn="ldap:///cn=Server Group, cn=%fqdn%, ou=%domain%, > o=NetscapeRoot";) Comments from Nathan> I'd vote for filing a bug for 9.0 at this point since nothing is failing. We could remove the ACI, but we would need to respin adminserver again on all platforms. I don't think that this issue is important enough to warrant that work at this stage. If we find that the new ACI is needed for some more advanced feature that our tests are not covering, we have an easy workaround for customers of just adding the required ACI.
Created attachment 356595 [details] git patch file (10dsdata.ldif.tmpl) [File] admserv/schema/ldif/10dsdata.ldif.tmpl [Fix Description] Removing an obsolete ACI which targetfilter includes an old attribute nsconfigFoot which does not exist any more. Tested with setup-ds-admin.pl, register-ds-admin.pl and Console. No unusual behaviour was observed.
Thanks to Nathan for reviewing the change and pointing out the typo! I fixed it in the git comment and pushed to master. $ git merge work Updating ae4b332..c65ea3a Fast forward admserv/schema/ldif/10dsdata.ldif.tmpl | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) $ git push Counting objects: 11, done. Delta compression using 4 threads. Compressing objects: 100% (5/5), done. Writing objects: 100% (6/6), 560 bytes, done. Total 6 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/admin.git ae4b332..c65ea3a master -> master
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-%dsid%,cn=%brand% Directory Server,cn=Server Group,cn=%fqdn%,ou=%domain%,o=NetscapeRoot";) aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-%dsid%,cn=%brand% Directory Server,cn=Server Group,cn=%fqdn%,ou=%domain%,o=NetscapeRoot";) Checked, hence VERIFIED.