Description of problem:

[yi@dhcp-137 ipa-delegation]$ ipa permission-find testper --all
---------------------
2 permissions matched
---------------------
  dn: cn=testper,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  Permission name: testper
  Description: testper
  Permissions: add
  Type: user
  objectclass: groupofnames, top

  dn: cn=testper,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  Permission name: testper
  Description: testper
  Permissions: add
  Type: user
----------------------------
Number of entries returned 2
----------------------------

===> I don't know if it is because --all listed it twice or there are 2 identical records in LDAP. If no "--all" is given for permission-find, there is only ONE record returned. So I believe "--all" just lists the same record twice.

[step 1] create record:

[yi@dhcp-137 ipa-delegation]$ ipa permission-add testPer --desc=testper --permissions=add --type=user
--------------------------
Added permission "testper"
--------------------------
  Permission name: testper
  Description: testper
  Permissions: add
  Type: user

[step 2] run permission-find without "--all"

[yi@dhcp-137 ipa-delegation]$ ipa permission-find testper
--------------------
1 permission matched
--------------------
  Permission name: testper
  Description: testper
  Permissions: add
  Type: user
----------------------------
Number of entries returned 1
----------------------------

[step 3] with --all option:

[yi@dhcp-137 ipa-delegation]$ ipa permission-find testper --all
---------------------
2 permissions matched
---------------------
  dn: cn=testper,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  Permission name: testper
  Description: testper
  Permissions: add
  Type: user
  objectclass: groupofnames, top

  dn: cn=testper,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  Permission name: testper
  Description: testper
  Permissions: add
  Type: user
----------------------------
Number of entries returned 2
----------------------------

[step 4] delete this permission and search again

[yi@dhcp-137 ipa-delegation]$ ipa permission-del testper
----------------------------
Deleted permission "testper"
----------------------------
[yi@dhcp-137 ipa-delegation]$ ipa permission-find testper --all
---------------------
0 permissions matched
---------------------
----------------------------
Number of entries returned 0
----------------------------

===everything back to perfect====

Version-Release number of selected component (if applicable): always

How reproducible: always

If you use "--all --raw", only one entry is returned:

[yi@dhcp-137 ipa-delegation]$ ipa permission-find testper --all
---------------------
2 permissions matched
---------------------
  dn: cn=testper,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  Permission name: testper
  Description: testper
  Permissions: add
  Target group: ipausers
  objectclass: groupofnames, top

  dn: cn=testper,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  Permission name: testper
  Description: testper
  Permissions: add
  Target group: ipausers
----------------------------
Number of entries returned 2
----------------------------

[yi@dhcp-137 ipa-delegation]$ ipa permission-find testper --all --raw
--------------------
1 permission matched
--------------------
  dn: cn=testper,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  cn: testper
  description: testper
  permissions: add
  targetgroup: ipausers
  objectclass: groupofnames
  objectclass: top
----------------------------
Number of entries returned 1
----------------------------

https://fedorahosted.org/freeipa/ticket/815

I was able to reproduce this one by adding a new permission via the UI and then running the CLI command.

I wasn't able to reproduce the issue on current IPA master. There were many fixes in permission and ACI plugin which probably fixed the root cause (especially ticket #764). I tried several scenarios including Dmitri's reproduction scheme and it worked correctly for me - permission was not listed twice. Please test this issue on current IPA version (after the fix in ticket #764) and if this issue is not fixed I will reopen the ticket.