Description of problem:
"Unresolved rules in --rules" error message is displayed if the hbacrule is not in the first 100 hbacrules list.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create more than 100 hbac rules.
2. Create one hbacrule as:
   # ipa hbacrule-show shanks-hbac
     Rule name: shanks-hbac
     Enabled: TRUE
     Users: shanks
     Hosts: ratchet.lab.eng.pnq.redhat.com
     Source Hosts: ratchet.lab.eng.pnq.redhat.com
     Services: sshd
3. "ipa hbacrule-find" displays only the first 100 rules it finds. Make sure your rule from Step 2 is not displayed in these 100.
4. ipa hbactest --user=shanks --srchost=ratchet.lab.eng.pnq.redhat.com --host=ratchet.lab.eng.pnq.redhat.com --service=sshd --rules=shanks-hbac

Actual results:
---------------------------
Unresolved rules in --rules
---------------------------
  error: shanks-hbac

Expected results:
--------------------
Access granted: True
--------------------
  matched: shanks-hbac

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2233
I just noticed that the upstream ticket was already created (a link was not placed in the BZ): https://fedorahosted.org/freeipa/ticket/2230
Wouldn't this be because the default searchlimit is 100?

# ipa config-show
  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain for new users: testrelm
  Search time limit: 2
  Search size limit: 100   <================================================
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM
  Password Expiration Notification (days): 4
Sorry for the confusion. There are two cases here:

1. When you explicitly specify the --rules option with the rule name. In this case the expected result is "access granted: true", irrespective of the search size limit set in config. This Bugzilla is against this case, and the relevant ticket is https://fedorahosted.org/freeipa/ticket/2230. I have updated the summary to reflect the actual issue.

2. When you do not specify the --rules option, the default search size limit comes into the picture, which is 100 by default. Modifying this to a desired value and then running hbactest works fine; however, this would mean modifying the default search limit, hence I raised an RFE ticket ( https://fedorahosted.org/freeipa/ticket/2231 ) to add a --sizelimit option.

# ipa config-mod --searchrecordslimit=500
  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain for new users: lab.eng.pnq.redhat.com
  Search time limit: 2
  Search size limit: 500
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=LAB.ENG.PNQ.REDHAT.COM
  Password Expiration Notification (days): 4

[root@jetfire ~]# ipa hbactest --user=shanks --srchost=ratchet.lab.eng.pnq.redhat.com --host=ratchet.lab.eng.pnq.redhat.com --service=sshd
--------------------
Access granted: True
--------------------
  matched: zrule
  notmatched: rule1
  notmatched: rule10
  notmatched: rule100
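The two cases from the comment above, modelled as an added example (this is constructed illustration code, not FreeIPA's implementation or the pushed fix): an in-memory rule store whose search is capped like the "Search size limit" setting, an explicit --rules resolver in its assumed pre-fix form (scanning the capped hbacrule-find result) beside the assumed fixed form (one direct lookup per name), and a simplified hbactest evaluation. Rule matching here ignores user groups, hostgroups and service groups, which real HBAC supports.

```python
from dataclasses import dataclass

SEARCH_SIZE_LIMIT = 100  # "Search size limit: 100" from the ipa config-show output above


@dataclass
class HbacRule:
    name: str
    users: set
    hosts: set
    srchosts: set
    services: set
    enabled: bool = True

    def matches(self, user, host, srchost, service):
        return (self.enabled and user in self.users and host in self.hosts
                and srchost in self.srchosts and service in self.services)


def find_rules(directory, sizelimit=SEARCH_SIZE_LIMIT):
    """hbacrule-find analogue: the server returns at most `sizelimit` entries."""
    return list(directory.values())[:sizelimit]


def resolve_rules_buggy(directory, names, sizelimit=SEARCH_SIZE_LIMIT):
    """Assumed pre-fix behaviour: --rules names are matched only against the truncated find."""
    found = {r.name: r for r in find_rules(directory, sizelimit)}
    return [found[n] for n in names if n in found], [n for n in names if n not in found]


def resolve_rules_fixed(directory, names, sizelimit=SEARCH_SIZE_LIMIT):
    """Assumed post-fix behaviour: one direct lookup per name, unaffected by the size limit."""
    return [directory[n] for n in names if n in directory], [n for n in names if n not in directory]


def hbactest(directory, user, host, srchost, service, rules=None,
             resolver=resolve_rules_fixed, sizelimit=SEARCH_SIZE_LIMIT):
    """Report like `ipa hbactest`: an error dict for unresolved --rules, else granted/matched/notmatched."""
    if rules is None:
        candidates, unresolved = find_rules(directory, sizelimit), []
    else:
        candidates, unresolved = resolver(directory, rules, sizelimit)
    if unresolved:
        return {"error": "Unresolved rules in --rules", "unresolved": unresolved}
    matched = [r.name for r in candidates if r.matches(user, host, srchost, service)]
    return {"granted": bool(matched), "matched": matched,
            "notmatched": [r.name for r in candidates if r.name not in matched]}


def build_directory():
    """Constructed rule store: 100 filler rules first, then the reporter's rule as entry 101."""
    directory = {f"rule{i}": HbacRule(f"rule{i}", set(), set(), set(), set()) for i in range(1, 101)}
    host = "ratchet.lab.eng.pnq.redhat.com"
    directory["shanks-hbac"] = HbacRule("shanks-hbac", {"shanks"}, {host}, {host}, {"sshd"})
    return directory
```

With the default limit the buggy resolver reports shanks-hbac as unresolved while the direct lookup grants access; without --rules the rule is only evaluated once the limit is raised above 100, which is the second case the comment describes.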
Pushed to ipa-2-2: 7eaf1dc594294688daeba31a87781d299e45f038
Pushed to master: 1e04e9f02978592d861895bd14e8b3a2ee2c7100
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacsvc-772852: "Unresolved rules in --rules" error message is displayed even if the hbacrule is specified using the --rules option.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Running 'ipa config-show'
:: [ PASS ] :: Running 'ipa config-mod --searchrecordslimit=5'
:: [ PASS ] :: Running 'ipa config-show'
:: [ PASS ] :: Running 'ipa hbacrule-disable allow_all'
:: [ PASS ] :: Running 'ipa hbacrule-add 772852'
:: [ PASS ] :: Running 'ipa hbacrule-find'
:: [ PASS ] :: Running 'ipa hbacrule-add-user 772852 --users=user772852'
:: [ PASS ] :: Running 'ipa hbacrule-add-host 772852 --hosts=intel-s3ea2-03.testrelm.com'
:: [ PASS ] :: Running 'ipa hbacrule-add-sourcehost 772852 --hosts=ibm-x3650-04.testrelm.com'
:: [ PASS ] :: Running 'ipa hbacrule-add-service 772852 --hbacsvcs=sshd'
:: [ PASS ] :: Running 'ipa hbacrule-show 772852 --all'
:: [ PASS ] :: Running 'ipa hbactest --user=user772852 --srchost=ibm-x3650-04.testrelm.com --host=intel-s3ea2-03.testrelm.com --service=sshd --rules=772852 | grep -Ex '(Access granted: True| matched: 772852)''
:: [ LOG ] :: Verifies bug https://bugzilla.redhat.com/show_bug.cgi?id=772852
:: [ PASS ] :: Running 'ipa hbactest --user=user772852 --srchost=ibm-x3650-04.testrelm.com --host=intel-s3ea2-03.testrelm.com --service=sshd --rules=772852 | grep "Unresolved rules"'
:: [ PASS ] :: Running 'ipa config-mod --searchrecordslimit=100'
:: [ PASS ] :: Running 'ipa config-show'
:: [ LOG ] :: Duration: 50s
:: [ LOG ] :: Assertions: 16 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacsvc-772852: "Unresolved rules in --rules" error message is displayed even if the hbacrule is specified using the --rules option.

version :: ipa-server.i686 0:2.2.0-13.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html