Hi everyone,
We recently performed OS patching within our Test LDAP environment consisting of six RHEL 9 servers (2 primaries and 4 replicas) such that it upgraded from Red Hat Enterprise Linux release 9.6 to Red Hat Enterprise Linux release 9.7. During the patching process, the 389-DS packages below were also updated.
389-ds-base-2.6.1-12.el9_6.x86_64 ===> 389-ds-base-2.7.0-7.el9_7.x86_64
389-ds-base-libs-2.6.1-12.el9_6.x86_64 ===> 389-ds-base-libs-2.7.0-7.el9_7.x86_64
Shortly after patching and rebooting, we noticed an issue whereby the service accounts associated with applications in our Test environment were no longer able to search the OU that they were previously able to search successfully prior to patching. To correct the issue, we ended up moving the ACIs associated with application service accounts one level higher in the OU.
As an example, below represents the change that we made to an ACI before and after the OS patching event to resolve the issue:
Original pre-patching ACI when service account searches were successful:
DN: ou=people,dc=university,dc=edu
(targetattr = "*") (version 3.0;acl "app-user";allow (read,search,compare)(userdn = "ldap:///uid=app-user,ou=ldap-apps,dc=university,dc=edu");)
Post-Patching change made when service account searches no longer worked with the above original ACI configuration:
DN: dc=university,dc=edu
(targetattr = "*") (version 3.0;acl "app-user";allow (read,search,compare)(userdn = "ldap:///uid=app-user,ou=ldap-apps,dc=university,dc=edu");)
Has anyone else experienced any changes in ACI behavior when upgrading to the latest 389-ds-base-2.7.0-7 and 389-ds-base-libs-2.7.0-7 packages?
Thanks,
Mike
—
Michael Trenc
Senior DevOps Engineer | Technology Partner Services
Harvard University Information Technology
P:(617) 496-6544 | W:huit.harvard.edu
No comments:
Post a Comment