On Thu, 2014-10-09 at 18:38 +0200, Ludwig Krispenz wrote:
> On 10/09/2014 06:32 PM, thierry bordaz wrote:
> > On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
> >>> On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
> >>>
> >>>> The background of this email is this bug:
> >>>> https://fedorahosted.org/freeipa/ticket/4456
> >>>>
> >>>> Attached are two patches which solve this issue for admin users (not
> >>>> very helpful, I know). They depend on this fix in 389:
> >>>> https://fedorahosted.org/389/ticket/47920
> >>>>
> >>>> There are two outstanding issues:
> >>>>
> >>>> 1. 389 does not send the post read control for normal users. The
> >>>> operation itself succeeds, but no control is sent.
> >>>>
> >>>> The relevant sections from the log are attached. 389 is denying access
> >>>> to the following attributes (* = valid, ! = invalid):
> >>>> ! objectClass
> >>>> ! ipatokenOTPalgorithm
> >>>> ! ipatokenOTPdigits
> >>>> * ipatokenOTPkey
> >>>> * ipatokenHOTPcounter
> >>>> ! ipatokenOwner
> >>>> ! managedBy
> >>>> ! ipatokenUniqueID
> >>> Hello Nathaniel,
> >>>
> >>>          The post read control needs access to the modified entry to
> >>>          return it.
> >>>          This access is granted on the condition that the binddn can
> >>>          access the attributes.
> >> Agreed and understood.
> >>
> >>>          My understanding is that the target entry is
> >>> ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
> >>>  
> >>> and the binddn "uid=otp,cn=users,cn=accounts,dc=example,dc=com".
> >> Correct.
> >>
> >>>          The only ACI I found that matches this target is:
> >>>          aci: (targetfilter = "(objectClass=ipaToken)")
> >>>          (targetattrs = "objectclass || description || managedBy ||
> >>>          ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore ||
> >>>          ipatokenNotAfter || ipatokenVendor || ipatokenModel ||
> >>>          ipatokenSerial || ipatokenOwner")
> >>>          (version 3.0; acl "Users/managers can read basic token info";
> >>>          allow (read, search, compare) userattr = "ipatokenOwner#USERDN"
> >>>          or userattr = "managedBy#USERDN";)
> >> Correct.
> >>
> >>>          Do you know if the target entry has 'ipatokenOwner' or
> >>>          'managedBy' with the binddn value?
> >> Yes, both. So why is access to objectClass (et cetera) being denied?
> > Good question... 
> +1
> could you post the full aci logging not only the summary for the access 
> to the attributes ?

Attached.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=anonymous-limits,cn=etc,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-lockout-plugin - preop returning 0: success
 
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - Attempting OTP authentication for 
'uid=otp,cn=users,cn=accounts,dc=example,dc=com'.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"dc=example,dc=com" for 
"(&(|(objectClass=ipaTokenTOTP)(objectClass=ipaTokenHOTP))(ipatokenOwner=uid=otp,cn=users,cn=accounts,dc=example,dc=com)(|(ipatokenNotBefore<=20141008205439Z)(!(ipatokenNotBefore=*)))(|(ipatokenNotAfter>=20141008205439Z)(!(ipatokenNotAfter=*)))(|(ipatokenDisabled=FALSE)(!(ipatokenDisabled=*))))"
 with scope 2 (sub)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - kerberos key already present in 
user entry: uid=otp,cn=users,cn=accounts,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=anonymous-limits,cn=etc,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of 
service reference
[08/Oct/2014:16:54:39 -0400] ipa-range-check - Not an ID range object, nothing 
to do.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD 
target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD 
target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD 
target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD 
target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD 
target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - #### conn=24 op=1 
binddn="uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Allow add on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(NULL)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: allowed by aci(38): 
aciname= "Users can create self-managed tokens", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD 
target=ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: write change 
record 11118 for dn: 
"ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: add 
targetUniqueId: "32102902-4f2d11e4-a8c0ee17-25642a64"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD 
target=changenumber=11118,cn=changelog
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added 
"changenumber=11118,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11118,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11118,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11118,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11118,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11118,cn=changelog" does not belong in 
"ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=computers" made in 
("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=groups" made in 
("changenumber=11118,cn=changelog") ("" in list 
"cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] 
references for "changenumber=11118,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to 
"changenumber=11118,cn=changelog" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=groups,cn=accounts,dc=example,dc=com" for 
"(member=changenumber=11118,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=users,cn=accounts,dc=example,dc=com" for 
"(member=changenumber=11118,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - no more references to chase 
(link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=ng" made in 
("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=users" made in 
("changenumber=11118,cn=changelog") ("" in list 
"uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"ou=sudoers,dc=example,dc=com"/"" made in ("changenumber=11118,cn=changelog") 
("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_cache_change_notify: not 
a role entry
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added 
"ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
 does not belong in "cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
 does not belong in "cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
 does not belong in "cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
 does not belong in "cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
 does not belong in "ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=computers" made in 
("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com")
 ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=groups" made in 
("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com")
 ("" in list "cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] 
references for 
"ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to 
"ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
 (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=groups,cn=accounts,dc=example,dc=com" for 
"(member=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com)"
 with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=users,cn=accounts,dc=example,dc=com" for 
"(member=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com)"
 with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - no more references to chase 
(link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=ng" made in 
("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com")
 ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=users" made in 
("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com")
 ("" in list "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list 
empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"ou=sudoers,dc=example,dc=com"/"" made in 
("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com")
 ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com" for "objectclass=*" with 
scope 1 (one)
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_cache_change_notify: not 
a role entry
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - #### conn=24 op=1 
binddn="uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - MODIFY begin
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(objectClass)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" for 
"(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPalgorithm)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: write change 
record 11119 for dn: "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: add 
targetUniqueId: "a93a1d8f-3dc411e4-aaddee17-25642a64"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPdigits)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD 
target=changenumber=11119,cn=changelog
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPkey)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenHOTPcounter)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added 
"changenumber=11119,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11119,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11119,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11119,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11119,cn=changelog" does not belong in 
"cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry 
"changenumber=11119,cn=changelog" does not belong in 
"ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=computers" made in 
("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=groups" made in 
("changenumber=11119,cn=changelog") ("" in list 
"cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] 
references for "changenumber=11119,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to 
"changenumber=11119,cn=changelog" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=groups,cn=accounts,dc=example,dc=com" for 
"(member=changenumber=11119,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOwner)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from 
"cn=users,cn=accounts,dc=example,dc=com" for 
"(member=changenumber=11119,cn=changelog)" with scope 1
[08/Oct/2014:16:54:40 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(managedBy)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no more references to chase 
(link=1, attributes="","member")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=ng" made in 
("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=users" made in 
("changenumber=11119,cn=changelog") ("" in list 
"uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"ou=sudoers,dc=example,dc=com"/"" made in ("changenumber=11119,cn=changelog") 
("" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on 
entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenUniqueID)
 to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject 
by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_cache_change_notify: not 
a role entry
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - modified 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in 
"cn=compat,dc=example,dc=com"/"cn=computers", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in 
"cn=compat,dc=example,dc=com"/"cn=groups", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in 
"cn=compat,dc=example,dc=com"/"cn=ng", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting changes for 
"cn=compat,dc=example,dc=com"/"cn=users" made in 
("uid=otp,cn=users,cn=accounts,dc=example,dc=com") 
(replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn not in 
uid,cn,gidNumber,uidNumber,loginShell,homeDirectory)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in 
"ou=sudoers,dc=example,dc=com"/"", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=computers" made in 
("uid=otp,cn=users,cn=accounts,dc=example,dc=com") 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in 
list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting 
reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not 
in "cn,gidNumber,member,uid,memberUid")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=ng" made in 
("uid=otp,cn=users,cn=accounts,dc=example,dc=com") 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in 
list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting 
reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not 
in "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"ou=sudoers,dc=example,dc=com"/"" made in 
("uid=otp,cn=users,cn=accounts,dc=example,dc=com") 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in 
list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=computers" made in 
("uid=otp,cn=users,cn=accounts,dc=example,dc=com") 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in 
list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting 
reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not 
in "cn,gidNumber,member,uid,memberUid")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"cn=compat,dc=example,dc=com"/"cn=ng" made in 
("uid=otp,cn=users,cn=accounts,dc=example,dc=com") 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in 
list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting 
reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in 
"uid=otp,cn=users,cn=accounts,dc=example,dc=com" 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not 
in "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for 
"ou=sudoers,dc=example,dc=com"/"" made in 
("uid=otp,cn=users,cn=accounts,dc=example,dc=com") 
("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in 
list "" or list empty)
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_cache_change_notify: not 
a role entry
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:40 -0400] ipa-lockout-plugin - postop returning 0: success
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
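The ACI evaluation the thread is puzzling over, as an added check that is not code from the thread, FreeIPA or 389: it parses the one ACI quoted above, tests its userattr bind rule against a constructed token entry whose ipatokenOwner and managedBy both equal the bind DN (as confirmed in the thread), and then walks the NSACLPlugin decisions from the attached log (re-joined onto one line each) to flag every "Deny read" on an attribute that ACI should have covered. Because it knows only that one ACI, it flags objectClass, ipatokenOwner, managedBy and ipatokenUniqueID as unexpected denials but treats ipatokenOTPalgorithm and ipatokenOTPdigits as expected ones.

```python
import re

# Constructed inputs, taken from the thread: the token entry DN, the bind DN and
# the one ACI that targets the token entry.
TOKEN_DN = "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
BIND_DN = "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
ACI = ('(targetfilter = "(objectClass=ipaToken)")'
       '(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID'
       ' || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor'
       ' || ipatokenModel || ipatokenSerial || ipatokenOwner")'
       '(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare)'
       ' userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)')
# Constructed token entry as the thread describes it: owner and manager are the bind DN.
TOKEN_ENTRY = {"ipatokenOwner": [BIND_DN], "managedBy": [BIND_DN]}

def _acl_line(decision, right, attr, aci_id, aci_name):
    """Rebuild one NSACLPlugin log line in the format seen in the attached log."""
    return (f"[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): "
            f"{decision} {right} on entry({TOKEN_DN}).attr({attr}) to {BIND_DN}: "
            f"{'allowed' if decision == 'Allow' else 'no aci matched the subject'} "
            f'by aci({aci_id}): aciname= "{aci_name}", acidn="dc=example,dc=com"')

# The decisions the log records for conn=24 op=1: one allowed add, eight denied reads.
DENIED = ["objectClass", "ipatokenOTPalgorithm", "ipatokenOTPdigits", "ipatokenOTPkey",
          "ipatokenHOTPcounter", "ipatokenOwner", "managedBy", "ipatokenUniqueID"]
LOG_LINES = [_acl_line("Allow", "add", "NULL", 38, "Users can create self-managed tokens")]
LOG_LINES += [_acl_line("Deny", "read", a, 19, "Admin can manage any entry") for a in DENIED]

ACL_RE = re.compile(
    r'NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): (?P<decision>Allow|Deny) '
    r'(?P<right>\w+) on entry\((?P<entry>[^)]*)\)\.attr\((?P<attr>[^)]*)\) to (?P<bind>[^:]+): '
    r'.*?aci\((?P<aci_id>\d+)\): aciname= "(?P<aci_name>[^"]+)"')

def norm_dn(dn):
    """Lower-case and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_aci(aci):
    """Pull targetattrs and the 'userattr = attr#USERDN' bind rules out of an ACI string."""
    attrs = re.search(r'targetattrs\s*=\s*"([^"]*)"', aci).group(1)
    targetattrs = {a.strip().lower() for a in attrs.split("||")}
    bind_attrs = re.findall(r'userattr\s*=\s*"([^"#]+)#USERDN"', aci)
    return targetattrs, bind_attrs

def userdn_rule_matches(entry, bind_dn, bind_attrs):
    """True when any bind-rule attribute of the entry holds the bound DN."""
    lowered = {k.lower(): v for k, v in entry.items()}
    return any(norm_dn(v) == norm_dn(bind_dn)
               for a in bind_attrs for v in lowered.get(a.lower(), []))

def parse_acl_decisions(lines):
    """Extract every NSACLPlugin allow/deny decision as a dict of its fields."""
    return [m.groupdict() for m in map(ACL_RE.search, lines) if m]

def audit_denials(lines, aci, entry):
    """Map each attribute with a 'Deny read' to 'unexpected' or 'expected'.

    A denial is unexpected when the ACI lists the attribute in targetattrs and
    its bind rule matches the bound DN, i.e. the ACI should have granted the read.
    """
    targetattrs, bind_attrs = parse_aci(aci)
    result = {}
    for d in parse_acl_decisions(lines):
        if d["decision"] != "Deny" or d["right"] != "read":
            continue
        covered = d["attr"].lower() in targetattrs
        granted = userdn_rule_matches(entry, d["bind"], bind_attrs)
        result[d["attr"]] = "unexpected" if covered and granted else "expected"
    return result

if __name__ == "__main__":
    # Same notation as the summary in the thread: ! = denial the ACI should have prevented.
    for attr, verdict in audit_denials(LOG_LINES, ACI, TOKEN_ENTRY).items():
        print(f"{'!' if verdict == 'unexpected' else '*'} {attr}")
```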
