On Thu, 2014-10-09 at 18:38 +0200, Ludwig Krispenz wrote:
> On 10/09/2014 06:32 PM, thierry bordaz wrote:
> > On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
> >>> On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
> >>>
> >>>> The background of this email is this bug:
> >>>> https://fedorahosted.org/freeipa/ticket/4456
> >>>>
> >>>> Attached are two patches which solve this issue for admin users (not
> >>>> very helpful, I know). They depend on this fix in 389:
> >>>> https://fedorahosted.org/389/ticket/47920
> >>>>
> >>>> There are two outstanding issues:
> >>>>
> >>>> 1. 389 does not send the post read control for normal users. The
> >>>> operation itself succeeds, but no control is sent.
> >>>>
> >>>> The relevant sections from the log are attached. 389 is denying access
> >>>> to the following attributes (* = valid, ! = invalid):
> >>>> ! objectClass
> >>>> ! ipatokenOTPalgorithm
> >>>> ! ipatokenOTPdigits
> >>>> * ipatokenOTPkey
> >>>> * ipatokenHOTPcounter
> >>>> ! ipatokenOwner
> >>>> ! managedBy
> >>>> ! ipatokenUniqueID
> >>> Hello Nathaniel,
> >>>
> >>> The post read control needs access to the modified entry to
> >>> return it.
> >>> This access is granted on the condition that the binddn can access
> >>> the attributes.
> >> Agreed and understood.
> >>
> >>> My understanding is that the target entry is
> >>> ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
> >>>
> >>> and the binddn "uid=otp,cn=users,cn=accounts,dc=example,dc=com".
> >> Correct.
> >>
> >>> The only ACI I found that matches this target is:
> >>> aci: (targetfilter = "(objectClass=ipaToken)")
> >>> (targetattrs = "objectclass || description || managedBy ||
> >>> ipatokenUniqueID || ipatokenDisabled
> >>> || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor
> >>> || ipatokenModel || ipatokenSerial || ipatokenOwner")
> >>> (version 3.0; acl "Users/managers can read basic token
> >>> info"; allow (read, search, compare) userattr =
> >>> "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
> >> Correct.
> >>
> >>> Do you know if the target entry has 'ipatokenOwner' or
> >>> 'managedBy' with the binddn value?
> >> Yes, both. So why is access to objectClass (et cetera) being denied?
> > Good question...
> +1
> could you post the full aci logging, not only the summary, for the access
> to the attributes?
Attached.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=anonymous-limits,cn=etc,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-lockout-plugin - preop returning 0: success
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - Attempting OTP authentication for 'uid=otp,cn=users,cn=accounts,dc=example,dc=com'.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "dc=example,dc=com" for "(&(|(objectClass=ipaTokenTOTP)(objectClass=ipaTokenHOTP))(ipatokenOwner=uid=otp,cn=users,cn=accounts,dc=example,dc=com)(|(ipatokenNotBefore<=20141008205439Z)(!(ipatokenNotBefore=*)))(|(ipatokenNotAfter>=20141008205439Z)(!(ipatokenNotAfter=*)))(|(ipatokenDisabled=FALSE)(!(ipatokenDisabled=*))))" with scope 2 (sub)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - kerberos key already present in user entry: uid=otp,cn=users,cn=accounts,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=anonymous-limits,cn=etc,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] ipa-range-check - Not an ID range object, nothing to do.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - #### conn=24 op=1 binddn="uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Allow add on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(NULL) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: allowed by aci(38): aciname= "Users can create self-managed tokens", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD target=ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: write change record 11118 for dn: "ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: add targetUniqueId: "32102902-4f2d11e4-a8c0ee17-25642a64"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD target=changenumber=11118,cn=changelog
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added "changenumber=11118,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in ("changenumber=11118,cn=changelog") ("" in list "cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] references for "changenumber=11118,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to "changenumber=11118,cn=changelog" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=example,dc=com" for "(member=changenumber=11118,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=users,cn=accounts,dc=example,dc=com" for "(member=changenumber=11118,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - no more references to chase (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("changenumber=11118,cn=changelog") ("" in list "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added "ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] references for "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=example,dc=com" for "(member=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=users,cn=accounts,dc=example,dc=com" for "(member=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - no more references to chase (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com" for "objectclass=*" with scope 1 (one)
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - #### conn=24 op=1 binddn="uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - MODIFY begin
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(objectClass) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPalgorithm) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: write change record 11119 for dn: "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: add targetUniqueId: "a93a1d8f-3dc411e4-aaddee17-25642a64"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPdigits) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD target=changenumber=11119,cn=changelog
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPkey) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenHOTPcounter) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added "changenumber=11119,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in ("changenumber=11119,cn=changelog") ("" in list "cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] references for "changenumber=11119,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to "changenumber=11119,cn=changelog" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=example,dc=com" for "(member=changenumber=11119,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOwner) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=users,cn=accounts,dc=example,dc=com" for "(member=changenumber=11119,cn=changelog)" with scope 1
[08/Oct/2014:16:54:40 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no more references to chase (link=1, attributes="","member")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("changenumber=11119,cn=changelog") ("" in list "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenUniqueID) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - modified "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "cn=compat,dc=example,dc=com"/"cn=computers", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "cn=compat,dc=example,dc=com"/"cn=groups", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "cn=compat,dc=example,dc=com"/"cn=ng", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") (replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn not in uid,cn,gidNumber,uidNumber,loginShell,homeDirectory)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "ou=sudoers,dc=example,dc=com"/"", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,member,uid,memberUid")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,member,uid,memberUid")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:40 -0400] ipa-lockout-plugin - postop returning 0: success
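To reconcile the NSACLPlugin decisions in the log above against the "Users/managers can read basic token info" ACI quoted in the thread, here is an added Python example; it is not code from the thread, from FreeIPA or from 389-ds. It rebuilds the nine decision lines from the attached log in their exact format, models only that one quoted ACI (so ipatokenOTPalgorithm and ipatokenOTPdigits, which the thread marks as wrongly denied, count as expected denials here because no quoted ACI grants them), and lists the attributes the ACI should have granted but the server denied.

```python
import re

# DNs and attribute names are the ones quoted in the thread; the log lines are
# rebuilt (constructed sample) from the attached 389-ds error log in its exact format.
TOKEN_DN = "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
BIND_DN = "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
DENIED_ATTRS = ["objectClass", "ipatokenOTPalgorithm", "ipatokenOTPdigits", "ipatokenOTPkey",
                "ipatokenHOTPcounter", "ipatokenOwner", "managedBy", "ipatokenUniqueID"]
STAMP = "[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): "
ACL_LOG = "\n".join(
    [STAMP + f"Allow add on entry({TOKEN_DN}).attr(NULL) to {BIND_DN}: allowed by aci(38): "
     'aciname= "Users can create self-managed tokens", acidn="dc=example,dc=com"']
    + [STAMP + f"Deny read on entry({TOKEN_DN}).attr({a}) to {BIND_DN}: no aci matched the "
       'subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"'
       for a in DENIED_ATTRS])

# One NSACLPlugin decision line: who asked for which right on which attribute, and which ACI decided.
ACL_RE = re.compile(
    r"NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): "
    r"(?P<decision>Allow|Deny) (?P<right>\w+) on entry\((?P<entry>[^)]+)\)\.attr\((?P<attr>\w+)\) "
    r"to (?P<binddn>[^:]+): (?P<reason>.*?) by aci\((?P<aci>\d+)\): aciname= \"(?P<aciname>[^\"]+)\"")

def parse_acl_log(text):
    """Return one dict per NSACLPlugin access decision; every other log line is skipped."""
    decisions = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            decisions.append(m.groupdict())
    return decisions

# The token entry as the thread describes it: an ipaToken whose ipatokenOwner and
# managedBy both hold the bind DN (attribute names lower-cased for matching).
TOKEN_ENTRY = {
    "objectclass": ["top", "ipaToken", "ipaTokenTOTP"],
    "ipatokenuniqueid": ["52001946-4f2d-11e4-9127-7831c1d63a78"],
    "ipatokenowner": [BIND_DN],
    "managedby": [BIND_DN],
}

# The ACI quoted in the thread, reduced to the parts that decide a read.
BASIC_TOKEN_INFO_ACI = {
    "target_objectclass": "ipatoken",              # targetfilter = "(objectClass=ipaToken)"
    "targetattrs": {"objectclass", "description", "managedby", "ipatokenuniqueid",
                    "ipatokendisabled", "ipatokennotbefore", "ipatokennotafter",
                    "ipatokenvendor", "ipatokenmodel", "ipatokenserial", "ipatokenowner"},
    "rights": {"read", "search", "compare"},
    "userattr": ["ipatokenowner", "managedby"],    # userattr = "<attr>#USERDN" rules, OR-ed
}

def aci_allows(aci, entry, binddn, right, attr):
    """Decide whether this one ACI grants `right` on `attr` of `entry` to `binddn`: the entry
    must match the targetfilter, the attribute must be in targetattrs, and one userattr#USERDN
    bind rule must hold the bind DN (DNs are compared case-insensitively)."""
    def values(name):
        return {v.lower() for v in entry.get(name.lower(), [])}
    if aci["target_objectclass"] not in values("objectclass"):
        return False
    if right not in aci["rights"] or attr.lower() not in aci["targetattrs"]:
        return False
    return any(binddn.lower() in values(name) for name in aci["userattr"])

def reconcile(log_text, aci, entry, entry_dn):
    """Map each attribute with a read decision on `entry_dn` to (observed, expected by `aci`)."""
    result = {}
    for d in parse_acl_log(log_text):
        if d["right"] != "read" or d["entry"].lower() != entry_dn.lower():
            continue
        expected = "Allow" if aci_allows(aci, entry, d["binddn"], "read", d["attr"]) else "Deny"
        result[d["attr"]] = (d["decision"], expected)
    return result

def unexpected_denials(reconciled):
    """Attributes the ACI should have granted but the server denied: the "!" rows of the thread."""
    return sorted(a for a, (seen, want) in reconciled.items() if seen == "Deny" and want == "Allow")

if __name__ == "__main__":
    for attr, (seen, want) in reconcile(ACL_LOG, BASIC_TOKEN_INFO_ACI, TOKEN_ENTRY, TOKEN_DN).items():
        print(f"{'!' if seen == 'Deny' and want == 'Allow' else ' '} {attr}: server={seen} aci={want}")
```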
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel