On Wed, 2009-11-25 at 13:45 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Tue, 2009-11-17 at 15:06 -0500, Rob Crittenden wrote:
> >> This enables CRL publishing by dogtag to a place where Apache can get 
> >> the files.
> >>
> >> I have to do a couple of tricks here because dogtag is an optional 
> >> component. This is why in the installer I first see if the dogtag 
> >> SELinux policy is installed and if not add it. Similarly the installer 
> >> will remove it upon uninstall.
> >>
> >> The policy itself just lets dogtag write to some Apache-labeled 
> >> directories. dogtag uses symlinks to mark the latest CRL, hence the 
> >> permissions for links.
> >>
> >> rob
> > 
> > can't get this to apply:
> > 
> > Applying: Add SELinux policy for CRL file publishing.
> > error: patch failed: ipa.spec.in:379
> > error: ipa.spec.in: patch does not apply
> > error: patch failed: selinux/Makefile:1
> > error: selinux/Makefile: patch does not apply
> > Patch failed at 0001 Add SELinux policy for CRL file publishing.
> > When you have resolved this problem run "git am --resolved".
> > If you would prefer to skip this patch, instead run "git am --skip".
> > To restore the original branch and stop patching run "git am --abort".
> > 
> > 
> 
> Rebased patch attached.
> 

nack.  This seems to be breaking the installer.  This was a clean build
and install:

Failed to populate the realm structure in kerberos Command
'/usr/kerberos/sbin/kdb5_ldap_util -D
uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com -w  Xl"t%3j8}VX create
-s -P >grbc"/F+Sh` -r EXAMPLE.COM -subtrees dc=example,dc=com -sscope
sub' returned non-zero exit status 1
  [6/13]: adding default keytypes
root        : CRITICAL Failed to load default-keytypes.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager
-y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk' returned non-zero exit status 32
ipa: CRITICAL: Failed to load default-keytypes.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager
-y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk' returned non-zero exit status 32
  [7/13]: creating a keytab for the directory
Unexpected error - see ipaserver-install.log for details:
 Command '/usr/kerberos/sbin/kadmin.local -q addprinc -randkey
ldap/fedora11.example....@example.com' returned non-zero exit status 1

I attached the log.

2009-11-25 12:15:46,338 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2009-11-25 12:15:46,356 INFO skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
2009-11-25 12:15:46,384 INFO skipping plugin module ipaserver.plugins.dogtag: dogtag not selected as RA plugin
2009-11-25 12:16:28,588 INFO args=/sbin/service ntpd status 
2009-11-25 12:16:28,588 INFO stdout=ntpd is stopped

2009-11-25 12:16:28,588 INFO stderr=
2009-11-25 12:16:28,635 INFO args=/sbin/service ntpd stop 
2009-11-25 12:16:28,636 INFO stdout=Shutting down ntpd: [FAILED]

2009-11-25 12:16:28,636 INFO stderr=
2009-11-25 12:16:28,644 INFO args=/sbin/chkconfig --list ntpd
2009-11-25 12:16:28,644 INFO stdout=ntpd           	0:off	1:off	2:off	3:off	4:off	5:off	6:off

2009-11-25 12:16:28,644 INFO stderr=
2009-11-25 12:16:28,806 INFO args=/sbin/chkconfig ntpd on
2009-11-25 12:16:28,806 INFO stdout=
2009-11-25 12:16:28,806 INFO stderr=
2009-11-25 12:16:28,837 INFO args=/sbin/service ntpd start 
2009-11-25 12:16:28,837 INFO stdout=Starting ntpd: [  OK  ]

2009-11-25 12:16:28,838 INFO stderr=
2009-11-25 12:16:28,897 INFO args=/usr/sbin/useradd -c DS System User -d /var/lib/dirsrv -M -r -s /sbin/nologin dirsrv
2009-11-25 12:16:28,898 INFO stdout=
2009-11-25 12:16:28,898 INFO stderr=
2009-11-25 12:16:28,937 INFO args=/sbin/service dirsrv status
2009-11-25 12:16:28,938 INFO stdout=
2009-11-25 12:16:28,938 INFO stderr=/bin/ls: cannot access /etc/dirsrv/slapd-*: No such file or directory

2009-11-25 12:16:31,740 INFO args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpZAjmZZ
2009-11-25 12:16:31,740 INFO stdout=[09/11/25:12:16:31] - [Setup] Info Your new DS instance 'EXAMPLE-COM' was successfully created.
Your new DS instance 'EXAMPLE-COM' was successfully created.
[09/11/25:12:16:31] - [Setup] Success Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'


2009-11-25 12:16:31,741 INFO stderr=
2009-11-25 12:16:33,911 INFO args=/sbin/service dirsrv restart EXAMPLE-COM
2009-11-25 12:16:33,912 INFO stdout=Shutting down dirsrv: 
    EXAMPLE-COM...[  OK  ]
Starting dirsrv: 
    EXAMPLE-COM...[  OK  ]

2009-11-25 12:16:33,912 INFO stderr=
2009-11-25 12:16:33,933 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpq1kTTU -f /usr/share/ipa/memberof-conf.ldif
2009-11-25 12:16:33,934 INFO stdout=replace nsslapd-pluginenabled:
	on
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
modify complete


2009-11-25 12:16:33,934 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:33,955 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp5JzEOK -f /usr/share/ipa/referint-conf.ldif
2009-11-25 12:16:33,955 INFO stdout=replace nsslapd-pluginenabled:
	on
add nsslapd-pluginArg7:
	manager
add nsslapd-pluginArg8:
	secretary
modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config"
modify complete


2009-11-25 12:16:33,956 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:33,973 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpuwnerd -f /usr/share/ipa/ipa-winsync-conf.ldif
2009-11-25 12:16:33,974 INFO stdout=add objectclass:
	top
	nsSlapdPlugin
	extensibleObject
add cn:
	ipa-winsync
add nsslapd-pluginpath:
	libipa_winsync
add nsslapd-plugininitfunc:
	ipa_winsync_plugin_init
add nsslapd-pluginDescription:
	Allows IPA to work with the DS windows sync feature
add nsslapd-pluginid:
	ipa-winsync
add nsslapd-pluginversion:
	1.0
add nsslapd-pluginvendor:
	Red Hat
add nsslapd-plugintype:
	preoperation
add nsslapd-pluginenabled:
	on
add nsslapd-plugin-depends-on-type:
	database
add ipaWinSyncRealmFilter:
	(objectclass=krbRealmContainer)
add ipaWinSyncRealmAttr:
	cn
add ipaWinSyncNewEntryFilter:
	(cn=ipaConfig)
add ipaWinSyncNewUserOCAttr:
	ipauserobjectclasses
add ipaWinSyncUserFlatten:
	true
add ipaWinsyncHomeDirAttr:
	ipaHomesRootDir
add ipaWinSyncDefaultGroupAttr:
	ipaDefaultPrimaryGroup
add ipaWinSyncDefaultGroupFilter:
	(gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames)
add ipaWinSyncAcctDisable:
	both
add ipaWinSyncInactivatedFilter:
	(&(cn=inactivated)(objectclass=groupOfNames))
add ipaWinSyncActivatedFilter:
	(&(cn=activated)(objectclass=groupOfNames))
add ipaWinSyncForceSync:
	true
adding new entry "cn=ipa-winsync,cn=plugins,cn=config"
modify complete


2009-11-25 12:16:33,974 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:33,990 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpalaYF3 -f /tmp/tmpL4kOBp
2009-11-25 12:16:33,990 INFO stdout=add objectclass:
	top
	nsSlapdPlugin
	extensibleObject
add cn:
	ipa_enrollment_extop
add nsslapd-pluginpath:
	libipa_enrollment_extop
add nsslapd-plugininitfunc:
	ipaenrollment_init
add nsslapd-plugintype:
	extendedop
add nsslapd-pluginenabled:
	on
add nsslapd-pluginid:
	ipa_enrollment_extop
add nsslapd-pluginversion:
	1.0
add nsslapd-pluginvendor:
	RedHat
add nsslapd-plugindescription:
	Enroll hosts into the IPA domain
add nsslapd-plugin-depends-on-type:
	database
add nsslapd-realmTree:
	dc=example,dc=com
adding new entry "cn=ipa_enrollment_extop,cn=plugins,cn=config"
modify complete


2009-11-25 12:16:33,990 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:34,016 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpPzfy9c -f /tmp/tmpjF_t34
2009-11-25 12:16:34,017 INFO stdout=replace nsslapd-ldapilisten:
	on
modifying entry "cn=config"
modify complete


2009-11-25 12:16:34,017 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:34,058 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpLJz0k8 -f /tmp/tmpr8pSCG
2009-11-25 12:16:34,059 INFO stdout=add objectClass:
	top
	nsSlapdPlugin
	extensibleObject
add cn:
	krbPrincipalName uniqueness
add nsslapd-pluginPath:
	libattr-unique-plugin
add nsslapd-pluginInitfunc:
	NSUniqueAttr_Init
add nsslapd-pluginType:
	preoperation
add nsslapd-pluginEnabled:
	on
add nsslapd-pluginarg0:
	krbPrincipalName
add nsslapd-pluginarg1:
	dc=example,dc=com
add nsslapd-plugin-depends-on-type:
	database
add nsslapd-pluginId:
	NSUniqueAttr
add nsslapd-pluginVersion:
	1.1.0
add nsslapd-pluginVendor:
	Fedora Project
add nsslapd-pluginDescription:
	Enforce unique attribute values
adding new entry "cn=krbPrincipalName uniqueness,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsSlapdPlugin
	extensibleObject
add cn:
	netgroup uniqueness
add nsslapd-pluginPath:
	libattr-unique-plugin
add nsslapd-pluginInitfunc:
	NSUniqueAttr_Init
add nsslapd-pluginType:
	preoperation
add nsslapd-pluginEnabled:
	on
add nsslapd-pluginarg0:
	cn
add nsslapd-pluginarg1:
	cn=ng,cn=alt,dc=example,dc=com
add nsslapd-plugin-depends-on-type:
	database
add nsslapd-pluginId:
	NSUniqueAttr
add nsslapd-pluginVersion:
	1.1.0
add nsslapd-pluginVendor:
	Fedora Project
add nsslapd-pluginDescription:
	Enforce unique attribute values
adding new entry "cn=netgroup uniqueness,cn=plugins,cn=config"
modify complete


2009-11-25 12:16:34,059 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:34,151 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp7XlBs4 -f /usr/share/ipa/indices.ldif
2009-11-25 12:16:34,151 INFO stdout=add objectClass:
	top
	nsIndex
add cn:
	krbPrincipalName
add nsSystemIndex:
	false
add nsIndexType:
	eq
	sub
adding new entry "cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	ou
add nsSystemIndex:
	false
add nsIndexType:
	eq
	sub
adding new entry "cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	carLicense
add nsSystemIndex:
	false
add nsIndexType:
	eq
	sub
adding new entry "cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	title
add nsSystemIndex:
	false
add nsIndexType:
	eq
	sub
adding new entry "cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	manager
add nsSystemIndex:
	false
add nsIndexType:
	eq
adding new entry "cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	secretary
add nsSystemIndex:
	false
add nsIndexType:
	eq
adding new entry "cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	displayname
add nsSystemIndex:
	false
add nsIndexType:
	eq
	sub
adding new entry "cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add nsIndexType:
	sub
modifying entry "cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	uidnumber
add nsSystemIndex:
	false
add nsIndexType:
	eq
add nsMatchingRule:
	integerOrderingMatch
adding new entry "cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add objectClass:
	top
	nsIndex
add cn:
	gidnumber
add nsSystemIndex:
	false
add nsIndexType:
	eq
add nsMatchingRule:
	integerOrderingMatch
adding new entry "cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

replace nsIndexType:
	eq,pres
modifying entry "cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

replace nsIndexType:
	eq,pres
modifying entry "cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete


2009-11-25 12:16:34,151 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:34,167 INFO args=/usr/bin/certutil -d /etc/httpd/alias -N -f /etc/httpd/alias/pwdfile.txt
2009-11-25 12:16:34,167 INFO stdout=
2009-11-25 12:16:34,167 INFO stderr=
2009-11-25 12:16:34,242 INFO args=/usr/bin/certutil -d /etc/httpd/alias -L -n CA certificate -a
2009-11-25 12:16:34,243 INFO stdout=-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

2009-11-25 12:16:34,243 INFO stderr=
2009-11-25 12:16:34,259 INFO args=/usr/bin/pk12util -d /etc/httpd/alias -o /etc/httpd/alias/cacert.p12 -n CA certificate -w /etc/httpd/alias/pwdfile.txt -k /etc/httpd/alias/pwdfile.txt
2009-11-25 12:16:34,259 INFO stdout=pk12util: PKCS12 EXPORT SUCCESSFUL

2009-11-25 12:16:34,260 INFO stderr=
2009-11-25 12:16:34,267 INFO args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n CA certificate -a
2009-11-25 12:16:34,267 INFO stdout=
2009-11-25 12:16:34,268 INFO stderr=certutil: Could not find: CA certificate
: security library: bad database.

2009-11-25 12:16:34,279 INFO args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -N -f /etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt
2009-11-25 12:16:34,279 INFO stdout=
2009-11-25 12:16:34,279 INFO stderr=
2009-11-25 12:16:34,290 INFO args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -A -n CA certificate -t CT,,C -a
2009-11-25 12:16:34,290 INFO stdout=
2009-11-25 12:16:34,290 INFO stderr=
2009-11-25 12:16:34,564 INFO args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -R -s CN=fedora11.example.com,ou=test-ipa,O=IPA -o /var/lib/ipa/ipa-PJMC38/tmpcertreq -k rsa -g 2048 -z /etc/dirsrv/slapd-EXAMPLE-COM//noise.txt -f /etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt
2009-11-25 12:16:34,564 INFO stdout=
2009-11-25 12:16:34,565 INFO stderr=

Generating key.  This may take a few moments...


2009-11-25 12:16:34,588 INFO args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-PJMC38/tmpcert.der -f /etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt
2009-11-25 12:16:34,588 INFO stdout=
2009-11-25 12:16:34,588 INFO stderr=
2009-11-25 12:16:38,025 INFO args=/sbin/service dirsrv restart EXAMPLE-COM
2009-11-25 12:16:38,025 INFO stdout=Shutting down dirsrv: 
    EXAMPLE-COM...[  OK  ]
Starting dirsrv: 
    EXAMPLE-COM...[  OK  ]

2009-11-25 12:16:38,026 INFO stderr=
2009-11-25 12:16:38,050 INFO args=/sbin/service dirsrv status
2009-11-25 12:16:38,051 INFO stdout=dirsrv EXAMPLE-COM (pid 27067) is running...

2009-11-25 12:16:38,051 INFO stderr=
2009-11-25 12:16:38,732 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwpDDnw -f /tmp/tmpvFQsn2
2009-11-25 12:16:38,733 INFO stdout=add objectClass:
	top
	nsContainer
	krbPwdPolicy
add cn:
	accounts
add krbMinPwdLife:
	3600
add krbPwdMinDiffChars:
	0
add krbPwdMinLength:
	8
add krbPwdHistoryLength:
	0
add krbMaxPwdLife:
	7776000
adding new entry "cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	nsContainer
add cn:
	users
adding new entry "cn=users,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	nsContainer
add cn:
	groups
adding new entry "cn=groups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	nsContainer
add cn:
	services
adding new entry "cn=services,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	nsContainer
add cn:
	computers
adding new entry "cn=computers,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	nsContainer
add cn:
	hbac
adding new entry "cn=hbac,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
add cn:
	etc
adding new entry "cn=etc,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
add cn:
	sysaccounts
adding new entry "cn=sysaccounts,cn=etc,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
add cn:
	ipa
adding new entry "cn=ipa,cn=etc,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
add cn:
	masters
adding new entry "cn=masters,cn=ipa,cn=etc,dc=example,dc=com"
modify complete

add objectClass:
	top
	person
	posixaccount
	krbprincipalaux
	inetuser
add uid:
	admin
add krbPrincipalName:
	ad...@example.com
add cn:
	Administrator
add sn:
	Administrator
add uidNumber:
	1818299552
add gidNumber:
	1818299552
add homeDirectory:
	/home/admin
add loginShell:
	/bin/bash
add gecos:
	Administrator
add nsAccountLock:
	False
adding new entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
add cn:
	radius
adding new entry "cn=radius,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
add cn:
	clients
adding new entry "cn=clients,cn=radius,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
add cn:
	profiles
adding new entry "cn=profiles,cn=radius,dc=example,dc=com"
modify complete

add objectClass:
	top
	radiusprofile
add uid:
	ipa_default
adding new entry "uid=ipa_default, cn=profiles,cn=radius,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
	posixgroup
add cn:
	admins
add description:
	Account administrators group
add gidNumber:
	1818299552
add member:
	uid=admin,cn=users,cn=accounts,dc=example,dc=com
add nsAccountLock:
	False
adding new entry "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
	nestedgroup
	ipausergroup
	posixgroup
add gidNumber:
	1818299553
add description:
	Default group for all users
add cn:
	ipausers
adding new entry "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
	posixgroup
add gidNumber:
	1818299554
add description:
	Limited admins who can edit other users
add cn:
	editors
adding new entry "cn=editors,cn=groups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	nsContainer
	top
	ipaGuiConfig
add ipaUserSearchFields:
	uid,givenname,sn,telephonenumber,ou,title
add ipaGroupSearchFields:
	cn,description
add ipaSearchTimeLimit:
	2
add ipaSearchRecordsLimit:
	0
add ipaHomesRootDir:
	/home
add ipaDefaultLoginShell:
	/bin/sh
add ipaDefaultPrimaryGroup:
	ipausers
add ipaMaxUsernameLength:
	8
add ipaPwdExpAdvNotify:
	4
add ipaGroupObjectClasses:
	top
	groupofnames
	nestedgroup
	ipausergroup
	ipaobject
add ipaUserObjectClasses:
	top
	person
	organizationalperson
	inetorgperson
	inetuser
	posixaccount
	krbprincipalaux
	radiusprofile
	ipaobject
add ipaDefaultEmailDomain:
	example.com
adding new entry "cn=ipaConfig,cn=etc,dc=example,dc=com"
modify complete

add description:
	Lock accounts based on group membership
add objectClass:
	top
	ldapsubentry
	cosSuperDefinition
	cosClassicDefinition
add cosTemplateDn:
	cn=cosTemplates,cn=accounts,dc=example,dc=com
add cosAttribute:
	nsAccountLock operational
add cosSpecifier:
	memberOf
add cn:
	Account Inactivation
adding new entry "cn=account inactivation,cn=accounts,dc=example,dc=com"
modify complete

add objectclass:
	top
	nsContainer
add cn:
	cosTemplates
adding new entry "cn=cosTemplates,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	cosTemplate
	extensibleobject
add nsAccountLock:
	true
add cosPriority:
	1
adding new entry "cn="cn=inactivated,cn=account inactivation,cn=accounts,dc=example,dc=com", cn=cosTemplates,cn=accounts,dc=example,dc=com"
modify complete

add objectclass:
	top
	groupofnames
adding new entry "cn=inactivated,cn=account inactivation,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	cosTemplate
	extensibleobject
add nsAccountLock:
	false
add cosPriority:
	0
adding new entry "cn="cn=activated,cn=account inactivation,cn=accounts,dc=example,dc=com", cn=cosTemplates,cn=accounts,dc=example,dc=com"
modify complete

add objectclass:
	top
	groupofnames
adding new entry "cn=Activated,cn=Account Inactivation,cn=accounts,dc=example,dc=com"
modify complete

add description:
	Password Policy based on group membership
add objectClass:
	top
	ldapsubentry
	cosSuperDefinition
	cosClassicDefinition
add cosTemplateDn:
	cn=cosTemplates,cn=accounts,dc=example,dc=com
add cosAttribute:
	krbPwdPolicyReference
add cosSpecifier:
	memberOf
adding new entry "cn=Password Policy,cn=accounts,dc=example,dc=com"
modify complete


2009-11-25 12:16:38,733 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:39,676 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpqbFkxK -f /tmp/tmp9UlG39
2009-11-25 12:16:39,677 INFO stdout=add objectClass:
	top
	nsContainer
add cn:
	rolegroups
adding new entry "cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	nsContainer
add cn:
	taskgroups
adding new entry "cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	helpdesk
add description:
	Helpdesk
adding new entry "cn=helpdesk,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	useradmin
add description:
	User Administrators
adding new entry "cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	groupadmin
add description:
	Group Administrators
adding new entry "cn=groupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	hostadmin
add description:
	Host Administrators
adding new entry "cn=hostadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	hostgroupadmin
add description:
	Host Group Administrators
adding new entry "cn=hostgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	delegationadmin
add description:
	Role administration
adding new entry "cn=delegationadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	serviceadmin
add description:
	Service Administrators
adding new entry "cn=serviceadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	automountadmin
add description:
	Automount Administrators
adding new entry "cn=automountadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	netgroupadmin
add description:
	Netgroups Administrators
adding new entry "cn=netgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	dnsadmin
add description:
	DNS Administrators
adding new entry "cn=dnsadmin,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	dnsserver
add description:
	DNS Servers
adding new entry "cn=dnsserver,cn=rolegroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addusers
add description:
	Add Users
add member:
	cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addusers,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	change_password
add description:
	Change a user password
add member:
	cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=change_password,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	add_user_to_default_group
add description:
	Add user to default group
add member:
	cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=add_user_to_default_group,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removeusers
add description:
	Remove Users
add member:
	cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removeusers,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifyusers
add description:
	Modify Users
add member:
	cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifyusers,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addgroups
add description:
	Add Groups
add member:
	cn=groupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addgroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removegroups
add description:
	Remove Groups
add member:
	cn=groupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removegroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifygroups
add description:
	Modify Groups
add member:
	cn=groupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifygroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifygroupmembership
add description:
	Modify Group membership
add member:
	cn=groupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifygroupmembership,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addhosts
add description:
	Add Hosts
add member:
	cn=hostadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addhosts,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removehosts
add description:
	Remove Hosts
add member:
	cn=hostadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removehosts,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifyhosts
add description:
	Modify Hosts
add member:
	cn=hostadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifyhosts,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addhostgroups
add description:
	Add Host Groups
add member:
	cn=hostgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addhostgroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removehostgroups
add description:
	Remove Host Groups
add member:
	cn=hostgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removehostgroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifyhostgroups
add description:
	Modify Host Groups
add member:
	cn=hostgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifyhostgroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifyhostgroupmembership
add description:
	Modify Host Group membership
add member:
	cn=hostgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addservices
add description:
	Add Services
add member:
	cn=serviceadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addservices,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removeservices
add description:
	Remove Services
add member:
	cn=serviceadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removeservices,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addhrole
add description:
	Add Roles
add member:
	cn=delegationadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addroles,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removeroles
add description:
	Remove Roles
add member:
	cn=delegationadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removeroles,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifyroles
add description:
	Modify Roles
add member:
	cn=delegationadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifyroles,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifyrolegroupmembership
add description:
	Modify Role Group membership
add member:
	cn=delegationadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifytaskgroupmembership
add description:
	Modify Task Group membership
add member:
	cn=delegationadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addautomount
add description:
	Add Automount maps/keys
add member:
	cn=automountadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addautomount,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removeautomount
add description:
	Remove Automount maps/keys
add member:
	cn=automountadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removeautomount,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	addnetgroups
add description:
	Add netgroups
add member:
	cn=netgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=addnetgroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	removenetgroups
add description:
	Remove netgroups
add member:
	cn=netgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=removenetgroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifynetgroups
add description:
	Modify netgroups
add member:
	cn=netgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifynetgroups,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	modifynetgroupmembership
add description:
	Modify netgroup membership
add member:
	cn=netgroupadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	manage_host_keytab
add description:
	Manage host keytab
add member:
	cn=hostadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=manage_host_keytab,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupofnames
add cn:
	manage_host_keytab
add description:
	Updates DNS
add member:
	cn=dnsadmin,cn=rolegroups,cn=accounts,dc=example,dc=com
	cn=dnsserver,cn=rolegroups,cn=accounts,dc=example,dc=com
adding new entry "cn=update_dns,cn=taskgroups,cn=accounts,dc=example,dc=com"
modify complete


2009-11-25 12:16:39,677 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:39,719 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpMN2mBV -f /tmp/tmpjmkx4Q
2009-11-25 12:16:39,719 INFO stdout=add objectclass:
	top
	extensibleObject
add cn:
	Posix Accounts
add dnaType:
	uidNumber
add dnaNextValue:
	1818299553
add dnaInterval:
	1
add dnaMaxValue:
	1818399552
add dnaMagicRegen:
	999
add dnaFilter:
	(objectclass=posixAccount)
add dnaScope:
	dc=example,dc=com
adding new entry "cn=Posix Accounts,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
modify complete

add objectclass:
	top
	extensibleObject
add cn:
	Posix Groups
add dnaType:
	gidNumber
add dnaNextValue:
	1818299555
add dnaInterval:
	1
add dnaMaxValue:
	1818399552
add dnaMagicRegen:
	999
add dnaFilter:
	(objectclass=posixGroup)
add dnaScope:
	dc=example,dc=com
adding new entry "cn=Posix Groups,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
modify complete


2009-11-25 12:16:39,719 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:39,744 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpcQlfwx -f /tmp/tmpRKxd0F
2009-11-25 12:16:39,745 INFO stdout=add objectclass:
	top
	extensibleObject
add cn:
	fedora11.example.com
add dnabase:
	1100
add dnainterval:
	4
adding new entry "cn=fedora11.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com"
modify complete


2009-11-25 12:16:39,745 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:39,763 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpdjt0_O -f /tmp/tmpbWeo67
2009-11-25 12:16:39,764 INFO stdout=add objectClass:
	top
	extensibleObject
add cn:
	IPA install
add basedn:
	dc=example,dc=com
add filter:
	(objectclass=*)
add ttl:
	10
adding new entry "cn=IPA install 1259176588, cn=memberof task, cn=tasks, cn=config"
modify complete


2009-11-25 12:16:39,764 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:39,774 INFO args=/sbin/chkconfig --list dirsrv
2009-11-25 12:16:39,775 INFO stdout=dirsrv         	0:off	1:off	2:off	3:off	4:off	5:off	6:off

2009-11-25 12:16:39,775 INFO stderr=
2009-11-25 12:16:39,779 INFO args=/sbin/chkconfig dirsrv on
2009-11-25 12:16:39,779 INFO stdout=
2009-11-25 12:16:39,780 INFO stderr=
2009-11-25 12:16:39,851 INFO args=/sbin/service krb5kdc status 
2009-11-25 12:16:39,851 INFO stdout=krb5kdc is stopped

2009-11-25 12:16:39,851 INFO stderr=
2009-11-25 12:16:39,917 INFO args=/sbin/service krb5kdc stop 
2009-11-25 12:16:39,917 INFO stdout=Stopping Kerberos 5 KDC: [FAILED]

2009-11-25 12:16:39,917 INFO stderr=
2009-11-25 12:16:40,017 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpy0Kmds -f /tmp/tmpO4UWmV
2009-11-25 12:16:40,017 INFO stdout=add objectclass:
	account
	simplesecurityobject
add uid:
	kdc
add userPassword:
	Xl"t%3j8}VX
adding new entry "uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com"
modify complete

add objectClass:
	krbContainer
	top
add cn:
	kerberos
add aci:
	(targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
adding new entry "cn=kerberos,dc=example,dc=com"
modify complete


2009-11-25 12:16:40,018 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:40,104 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0Ad5oy -f /tmp/tmphQ5Kwd
2009-11-25 12:16:40,105 INFO stdout=add aci:
	(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
	(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,dc=example,dc=com";;)
	(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;)
	(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)
	(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/chang...@example.com,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com";;)
	(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
	(targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
	(targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
	(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)
	(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)
	(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType  || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)
modifying entry "dc=example,dc=com"
modify complete

add aci:
	(targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)
modifying entry "cn=ipaConfig,cn=etc,dc=example,dc=com"
modify complete

add aci:
	(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)
	(targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)
modifying entry "cn=accounts,dc=example,dc=com"
modify complete

add aci:
	(targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,dc=example,dc=com || ldap:///krbprincipalname=radius/fedora11.example....@example.com,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com";;)
	(targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)
modifying entry "cn=radius,dc=example,dc=com"
modify complete

add aci:
	(targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
modifying entry "cn=services,cn=accounts,dc=example,dc=com"
modify complete

add aci:
	(targetattr=userCertificate)(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
modifying entry "cn=services,cn=accounts,dc=example,dc=com"
modify complete


2009-11-25 12:16:40,105 INFO stderr=ldap_initialize( ldap://127.0.0.1 )

2009-11-25 12:16:40,155 INFO args=/usr/kerberos/sbin/kdb5_ldap_util -D uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com -w  Xl"t%3j8}VX create -s -P >grbc"/F+Sh` -r EXAMPLE.COM -subtrees dc=example,dc=com -sscope sub
2009-11-25 12:16:40,156 INFO stdout=
2009-11-25 12:16:40,156 INFO stderr=kdb5_ldap_util: Invalid credentials while initializing database

2009-11-25 12:16:40,167 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk
2009-11-25 12:16:40,167 INFO stdout=add krbSupportedEncSaltTypes:
	aes256-cts:normal
	aes128-cts:normal
	des3-hmac-sha1:normal
	arcfour-hmac:normal
	des-hmac-sha1:normal
	des-cbc-md5:normal
	des-cbc-crc:normal
	des-cbc-crc:v4
	des-cbc-crc:afs3
modifying entry "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"


2009-11-25 12:16:40,168 INFO stderr=ldap_initialize( ldap://127.0.0.1 )
ldap_modify: No such object (32)
	matched DN: cn=kerberos,dc=example,dc=com

2009-11-25 12:16:40,168 CRITICAL Failed to load default-keytypes.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpdRo9BD -f /tmp/tmpdls3uk' returned non-zero exit status 32
2009-11-25 12:16:40,299 INFO args=/usr/kerberos/sbin/kadmin.local -q addprinc -randkey ldap/fedora11.example....@example.com
2009-11-25 12:16:40,299 INFO stdout=Authenticating as principal root/ad...@example.com with password.

2009-11-25 12:16:40,299 INFO stderr=kadmin.local: Unable to access Kerberos database while initializing kadmin.local interface

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
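The three consecutive failures in the log above (kdb5_ldap_util rejected with "Invalid credentials", the ldapmodify against cn=EXAMPLE.COM,cn=kerberos failing with err 32 and "matched DN: cn=kerberos,...", then kadmin.local unable to open the database) have to be put in order before anyone guesses at a cause. As an added example, not the poster's code and not part of FreeIPA, here is a small parser for the args=/stdout=/stderr= records of this install log, run over a constructed excerpt of the records above (passwords, temp file names and the principal name replaced with placeholders). It lists each failing step, reports the earliest one as the thing to chase, and pulls the matched DN out of the err 32, which is the deepest entry that did exist when the modify was attempted.

```python
# Added example (not FreeIPA code): triage of an ipaserver-install.log
# excerpt.  SAMPLE_LOG below is constructed from the records in the mail,
# with secrets and the principal name replaced by placeholders.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} ")
_RECORD = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ (args|stdout|stderr)=(.*)$")
_MATCHED_DN = re.compile(r"matched DN:\s*(.+?)\s*$", re.M)

# stderr text meaning the step did not do what the installer needed
FATAL_PATTERNS = (
    "Invalid credentials",
    "No such object (32)",
    "Unable to access Kerberos database",
)


@dataclass
class Command:
    when: str
    args: str
    stdout: str = ""
    stderr: str = ""

    @property
    def program(self) -> str:
        return self.args.split()[0]

    def failure(self) -> Optional[str]:
        """First fatal pattern found in stderr, or None."""
        for pat in FATAL_PATTERNS:
            if pat in self.stderr:
                return pat
        return None

    def missing_parent(self) -> Optional[str]:
        """For an LDAP err 32, the deepest DN that does exist."""
        m = _MATCHED_DN.search(self.stderr)
        return m.group(1) if m else None


def parse_install_log(text: str) -> List[Command]:
    """Group args=/stdout=/stderr= records and their continuation lines per command."""
    cmds: List[Command] = []
    current: Optional[str] = None       # field that continuation lines belong to
    for line in text.splitlines():
        m = _RECORD.match(line)
        if m:
            when, key, rest = m.groups()
            if key == "args":
                cmds.append(Command(when=when, args=rest))
                current = None
            elif cmds:
                setattr(cmds[-1], key, rest)
                current = key
        elif _STAMP.match(line):
            current = None              # some other log line, e.g. CRITICAL
        elif cmds and current:
            setattr(cmds[-1], current, getattr(cmds[-1], current) + "\n" + line)
    return cmds


def failed_steps(cmds: List[Command]) -> List[Tuple[str, str]]:
    """(program, matched pattern) for every command whose stderr looks fatal."""
    return [(c.program, c.failure()) for c in cmds if c.failure()]


def root_cause(cmds: List[Command]) -> Optional[Command]:
    """Earliest failing command; later failures are usually consequences of it."""
    return next((c for c in cmds if c.failure()), None)


# Constructed excerpt modelled on the records in the mail (placeholders, not real values).
SAMPLE_LOG = """\
2009-11-25 12:16:40,155 INFO args=/usr/kerberos/sbin/kdb5_ldap_util -D uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com -w <redacted> create -s -P <redacted> -r EXAMPLE.COM -subtrees dc=example,dc=com -sscope sub
2009-11-25 12:16:40,156 INFO stdout=
2009-11-25 12:16:40,156 INFO stderr=kdb5_ldap_util: Invalid credentials while initializing database

2009-11-25 12:16:40,167 INFO args=/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/<pwfile> -f /tmp/<ldif>
2009-11-25 12:16:40,167 INFO stdout=add krbSupportedEncSaltTypes:
\taes256-cts:normal
modifying entry "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"

2009-11-25 12:16:40,168 INFO stderr=ldap_initialize( ldap://127.0.0.1 )
ldap_modify: No such object (32)
\tmatched DN: cn=kerberos,dc=example,dc=com

2009-11-25 12:16:40,168 CRITICAL Failed to load default-keytypes.ldif: Command '/usr/bin/ldapmodify ...' returned non-zero exit status 32
2009-11-25 12:16:40,299 INFO args=/usr/kerberos/sbin/kadmin.local -q addprinc -randkey ldap/<host>
2009-11-25 12:16:40,299 INFO stdout=Authenticating as principal <principal> with password.
2009-11-25 12:16:40,299 INFO stderr=kadmin.local: Unable to access Kerberos database while initializing kadmin.local interface
"""

if __name__ == "__main__":
    cmds = parse_install_log(SAMPLE_LOG)
    for prog, why in failed_steps(cmds):
        print(f"{prog}: {why}")
    first = root_cause(cmds)
    print("chase first:", first.program if first else None)
```

On the excerpt the earliest failure is the kdb5_ldap_util bind as uid=kdc, and the err 32 from the next step names cn=kerberos,dc=example,dc=com as the existing parent of the realm entry that ldapmodify could not find, so the later two errors are consistent with that first one rather than independent problems. Run against the full ipaserver-install.log the same parser also catches steps that only wrote a warning, since it keys on stderr text and not on exit status; extend FATAL_PATTERNS to taste.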

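The aci values the installer loads into dc=example,dc=com (the "Enable Anonymous access" rule and the ones after it) are written so that anonymous and admin reads exclude userPassword, krbPrincipalKey, the Samba hashes, passwordHistory and krbMKey, while the kdc system account is granted them explicitly. A negated targetattr is easy to get wrong when one of these is edited, so as an added example (not FreeIPA code) here is a parser for ACI values of this syntax with two checks over them: that no allow rule for ldap:///anyone reaches a secret attribute, and which bind rules can read a given attribute. SAMPLE_ACIS copies six of the values from the log above verbatim, doubled ";;" included; WEAK_ACI is a constructed counter-example. The parser ignores targetfilter and does not subtract deny rules, so it reports an upper bound on who can read what, and it assumes an aci without a targetattr clause targets every attribute.

```python
# Added example (not FreeIPA code): static check of 389-ds ACI values as
# loaded by the installer.  SAMPLE_ACIS is copied from the install log;
# WEAK_ACI is constructed to show a failing check.
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

# Attributes the installer keeps out of the anonymous and admin rules.
SECRET_ATTRS: FrozenSet[str] = frozenset(a.lower() for a in (
    "userPassword", "krbPrincipalKey", "sambaLMPassword",
    "sambaNTPassword", "passwordHistory", "krbMKey"))
READ_RIGHTS = frozenset({"read", "search", "compare", "all"})

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"?([^"\)]+?)"?\s*\)', re.I)
_ACL_NAME = re.compile(r'\b(?:acl|aci)\s+"([^"]*)"', re.I)
_PERM = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]+)', re.I)
_ANYONE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.I)


@dataclass(frozen=True)
class Grant:
    """One allow/deny rule of an ACI together with its targetattr clause."""
    acl_name: str
    allow: bool                   # False for a deny rule
    rights: FrozenSet[str]        # e.g. {"read", "search", "compare"}
    bind_rule: str                # raw text, e.g. userdn = "ldap:///anyone"
    target_attrs: FrozenSet[str]  # lower-cased names, or {"*"}
    negated: bool                 # True for targetattr != "..."

    def covers(self, attr: str) -> bool:
        """Whether the targetattr clause reaches `attr`."""
        if "*" in self.target_attrs:
            return not self.negated
        return (attr.lower() in self.target_attrs) != self.negated

    def is_anonymous(self) -> bool:
        return _ANYONE.search(self.bind_rule) is not None


def parse_aci(value: str) -> List[Grant]:
    """Extract the permission rules of one aci value.

    targetfilter is ignored: it can only narrow which entries a rule reaches,
    so dropping it keeps the exposure check conservative.  No targetattr
    clause is treated as "*" (assumption; confirm against the server docs).
    """
    m = _TARGETATTR.search(value)
    if m:
        negated = m.group(1) == "!="
        attrs = frozenset(a.strip().lower() for a in m.group(2).split("||"))
    else:
        negated, attrs = False, frozenset({"*"})
    body = value.split("version 3.0", 1)[-1]   # acl name and rules follow the version tag
    name_m = _ACL_NAME.search(body)
    name = name_m.group(1) if name_m else "<unnamed>"
    return [Grant(acl_name=name,
                  allow=kind.lower() == "allow",
                  rights=frozenset(r.strip().lower() for r in rights.split(",")),
                  bind_rule=bind.strip(), target_attrs=attrs, negated=negated)
            for kind, rights, bind in _PERM.findall(body)]


def exposed_secrets(aci_values: Iterable[str]) -> List[Tuple[str, str]]:
    """(acl name, attribute) for every allow rule that lets anyone read a secret."""
    hits: List[Tuple[str, str]] = []
    for value in aci_values:
        for g in parse_aci(value):
            if g.allow and g.is_anonymous() and g.rights & READ_RIGHTS:
                hits.extend((g.acl_name, a) for a in sorted(SECRET_ATTRS) if g.covers(a))
    return hits


def readers_of(aci_values: Iterable[str], attr: str) -> Set[str]:
    """Bind rules of allow rules granting read (or all) on `attr`; deny rules
    are not subtracted, so this is an upper bound."""
    return {g.bind_rule for value in aci_values for g in parse_aci(value)
            if g.allow and g.rights & {"read", "all"} and g.covers(attr)}


# Copied verbatim from the install log above (six of the dc=example,dc=com rules).
SAMPLE_ACIS = [
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)',
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,dc=example,dc=com";;)',
    '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;)',
    '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";;)',
    '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";;)',
    '(targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";;)',
]
# Constructed counter-example: the same anonymous rule with the exclusion list dropped.
WEAK_ACI = '(targetattr = "*")(version 3.0; acl "Bad anonymous"; allow (read, search, compare) userdn = "ldap:///anyone";)'

if __name__ == "__main__":
    print("anonymous exposure:", exposed_secrets(SAMPLE_ACIS))
    print("can read krbPrincipalKey:", readers_of(SAMPLE_ACIS, "krbPrincipalKey"))
    print("weak rule exposure:", exposed_secrets([WEAK_ACI]))
```

On the logged rules the first check passes and readers_of reports only uid=kdc for krbPrincipalKey. It also shows that readers_of("krbPrincipalName") includes ldap:///anyone: allow rules are unioned in 389-ds, and the anonymous rule excludes only the six listed secrets, so the "Only the KDC System Account has access to kerberos material" rule does not restrict anything on its own. Whether that is intended is a question for the list; the checker only makes it visible.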