On 06/04/2014 06:43 PM, Petr Viktorin wrote:
> Hello,
> I try to think about any kind of data the user might have in LDAP, but in the
> spirit of YAGNI, I'll deal with the various corner cases in IPA's historic
> default permissions as I go along.
> 
> Patch 0568 adds support for the case where the default permissions changed in
> something other than attribute lists. Needed for the 'Change User password'
> permission.
> 
> Patch 0569 converts user permissions to managed.
> 
> Patch 0570 fixes https://fedorahosted.org/freeipa/ticket/3697


1) The Add ACI has a targetfilter part - is that intentional?

# ipa permission-show 'System: Add Users' --all --raw
...
  aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl
"permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add
Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)

This part IS effective though, so it may not be a bad thing at all to keep it
in the ACI:

# ldapadd -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: f...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
dn: cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
objectclass: top
objectclass: nscontainer
cn: foo

adding new entry "cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry
'cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test'.

# ipa user-add --first=Foo --last Bar fbar2
------------------
Added user "fbar2"
------------------
  User login: fbar2
  First name: Foo
...

2) System: Add User to default group

I was wondering whether we should keep the ACI in the cn=groups container or
directly with the group, but I think the group itself is a good idea (unless
someone deletes and recreates it).

3) System: Change User password

I hit some nasty DS error which prevented an authorized user from updating a
password. ACI log attached. Ludwig, does that ring any bell?

The ACI itself looks OK though, as after I restarted DS it started to work.
Maybe DS did not cache the ACIs properly after the upgrade?


4) When running the user unit tests, I found a couple of issues:

a) Some attributes may still be missing in the permissions:
- krbPrincipalExpiration
- userclass
- ipaUserAuthType
- preferredLanguage

I am thinking we could base the Modify Users permission on the read one and add
the regular attributes there.

b) The Read membership ACIs for users and groups miss the "member" attribute, and
thus indirect/direct processing goes wrong.

This is all I could find; otherwise, the patches are looking good.

Martin

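As an added illustration (not code from the patches, FreeIPA or 389-ds), the following Python models how the 'System: Add Users' ACI quoted in point 1 decides an add: the targetfilter is matched against the new entry's attributes, so the nscontainer entry from the ldapadd attempt is refused while a posixaccount user passes. The ACI parser only covers the ACI shape shown in the mail, the filter evaluator handles equality plus &, | and ! (going a little beyond the page's single-clause filter), and the bind user's expanded group membership is passed in as a list rather than looked up in the directory.

```python
import re

# ACI as printed by 'ipa permission-show System: Add Users' in the mail.
ACI = ('(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl '
       '"permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: '
       'Add Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)')
PERM_GROUP = 'cn=System: Add Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test'
# Constructed entries: the nscontainer object from the ldapadd attempt and a
# minimal posixaccount user of the kind 'ipa user-add' creates.
CONTAINER = {'objectClass': ['top', 'nscontainer'], 'cn': ['foo']}
USER = {'objectClass': ['top', 'person', 'posixaccount', 'inetorgperson'],
        'uid': ['fbar2'], 'cn': ['Foo Bar']}


def parse_aci(aci):
    """Extract targetfilter, name, allowed rights and groupdn (simplified)."""
    tf = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    group = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci)
    return {'targetfilter': tf.group(1) if tf else None,
            'name': re.search(r'acl\s+"([^"]*)"', aci).group(1),
            'rights': {r.strip().lower() for r in rights.group(1).split(',')},
            'groupdn': group.group(1).lower() if group else None}


def parse_filter(s, i=0):
    """Parse an LDAP filter (equality, &, |, !) into a tree; returns
    (node, index just past the closing parenthesis)."""
    assert s[i] == '(', 'filter must start with ('
    i += 1
    if s[i] in '&|':                       # (&(a=1)(b=2)) or (|(a=1)(b=2))
        op, i, kids = s[i], i + 1, []
        while s[i] == '(':
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == '!':                        # (!(a=1))
        node, i = parse_filter(s, i + 1)
        return ('!', node), i + 1
    end = s.index(')', i)                  # (attr=value); '*' means present
    attr, value = s[i:end].split('=', 1)
    return ('=', attr.strip().lower(), value.strip().lower()), end + 1


def matches(node, entry):
    """Evaluate a filter tree against {attr: [values]}, case-insensitively."""
    op = node[0]
    if op == '=':
        vals = {v.lower() for v in entry.get(node[1], [])}
        return bool(vals) if node[2] == '*' else node[2] in vals
    if op == '&':
        return all(matches(k, entry) for k in node[1])
    if op == '|':
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1], entry)     # '!'


def aci_allows(aci, right, entry, bind_groups):
    """True if the ACI grants `right` on `entry` to a bind DN whose expanded
    group membership is `bind_groups` (no nested lookup is done here)."""
    a = parse_aci(aci)
    if right.lower() not in a['rights']:
        return False
    lowered = {k.lower(): v for k, v in entry.items()}
    if a['targetfilter'] and not matches(parse_filter(a['targetfilter'])[0], lowered):
        return False                       # entry is outside the ACI's target
    return a['groupdn'] in {g.lower() for g in bind_groups}
```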
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search 
on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search 
on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search 
on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=krbtgt/mkosek-fedora20.t...@mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=743 (main): Allow search 
on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search 
on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search 
on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search 
on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search 
on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search 
on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test):
 root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(krbprincipalname=ldap/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=745 (main): Allow search 
on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root 
user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search 
on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search 
on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search 
on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=747 (main): Allow search 
on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root 
user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on 
entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - conn=87 op=4 (main): Allow write on 
entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - acl_init_userGroup: found in cache 
for dn:uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - #### conn=87 op=4 
binddn="uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for 
update:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: container:-1
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for 
update:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: container:4
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for 
update:cn=accounts,dc=mkosek-fedora20,dc=test: container:3
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for 
update:dc=mkosek-fedora20,dc=test: container:2
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for 
update:dc=test: container:-1
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     ************ RESOURCE INFO 
STARTS *********
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     Client DN: 
uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     resource type:256(write 
target_DN )
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     Slapi_Entry DN: 
uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     ATTR: krbPrincipalKey
[06/Jun/2014:11:17:18 +0200] NSACLPlugin -     rights:write
[06/Jun/2014:11:17:18 +0200] NSACLPlugin -     ************ RESOURCE INFO ENDS  
 *********
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:0 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:1 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:2 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: 
"permission:System: Change User password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:272   ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt 
allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry 
DN:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL 
INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: 
"permission:System: Change User password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:273   ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt 
allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry 
DN:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL 
INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: 
"selfservice:Self can write own password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:42   ACL_ELEVEL:7
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt 
allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(userdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry 
DN:dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL 
INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Admins can 
write passwords"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:43   ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write delete add 
target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry 
DN:dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL 
INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Num of ALLOW Handles:4, DENY 
handles:0
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Processed attr:krbPrincipalKey for 
entry:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(272) " 
"permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user 
uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=System: 
Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User 
Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User 
Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos 
Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify 
Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in 
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in 
cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=RBAC 
Readers,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Read 
Roles,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User 
password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many 
entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn 
evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 2. Evaluating ALLOW aci(42) " 
"selfservice:Self can write own password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 3. Evaluating ALLOW aci(273) " 
"permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user 
uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=System: 
Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User 
Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User 
Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos 
Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify 
Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in 
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in 
cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=RBAC 
Readers,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Read 
Roles,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User 
password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many 
entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn 
evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 4. Evaluating ALLOW aci(43) " 
"Admins can write passwords""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user 
uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group 
cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User 
Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User 
Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos 
Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify 
Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in 
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in 
cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_FALSE
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - conn=87 op=4 (main): Deny write on 
entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test).attr(krbPrincipalKey)
 to uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: no aci matched 
the subject by aci(43): aciname= "Admins can write passwords", 
acidn="dc=mkosek-fedora20,dc=test"
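In the attached trace both 'System: Change User password' ACIs end in ACL_DONT_KNOW after 'GroupEval:Looked at too many entries', and only 'Admins can write passwords' reaches a real ACL_FALSE before the deny. The following Python, an added example rather than anything from 389-ds or FreeIPA, parses NSACLPlugin output of that shape and reports each ACI's logged verdict so that the undecided-versus-refused distinction stands out; the embedded log is a constructed excerpt of the lines above, and the last Allow/Deny line in the input is taken as the decision.

```python
import re

# Constructed excerpt of the NSACLPlugin trace attached to the mail: one ACL
# evaluation for a write to krbPrincipalKey, trimmed to the decisive lines.
SAMPLE_LOG = """\
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Num of ALLOW Handles:4, DENY handles:0
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Processed attr:krbPrincipalKey for entry:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(272) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 2. Evaluating ALLOW aci(42) " "selfservice:Self can write own password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 3. Evaluating ALLOW aci(273) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 4. Evaluating ALLOW aci(43) " "Admins can write passwords""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_FALSE
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - conn=87 op=4 (main): Deny write on entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test).attr(krbPrincipalKey) to uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: no aci matched the subject by aci(43): aciname= "Admins can write passwords", acidn="dc=mkosek-fedora20,dc=test"
"""

EVAL_RE = re.compile(r'(\d+)\. Evaluating (\w+) aci\((\d+)\) " "([^"]*)""')
RESULT_RE = re.compile(r'Evaluated (ACL_\w+)')
DECISION_RE = re.compile(r'(Allow|Deny) (\w+) on entry\(([^)]*)\)(?:\.attr\((\w+)\))?')
GROUP_LIMIT = 'GroupEval:Looked at too many entries'


def analyze(log_text):
    """Return {'acis': [...], 'decision': {...}} for one NSACLPlugin trace.
    Each ACI record holds the logged verdict (ACL_TRUE/ACL_FALSE/ACL_DONT_KNOW,
    None if no verdict line appeared) and 'group_eval_limit' as the reason when
    the groupdn walk gave up before reaching a verdict."""
    acis, current, decision = [], None, None
    for line in log_text.splitlines():
        msg = line.split('NSACLPlugin - ', 1)[-1].strip()
        m = DECISION_RE.search(msg)
        if m:                                   # last Allow/Deny line wins
            decision = {'outcome': m.group(1), 'right': m.group(2),
                        'entry': m.group(3), 'attr': m.group(4)}
            continue
        m = EVAL_RE.search(msg)
        if m:                                   # start of the next ACI
            current = {'index': int(m.group(3)), 'type': m.group(2),
                       'name': m.group(4), 'result': None, 'reason': None}
            acis.append(current)
        elif current is not None:               # detail line for current ACI
            if msg.startswith(GROUP_LIMIT):
                current['reason'] = 'group_eval_limit'
            m = RESULT_RE.search(msg)
            if m:
                current['result'] = m.group(1)
    return {'acis': acis, 'decision': decision}


def undecided_acis(report):
    """Indices of ALLOW ACIs that never said yes or no because the group
    evaluation stopped early; check these before blaming the ACI text."""
    return [a['index'] for a in report['acis']
            if a['type'] == 'ALLOW' and a['result'] == 'ACL_DONT_KNOW'
            and a['reason'] == 'group_eval_limit']
```

Running `analyze(SAMPLE_LOG)` lists 272 and 273 as undecided and 43 as the only ACI that was actually refused, which is the same picture the raw trace gives only after reading it line by line.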
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel