On 06/04/2014 06:43 PM, Petr Viktorin wrote:
> Hello,
> I try to think about any kind of data the user might have in LDAP, but in the
> spirit of YAGNI, I'll deal with the various corner cases in IPA's historic
> default permissions as I go along.
>
> Patch 0568 adds support for the case where the default permissions changed in
> something else than attribute lists. Needed for the 'Change User password'
> permission.
>
> Patch 0569 converts user permissions to managed.
>
> Patch 0570 fixes https://fedorahosted.org/freeipa/ticket/3697
1) Add aci has targetfilter part - is that intentional?

# ipa permission-show 'System: Add Users' --all --raw
...
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)

This part IS effective though, so it may not be a bad thing at all to keep it in the ACI:

# ldapadd -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn: cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
objectclass: top
objectclass: nscontainer
cn: foo

adding new entry "cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry 'cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test'.

# ipa user-add --first=Foo --last Bar fbar2
------------------
Added user "fbar2"
------------------
  User login: fbar2
  First name: Foo
...

2) System: Add User to default group

I was wondering whether we should keep the ACI in the cn=groups container or directly with the group, but I think the group itself is a good idea. (Unless someone deletes and recreates it.)

3) System: Change User password

I hit some nasty DS error which prevented an authorized user from updating a password. ACI log attached. Ludwig, does that ring any bell? The ACI itself looks OK though, as after I restarted DS it started to work. Maybe DS did not cache the ACIs properly after upgrade?

4) When running user unit tests, I found a couple of issues:

a) Some attributes we may still miss in the permissions:
- krbPrincipalExpiration
- userclass
- ipaUserAuthType
- preferredLanguage

I am thinking we could base the Modify Users permission on the read one and add regular attributes there.

b) Read membership ACIs for users and groups miss the "member" attribute and thus indirect/direct processing goes wrong.
This is all I could find; patches are looking good otherwise.

Martin
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/[email protected],cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=743 (main): Allow search on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=745 (main): Allow search on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=747 (main): Allow search on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - conn=87 op=4 (main): Allow write on entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - #### conn=87 op=4 binddn="uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: container:-1
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: container:4
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:cn=accounts,dc=mkosek-fedora20,dc=test: container:3
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:dc=mkosek-fedora20,dc=test: container:2
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:dc=test: container:-1
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - ************ RESOURCE INFO STARTS *********
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Client DN: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - resource type:256(write target_DN )
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Slapi_Entry DN: uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - ATTR: krbPrincipalKey
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - rights:write
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ************ RESOURCE INFO ENDS *********
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:0 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:1 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:2 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "permission:System: Change User password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:272 ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "permission:System: Change User password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:273 ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "selfservice:Self can write own password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:42 ACL_ELEVEL:7
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(userdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Admins can write passwords"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:43 ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write delete add target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Num of ALLOW Handles:4, DENY handles:0
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Processed attr:krbPrincipalKey for entry:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(272) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=RBAC Readers,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Read Roles,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 2. Evaluating ALLOW aci(42) " "selfservice:Self can write own password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 3. Evaluating ALLOW aci(273) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=RBAC Readers,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Read Roles,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 4. Evaluating ALLOW aci(43) " "Admins can write passwords""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_FALSE
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - conn=87 op=4 (main): Deny write on entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test).attr(krbPrincipalKey) to uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: no aci matched the subject by aci(43): aciname= "Admins can write passwords", acidn="dc=mkosek-fedora20,dc=test"
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
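The attached trace is long, and the interesting part is easy to miss: the two "permission:System: Change User password" handles (aci 272 and 273) were never evaluated to TRUE or FALSE but to ACL_DONT_KNOW after "GroupEval:Looked at too many entries", the selfservice handle logged no result at all, and the final Deny cites aci(43), the only handle that reached ACL_FALSE. The Python below is an added example, not code from FreeIPA, 389-ds or the patches under review: it parses NSACLPlugin debug lines in the format of that log, records per ACI what the server concluded, and flags ALLOW handles whose group evaluation gave up. SAMPLE_TRACE is a constructed, shortened excerpt with the domain changed to dc=example,dc=test; the class and function names are mine. The tool reports only what the server logged and makes no claim about why group evaluation stopped.

```python
"""Triage a 389-ds NSACLPlugin debug trace: which ACIs were evaluated, what each
evaluated to, and which one the final verdict cites. Added example, not code from
FreeIPA or 389-ds; SAMPLE_TRACE is a constructed, shortened excerpt in the format
of the log attached to the thread (domain changed to dc=example,dc=test)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

_EVAL_RE = re.compile(r'\d+\. Evaluating (ALLOW|DENY) aci\((\d+)\) " "(.*)""$')
_MEMBER_RE = re.compile(r'-- (In|Not in) (.+)$')
_RESULT_RE = re.compile(r'Evaluated (ACL_TRUE|ACL_FALSE|ACL_DONT_KNOW)$')
# Attribute-level verdict only: "Allow write on entry(...): root user" bypasses ACI evaluation.
_VERDICT_RE = re.compile(r'(Allow|Deny) (\w+) on entry\((.+?)\)\.attr\((\w+)\) to (.+?): (.*)$')
_RESOURCE_FIELDS = (("Client DN: ", "client_dn"), ("Slapi_Entry DN: ", "target_dn"),
                    ("ATTR: ", "attr"), ("rights:", "right"))

@dataclass
class AciEval:
    index: int
    name: str
    kind: str                           # ALLOW or DENY handle
    result: str | None = None           # ACL_TRUE / ACL_FALSE / ACL_DONT_KNOW; None if not logged
    group_eval_exhausted: bool = False  # "GroupEval:Looked at too many entries" was logged
    in_groups: list[str] = field(default_factory=list)
    not_in_groups: list[str] = field(default_factory=list)

@dataclass
class Decision:
    client_dn: str | None = None        # bind DN the operation ran as
    target_dn: str | None = None
    attr: str | None = None
    right: str | None = None
    evals: list[AciEval] = field(default_factory=list)
    verdict: str | None = None          # Allow / Deny
    decided_by: int | None = None       # ACI index cited in the verdict line
    reason: str | None = None

def parse_acl_trace(text: str) -> Decision:
    """Single pass over the trace; the ACI under evaluation is the only carried state."""
    d, cur, in_resource = Decision(), None, False
    for raw in text.splitlines():
        _, marker, msg = raw.partition("NSACLPlugin - ")   # drop timestamp/plugin prefix
        if not marker:
            continue
        msg = msg.strip()
        if msg.startswith("************ RESOURCE INFO"):
            in_resource = "STARTS" in msg
        elif in_resource:
            for prefix, name in _RESOURCE_FIELDS:
                if msg.startswith(prefix):
                    setattr(d, name, msg[len(prefix):])
        elif m := _EVAL_RE.match(msg):
            cur = AciEval(index=int(m.group(2)), name=m.group(3), kind=m.group(1))
            d.evals.append(cur)
        elif cur and (m := _MEMBER_RE.match(msg)):
            (cur.in_groups if m.group(1) == "In" else cur.not_in_groups).append(m.group(2))
        elif cur and msg.startswith("GroupEval:Looked at too many entries"):
            cur.group_eval_exhausted = True
        elif cur and (m := _RESULT_RE.match(msg)):
            cur.result = m.group(1)
        elif m := _VERDICT_RE.search(msg):
            d.verdict, d.reason = m.group(1), m.group(6)
            by = re.search(r"by aci\((\d+)\)", d.reason)
            d.decided_by = int(by.group(1)) if by else None
    return d

def inconclusive_allows(d: Decision) -> list[AciEval]:
    """ALLOW handles that ended in ACL_DONT_KNOW: membership was never resolved, so the
    rule neither granted nor refused and the decision fell through to a later ACI."""
    return [e for e in d.evals if e.kind == "ALLOW" and e.result == "ACL_DONT_KNOW"]

def explain(d: Decision) -> list[str]:
    out = [f"{d.verdict} {d.right} on {d.target_dn} attr={d.attr} for {d.client_dn}"]
    for e in d.evals:
        flag = "  <- group evaluation gave up" if e.group_eval_exhausted else ""
        out.append(f"  aci({e.index}) {e.name}: {e.result or 'no result logged'}{flag}")
    return out + [f"  reason: {d.reason}"]

SAMPLE_TRACE = """\
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - ************ RESOURCE INFO STARTS *********
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Client DN: uid=fbar,cn=users,cn=accounts,dc=example,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Slapi_Entry DN: uid=fbar2,cn=users,cn=accounts,dc=example,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - ATTR: krbPrincipalKey
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - rights:write
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ************ RESOURCE INFO ENDS *********
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(272) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User password,cn=permissions,cn=pbac,dc=example,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 2. Evaluating ALLOW aci(42) " "selfservice:Self can write own password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 3. Evaluating ALLOW aci(273) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 4. Evaluating ALLOW aci(43) " "Admins can write passwords""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=example,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_FALSE
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - conn=87 op=4 (main): Deny write on entry(uid=fbar2,cn=users,cn=accounts,dc=example,dc=test).attr(krbPrincipalKey) to uid=fbar,cn=users,cn=accounts,dc=example,dc=test: no aci matched the subject by aci(43): aciname= "Admins can write passwords", acidn="dc=example,dc=test"
"""
```

`print("\n".join(explain(parse_acl_trace(SAMPLE_TRACE))))` gives the Deny verdict followed by one line per handle: aci(272) and aci(273) as ACL_DONT_KNOW with the gave-up flag, aci(42) with no result logged, and aci(43) as ACL_FALSE, which is the handle the verdict line cites. Feeding the full attached log through the same function gives the same picture; the root-user search lines and the ACL INFO blocks are ignored because they carry no evaluation result.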
