[Freeipa-devel] [PATCHES] 0568-0570 Convert User default permissions to managed

Martin Kosek mkosek at redhat.com
Fri Jun 6 09:38:28 UTC 2014


On 06/04/2014 06:43 PM, Petr Viktorin wrote:
> Hello,
> I try to think about any kind of data the user might have in LDAP, but in the
> spirit of YAGNI, I'll deal with the various corner cases in IPA's historic
> default permissions as I go along.
> 
> Patch 0568 adds support for the case where the default permissions changed in
> something other than attribute lists. Needed for the 'Change User password'
> permission.
> 
> Patch 0569 converts user permissions to managed.
> 
> Patch 0570 fixes https://fedorahosted.org/freeipa/ticket/3697


1) Add ACI has a targetfilter part - is that intentional?

# ipa permission-show 'System: Add Users' --all --raw
...
  aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl
"permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add
Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)

This part IS effective though, so it may not be a bad thing at all, to keep it
in the ACI:

# ldapadd -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: fbar at MKOSEK-FEDORA20.TEST
SASL SSF: 56
SASL data security layer installed.
dn: cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
objectclass: top
objectclass: nscontainer
cn: foo

adding new entry "cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
ldap_add: Insufficient access (50)
	additional info: Insufficient 'add' privilege to add the entry
'cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test'.

# ipa user-add --first=Foo --last Bar fbar2
------------------
Added user "fbar2"
------------------
  User login: fbar2
  First name: Foo
...

2) System: Add User to default group

I was wondering whether we should keep the ACI in cn=groups container or
directly with the group, but I think the group itself is a good idea. (Unless
someone deletes and recreates it).

3) System: Change User password

I hit some nasty DS error which prevented an authorized user from updating a
password. ACI log attached. Ludwig, does that ring any bell?

The ACI itself looks OK though as after I restarted DS, it started to work.
Maybe DS did not cache the ACIs properly after upgrade?


4) When running user unit tests, I found a couple of issues:

a) Some attributes we may still miss in the permissions:
- krbPrincipalExpiration
- userclass
- ipaUserAuthType
- preferredLanguage

I am thinking we could base the Modify Users permission on the read one and add
the regular attributes there.

b) Read membership ACIs for users and groups miss "member" attribute and thus
indirect/direct processing goes wrong.

This is all I could find; the patches are looking good otherwise.

Martin
-------------- next part --------------
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=742 (main): Allow search on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=krbtgt/mkosek-fedora20.test at mkosek-fedora20.test,cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=743 (main): Allow search on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=ipaconfig,cn=etc,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=744 (main): Allow search on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(krbprincipalname=ldap/ipa.mkosek-fedora20.test at mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=745 (main): Allow search on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=746 (main): Allow search on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - conn=4 op=747 (main): Allow search on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:16 +0200] NSACLPlugin - Root access (read) allowed on entry(cn=mkosek-fedora20.test,cn=kerberos,dc=mkosek-fedora20,dc=test)
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - conn=87 op=4 (main): Allow write on entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test): root user
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - #### conn=87 op=4 binddn="uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: container:-1
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: container:4
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:cn=accounts,dc=mkosek-fedora20,dc=test: container:3
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:dc=mkosek-fedora20,dc=test: container:2
[06/Jun/2014:11:17:17 +0200] NSACLPlugin - Searching AVL tree for update:dc=test: container:-1
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     ************ RESOURCE INFO STARTS *********
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     Client DN: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     resource type:256(write target_DN )
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     Slapi_Entry DN: uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:17 +0200] NSACLPlugin -     ATTR: krbPrincipalKey
[06/Jun/2014:11:17:18 +0200] NSACLPlugin -     rights:write
[06/Jun/2014:11:17:18 +0200] NSACLPlugin -     ************ RESOURCE INFO ENDS   *********
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:0 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:1 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Using ACL Container:2 for evaluation
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "permission:System: Change User password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:272   ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "permission:System: Change User password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:273   ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "selfservice:Self can write own password"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:42   ACL_ELEVEL:7
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(userdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Admins can write passwords"]***
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACL Index:43   ACL_ELEVEL:6
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI type:(write delete add target_attr acltxt allow_rule )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ACI RULE type:(groupdn )
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Slapi_Entry DN:dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - ***END ACL INFO*****************************
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Num of ALLOW Handles:4, DENY handles:0
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Processed attr:krbPrincipalKey for entry:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(272) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=RBAC Readers,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Read Roles,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 2. Evaluating ALLOW aci(42) " "selfservice:Self can write own password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 3. Evaluating ALLOW aci(273) " "permission:System: Change User password""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=RBAC Readers,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Read Roles,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 4. Evaluating ALLOW aci(43) " "Admins can write passwords""
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluating user uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test in group cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test?
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrator,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=System: Modify Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_FALSE
[06/Jun/2014:11:17:18 +0200] NSACLPlugin - conn=87 op=4 (main): Deny write on entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test).attr(krbPrincipalKey) to uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: no aci matched the subject by aci(43): aciname= "Admins can write passwords", acidn="dc=mkosek-fedora20,dc=test"
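The targetfilter question in item 1 can be checked offline. The script below is an added example written for this page, not code from FreeIPA or from the mail: it parses the 'System: Add Users' ACI quoted above into its target clauses, name, effect, rights and bind rule, and evaluates the targetfilter against two constructed entries modelled on the ldapadd (nscontainer) and ipa user-add (posixaccount) attempts shown there. The filter evaluator handles equality and presence items joined by &, | and ! in general, not only the single objectclass filter on the page; the groupdn bind rule is parsed but not evaluated, since that needs the directory's group data.

```python
"""Parse a 389-ds ACI and test its targetfilter against candidate entries.

Added example for this page, not code from FreeIPA or from the mail.  The
ACI string is the 'System: Add Users' ACI quoted in item 1; the entries
are constructed to mirror the ldapadd and ipa user-add attempts shown there.
"""
import re

ACI_ADD_USERS = (
    '(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl '
    '"permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add '
    'Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)'
)

# Constructed entries (attribute -> values), not copied from a real directory.
NSCONTAINER_ENTRY = {'objectClass': ['top', 'nscontainer'], 'cn': ['foo']}
USER_ENTRY = {'objectClass': ['top', 'person', 'posixaccount', 'inetorgperson'],
              'uid': ['fbar2'], 'cn': ['Foo Bar']}

# Leading (targetXXX = "...") clauses, then the (version 3.0; ...) body.
TARGET_RE = re.compile(r'\s*\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
BODY_RE = re.compile(
    r'\s*\(version 3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);\)$',
    re.S)


def parse_aci(aci):
    """Split an ACI into target clauses, name, effect, rights and bind rule."""
    targets, pos = {}, 0
    m = TARGET_RE.match(aci, pos)
    while m:
        targets[m.group(1).lower()] = (m.group(2), m.group(3))
        pos = m.end()
        m = TARGET_RE.match(aci, pos)
    m = BODY_RE.match(aci, pos)
    if not m:
        raise ValueError('unrecognised ACI body: %r' % aci[pos:])
    return {'targets': targets, 'name': m.group(1), 'effect': m.group(2),
            'rights': [r.strip() for r in m.group(3).split(',')],
            'bindrule': m.group(4).strip()}


def parse_filter(text):
    """Recursive-descent parser for equality/presence items joined by &, | and !."""
    def close(i):
        if i >= len(text) or text[i] != ')':
            raise ValueError('expected ")" at offset %d in %r' % (i, text))
        return i + 1

    def node_at(i):
        if i + 1 >= len(text) or text[i] != '(':
            raise ValueError('expected "(" at offset %d in %r' % (i, text))
        op = text[i + 1]
        if op in '&|':
            children, i = [], i + 2
            while i < len(text) and text[i] == '(':
                child, i = node_at(i)
                children.append(child)
            return (op, children), close(i)
        if op == '!':
            child, i = node_at(i + 2)
            return ('!', child), close(i)
        end = text.find(')', i)
        if end < 0 or '=' not in text[i + 1:end]:
            raise ValueError('malformed item at offset %d in %r' % (i, text))
        attr, value = text[i + 1:end].split('=', 1)
        return ('=', attr.strip().lower(), value.strip().lower()), end + 1

    node, end = node_at(0)
    if end != len(text):
        raise ValueError('trailing data %r in filter' % text[end:])
    return node


def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    kind = node[0]
    if kind == '&':
        return all(matches(child, entry) for child in node[1])
    if kind == '|':
        return any(matches(child, entry) for child in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == '*' else value in values


def aci_targets_entry(aci, entry):
    """True when the ACI's targetfilter selects the entry (or there is none).
    target (DN scope) and targetattr are parsed but not applied here."""
    clause = aci['targets'].get('targetfilter')
    if clause is None:
        return True
    operator, flt = clause
    entry = {k.lower(): v for k, v in entry.items()}
    hit = matches(parse_filter(flt), entry)
    return hit if operator == '=' else not hit


if __name__ == '__main__':
    aci = parse_aci(ACI_ADD_USERS)
    print(aci['name'], aci['effect'], aci['rights'], aci['targets'])
    for label, entry in (('nscontainer', NSCONTAINER_ENTRY), ('posixaccount', USER_ENTRY)):
        print('%s entry targeted by the ACI: %s' % (label, aci_targets_entry(aci, entry)))
```

Run as a script it reports that the nscontainer entry is not targeted and the posixaccount entry is, which is what the ldapadd denial and the successful ipa user-add in the mail show; the same functions can be pointed at any ACI string taken from permission-show --raw output.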
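The attached ACI trace is dense, so here is an added example (not part of the mail, FreeIPA or 389-ds) that reads NSACLPlugin trace lines of this shape and summarises, per evaluated ACI, the verdict the server logged, whether the nested group lookup stopped at the "Looked at too many entries" limit and came back UNDEFINED, and the final Allow/Deny line. SAMPLE_LOG is a shortened copy of the attachment (repeated root-access lines and most membership lines dropped); the regular expressions are an assumption derived only from that attachment.

```python
"""Summarise a 389-ds NSACLPlugin ACI trace such as the attached log.

Added example for this page, not code from FreeIPA or 389-ds.  The regular
expressions are an assumption derived only from the attached log.
"""
import re

# Shortened copy of the attached log: repeated root-access lines and most
# membership lines dropped, one trace line per element.
SAMPLE_LOG = [
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Processed attr:krbPrincipalKey for entry:uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(272) " "permission:System: Change User password""',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- In cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=System: Change User password,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 2. Evaluating ALLOW aci(42) " "selfservice:Self can write own password""',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 3. Evaluating ALLOW aci(273) " "permission:System: Change User password""',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_DONT_KNOW',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - 4. Evaluating ALLOW aci(43) " "Admins can write passwords""',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - -- Not in cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - Evaluated ACL_FALSE',
    '[06/Jun/2014:11:17:18 +0200] NSACLPlugin - conn=87 op=4 (main): Deny write on entry(uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test).attr(krbPrincipalKey) to uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test: no aci matched the subject by aci(43): aciname= "Admins can write passwords", acidn="dc=mkosek-fedora20,dc=test"',
]

PROCESSED_RE = re.compile(r'Processed attr:(\w+) for entry:(.*)$')
EVAL_RE = re.compile(r'NSACLPlugin - (\d+)\. Evaluating (ALLOW|DENY) aci\((\d+)\) " "(.*)""$')
MEMBER_RE = re.compile(r'NSACLPlugin - -- (In|Not in) (.*)$')
TRUNC_RE = re.compile(r'GroupEval:Looked at too many entries:\((\d+), (\d+)\)')
UNDEF_RE = re.compile(r'Returning UNDEFINED for (\w+) evaluation')
RESULT_RE = re.compile(r'NSACLPlugin - Evaluated (ACL_[A-Z_]+)$')
DECISION_RE = re.compile(
    r'conn=(\d+) op=(\d+) \(main\): (Allow|Deny) (\w+) on entry\(([^)]*)\)'
    r'(?:\.attr\((\w+)\))?(?: to ([^:]*))?: (.*)$')


def analyze(lines):
    """One pass over the trace: target attr/entry, per-ACI verdicts, decision."""
    report = {'target': None, 'evaluations': [], 'decision': None}
    cur = None
    for line in lines:
        m = PROCESSED_RE.search(line)
        if m:
            report['target'] = (m.group(1), m.group(2))
            continue
        m = EVAL_RE.search(line)
        if m:  # a new ACI is being evaluated; everything up to the next one is its detail
            cur = {'order': int(m.group(1)), 'type': m.group(2), 'aci': int(m.group(3)),
                   'name': m.group(4), 'memberships': [], 'group_eval_truncated': False,
                   'result': None, 'returned_undefined': False}
            report['evaluations'].append(cur)
            continue
        m = DECISION_RE.search(line)
        if m:
            keys = ('conn', 'op', 'verdict', 'right', 'entry', 'attr', 'subject', 'reason')
            report['decision'] = dict(zip(keys, m.groups()))
            cur = None
        elif cur is None:
            continue
        elif MEMBER_RE.search(line):
            m = MEMBER_RE.search(line)
            cur['memberships'].append((m.group(1) == 'In', m.group(2)))
        elif TRUNC_RE.search(line):
            cur['group_eval_truncated'] = True
        elif UNDEF_RE.search(line):
            cur['returned_undefined'] = True
        elif RESULT_RE.search(line):
            cur['result'] = RESULT_RE.search(line).group(1)
    return report


def undefined_acis(report):
    """ACIs whose bind rule ended UNDEFINED instead of a definite yes/no."""
    return [ev['aci'] for ev in report['evaluations'] if ev['returned_undefined']]


def findings(report):
    """Review notes a defender would want from the trace."""
    notes = []
    for ev in report['evaluations']:
        label = 'aci(%d) "%s"' % (ev['aci'], ev['name'])
        if ev['group_eval_truncated']:
            notes.append('%s: nested group lookup stopped early (GroupEval limit); '
                         'logged %s' % (label, ev['result']))
        elif ev['result'] is None:
            notes.append('%s: no verdict logged' % label)
    d = report['decision']
    if d:
        note = 'Final %s of %s on %s' % (d['verdict'], d['right'], d['entry'])
        if d['attr']:
            note += ' attr %s' % d['attr']
        if d['verdict'] == 'Deny' and undefined_acis(report):
            note += (' follows UNDEFINED group evaluation of aci %s; verify the '
                     'membership chain before treating the deny as authoritative'
                     % undefined_acis(report))
        notes.append(note)
    return notes


if __name__ == '__main__':
    for note in findings(analyze(SAMPLE_LOG)):
        print(note)
```

On the sample it flags aci(272) and aci(273) (the two copies of 'System: Change User password') as having ended UNDEFINED after the group walk stopped at the limit, reports no verdict for the self-service ACI, and marks the final deny as resting on those undefined evaluations rather than on a definite "not a member". That is the shape of the problem described under item 3: the membership chain role -> privilege -> permission is visible in the log, but the server never reached a definite answer for it. To use it on a real file, pass `open(path)` to `analyze` instead of SAMPLE_LOG.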