[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

Nathaniel McCallum npmccallum at redhat.com
Thu Oct 9 16:53:34 UTC 2014


On Thu, 2014-10-09 at 18:38 +0200, Ludwig Krispenz wrote:
> On 10/09/2014 06:32 PM, thierry bordaz wrote:
> > On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
> >> On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
> >>> On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
> >>>
> >>>> The background of this email is this bug:
> >>>> https://fedorahosted.org/freeipa/ticket/4456
> >>>>
> >>>> Attached are two patches which solve this issue for admin users (not
> >>>> very helpful, I know). They depend on this fix in 389:
> >>>> https://fedorahosted.org/389/ticket/47920
> >>>>
> >>>> There are two outstanding issues:
> >>>>
> >>>> 1. 389 does not send the post read control for normal users. The
> >>>> operation itself succeeds, but no control is sent.
> >>>>
> >>>> The relevant sections from the log are attached. 389 is denying access
> >>>> to the following attributes (* = valid, ! = invalid):
> >>>> ! objectClass
> >>>> ! ipatokenOTPalgorithm
> >>>> ! ipatokenOTPdigits
> >>>> * ipatokenOTPkey
> >>>> * ipatokenHOTPcounter
> >>>> ! ipatokenOwner
> >>>> ! managedBy
> >>>> ! ipatokenUniqueID
> >>> Hello Nathaniel,
> >>>
> >>>          The post read control needs access to the modified entry to
> >>>          return it.
> >>>          This access is granted on the condition that the binddn can
> >>>          access the attributes.
> >> Agreed and understood.
> >>
> >>>          My understanding is that the target entry is
> >>> ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com 
> >>> and the binddn "uid=otp,cn=users,cn=accounts,dc=example,dc=com".
> >> Correct.
> >>
> >>>          The only ACI I found that matches this target is:
> >>>          aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
> >> Correct.
> >>
> >>>          Do you know if the target entry has 'ipatokenOwner' or
> >>>          'managedBy' with the binddn value ?
> >> Yes, both. So why is access to objectClass (et cetera) being denied?
> > Good question...
> +1
> Could you post the full ACI logging, not only the summary for the access
> to the attributes?

Attached.
-------------- next part --------------
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=anonymous-limits,cn=etc,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-lockout-plugin - preop returning 0: success
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - Attempting OTP authentication for 'uid=otp,cn=users,cn=accounts,dc=example,dc=com'.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "dc=example,dc=com" for "(&(|(objectClass=ipaTokenTOTP)(objectClass=ipaTokenHOTP))(ipatokenOwner=uid=otp,cn=users,cn=accounts,dc=example,dc=com)(|(ipatokenNotBefore<=20141008205439Z)(!(ipatokenNotBefore=*)))(|(ipatokenNotAfter>=20141008205439Z)(!(ipatokenNotAfter=*)))(|(ipatokenDisabled=FALSE)(!(ipatokenDisabled=*))))" with scope 2 (sub)
[08/Oct/2014:16:54:39 -0400] ipa-pwd-extop - kerberos key already present in user entry: uid=otp,cn=users,cn=accounts,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=anonymous-limits,cn=etc,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] - cos_cache_vattr_get: failed to get class of service reference
[08/Oct/2014:16:54:39 -0400] ipa-range-check - Not an ID range object, nothing to do.
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NSUniqueAttr - ADD target=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - #### conn=24 op=1 binddn="uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Allow add on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(NULL) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: allowed by aci(38): aciname= "Users can create self-managed tokens", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD target=ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: write change record 11118 for dn: "ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: add targetUniqueId: "32102902-4f2d11e4-a8c0ee17-25642a64"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD target=changenumber=11118,cn=changelog
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added "changenumber=11118,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11118,cn=changelog" does not belong in "ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in ("changenumber=11118,cn=changelog") ("" in list "cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] references for "changenumber=11118,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to "changenumber=11118,cn=changelog" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=example,dc=com" for "(member=changenumber=11118,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=users,cn=accounts,dc=example,dc=com" for "(member=changenumber=11118,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - no more references to chase (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("changenumber=11118,cn=changelog") ("" in list "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("changenumber=11118,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added "ipaTokenUniqueID=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" does not belong in "ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] references for "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=example,dc=com" for "(member=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=users,cn=accounts,dc=example,dc=com" for "(member=ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com)" with scope 1
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - no more references to chase (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com" for "objectclass=*" with scope 1 (one)
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:39 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:39 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - #### conn=24 op=1 binddn="uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - MODIFY begin
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(objectClass) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "uid=otp,cn=users,cn=accounts,dc=example,dc=com" for "(|(objectclass=*)(objectclass=ldapsubentry))" with scope 0 (base)
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPalgorithm) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: write change record 11119 for dn: "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] DSRetroclPlugin - write_replog_db: add targetUniqueId: "a93a1d8f-3dc411e4-aaddee17-25642a64"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPdigits) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD begin
[08/Oct/2014:16:54:39 -0400] NS7bitAttr - ADD target=changenumber=11119,cn=changelog
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOTPkey) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenHOTPcounter) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - added "changenumber=11119,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=computers"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=groups"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=ng"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "cn=compat,dc=example,dc=com"/"cn=users"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - entry "changenumber=11119,cn=changelog" does not belong in "ou=sudoers,dc=example,dc=com"/""
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in ("changenumber=11119,cn=changelog") ("" in list "cn,gidNumber,member,uid,memberUid" or list empty)
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - updating deref_r[0] references for "changenumber=11119,cn=changelog"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching for references to "changenumber=11119,cn=changelog" (link=1, attributes="","member")
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=example,dc=com" for "(member=changenumber=11119,cn=changelog)" with scope 1
[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenOwner) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:39 -0400] schema-compat-plugin - searching from "cn=users,cn=accounts,dc=example,dc=com" for "(member=changenumber=11119,cn=changelog)" with scope 1
[08/Oct/2014:16:54:40 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no more references to chase (link=1, attributes="","member")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("changenumber=11119,cn=changelog") ("" in list "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("changenumber=11119,cn=changelog") ("" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] NSACLPlugin - conn=24 op=1 (main): Deny read on entry(ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com).attr(ipatokenUniqueID) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - modified "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "cn=compat,dc=example,dc=com"/"cn=computers", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "cn=compat,dc=example,dc=com"/"cn=groups", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "cn=compat,dc=example,dc=com"/"cn=ng", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting changes for "cn=compat,dc=example,dc=com"/"cn=users" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") (replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn not in uid,cn,gidNumber,uidNumber,loginShell,homeDirectory)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - "uid=otp,cn=users,cn=accounts,dc=example,dc=com" not in "ou=sudoers,dc=example,dc=com"/"", before or after modify
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,member,uid,memberUid")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=computers" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=groups" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,member,uid,memberUid")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "cn=compat,dc=example,dc=com"/"cn=ng" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=example,dc=com"/"cn=users" made in "uid=otp,cn=users,cn=accounts,dc=example,dc=com" ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" not in "uid,cn,gidNumber,uidNumber,loginShell,homeDirectory")
[08/Oct/2014:16:54:40 -0400] schema-compat-plugin - reference-based changes for "ou=sudoers,dc=example,dc=com"/"" made in ("uid=otp,cn=users,cn=accounts,dc=example,dc=com") ("replace:krbLastSuccessfulAuth,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_post_op
[08/Oct/2014:16:54:40 -0400] roles-plugin - --> roles_cache_change_notify
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_cache_change_notify: not a role entry
[08/Oct/2014:16:54:40 -0400] roles-plugin - <-- roles_post_op
[08/Oct/2014:16:54:40 -0400] ipa-lockout-plugin - postop returning 0: success
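The attached log shows the ADD itself being allowed by "Users can create self-managed tokens" and then, during the post-read phase of the same operation, every attribute being denied with "no aci matched the subject". A quick way to see which of those denials are unexpected is to evaluate the one ACI quoted above against the token entry and the bind DN, and diff the result against the NSACLPlugin lines. The following is an added example, not FreeIPA or 389-ds code; it models only what that ACI uses (a plain objectClass targetfilter, a targetattrs list, and userattr "X#USERDN" read as "the bind DN is a value of the entry's attribute X"), the token entry is constructed to match what the thread states (ipatokenOwner and managedBy both set to the bind DN), and the log lines are copied from the attachment above, templated to save space.

```python
import re

# Added example, not FreeIPA or 389-ds code. It models the single ACI quoted
# in the thread and checks it against the per-attribute decisions in the
# attached NSACLPlugin log. Assumptions: targetfilter is a plain
# (objectClass=X) equality, and userattr "X#USERDN" means "the bind DN is a
# value of the entry's attribute X", with DNs compared case-insensitively.

TOKEN_DN = "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
BIND_DN = "uid=otp,cn=users,cn=accounts,dc=example,dc=com"

# The ACI as quoted in the thread, with its wrapped lines re-joined.
ACI = (
    '(targetfilter = "(objectClass=ipaToken)")'
    '(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID'
    ' || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor'
    ' || ipatokenModel || ipatokenSerial || ipatokenOwner")'
    '(version 3.0; acl "Users/managers can read basic token info";'
    ' allow (read, search, compare) userattr = "ipatokenOwner#USERDN"'
    ' or userattr = "managedBy#USERDN";)'
)

# Constructed token entry: owner and managedBy both point at the bind DN, as
# the thread states. Values other than the DNs are placeholders.
TOKEN_ENTRY = {
    "objectClass": ["ipaToken", "ipaTokenTOTP"],
    "ipatokenUniqueID": ["52001946-4f2d-11e4-9127-7831c1d63a78"],
    "ipatokenOwner": [BIND_DN],
    "managedBy": [BIND_DN],
    "ipatokenOTPalgorithm": ["sha1"],
    "ipatokenOTPdigits": ["6"],
    "ipatokenOTPkey": ["<secret>"],
    "ipatokenHOTPcounter": ["0"],
}

def parse_aci(aci):
    """Extract the parts of a 389 ACI that this model evaluates."""
    oc = re.search(r'targetfilter\s*=\s*"\(objectClass=([^)]+)\)"', aci, re.I).group(1)
    attrs = re.search(r'targetattrs\s*=\s*"([^"]+)"', aci, re.I).group(1)
    rights = re.search(r'allow\s*\(([^)]+)\)', aci, re.I).group(1)
    userattrs = re.findall(r'userattr\s*=\s*"([^#"]+)#USERDN"', aci, re.I)
    return {
        "objectclass": oc.lower(),
        "targetattrs": {a.strip().lower() for a in attrs.split("||")},
        "rights": {r.strip().lower() for r in rights.split(",")},
        "userattrs": [u.lower() for u in userattrs],
    }

def _norm_dn(dn):
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def aci_allows_read(aci, entry, bind_dn, attr):
    """True if this one ACI grants bind_dn read access to attr on entry."""
    rule = parse_aci(aci)
    ent = {k.lower(): v for k, v in entry.items()}
    if "read" not in rule["rights"]:
        return False
    if rule["objectclass"] not in {v.lower() for v in ent.get("objectclass", [])}:
        return False
    if attr.lower() not in rule["targetattrs"]:
        return False
    # userattr X#USERDN bind rule: bind DN must be a value of entry attribute X
    me = _norm_dn(bind_dn)
    return any(me in {_norm_dn(v) for v in ent.get(ua, [])} for ua in rule["userattrs"])

LOG_RE = re.compile(r"NSACLPlugin - conn=\d+ op=\d+ \(main\): (Allow|Deny) (\w+) "
                    r"on entry\(([^)]+)\)\.attr\((\w+)\) to (\S+):")

def decisions_from_log(lines):
    """Map attribute -> 'Allow'/'Deny' for the read decisions in the log."""
    out = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "read":
            out[m.group(4)] = m.group(1)
    return out

def discrepancies(aci, entry, bind_dn, log_lines):
    """Attributes where the logged decision disagrees with what the ACI grants."""
    verdict = {}
    for attr, got in decisions_from_log(log_lines).items():
        want = "Allow" if aci_allows_read(aci, entry, bind_dn, attr) else "Deny"
        if want != got:
            verdict[attr] = (want, got)
    return verdict

# Lines copied from the attached log (templated here to save space).
_PFX = "[08/Oct/2014:16:54:39 -0400] NSACLPlugin - conn=24 op=1 (main): "
_DENY = (_PFX + "Deny read on entry(%s).attr(%s) to %s: no aci matched the subject"
         ' by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"')
SAMPLE_LOG = [_PFX + ("Allow add on entry(%s).attr(NULL) to %s: allowed by aci(38):"
              ' aciname= "Users can create self-managed tokens", acidn="dc=example,dc=com"'
              % (TOKEN_DN, BIND_DN))]
SAMPLE_LOG += [_DENY % (TOKEN_DN, a, BIND_DN) for a in (
    "objectClass", "ipatokenOTPalgorithm", "ipatokenOTPdigits", "ipatokenOTPkey",
    "ipatokenHOTPcounter", "ipatokenOwner", "managedBy", "ipatokenUniqueID")]

if __name__ == "__main__":
    for attr, (want, got) in discrepancies(ACI, TOKEN_ENTRY, BIND_DN, SAMPLE_LOG).items():
        print("%-22s ACI says %-5s log says %s" % (attr, want, got))
```

Run as written, the model reports objectClass, ipatokenOwner, managedBy and ipatokenUniqueID as attributes the quoted ACI grants but the server denied, which is exactly the set of "!" entries in the thread that this ACI can account for. It says nothing about ipatokenOTPalgorithm and ipatokenOTPdigits, since they are not in this ACI's targetattrs; explaining those two "!" marks would need another ACI the thread does not quote. The denials for ipatokenOTPkey and ipatokenHOTPcounter are expected under this rule, matching the "*" marks.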