From taraksinha09 at gmail.com Sun Jan 1 15:29:37 2017
From: taraksinha09 at gmail.com (tarak sinha)
Date: Sun, 1 Jan 2017 20:59:37 +0530
Subject: [Freeipa-users] IPA Client not able to remove
Message-ID:
Hi FreeIPA Team,
I am not able to remove the IPA client host entry from Web UI and command
line as well. While trying to add it's showing "Host is already exist".
Please give me some suggestion to get rid of this issue.
#ipa host-del xxx.example.com --updatedns
ipa: ERROR: xxx.example.com: host not found
#ipa host-show xxx.example.com
ipa: ERROR: xxx.example.com: host not found
Thanks,
Tarak Nath Sinha
Mobile: +91 8197522750
From rcritten at redhat.com Mon Jan 2 01:58:30 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 1 Jan 2017 20:58:30 -0500
Subject: [Freeipa-users] IPA Client not able to remove
In-Reply-To:
References:
Message-ID: <5869B3C6.3070701@redhat.com>
tarak sinha wrote:
> Hi FreeIPA Team,
>
> I am not able to remove the IPA client host entry from Web UI and
> command line as well. While trying to add it's showing "Host is already
> exist". Please give me some suggestion to get rid of this issue.
>
> #ipa host-del xxx.example.com --updatedns
> ipa: ERROR: xxx.example.com : host not found
>
> #ipa host-show xxx.example.com
> ipa: ERROR: xxx.example.com : host not found
It sounds like it is a replication conflict entry. You can confirm by
doing something like 'ipa host-find xxx.example.com --all' and look at
the DN. If it has nsuniqueid in the DN then it is a conflict entry. See
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
but given you want to remove it you can do so via ldapdelete.
rob
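A small script, added here as an example and not part of FreeIPA, that applies the check above to saved ldapsearch LDIF output: it flags entries whose DN starts with an nsuniqueid=<id>+<rdn> RDN (the form 389-ds gives replication conflict entries, which also carry an nsds5ReplConflict attribute) and reports the original DN they collided with. The LDIF below is constructed; the ldapdelete command it suggests is the cleanup Rob refers to and is only printed, not run.

```python
"""Find 389-ds replication conflict entries in LDIF text."""
import re

# A conflict entry's DN starts with a multi-valued RDN: nsuniqueid=<uuid>+<original rdn>
CONFLICT_RDN = re.compile(r"^nsuniqueid=([0-9a-fA-F-]+)\+(.+?),(.*)$")

# Constructed sample: one normal host entry and one conflict entry for the same host.
SAMPLE = """\
dn: fqdn=good.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: good.example.com
objectClass: ipahost

dn: nsuniqueid=1a2b3c4d-5e6f11e6-8d9ea1b2-c3d4e5f6+fqdn=xxx.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: xxx.example.com
nsds5ReplConflict: namingConflict fqdn=xxx.example.com,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr: [values]} dicts.
    Handles folded continuation lines (leading space); base64 values ('::')
    are kept as their raw base64 text."""
    entries, current, prev_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev_key is not None:
            current[prev_key][-1] += raw[1:]       # folded continuation line
            continue
        line = raw.rstrip()
        if line.startswith("#"):
            continue                                # ldapsearch comment
        if not line:                                # blank line ends an entry
            if current:
                entries.append(current)
                current, prev_key = {}, None
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.lstrip(":").strip())
        prev_key = key
    if current:
        entries.append(current)
    return entries


def find_conflicts(text):
    """Return one dict per conflict entry: its DN, the nsuniqueid, the DN it
    collided with, and the nsds5ReplConflict value if present."""
    found = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        m = CONFLICT_RDN.match(dn)
        if not m:
            continue
        uniqueid, rdn, parent = m.groups()
        found.append({
            "dn": dn,
            "nsuniqueid": uniqueid,
            "original_dn": f"{rdn},{parent}",
            "nsds5replconflict": entry.get("nsds5replconflict", [None])[0],
        })
    return found


def cleanup_commands(conflicts):
    """Suggested ldapdelete invocations (printed for review, never executed here)."""
    return [f'ldapdelete -D "cn=Directory Manager" -W "{c["dn"]}"' for c in conflicts]


if __name__ == "__main__":
    hits = find_conflicts(SAMPLE)
    for h in hits:
        print(f"conflict entry {h['dn']}\n  collides with {h['original_dn']}")
    print("\n".join(cleanup_commands(hits)))
```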
From rcritten at redhat.com Mon Jan 2 02:16:29 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 1 Jan 2017 21:16:29 -0500
Subject: [Freeipa-users] Ipa cert automatic renew Failing.
In-Reply-To:
References:
<689e233d-1c18-eae0-2841-3a5374f7b205@redhat.com>
Message-ID: <5869B7FD.90403@redhat.com>
Lucas Diedrich wrote:
> OK!, i got it, i just executed the second script:
>
> "sudo /usr/libexec/ipa/certmonger/renew_ra_cert "subsystemCert
> cert-pki-ca"", and fixed that problem, there is another script called
> renew_ra_cert_pre, should i run this too?
No, it should be run BEFORE renew_ra_cert, but since that has executed
successfully there is no point.
rob
>
> Thanks.
>
> On Mon, 26 Dec 2016 at 17:26, Lucas Diedrich wrote:
>
> Florence, at first i thought the problem was fixed, but it wasn't
> completely.
>
> So now, i'm at the CA Master, and when i try to see some
> certificates it prompts me this "[root@ipa2 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION
> (Invalid Credential.)
> "
> The same thing shows over the Web Interface, i searched a little bit
> and found that probably it didn't update the *ipara* user, but
> can't confirm that, any suggestions?
>
> Thanks,
>
> On Thu, 22 Dec 2016 at 11:13, Florence Blanc-Renaud wrote:
>
>
> On 12/22/2016 01:15 PM, Lucas Diedrich wrote:
> > Florence, for some creepy reason the cert from pkidbuser is different
> > from subsystem certs, and this pkidbuser is outdated now, but i can't
> > manage one way to re-issue it. I had to change the CA server because of
> > that, and the Selinux in the old CA Server was disabled, on the new one
> > is in Permissive mode but doesn't show a warning in
> > /var/log/audit/audit.log.
> >
> > This is the pkidbuser cert: https://paste.fedoraproject.org/511023/24084431/
> > This is the subsystem cert: https://paste.fedoraproject.org/511025/14824085/
> > The ca.subsystem.cert matches the pkidbuser cert.
> >
> > lucasdiedrich.
> >
> Hi,
>
> you can try to manually call the post-save command that certmonger
> should have issued after putting the certificate in
> /etc/pki/pki-tomcat/alias:
> on the renewal master:
> $ sudo /usr/libexec/ipa/certmonger/stop_pkicad
> $ sudo /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
> cert-pki-ca"
>
> Then check the journal log that should display the following if
> everything goes well:
> $ sudo journalctl --since today | grep renew_ca_cert
> [...] renew_ca_cert[6478]: Updating entry
> uid=CA-ipaserver.domain.com-8443,ou=people,o=ipaca
> [...] renew_ca_cert[6478]: Updating entry
> uid=pkidbuser,ou=people,o=ipaca
> [...] renew_ca_cert[6478]: Starting pki_tomcatd
> [...] renew_ca_cert[6478]: Started pki_tomcatd
>
> If the operation does not succeed, you will have to check the LDAP
> server logs in /etc/dirsrv/slapd-DOMAIN/access.
>
> HTH,
> Flo.
>
> > On Thu, 22 Dec 2016 at 06:54, Florence Blanc-Renaud wrote:
> >
> > On 12/21/2016 07:52 PM, Lucas Diedrich wrote:
> > > Hello guys,
> > >
> > > I'm having some trouble, what is happening with my server is that
> > > i'm hitting an old BUG
> > > (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti
> > > over irc he oriented me to send this to the email list.
> > >
> > > The problem is, i got on CA Master, so because of this problem the CA
> > > Master certificates couldn't be renewed, so now i promoted another master
> > > to be the CA. And the problem still persists.
> > >
> > > This is the certs from my new CA
> > > (https://paste.fedoraproject.org/510617/14823448/),
> > > this is the certs from my old CA
> > > (https://paste.fedoraproject.org/510618/44871148/)
> > > This is the log when i restart pki-tomcat ("CA port 636 Error
> > > netscape.ldap.LDAPException: Authentication failed (49)")
> > > This is the log from dirsrv when i restart pki-tomcat
> > > (https://paste.fedoraproject.org/510614/23446801/)
> > >
> > > Basically my CA is not working anymore...
> > >
> > > Anyway, i tried lots of things but couldn't fix this, anyone has
> > > some idea?
> > >
> > Hi,
> >
> > Pki-tomcat is using the LDAP server as a data store, meaning that it
> > needs to authenticate to LDAP. In order to do that, pki-tomcat is using
> > the certificate 'subsystemCert cert-pki-ca' stored in
> > /etc/pki/pki-tomcat/alias. For the authentication to succeed, the
> > certificate must be stored in a user entry
> > (uid=pkidbuser,ou=people,o=ipaca).
> >
> > Can you check the content of this entry, especially the usercertificate
> > attribute? It should match the certificate used by pki-tomcat:
> >
> > $ certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
> > -----BEGIN CERTIFICATE-----
> > [...]
> > -----END CERTIFICATE-----
> >
> > $ kinit admin
> > $ ldapsearch -Y GSSAPI -h `hostname` -p 389 -b
> > uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
> > dn: uid=pkidbuser,ou=people,o=ipaca
> > usercertificate::
> >
> > The file /etc/pki/pki-tomcat/ca/CS.cfg should also contain this
> > certificate in the directive ca.subsystem.cert.
> >
> > A possible cause for the entries not being updated is the bug 1366915
> > [1] linked to SE linux on RHEL7, or bug 1365188 [2] linked to SE linux
> > on Fedora 24.
> >
> > Flo
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1366915
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1365188
> >
>
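The check Florence describes in the quoted reply, comparing the subsystem certificate in the NSS database, in uid=pkidbuser,ou=people,o=ipaca and in CS.cfg, as an added example that is not FreeIPA or Dogtag code. It reads the three formats as they appear on the page (certutil -a PEM output, an LDIF usercertificate:: value with folded lines, and the ca.subsystem.cert= line) and compares SHA-256 fingerprints of the DER; the FAKE_DER_* bytes are constructed placeholders, not real certificates.

```python
"""Compare the PKI subsystem certificate across NSS db, LDAP and CS.cfg."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem_text):
    """DER bytes of the first PEM block (certutil -L ... -a output)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_ldif(ldif_text, attr="usercertificate"):
    """DER bytes of the first base64 ('::') value of attr, unfolding LDIF
    continuation lines (lines that start with a single space)."""
    chunks, capturing = [], False
    for line in ldif_text.splitlines():
        if capturing:
            if line.startswith(" "):
                chunks.append(line[1:])
                continue
            break
        if line.lower().startswith(attr + "::"):
            chunks.append(line.split("::", 1)[1].strip())
            capturing = True
    if not chunks:
        raise ValueError(f"{attr} not found in LDIF")
    return base64.b64decode("".join(chunks))


def der_from_cs_cfg(cfg_text, key="ca.subsystem.cert"):
    """DER bytes stored as a single base64 line under key= in CS.cfg."""
    for line in cfg_text.splitlines():
        if line.startswith(key + "="):
            return base64.b64decode(line.split("=", 1)[1].strip())
    raise ValueError(f"{key} not found in CS.cfg")


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def compare(pem_text, ldif_text, cfg_text):
    """Fingerprint all three copies; all_match is True only if they agree."""
    fps = {
        "nssdb": fingerprint(der_from_pem(pem_text)),
        "ldap": fingerprint(der_from_ldif(ldif_text)),
        "cs_cfg": fingerprint(der_from_cs_cfg(cfg_text)),
    }
    match = len(set(fps.values())) == 1
    fps["all_match"] = match
    return fps


# --- constructed sample data (placeholder bytes, not real certificates) ---
FAKE_DER_NEW = b"\x30\x82\x00\x10constructed placeholder DER (new subsystem cert)"
FAKE_DER_OLD = b"\x30\x82\x00\x10constructed placeholder DER (old subsystem cert)"


def pem(der):
    """Render DER as PEM the way certutil -a prints it (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def ldif(der):
    """Render the pkidbuser entry with a folded usercertificate:: value."""
    b64 = base64.b64encode(der).decode()
    first, rest = b64[:40], b64[40:]
    folded = "".join("\n " + rest[i:i + 60] for i in range(0, len(rest), 60))
    return "dn: uid=pkidbuser,ou=people,o=ipaca\nusercertificate:: " + first + folded + "\n"


def cs_cfg(der):
    return "ca.subsystem.cert=" + base64.b64encode(der).decode() + "\n"


if __name__ == "__main__":
    # Mismatch case: LDAP still holds the old certificate (the thread's symptom).
    print(compare(pem(FAKE_DER_NEW), ldif(FAKE_DER_OLD), cs_cfg(FAKE_DER_NEW)))
```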
From jhrozek at redhat.com Mon Jan 2 08:26:57 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 2 Jan 2017 09:26:57 +0100
Subject: [Freeipa-users] Any good CLI methods for testing connectivity
from IPA replica to remote AD servers?
In-Reply-To: <5863C3A9.6030703@sonsorol.org>
References: <5863C3A9.6030703@sonsorol.org>
Message-ID: <20170102082657.n4tulqmnlwr35pht@hendrix>
On Wed, Dec 28, 2016 at 08:52:41AM -0500, Chris Dagdigian wrote:
>
> Hi folks,
>
> I may have network blocks between one of my IPA replicas and the *many*
> remote AD servers that need to be queried but I can only see evidence of
> this in the authentication failures and the debug level logging.
>
> Not sure how to test from the command line to verify connectivity or narrow
> down which ports may be getting blocked.
>
> Are there any common CLI techniques, ldaps:// search queries or other
> commands that could be run from an IPA replica to confirm basic
> communication with a remote AD controller?
1) kinit with the trust keytab. The exact principals depend on your IPA
and Windows realm names, in my test setup it is:
# ls /var/lib/sss/keytabs/
win.trust.test.keytab
#kinit -kt /var/lib/sss/keytabs/win.trust.test.keytab 'IPA$@WIN.TRUST.TEST'
(the principal is taken from the keytab, see klist -k
/var/lib/sss/keytabs/win.trust.test.keytab)
2) search the DC
#ldapsearch -Y GSSAPI -H ldap://dc.win.trust.test -b dc=win,dc=trust,dc=test -s base
btw at the moment it is not possible to set custom DCs to talk to. This
feature will come in the next version (sssd-1-15).
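The two steps above wrapped in a script that runs them against each DC and reports which step failed, as an added example that is not part of sssd or FreeIPA. The keytab path and the principal form follow the reply; the IPA NetBIOS name (the part before the "$") and the DC list are assumptions you supply, and the real kinit/ldapsearch binaries must be present on the replica.

```python
"""Check IPA-to-AD trust connectivity: kinit with the trust keytab, then a
GSSAPI base search of the AD domain on each DC."""
import subprocess


def base_dn(domain):
    """win.trust.test -> dc=win,dc=trust,dc=test"""
    return ",".join("dc=" + part for part in domain.lower().split("."))


def trust_keytab(ad_domain, keytab_dir="/var/lib/sss/keytabs"):
    """Keytab sssd keeps for the trusted domain, as in the reply."""
    return f"{keytab_dir}/{ad_domain.lower()}.keytab"


def trust_principal(ipa_netbios, ad_domain):
    """Principal stored in the trust keytab: <IPA NetBIOS name>$@<AD REALM>
    (assumed form; confirm with `klist -k <keytab>`)."""
    return f"{ipa_netbios.upper()}$@{ad_domain.upper()}"


def run(argv, timeout=20):
    """Run a command; return (rc, stdout, stderr), mapping a missing binary
    to 127 and a timeout to 124 so a blocked port shows up as a timeout."""
    try:
        p = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError as e:
        return 127, "", str(e)
    except subprocess.TimeoutExpired:
        return 124, "", f"timed out after {timeout}s: {' '.join(argv)}"
    return p.returncode, p.stdout, p.stderr


def check_dc(dc_host, ad_domain, ipa_netbios):
    """Return which step failed ('kinit', 'ldapsearch' or None) plus detail."""
    rc, _, err = run(["kinit", "-kt", trust_keytab(ad_domain),
                      trust_principal(ipa_netbios, ad_domain)])
    if rc != 0:
        return {"dc": dc_host, "failed_at": "kinit", "rc": rc, "detail": err.strip()}
    rc, out, err = run(["ldapsearch", "-Y", "GSSAPI", "-H", f"ldap://{dc_host}",
                        "-b", base_dn(ad_domain), "-s", "base"])
    if rc != 0:
        return {"dc": dc_host, "failed_at": "ldapsearch", "rc": rc, "detail": err.strip()}
    return {"dc": dc_host, "failed_at": None, "rc": 0, "detail": out.strip()}


if __name__ == "__main__":
    # Assumed values: replace with your AD domain, IPA NetBIOS name and DCs.
    AD_DOMAIN, IPA_NETBIOS = "win.trust.test", "IPA"
    for dc in ["dc.win.trust.test"]:
        result = check_dc(dc, AD_DOMAIN, IPA_NETBIOS)
        status = "OK" if result["failed_at"] is None else f"FAILED at {result['failed_at']} (rc={result['rc']})"
        print(f"{dc}: {status}\n  {result['detail'][:200]}")
```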
From jhrozek at redhat.com Mon Jan 2 08:28:59 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 2 Jan 2017 09:28:59 +0100
Subject: [Freeipa-users] Unable to sudo with just one user on only a few
servers
In-Reply-To: <204372224.4103019.1483170200550@mail.yahoo.com>
References: <204372224.4103019.1483170200550.ref@mail.yahoo.com>
<204372224.4103019.1483170200550@mail.yahoo.com>
Message-ID: <20170102082859.zdf27c4ubw3nnekw@hendrix>
On Sat, Dec 31, 2016 at 07:43:20AM +0000, pgb205 wrote:
> I have followed troubleshooting procedure outlined here: Troubleshooting - FreeIPA
>
> Additionally I have done contrast and compare with a working server for the following files:
> /etc/hosts, /etc/resolv.conf, /etc/sudo-ldap.conf, /etc/krb5.conf, /etc/sssd.conf, /etc/nsswitch.conf
> all are identical other than host specific information.
> In addition I have also enabled debug_level in sssd.conf in all stanzas, but noticed that sudo log is not being generated. I can however provide other logs.
> I have also enabled sudo_debug=2 in /etc/sudo-ldap.conf but not sure where to look for that log file.
> A and PTR records exist for problematic servers in FreeIPA DNS.
> As mentioned above the user-id can ssh just fine but not sudo for any command even though that id should be able to do ANY ANY.
> I have checked that the user-id is in the correct sudo groups that are applied for the host-groups for broken servers.
> To add to the oddity we somehow managed to fix the problem on several servers but as it was a lot of blind trial and error we are not sure what the corrective steps actually were.
> Please let me know what else I can/should take a look at. I can also provide logs if needed.
> thanks
If the sudo log is not being generated at all, then I would assume that
sudo is not talking to sssd at all. Did you check the sudo logs (the
logs of the sudo binary, not the sssd-sudo responder) already?
The howto is here:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
From flo at redhat.com Mon Jan 2 09:23:34 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Mon, 2 Jan 2017 10:23:34 +0100
Subject: [Freeipa-users] section 2.3.6. Installing Without a CA - then
how to update expired certificates in LDAP?
In-Reply-To: <0a7ca3db-c076-c3c1-ecc4-01c86e2eef8a@use.startmail.com>
References: <0a7ca3db-c076-c3c1-ecc4-01c86e2eef8a@use.startmail.com>
Message-ID: <9eb464de-ef7c-e290-81e1-9b52b04ddd2c@redhat.com>
On 12/24/2016 05:54 AM, Josh wrote:
> I discussed this problem once before and got partial answers but I would
> like to finally resolve it.
>
> Scenario:
>
> 1. Install IPA without a CA, according to section 2.3.6 as of now in
> latest RHEL7 Linux Domain Identity, Authentication and Policy Guide.
> 2. Install a client and note certificates it receives from IPA LDAP.
> 3. Near expiration term obtain a new set of certificates (server and
> intermediate), note that intermediate certificate common name has changed.
> 4. run "ipa-server-certinstall -d -w key cert" to update all
> certificates. command asks for directory manager password, I suppose it
> should update its contents but
> 5. Install another client and observe that it receives original
> certificates and no ipa command works.
> 6. ipa-certupdate, when run, pulls original set from LDAP as if nothing
> was updated.
>
> Workaround is to manually install new intermediate certificate on all
> systems /etc/ipa/nssdb by
> certutil -d /etc/ipa/nssdb/ -A -n "StartCom Class 1 DV Server CA -
> StartCom Ltd." -t C,, -i /tmp/1_Intermediate.crt
>
> In LDAP under cn=certificates,cn=ipa,cn=etc,dc=example,dc=org I still
> see previous version of intermediate certificate with a different common
> name:
> StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital
> Certificate Signing,O=StartCom Ltd.,C=IL
>
> Please help me replace it by any means.
>
> Best Regards,
> Josh.
>
Hi Josh,
As you write that "intermediate certificate common name has changed", I
assume that the intermediate CA providing the new server certificates is
different. In this case, the command ipa-cacert-manage install must be
run to install the new intermediate CA *before* ipa-server-certinstall
is run to install the new server certificates.
Please refer to Installing a CA Certificate Manually [1] or Using 3rd
part certificates for HTTP/LDAP [2]. Do not forget to run ipa-certupdate
on all the IPA servers/clients in order to install the new intermediate
CA cert.
HTH,
Flo.
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/manual-cert-install.html
[2] http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
From flo at redhat.com Mon Jan 2 09:45:04 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Mon, 2 Jan 2017 10:45:04 +0100
Subject: [Freeipa-users] Asking for help with crashed freeIPA istance
In-Reply-To:
References:
<729a8aed-4f22-ba26-3089-58c675bd64e0@redhat.com>
<585A9F46.7080207@redhat.com>
Message-ID: <3f60bab0-11c7-0fe5-b88c-07d77c7e191b@redhat.com>
On 12/31/2016 07:51 PM, Daniel Schimpfoessl wrote:
> Further attempts to fix the IPA server start has revealed that the ca
> admin getStatus is returning a server error (500).
>
> This has come up during restarts and ipa-server-upgrade.
>
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: request POST
> http://wwgwho01.webwim.com:8080/ca/admin/ca/getStatus
> ipa: DEBUG: request body ''
> ipa: DEBUG: response status 500
> ipa: DEBUG: response headers {'content-length': '2133',
> 'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection':
> 'close', 'date': 'Sat, 31 Dec 2016 18:44:55 GMT', 'content-type':
> 'text/html;charset=utf-8'}
> ipa: DEBUG: response body 'Apache Tomcat/7.0.69 - Error report
> HTTP Status 500 - Subsystem unavailable
> type Exception report
> message Subsystem unavailable
> description The server encountered an internal error that prevented it
> from fulfilling this request.
> exception javax.ws.rs.ServiceUnavailableException: Subsystem
> unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:745)\n
> note The full stack trace of the root cause is available in the Apache
> Tomcat/7.0.69 logs.
> Apache Tomcat/7.0.69'
> ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving
> CA status failed with status 500
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: request POST
> http://wwgwho01.webwim.com:8080/ca/admin/ca/getStatus
> ipa: DEBUG: request body ''
> ipa: DEBUG: response status 500
> ipa: DEBUG: response headers {'content-length': '2133',
> 'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection':
> 'close', 'date': 'Sat, 31 Dec 2016 18:44:56 GMT', 'content-type':
> 'text/html;charset=utf-8'}
> ipa: DEBUG: response body 'Apache Tomcat/7.0.69 - Error report
> HTTP Status 500 - Subsystem unavailable
> type Exception report
> message Subsystem unavailable
> description The server encountered an internal error that prevented it
> from fulfilling this request.
> exception javax.ws.rs.ServiceUnavailableException: Subsystem
> unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:745)\n
> note The full stack trace of the root cause is available in the Apache
> Tomcat/7.0.69 logs.
> Apache Tomcat/7.0.69'
> ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving
> CA status failed with status 500
> ipa: DEBUG: Waiting for CA to start...
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA
> server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
> return_value = self.run()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 48, in run
> raise admintool.ScriptError(str(e))
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
> ipa-server-upgrade command failed, exception: ScriptError: CA did not
> start in 300.0s
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: CA did
> not start in 300.0s
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
> information
>
>
> with following in the syslog
> Dec 31, 2016 12:48:51 PM org.apache.catalina.core.ContainerBase
> backgroundProcess
> WARNING: Exception processing realm
> com.netscape.cms.tomcat.ProxyRealm at 38406d47 background process
> javax.ws.rs .ServiceUnavailableException: Subsystem
> unavailable
> at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
> at
> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1357)
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1543)
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1521)
> at java.lang.Thread.run(Thread.java:745)
>
>
> On 2016-12-28 18:45 GMT-06:00, Daniel Schimpfoessl wrote:
>
> Rob/Florence,
>
> do you have any pointers on how to troubleshoot,
> reinstall/configure, update or fix the PKI server to function properly?
> Also if you know of any documentation or video that could be helpful.
> I researched the typical suspects youtube and freeipa.org
> without luck.
>
> Daniel
>
> On 2016-12-22 18:08 GMT-06:00, Daniel Schimpfoessl wrote:
>
> I do not believe I changed the DM password. I know I had to
> update the admin passwords regularly.
>
> Only during the startup using ipactl start --force I am able to
> connect to the service using the password for DM and it returns:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> #
> dn:
> objectClass: top
> namingContexts: cn=changelog
> namingContexts: dc=myorg,dc=com
> namingContexts: o=ipaca
> defaultnamingcontext: dc=myorg,dc=com
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: ANONYMOUS
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> vendorName: 389 Project
> vendorVersion: 389-Directory/1.3.4.0 B2016.215.1556
> dataversion: 020161222235947020161222235947020161222235947
> netscapemdsuffix: cn=ldap://dc=wwgwho01,dc=myorg,dc=com:389
> lastusn: 8690425
> changeLog: cn=changelog
> firstchangenumber: 2752153
> lastchangenumber: 2752346
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> On 2016-12-21 9:27 GMT-06:00, Rob Crittenden wrote:
>
> Daniel Schimpfoessl wrote:
> > Thanks for getting back to me.
> >
> > getcert list | grep expires shows dates years in the future for all
> > certificates
> > [Inline image 1]
> >
> > ipactl start --force
> >
> > Eventually the system started with:
> > Forced start, ignoring pki-tomcatd Service, continuing normal
> > operations.
> >
> > systemctl status ipa shows: failed
>
> I don't think this is a certificate problem at all. I think the timing
> with your renewal is just coincidence.
>
> Did you change your Directory Manager password at some point?
>
> >
> > ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> > password -b "" -s base
> > ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> > *********** -b "" -s base
> > [Inline image 2]
>
> You need the -x flag to indicate simple bind.
>
> rob
>
> > The logs have thousands of lines like it, what am I looking for
> > specifically?
> >
> > Daniel
> >
> > On 2016-12-20 4:18 GMT-06:00, Florence Blanc-Renaud wrote:
> >
> > On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote:
> >
> > Good day and happy holidays,
> >
> > I have been running a freeIPA instance for a few years and been very
> > happy. Recently the certificate expired and I updated it using the
> > documented methods. At first all seemed fine. Added a Nagios monitor for
> > the certificate expiration and restarted the server (single server). I
> > have weekly snapshots, daily backups (using Amanda on the entire disk).
> >
> > One day the services relying on IPA failed to authenticate. Looking at
> > the server the ipa service had stopped. Restarting the service fails.
> > Restoring a few weeks old snapshot does not start either. Resetting the
> > date to a few months back does not work either as httpd fails to start.
> >
> > I am at a loss.
> >
> > Here a few details:
> > # ipa --version
> > VERSION: 4.4.0, API_VERSION: 2.213
> >
> > # /usr/sbin/ipactl start
> > ...
> > out -> Failed to start pki-tomcatd Service
> > /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP server
> > host ipa.myorg.com port 636 Error
> > netscape.ldap.LDAPException: Authentication failed (48)
> > 2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted due to
> > error: Retrieving CA status failed with status 500
> >
> > Any help would be appreciated as all connected services are now down.
> >
> > Thanks,
> >
> > Daniel
> >
> > Hi Daniel,
> >
> > more information would be required to understand what is going on.
> > First of all, which certificate did you renew? Can you check with
> > $ getcert list
> > if other certificates also expired?
> >
> > PKI fails to start and the error seems linked to the SSL connection
> > with the LDAP server. You may want to check if the LDAP server is
> > listening on the LDAPs port:
> > - start the stack with
> > $ ipactl start --force
> > - check the LDAPs port with
> > $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> > password -b "" -s base
> >
> > The communication between PKI and the LDAP server is authenticated
> > with the certificate 'subsystemCert cert-pki-ca' located in
> > /etc/pki/pki-tomcat/alias, so you may also want to check if it is
> > still valid.
> > The directory server access logs (in
> > /var/log/dirsrv/slapd-DOMAIN-COM/access) would also show the
> > connection with logs similar to:
> >
> > [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to
> > 10.34.58.150
> > [...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM;
> > issuer CN=Certificate Authority,O=DOMAIN.COM
> > [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> > [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> > [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> > dn="uid=pkidbuser,ou=people,o=ipaca"
> >
> > HTH,
> > Flo
> >
>
Hi Daniel,
the server error 500 means that PKI is not started. You can have a look
at /var/log/pki/pki-tomcat/ca/debug, especially the logs generated when
you try to start the service with
$ systemctl start pki-tomcatd at pki-tomcat.service
HTH,
Flo
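A parser for the dirsrv access-log lines Florence quotes earlier in this thread (the SSL connection, the client certificate CN, the "client bound as" mapping, and the SASL/EXTERNAL BIND with its RESULT), added here as an example and not code from 389-ds or FreeIPA. It groups lines by conn= and reports, for each TLS client-certificate connection, whether the bind mapped to uid=pkidbuser,ou=people,o=ipaca and succeeded; the sample log is constructed from the format on the page, with placeholder addresses and times, and its second connection shows the err=48 case from the pki debug log.

```python
"""Summarise pki-tomcat client-cert binds in a 389-ds access log."""
import re

CONN_RE = re.compile(r"\bconn=(\d+)")
SSL_FROM_RE = re.compile(r"SSL connection from (\S+) to (\S+)")
CLIENT_CN_RE = re.compile(r"client CN=([^;]+);")
BOUND_AS_RE = re.compile(r"client bound as (\S+)")
BIND_RE = re.compile(r"op=(\d+) BIND dn=\"([^\"]*)\" method=(\S+)(?:.*?mech=(\S+))?")
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")

# LDAP result codes seen in this thread's logs.
ERR_TEXT = {0: "success", 32: "noSuchObject",
            48: "inappropriateAuthentication", 49: "invalidCredentials"}

# Constructed sample: conn=47 maps to pkidbuser and binds; conn=48 presents the
# same client cert but no mapping is logged and the bind fails with err=48.
SAMPLE_LOG = """\
[31/Dec/2016:12:48:50 -0600] conn=47 fd=84 slot=84 SSL connection from 10.0.0.5 to 10.0.0.5
[31/Dec/2016:12:48:50 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[31/Dec/2016:12:48:50 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[31/Dec/2016:12:48:50 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[31/Dec/2016:12:48:50 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[31/Dec/2016:12:49:10 -0600] conn=48 fd=85 slot=85 SSL connection from 10.0.0.5 to 10.0.0.5
[31/Dec/2016:12:49:10 -0600] conn=48 TLS1.2 128-bit AES; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[31/Dec/2016:12:49:10 -0600] conn=48 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[31/Dec/2016:12:49:10 -0600] conn=48 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""


def parse_connections(log_text):
    """Group the interesting fields of each line by connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"src": None, "client_cn": None,
                                          "bound_as": None, "binds": {}, "results": {}})
        m = SSL_FROM_RE.search(line)
        if m:
            c["src"] = m.group(1)
        m = CLIENT_CN_RE.search(line)
        if m:
            c["client_cn"] = m.group(1).strip()
        m = BOUND_AS_RE.search(line)
        if m:
            c["bound_as"] = m.group(1)
        m = BIND_RE.search(line)
        if m:
            c["binds"][m.group(1)] = {"dn": m.group(2), "method": m.group(3), "mech": m.group(4)}
        m = RESULT_RE.search(line)
        if m:
            c["results"][m.group(1)] = int(m.group(2))
    return conns


def analyse(log_text, expected_dn="uid=pkidbuser,ou=people,o=ipaca"):
    """One report row per BIND on a TLS client-certificate connection."""
    report = []
    for conn, c in parse_connections(log_text).items():
        if c["client_cn"] is None:
            continue                       # not a client-cert connection
        for op, b in c["binds"].items():
            err = c["results"].get(op)
            report.append({
                "conn": conn, "src": c["src"], "client_cn": c["client_cn"],
                "bound_as": c["bound_as"], "mech": b["mech"], "err": err,
                "err_text": ERR_TEXT.get(err, "unknown"),
                "ok": err == 0 and c["bound_as"] == expected_dn,
            })
    return report


if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG):
        state = "OK" if row["ok"] else f"FAIL err={row['err']} ({row['err_text']})"
        print(f"conn={row['conn']} cert CN={row['client_cn']} mapped to {row['bound_as']} via {row['mech']}: {state}")
```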
From sjuhasz at chemaxon.com Mon Jan 2 11:53:12 2017
From: sjuhasz at chemaxon.com (Sandor Juhasz)
Date: Mon, 2 Jan 2017 12:53:12 +0100 (CET)
Subject: [Freeipa-users] modify schema - add group email
and display attribute
In-Reply-To: <1935325431.129080.1482334772814.JavaMail.zimbra@chemaxon.com>
References: <795612095.18818.1482325628676.JavaMail.zimbra@chemaxon.com>
<585A92DB.5080907@redhat.com>
<1935325431.129080.1482334772814.JavaMail.zimbra@chemaxon.com>
Message-ID: <2041148526.26477.1483357992339.JavaMail.zimbra@chemaxon.com>
I would be really happy if anybody could assign an OID for the new objectclass
i want to use to store group mail and displayname attributes.
Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
From: "Sandor Juhasz"
To: "Ludwig Krispenz"
Cc: freeipa-users at redhat.com
Sent: Wednesday, December 21, 2016 4:39:32 PM
Subject: Re: [Freeipa-users] modify schema - add group email and display attribute
That would be perfect solution.
How do i do it?
ldapmodify:
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: (
  NAME 'googleGroup' SUP groupofnames
  STRUCTURAL
  MAY ( mail $ displayname )
  X-ORIGIN 'Extending FreeIPA' )
What to use for ?
Then i just
ipa config-mod --addattr=ipaGroupObjectClasses=googleGroup
Then groupmail.py
from ipalib.plugins import group
from ipalib.parameters import Str
from ipalib import _

# Add an optional 'mail' parameter to the group object (the trailing '?'
# marks the parameter as optional) and have it shown by default.
group.group.takes_params = group.group.takes_params + (
    Str('mail?',
        cli_name='mail',
        label=_('mail'),
    ),
)
group.group.default_attributes.append('mail')
Then groupdisplayname.py
from ipalib.plugins import group
from ipalib.parameters import Str
from ipalib import _

# Same pattern for an optional 'displayname' parameter.
group.group.takes_params = group.group.takes_params + (
    Str('displayname?',
        cli_name='displayname',
        label=_('displayname'),
    ),
)
group.group.default_attributes.append('displayname')
And finally update js somehow...
From: "Ludwig Krispenz"
To: freeipa-users at redhat.com
Sent: Wednesday, December 21, 2016 3:34:03 PM
Subject: Re: [Freeipa-users] modify schema - add group email and display attribute
On 12/21/2016 02:07 PM, Sandor Juhasz wrote:
Hi,
i would like to modify schema to have group objects extended with email and display name attribute.
The reason is that we are trying to sync our ldap to our google apps.
I don't know how much this doc http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
can be applied to groups. Neither did i find a supported attribute syntax for email, maybe
PrintableString 1.3.6.1.4.1.1466.115.121.1.58 For values which contain strings containing alphabetic, numeral, and select punctuation characters (as defined in RFC 4517 ).
but i am not sure if that could hold email addresses.
why don't you just use the mail attribute? Only define a new auxiliary objectclass allowing mail and displayname
It would be pretty to have it exposed via ipalib and js plugins as well.
If someone could help me out on extending schema, i would be really happy.
--
Red Hat GmbH, http://www.de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
From taraksinha09 at gmail.com Mon Jan 2 15:35:19 2017
From: taraksinha09 at gmail.com (tarak sinha)
Date: Mon, 2 Jan 2017 21:05:19 +0530
Subject: [Freeipa-users] Fwd: IPA Client not able to remove
In-Reply-To:
References:
<5869B3C6.3070701@redhat.com>
Message-ID:
Hi Team,
Please give me some suggestions to fix the issue below.
---------- Forwarded message ----------
From: tarak sinha
Date: Mon, Jan 2, 2017 at 9:03 PM
Subject: Re: [Freeipa-users] IPA Client not able to remove
To: Rob Crittenden
Thanks Rob for your suggestion...
I have another issue on my hosts. A few nodes are asking for a password rather
than authenticating with Kerberos.
I am getting the error below (Unspecified GSS failure). The rest of the hosts are able
to log in via the gssapi-with-mic method.
-------------snip----------
debug1: Authentications that can continue: publickey,gssapi-with-mic,
password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
KDC has no support for encryption type
debug1: Unspecified GSS failure. Minor code may provide more information
KDC has no support for encryption type
debug1: Unspecified GSS failure. Minor code may provide more information
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,
password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /uhome/tsinha/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
------------snip-------------
Please give me some advice on logging in to my Linux nodes without any password.
Thanks,
Tarak
On Mon, Jan 2, 2017 at 7:28 AM, Rob Crittenden wrote:
> tarak sinha wrote:
> > Hi FreeIPA Team,
> >
> >
> >
> > I am not able to remove the IPA client host entry from Web UI and
> > command line as well. While trying to add it?s showing ?Host is already
> > exist?. Please give me some suggestion to get rid if this issue.
> >
> >
> >
> > #ipa host-del xxx.example.com --updatedns
> >
> > ipa: ERROR: xxx.example.com : host not found
> >
> > #ipa host-show xxx.example.com
> >
> > ipa: ERROR: xxx.example.com : host not found
>
> It sounds like it is a replication conflict entry. You can confirm by
> doing something like 'ipa host-find xxx.example.com --all' and look at
> the DN. If it has nsuniqueid in the DN then it is a conflict entry. See
> https://access.redhat.com/documentation/en-US/Red_Hat_Direct
> ory_Server/8.2/html/Administration_Guide/Managing_Replicatio
> n-Solving_Common_Replication_Conflicts.html
> but given you want to remove it you can do so via ldapdelete.
>
> rob
>
--
*Thanks,*
*Tarak Nath Sinha*
*Mobile: **+91 8197522750*
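Rob's test above (a replication conflict entry carries nsuniqueid in its DN, and the conflicting original is named in nsds5ReplConflict) applied to LDIF output from ldapsearch or host-find, as an added example that is not part of this thread or of FreeIPA. The sample LDIF is constructed, modelled on ldapsearch output with folded continuation lines.

```python
"""Spot 389-ds replication conflict entries in LDIF search output.

Added example for this thread, not FreeIPA project code.  A conflict
entry has "+nsuniqueid=..." in its DN; its nsds5ReplConflict attribute
names the surviving entry it collided with.  Deletion (Rob's ldapdelete
advice) must target the conflict DN, never the surviving original.
"""
import re

# Constructed sample, modelled on ldapsearch output.  Continuation lines
# start with a single space, exactly as the ldapsearch client prints them.
SAMPLE_LDIF = """\
# extended LDIF
#
# filter: nsds5ReplConflict=*
dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups
 ,cn=accounts,dc=test,dc=local
objectClass: top
objectClass: ipahostgroup
cn: ipaservers
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=t
 est,dc=local

dn: fqdn=xxx.example.com,cn=computers,cn=accounts,dc=test,dc=local
objectClass: ipahost
fqdn: xxx.example.com
"""

CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)


def unfold(text):
    """Join LDIF continuation lines (leading space) and drop '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return a list of {attr_lowercase: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in unfold(text) + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        # partition, not split: values such as "cn=System: Add CA" contain ':'
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def find_conflicts(text):
    """Return (conflict_dn, original_dn) pairs for every conflict entry.

    original_dn comes from nsds5ReplConflict when present; otherwise it is
    derived by stripping the nsuniqueid component from the conflict DN.
    """
    found = []
    for entry in parse_entries(text):
        dn = entry.get("dn", [""])[0]
        if not CONFLICT_RDN.search(dn):
            continue                       # a normal entry, e.g. the ipahost
        hint = entry.get("nsds5replconflict", [""])[0]
        prefix = "namingConflict "
        original = hint[len(prefix):] if hint.startswith(prefix) else CONFLICT_RDN.sub("", dn)
        found.append((dn, original))
    return found


def ldapdelete_argv(conflict_dn):
    """argv that removes exactly the conflict entry (bind as Directory Manager)."""
    return ["ldapdelete", "-D", "cn=Directory Manager", "-W", conflict_dn]


if __name__ == "__main__":
    for conflict_dn, original in find_conflicts(SAMPLE_LDIF):
        print("conflict:", conflict_dn)
        print("  shadows:", original)
        print("  remove with:", " ".join(ldapdelete_argv(conflict_dn)))
```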
From nirajkumar.singh at accenture.com Mon Jan 2 15:58:56 2017
From: nirajkumar.singh at accenture.com (nirajkumar.singh at accenture.com)
Date: Mon, 2 Jan 2017 15:58:56 +0000
Subject: [Freeipa-users] Automate PPK file generation for newly created
users.
Message-ID:
Hi Team,
We have created master and client servers. We are able to create users and log in with a password. But our requirement is to generate a ppk file for each user, which should be used as the login credential for that user.
Question :
* Is there any way to automate key(.ppk) generation for user when user is getting created?
We don't want any manual effort in this process. Kindly suggest.
Thanks & Regards,
Niraj Kumar Singh
AWS & Oracle DB Team
Vodafone NewCo
Accenture Services Pvt. Ltd.
Voice: (+91)9663212985
Email: nirajkumar.singh at accenture.com
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
From nirajkumar.singh at accenture.com Mon Jan 2 16:00:25 2017
From: nirajkumar.singh at accenture.com (nirajkumar.singh at accenture.com)
Date: Mon, 2 Jan 2017 16:00:25 +0000
Subject: [Freeipa-users] how to make email as mandatory field before user
creation
Message-ID: <47fd3579651242ed89012e664e6aa2c5@BLUPR42MB0194.048d.mgd.msft.net>
Hi Team,
Is there any way to make email as mandatory field before creating any user from WEBUI or Console?
Thanks & Regards,
Niraj Kumar Singh
AWS & Oracle DB Team
Vodafone NewCo
Accenture Services Pvt. Ltd.
Voice: (+91)9663212985
Email: nirajkumar.singh at accenture.com
From pvoborni at redhat.com Mon Jan 2 16:50:37 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 2 Jan 2017 17:50:37 +0100
Subject: [Freeipa-users] how to make email as mandatory field before
user creation
In-Reply-To: <47fd3579651242ed89012e664e6aa2c5@BLUPR42MB0194.048d.mgd.msft.net>
References: <47fd3579651242ed89012e664e6aa2c5@BLUPR42MB0194.048d.mgd.msft.net>
Message-ID: <63da1063-8ba6-fa41-ff44-8916c4a99c7f@redhat.com>
On 01/02/2017 05:00 PM, nirajkumar.singh at accenture.com wrote:
> Hi Team,
>
> Is there any way to make email as mandatory field before creating any user from
> WEBUI or Console?
>
> Thanks & Regards,
>
> Niraj Kumar Singh
>
Hello Niraj,
FreeIPA doesn't support such configuration out of the box.
It is theoretically possible to implement IPA server side plugin to mark
the field as required. It may not be straightforward though.
--
Petr Vobornik
From yamakasi.014 at gmail.com Mon Jan 2 17:21:56 2017
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 2 Jan 2017 18:21:56 +0100
Subject: [Freeipa-users] how to make email as mandatory field before
user creation
In-Reply-To: <63da1063-8ba6-fa41-ff44-8916c4a99c7f@redhat.com>
References: <47fd3579651242ed89012e664e6aa2c5@BLUPR42MB0194.048d.mgd.msft.net>
<63da1063-8ba6-fa41-ff44-8916c4a99c7f@redhat.com>
Message-ID:
Doesn't the user get a default mail address when you add him under the
REALM domain?
2017-01-02 17:50 GMT+01:00 Petr Vobornik :
> On 01/02/2017 05:00 PM, nirajkumar.singh at accenture.com wrote:
>> Hi Team,
>>
>> Is there any way to make email as mandatory field before creating any user from
>> WEBUI or Console?
>>
>> Thanks & Regards,
>>
>> Niraj Kumar Singh
>>
>
> Hello Niraj,
>
> FreeIPA doesn't support such configuration out of the box.
>
> It is theoretically possible to implement IPA server side plugin to mark
> the field as required. It may not be straightforward though.
>
> --
> Petr Vobornik
>
From taraksinha09 at gmail.com Mon Jan 2 17:33:36 2017
From: taraksinha09 at gmail.com (tarak sinha)
Date: Mon, 2 Jan 2017 23:03:36 +0530
Subject: [Freeipa-users] Unspecified GSS failure. Minor code may provide
more information KDC has no support for encryption type
Message-ID:
Hi Team,
I am getting the error below while trying to ssh to my host without a password.
Unspecified GSS failure. Minor code may provide more information KDC has no
support for encryption type
Thanks in advance
*Thanks,*
*Tarak Nath Sinha*
From b.candler at pobox.com Mon Jan 2 17:41:02 2017
From: b.candler at pobox.com (Brian Candler)
Date: Mon, 2 Jan 2017 17:41:02 +0000
Subject: [Freeipa-users] modify schema - add group email and display
attribute
In-Reply-To: <2041148526.26477.1483357992339.JavaMail.zimbra@chemaxon.com>
References: <795612095.18818.1482325628676.JavaMail.zimbra@chemaxon.com>
<585A92DB.5080907@redhat.com>
<1935325431.129080.1482334772814.JavaMail.zimbra@chemaxon.com>
<2041148526.26477.1483357992339.JavaMail.zimbra@chemaxon.com>
Message-ID: <2c9db8bb-61dd-8d99-39f8-6278b2d2a845@pobox.com>
On 02/01/2017 11:53, Sandor Juhasz wrote:
> I would be really happy if anybody could assign an OID for the new
> objectclass
You can get your own enterprise OID for free from here:
http://pen.iana.org/pen/PenApplication.page
Note that you only get one, so it's up to you to subdivide the space.
For example: if you get 1.3.6.1.4.1.99999, then you might decide to use:
1.3.6.1.4.1.99999.1 = LDAP object classes
1.3.6.1.4.1.99999.1.1 = myMailObjectClass
1.3.6.1.4.1.99999.1.2 = someOtherObjectClass
1.3.6.1.4.1.99999.2 = LDAP attributes
1.3.6.1.4.1.99999.2.1 = mySpecialAttribute
then later you can assign under 1.3.6.1.4.1.99999.3 for something else
that needs OIDs (e.g. SNMP MIBs) and so on.
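Brian's arc layout turned into a check an administrator can run over a schema extension before loading it: object classes under <pen>.1, attribute types under <pen>.2, no OID reused, and the new class AUXILIARY as Ludwig suggested. This is an added example, not FreeIPA or 389-ds code; the PEN 1.3.6.1.4.1.99999, the names myMailGroup and myGroupSyncTag, and the schema lines are constructed.

```python
"""Validate a 389-ds/FreeIPA schema extension against a PEN sub-arc layout.

Added example for this thread, not project code.  Layout enforced:
  <pen>.1.<n>  object classes
  <pen>.2.<n>  attribute types
plus OID uniqueness and the AUXILIARY requirement for a class that is to be
added to existing group entries.
"""
import re

PEN = "1.3.6.1.4.1.99999"                     # constructed; get your own from IANA
ARCS = {"objectClasses": PEN + ".1.", "attributeTypes": PEN + ".2."}

# Constructed schema lines in the form 389-ds accepts in 99user.ldif.
SAMPLE_SCHEMA = [
    "attributeTypes: ( 1.3.6.1.4.1.99999.2.1 NAME 'myGroupSyncTag' "
    "DESC 'constructed example' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "objectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'myMailGroup' "
    "DESC 'constructed example' SUP top AUXILIARY "
    "MAY ( mail $ displayName $ myGroupSyncTag ) )",
]

DEF_RE = re.compile(r"^(objectClasses|attributeTypes):\s*\(\s*([\d.]+)\s+NAME\s+'([^']+)'")


def check_schema(lines):
    """Return a list of problem strings; an empty list means the extension is clean."""
    problems, seen = [], {}
    for line in lines:
        match = DEF_RE.match(line)
        if not match:
            problems.append("unparsed definition: %s..." % line[:40])
            continue
        kind, oid, name = match.groups()
        arc = ARCS[kind]
        if not oid.startswith(arc):
            problems.append("%s %s: OID %s is not under %s" % (kind, name, oid, arc))
        if oid in seen:
            problems.append("OID %s reused by %s (already %s)" % (oid, name, seen[oid]))
        seen[oid] = name
        if kind == "objectClasses" and " AUXILIARY " not in line:
            problems.append("%s is not AUXILIARY, so it cannot be added to existing groups" % name)
    return problems


if __name__ == "__main__":
    for problem in check_schema(SAMPLE_SCHEMA) or ["schema extension OK"]:
        print(problem)
```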
From pvoborni at redhat.com Mon Jan 2 18:08:23 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 2 Jan 2017 19:08:23 +0100
Subject: [Freeipa-users] how to make email as mandatory field before
user creation
In-Reply-To:
References: <47fd3579651242ed89012e664e6aa2c5@BLUPR42MB0194.048d.mgd.msft.net>
<63da1063-8ba6-fa41-ff44-8916c4a99c7f@redhat.com>
Message-ID: <8b72399a-3fdd-3d7e-dbf7-e613286acba7@redhat.com>
On 01/02/2017 06:21 PM, Matt . wrote:
> Doesn't get the user a default mailaddress when you add him under the
> REALM domain ?
By default a user gets an email address, but there are ways to skip it:
ipa user-add test2 --first Test --last Test --email=
ipa config-mod --emaildomain=
Btw, in the Web UI the user adder dialog doesn't have an email field. To add it
there, a Web UI plugin would be needed.
>
> 2017-01-02 17:50 GMT+01:00 Petr Vobornik :
>> On 01/02/2017 05:00 PM, nirajkumar.singh at accenture.com wrote:
>>> Hi Team,
>>>
>>> Is there any way to make email as mandatory field before creating any user from
>>> WEBUI or Console?
>>>
>>> Thanks & Regards,
>>>
>>> Niraj Kumar Singh
>>>
>>
>> Hello Niraj,
>>
>> FreeIPA doesn't support such configuration out of the box.
>>
>> It is theoretically possible to implement IPA server side plugin to mark
>> the field as required. It may not be straightforward though.
>>
>> --
>> Petr Vobornik
>>
>
--
Petr Vobornik
From daniel at schimpfoessl.com Mon Jan 2 18:24:42 2017
From: daniel at schimpfoessl.com (Daniel Schimpfoessl)
Date: Mon, 2 Jan 2017 12:24:42 -0600
Subject: [Freeipa-users] Asking for help with crashed freeIPA instance
In-Reply-To: <3f60bab0-11c7-0fe5-b88c-07d77c7e191b@redhat.com>
References:
<729a8aed-4f22-ba26-3089-58c675bd64e0@redhat.com>
<585A9F46.7080207@redhat.com>
<3f60bab0-11c7-0fe5-b88c-07d77c7e191b@redhat.com>
Message-ID:
Thanks for your reply.
This was the initial error I asked for help with a while ago, and it did not get
resolved. Further digging showed the recent errors.
The service was running (using ipactl start --force) and only after a
restart am I getting a stack trace for two primary messages:
Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error
netscape.ldap.LDAPException: Authentication failed (48)
...
Internal Database Error encountered: Could not connect to LDAP server host
wwgwho01.webwim.com port 636 Error netscape.ldap.LDAPException:
Authentication failed (48)
...
and finally:
[02/Jan/2017:12:20:34][localhost-startStop-1]: CMSEngine.shutdown()
2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud :
> systemctl start pki-tomcatd at pki-tomcat.service
From nirajkumar.singh at accenture.com Mon Jan 2 19:46:02 2017
From: nirajkumar.singh at accenture.com (nirajkumar.singh at accenture.com)
Date: Mon, 2 Jan 2017 19:46:02 +0000
Subject: [Freeipa-users] how to make email as mandatory field before
user creation
In-Reply-To: <63da1063-8ba6-fa41-ff44-8916c4a99c7f@redhat.com>
References: <47fd3579651242ed89012e664e6aa2c5@BLUPR42MB0194.048d.mgd.msft.net>
<63da1063-8ba6-fa41-ff44-8916c4a99c7f@redhat.com>
Message-ID: <43e38bad775d4d6fa96bd26485136bc7@BLUPR42MB0194.048d.mgd.msft.net>
Hi Petr,
Can you please suggest how to do it with plugins and which plugin I need to use and how to integrate that plugin with freeipa.
Thanks
Niraj
-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: 02 January 2017 22:21
To: Singh, NirajKumar ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] how to make email as mandatory field before user creation
On 01/02/2017 05:00 PM, nirajkumar.singh at accenture.com wrote:
> Hi Team,
>
> Is there any way to make email as mandatory field before creating any
> user from WEBUI or Console?
>
> Thanks & Regards,
>
> Niraj Kumar Singh
>
Hello Niraj,
FreeIPA doesn't support such configuration out of the box.
It is theoretically possible to implement IPA server side plugin to mark the field as required. It may not be straightforward though.
--
Petr Vobornik
From alan at instinctualsoftware.com Mon Jan 2 22:22:49 2017
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Mon, 2 Jan 2017 14:22:49 -0800
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
Message-ID:
I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4. On some clients they failed to re-authenticate post upgrade. I then did an
ipa-client-install --uninstall, and then tried re-joining to IPA server with
ipa-client-install --mkhomedir --force-ntpd --force-join.
Now I am getting the below error, and I have no idea how to recover. Firewall is disabled.
Thanks,
Alan
User authorized to enroll computers: admin
Password for admin at XXX.LOCAL:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root at troll ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Installed Packages
ipa-client.x86_64 4.4.0-14.el7.centos @updates
ipa-client-common.noarch 4.4.0-14.el7.centos @updates
ipa-common.noarch 4.4.0-14.el7.centos @updates
From mbabinsk at redhat.com Tue Jan 3 08:16:46 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 3 Jan 2017 09:16:46 +0100
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
In-Reply-To:
References:
Message-ID:
On 01/02/2017 11:22 PM, Alan Latteri wrote:
> I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4. On some clients they failed to re-authenticate post upgrade. I then did an
> ipa-client-install --uninstall, and then tried re-joining to IPA server with
> ipa-client-install --mkhomedir --force-ntpd --force-join.
>
> Now I am getting the below error, and I have no idea how to recover. Firewall is disabled.
>
> Thanks,
> Alan
>
> User authorized to enroll computers: admin
> Password for admin at XXX.LOCAL:
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> [root at troll ~]# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
> Active: inactive (dead)
>
> Installed Packages
> ipa-client.x86_64 4.4.0-14.el7.centos @updates
> ipa-client-common.noarch 4.4.0-14.el7.centos @updates
> ipa-common.noarch 4.4.0-14.el7.centos @updates
>
Hi Alan,
it would be nice if you could post the client install log
(/var/log/ipaclient-install.log). It is hard to tell what happens
without seeing it.
--
Martin^3 Babinsky
From Dan.Finkelstein at high5games.com Tue Jan 3 13:20:48 2017
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 3 Jan 2017 13:20:48 +0000
Subject: [Freeipa-users] LDAP replication conflicts,
but no apparent data damage
Message-ID: <145020D6-0409-4651-9C76-B6F31EB62753@high5games.com>
I'm using the most recent FreeIPA 4.4.0 on CentOS 7.3 and have been cleaning up various dangling replicas and other cruft, but when I run the ipa consistency checker, it produces output that LDAP has conflicts. I then run:
ldapsearch -D "cn=Directory Manager" -W -b "dc=h5c,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
Which produces output as follows (which I don't know what to do with, yet):
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# ipaservers + 9865b29e-c9a411e6-a937f721-75eb0f97, hostgroups, accounts, test.l
ocal
dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups
,cn=accounts,dc=test,dc=local
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5
c,dc=local
memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=
test,dc=local
memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc
=local
memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
l
memberOf: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,c
n=alt,dc=test,dc=local
member: fqdn=ipa-replica-gib02.test.local,cn=computers,cn=accounts,dc=test,dc=lo
cal
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: b13812a8-c9a4-11e6-8bb5-00505684b9a0
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
5c,dc=local
# ipaservers + 9865b2a0-c9a411e6-a937f721-75eb0f97, ng, alt, test.local
dn: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,
dc=test,dc=local
memberHost: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=ho
stgroups,cn=accounts,dc=test,dc=local
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: test.local
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
ipaUniqueID: b13f8506-c9a4-11e6-8bb5-00505684b9a0
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
# domain + 9865b2a7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
dn: cn=domain+nsuniqueid=9865b2a7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ip
a,cn=etc,dc=test,dc=local
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
ipaReplTopoConfRoot: dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
c=local
# locations + 9865b2ab-c9a411e6-a937f721-75eb0f97, etc, test.local
dn: cn=locations+nsuniqueid=9865b2ab-c9a411e6-a937f721-75eb0f97,cn=etc,dc=test,
dc=local
objectClass: nsContainer
objectClass: top
cn: locations
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Ad
d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write)
groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc
=test,dc=local";)
aci: (targetattr = "createtimestamp || description || entryusn || idnsname ||
modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,
read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,
cn=pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=Syst
em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
# cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
dn: cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=loca
l
objectClass: nsContainer
objectClass: top
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=
pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permis
sions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(
version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:
///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacai
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targ
etfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CA
s";allow (compare,read,search) userdn = "ldap:///all";)
# custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
dn: cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,d
c=test,dc=local
objectClass: nsContainer
objectClass: top
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
# dogtag + 9865b2e4-c9a411e6-a937f721-75eb0f97, custodia + 9865b2e2-c9a411e6-a9
37f721-75eb0f97, ipa, etc, test.local
dn: cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuni
queid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
objectClass: top
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
c=local
# ca + 9865b2e7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
dn: cn=ca+nsuniqueid=9865b2e7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn
=etc,dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
cn: ca
ipaReplTopoConfRoot: o=ipaca
nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
cal
# System: Add CA + 9865b2ed-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.
local
dn: cn=System: Add CA+nsuniqueid=9865b2ed-c9a411e6-a937f721-75eb0f97,cn=permis
sions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
test,dc=local
# System: Delete CA + 9865b2f1-c9a411e6-a937f721-75eb0f97, permissions, pbac, h
5c.local
dn: cn=System: Delete CA+nsuniqueid=9865b2f1-c9a411e6-a937f721-75eb0f97,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Modify CA + 9865b2f5-c9a411e6-a937f721-75eb0f97, permissions, pbac, h
5c.local
dn: cn=System: Modify CA+nsuniqueid=9865b2f5-c9a411e6-a937f721-75eb0f97,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Read CAs + 9865b2f9-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5
c.local
dn: cn=System: Read CAs+nsuniqueid=9865b2f9-c9a411e6-a937f721-75eb0f97,cn=perm
issions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
c=test,dc=local
# System: Modify DNS Servers Configuration + 9865b2fe-c9a411e6-a937f721-75eb0f9
7, permissions, pbac, test.local
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=9865b2fe-c9a411e6-a
937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnssoamname
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: idnsforwarders
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
cn=permissions,cn=pbac,dc=test,dc=local
# System: Read DNS Servers Configuration + 9865b302-c9a411e6-a937f721-75eb0f97,
permissions, pbac, test.local
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=9865b302-c9a411e6-a93
7f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
=permissions,cn=pbac,dc=test,dc=local
# System: Manage Host Principals + 9865b329-c9a411e6-a937f721-75eb0f97, permiss
ions, pbac, test.local
dn: cn=System: Manage Host Principals+nsuniqueid=9865b329-c9a411e6-a937f721-75
eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# System: Add IPA Locations + 9865b33f-c9a411e6-a937f721-75eb0f97, permissions,
pbac, test.local
dn: cn=System: Add IPA Locations+nsuniqueid=9865b33f-c9a411e6-a937f721-75eb0f9
7,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
cn=pbac,dc=test,dc=local
# System: Modify IPA Locations + 9865b343-c9a411e6-a937f721-75eb0f97, permissio
ns, pbac, test.local
dn: cn=System: Modify IPA Locations+nsuniqueid=9865b343-c9a411e6-a937f721-75eb
0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read IPA Locations + 9865b347-c9a411e6-a937f721-75eb0f97, permissions
, pbac, test.local
dn: cn=System: Read IPA Locations+nsuniqueid=9865b347-c9a411e6-a937f721-75eb0f
97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: description
ipaPermDefaultAttr: idnsname
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
,cn=pbac,dc=test,dc=local
# System: Remove IPA Locations + 9865b34b-c9a411e6-a937f721-75eb0f97, permissio
ns, pbac, test.local
dn: cn=System: Remove IPA Locations+nsuniqueid=9865b34b-c9a411e6-a937f721-75eb
0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Remove IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read Locations of IPA Servers + 9865b34f-c9a411e6-a937f721-75eb0f97,
permissions, pbac, test.local
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=9865b34f-c9a411e6-a937
f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Locations of IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaserviceweight
ipaPermDefaultAttr: ipalocation
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
permissions,cn=pbac,dc=test,dc=local
# System: Read Status of Services on IPA Servers + 9865b353-c9a411e6-a937f721-7
5eb0f97, permissions, pbac, test.local
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=9865b353-c9a4
11e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Status of Services on IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaconfigstring
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
rvers,cn=permissions,cn=pbac,dc=test,dc=local
# System: Manage Service Principals + 9865b357-c9a411e6-a937f721-75eb0f97, perm
issions, pbac, test.local
dn: cn=System: Manage Service Principals+nsuniqueid=9865b357-c9a411e6-a937f721
-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Service Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
issions,cn=pbac,dc=test,dc=local
# System: Manage User Principals + 9865b364-c9a411e6-a937f721-75eb0f97, permiss
ions, pbac, test.local
dn: cn=System: Manage User Principals+nsuniqueid=9865b364-c9a411e6-a937f721-75
eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage User Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=lo
cal
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# servers + 9865b37b-c9a411e6-a937f721-75eb0f97, dns, test.local
dn: cn=servers+nsuniqueid=9865b37b-c9a411e6-a937f721-75eb0f97,cn=dns,dc=test,dc
=local
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
# ipa + cba8431e-c9a411e6-a937f721-75eb0f97, cas + 9865b2b1-c9a411e6-a937f721-7
5eb0f97, ca, test.local
dn: cn=ipa+nsuniqueid=cba8431e-c9a411e6-a937f721-75eb0f97,cn=cas+nsuniqueid=98
65b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
# ipaservers + 6f4721f7-c9a811e6-943e8d1c-0faa636d, hostgroups, accounts, test.l
ocal
dn: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups
,cn=accounts,dc=test,dc=local
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5
c,dc=local
memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=
test,dc=local
memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc
=local
memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
l
memberOf: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,c
n=alt,dc=test,dc=local
member: fqdn=ipa-replica-gib01.test.local,cn=computers,cn=accounts,dc=test,dc=lo
cal
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: 863f47b6-c9a8-11e6-a9b0-00505684f6ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
5c,dc=local
# ipaservers + 6f4721f9-c9a811e6-943e8d1c-0faa636d, ng, alt, test.local
dn: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,
dc=test,dc=local
memberHost: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=ho
stgroups,cn=accounts,dc=test,dc=local
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: test.local
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
ipaUniqueID: 864e605c-c9a8-11e6-a9b0-00505684f6ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
# domain + 6f472200-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
dn: cn=domain+nsuniqueid=6f472200-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ip
a,cn=etc,dc=test,dc=local
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
ipaReplTopoConfRoot: dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
c=local
# locations + 6f472204-c9a811e6-943e8d1c-0faa636d, etc, test.local
dn: cn=locations+nsuniqueid=6f472204-c9a811e6-943e8d1c-0faa636d,cn=etc,dc=test,
dc=local
objectClass: nsContainer
objectClass: top
cn: locations
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Ad
d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write)
groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc
=test,dc=local";)
aci: (targetattr = "createtimestamp || description || entryusn || idnsname ||
modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,
read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,
cn=pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=Syst
em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
# cas + 6f47220a-c9a811e6-943e8d1c-0faa636d, ca, test.local
dn: cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=loca
l
objectClass: nsContainer
objectClass: top
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=
pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permis
sions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(
version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:
///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacai
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targ
etfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CA
s";allow (compare,read,search) userdn = "ldap:///all";)
# custodia + 6f47223b-c9a811e6-943e8d1c-0faa636d, ipa, etc, test.local
dn: cn=custodia+nsuniqueid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,d
c=test,dc=local
objectClass: nsContainer
objectClass: top
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
# dogtag + 6f47223d-c9a811e6-943e8d1c-0faa636d, custodia + 6f47223b-c9a811e6-94
3e8d1c-0faa636d, ipa, etc, test.local
dn: cn=dogtag+nsuniqueid=6f47223d-c9a811e6-943e8d1c-0faa636d,cn=custodia+nsuni
queid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
objectClass: top
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
c=local
# ca + 6f472240-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
dn: cn=ca+nsuniqueid=6f472240-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn
=etc,dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
cn: ca
ipaReplTopoConfRoot: o=ipaca
nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
cal
# System: Add CA + 6f472246-c9a811e6-943e8d1c-0faa636d, permissions, pbac, test.
local
dn: cn=System: Add CA+nsuniqueid=6f472246-c9a811e6-943e8d1c-0faa636d,cn=permis
sions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
test,dc=local
# System: Delete CA + 6f47224a-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h
5c.local
dn: cn=System: Delete CA+nsuniqueid=6f47224a-c9a811e6-943e8d1c-0faa636d,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Modify CA + 6f47224e-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h
5c.local
dn: cn=System: Modify CA+nsuniqueid=6f47224e-c9a811e6-943e8d1c-0faa636d,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Read CAs + 6f472252-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h5
c.local
dn: cn=System: Read CAs+nsuniqueid=6f472252-c9a811e6-943e8d1c-0faa636d,cn=perm
issions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
c=test,dc=local
# System: Modify DNS Servers Configuration + 6f472257-c9a811e6-943e8d1c-0faa636
d, permissions, pbac, test.local
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=6f472257-c9a811e6-9
43e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnssoamname
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: idnsforwarders
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
cn=permissions,cn=pbac,dc=test,dc=local
# System: Read DNS Servers Configuration + 6f47225b-c9a811e6-943e8d1c-0faa636d,
permissions, pbac, test.local
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=6f47225b-c9a811e6-943
e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
=permissions,cn=pbac,dc=test,dc=local
# System: Manage Host Principals + 6f472282-c9a811e6-943e8d1c-0faa636d, permiss
ions, pbac, test.local
dn: cn=System: Manage Host Principals+nsuniqueid=6f472282-c9a811e6-943e8d1c-0f
aa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# System: Add IPA Locations + 6f472298-c9a811e6-943e8d1c-0faa636d, permissions,
pbac, test.local
dn: cn=System: Add IPA Locations+nsuniqueid=6f472298-c9a811e6-943e8d1c-0faa636
d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
cn=pbac,dc=test,dc=local
# System: Modify IPA Locations + 6f47229c-c9a811e6-943e8d1c-0faa636d, permissio
ns, pbac, test.local
dn: cn=System: Modify IPA Locations+nsuniqueid=6f47229c-c9a811e6-943e8d1c-0faa
636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read IPA Locations + 6f4722a0-c9a811e6-943e8d1c-0faa636d, permissions
, pbac, test.local
dn: cn=System: Read IPA Locations+nsuniqueid=6f4722a0-c9a811e6-943e8d1c-0faa63
6d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: description
ipaPermDefaultAttr: idnsname
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
,cn=pbac,dc=test,dc=local
# System: Remove IPA Locations + 6f4722a4-c9a811e6-943e8d1c-0faa636d, permissio
ns, pbac, test.local
dn: cn=System: Remove IPA Locations+nsuniqueid=6f4722a4-c9a811e6-943e8d1c-0faa
636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Remove IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read Locations of IPA Servers + 6f4722a8-c9a811e6-943e8d1c-0faa636d,
permissions, pbac, test.local
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=6f4722a8-c9a811e6-943e
8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Locations of IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaserviceweight
ipaPermDefaultAttr: ipalocation
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
permissions,cn=pbac,dc=test,dc=local
# System: Read Status of Services on IPA Servers + 6f4722ac-c9a811e6-943e8d1c-0
faa636d, permissions, pbac, test.local
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=6f4722ac-c9a8
11e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Status of Services on IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaconfigstring
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
rvers,cn=permissions,cn=pbac,dc=test,dc=local
# System: Manage Service Principals + 6f4722b0-c9a811e6-943e8d1c-0faa636d, perm
issions, pbac, test.local
dn: cn=System: Manage Service Principals+nsuniqueid=6f4722b0-c9a811e6-943e8d1c
-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Service Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
issions,cn=pbac,dc=test,dc=local
# System: Manage User Principals + 6f4722bd-c9a811e6-943e8d1c-0faa636d, permiss
ions, pbac, test.local
dn: cn=System: Manage User Principals+nsuniqueid=6f4722bd-c9a811e6-943e8d1c-0f
aa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage User Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=lo
cal
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# servers + 6f4722d4-c9a811e6-943e8d1c-0faa636d, dns, test.local
dn: cn=servers+nsuniqueid=6f4722d4-c9a811e6-943e8d1c-0faa636d,cn=dns,dc=test,dc
=local
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
# ipa + 90a80ea3-c9a811e6-943e8d1c-0faa636d, cas + 6f47220a-c9a811e6-943e8d1c-0
faa636d, ca, test.local
dn: cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 51
# numEntries: 50
Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com
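One way to make sense of an ldapsearch dump like the one above, as an added example that is not part of FreeIPA, 389-ds or this thread: the script parses the LDIF, applies the check Rob gives earlier in the thread (an nsuniqueid= component in the RDN marks a conflict entry), and records for each conflict entry the DN it was meant to have, whether it sits beneath a parent that is itself a conflict (the cn=ipa entry under cn=cas+nsuniqueid=... above), and which of its values point at other conflict entries (the ipaservers hostgroup and netgroup pair referencing each other). It assumes the ldapsearch output was saved as standard LDIF, with the leading-space continuation lines that the mailing-list copy has lost; the sample entries embedded in it are constructed from the ones quoted above, trimmed to the attributes the triage needs.

```python
"""Triage 389-ds/FreeIPA replication-conflict entries from ldapsearch LDIF."""
import re

# Constructed sample modelled on entries quoted in this thread. Real LDIF folds
# long lines with a leading space on the continuation line (the list archive
# stripped those spaces from the output pasted above).
SAMPLE_LDIF = """\
dn: cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=loca
 l
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local

dn: cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
 47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local

dn: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups
 ,cn=accounts,dc=test,dc=local
memberOf: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,c
 n=alt,dc=test,dc=local
member: fqdn=ipa-replica-gib01.test.local,cn=computers,cn=accounts,dc=test,dc=lo
 cal
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=te
 st,dc=local

dn: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,
 dc=test,dc=local
memberHost: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=ho
 stgroups,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local

# search result
search: 2
result: 0 Success
"""

NSUNIQUEID = re.compile(r"nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

def parse_ldif(text):
    """Entries as dicts (lower-cased attr -> [values]); unfolds continuation
    lines, skips comments and the dn-less "search:/result:" trailer."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def split_dn(dn):
    """RDN strings of a DN, splitting only on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def is_conflict_dn(dn):
    """The check from the thread: an nsuniqueid= component in the RDN."""
    return bool(NSUNIQUEID.search(split_dn(dn)[0]))

def triage_conflicts(ldif_text):
    """Map each conflict entry DN to the facts that decide how to remove it."""
    report = {}
    for e in parse_ldif(ldif_text):
        if "nsds5replconflict" not in e:
            continue
        dn = e["dn"][0]
        kind, _, original = e["nsds5replconflict"][0].partition(" ")
        report[dn] = {
            "kind": kind,                    # e.g. namingConflict
            "original_dn": original,         # DN the entry was meant to have
            "rdn_has_nsuniqueid": is_conflict_dn(dn),
            # parent container is itself a conflict (cn=ipa under cn=cas above)
            "nested_under_conflict": any(NSUNIQUEID.search(r)
                                         for r in split_dn(dn)[1:]),
            # memberOf/memberHost/... values naming other conflict entries;
            # they dangle once those entries are deleted
            "references_to_conflicts": sorted(
                v for a, vals in e.items() if a not in ("dn", "nsds5replconflict")
                for v in vals if NSUNIQUEID.search(v)),
        }
    for dn, info in report.items():          # conflict entries beneath this one
        info["conflict_children"] = sum(
            1 for other in report if other.lower().endswith("," + dn.lower()))
    return report

def deletion_order(report):
    """Deepest first: an LDAP delete of an entry that still has children fails."""
    return sorted(report, key=lambda d: -len(split_dn(d)))

if __name__ == "__main__":
    rep = triage_conflicts(SAMPLE_LDIF)
    for dn in deletion_order(rep):
        print(dn, rep[dn], sep="\n  ")
```

Run it against a saved dump with `triage_conflicts(open("conflicts.ldif").read())`. The two fields worth reading before any ldapdelete are `conflict_children` (a conflict container such as cn=cas+nsuniqueid=... cannot go before the cn=ipa+nsuniqueid=... entry inside it, which is why `deletion_order` sorts deepest first) and `references_to_conflicts` (in the output above the ipaservers hostgroup conflict is memberOf the ipaservers netgroup conflict and vice versa, so whichever is deleted second is left with a dangling value until then). Which copy of a conflicting pair to keep is the question the Red Hat Directory Server chapter linked in the thread answers; this script only tells you what each conflict entry is and what depends on it.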
From mbasti at redhat.com Tue Jan 3 14:07:16 2017
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 3 Jan 2017 15:07:16 +0100
Subject: [Freeipa-users] LDAP replication conflicts, but no apparent data damage
In-Reply-To: <145020D6-0409-4651-9C76-B6F31EB62753@high5games.com>
References: <145020D6-0409-4651-9C76-B6F31EB62753@high5games.com>
Message-ID: <11390f0d-5d31-21af-dea3-54f189ae2e7c@redhat.com>
Here is the directory server documentation about replication conflicts:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
I hope it will help.
Martin
On 03.01.2017 14:20, Dan.Finkelstein at high5games.com wrote:
>
> I'm using the most recent FreeIPA 4.4.0 on CentOS 7.3 and have been
> cleaning up various dangling replicas and other cruft, but when I run
> the ipa consistency checker, it produces output that LDAP has
> conflicts. I then run:
>
> ldapsearch -D "cn=Directory Manager" -W -b "dc=h5c,dc=local"
> "nsds5ReplConflict=*" \* nsds5ReplConflict
>
> Which produces output as follows (which I don't know what to do with,
> yet):
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base with scope subtree
>
> # filter: nsds5ReplConflict=*
> # requesting: * nsds5ReplConflict
> #
>
> # ipaservers + 9865b29e-c9a411e6-a937f721-75eb0f97, hostgroups, accounts, test.local
> dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local
> memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5c,dc=local
> memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,dc=test,dc=local
> member: fqdn=ipa-replica-gib02.test.local,cn=computers,cn=accounts,dc=test,dc=local
> mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
> objectClass: top
> objectClass: ipahostgroup
> objectClass: ipaobject
> objectClass: groupOfNames
> objectClass: nestedGroup
> objectClass: mepOriginEntry
> description: IPA server hosts
> cn: ipaservers
> ipaUniqueID: b13812a8-c9a4-11e6-8bb5-00505684b9a0
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h5c,dc=local
>
> # ipaservers + 9865b2a0-c9a411e6-a937f721-75eb0f97, ng, alt, test.local
> dn: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,dc=test,dc=local
> memberHost: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local
> objectClass: ipanisnetgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: ipaAssociation
> objectClass: top
> nisDomainName: test.local
> cn: ipaservers
> description: ipaNetgroup ipaservers
> mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
> ipaUniqueID: b13f8506-c9a4-11e6-8bb5-00505684b9a0
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
> # domain + 9865b2a7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
> dn: cn=domain+nsuniqueid=9865b2a7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
> ipaReplTopoConfRoot: dc=test,dc=local
> objectClass: top
> objectClass: iparepltopoconf
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> cn: domain
> nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>
> # locations + 9865b2ab-c9a411e6-a937f721-75eb0f97, etc, test.local
> dn: cn=locations+nsuniqueid=9865b2ab-c9a411e6-a937f721-75eb0f97,cn=etc,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: locations
> nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
> aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
> # cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
> dn: cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: cas
> nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
> aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";)
>
> # custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
> dn: cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: custodia
> nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
> # dogtag + 9865b2e4-c9a411e6-a937f721-75eb0f97, custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
> dn: cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: dogtag
> nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
> # ca + 9865b2e7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
> dn: cn=ca+nsuniqueid=9865b2e7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
> objectClass: top
> objectClass: iparepltopoconf
> cn: ca
> ipaReplTopoConfRoot: o=ipaca
> nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>
> # System: Add CA + 9865b2ed-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Add CA+nsuniqueid=9865b2ed-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: add
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Add CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Delete CA + 9865b2f1-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5c.local
> dn: cn=System: Delete CA+nsuniqueid=9865b2f1-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: delete
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Delete CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Modify CA + 9865b2f5-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5c.local
> dn: cn=System: Modify CA+nsuniqueid=9865b2f5-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Read CAs + 9865b2f9-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5c.local
> dn: cn=System: Read CAs+nsuniqueid=9865b2f9-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: all
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read CAs
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacaissuerdn
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: ipacasubjectdn
> ipaPermDefaultAttr: ipacaid
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Modify DNS Servers Configuration + 9865b2fe-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=9865b2fe-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify DNS Servers Configuration
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: idnssoamname
> ipaPermDefaultAttr: idnssubstitutionvariable
> ipaPermDefaultAttr: idnsforwardpolicy
> ipaPermDefaultAttr: idnsforwarders
> ipaPermLocation: dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Read DNS Servers Configuration + 9865b302-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Read DNS Servers Configuration+nsuniqueid=9865b302-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read DNS Servers Configuration
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: idnsforwardpolicy
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: idnsforwarders
> ipaPermDefaultAttr: idnsserverid
> ipaPermDefaultAttr: idnssubstitutionvariable
> ipaPermDefaultAttr: idnssoamname
> ipaPermLocation: dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Manage Host Principals + 9865b329-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Manage Host Principals+nsuniqueid=9865b329-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Principals
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: krbprincipalname
> ipaPermDefaultAttr: krbcanonicalname
> ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Add IPA Locations + 9865b33f-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Add IPA Locations+nsuniqueid=9865b33f-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
> ipaPermRight: add
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Add IPA Locations
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Modify IPA Locations + 9865b343-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Modify IPA Locations+nsuniqueid=9865b343-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify IPA Locations
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: description
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Read IPA Locations + 9865b347-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Read IPA Locations+nsuniqueid=9865b347-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read IPA Locations
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: idnsname
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Remove IPA Locations + 9865b34b-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Remove IPA Locations+nsuniqueid=9865b34b-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
> ipaPermRight: delete
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Remove IPA Locations
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Read Locations of IPA Servers + 9865b34f-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Read Locations of IPA Servers+nsuniqueid=9865b34f-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaConfigObject)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read Locations of IPA Servers
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: ipaserviceweight
> ipaPermDefaultAttr: ipalocation
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Read Status of Services on IPA Servers + 9865b353-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=9865b353-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaConfigObject)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read Status of Services on IPA Servers
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: ipaconfigstring
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: read status of services on ipa servers,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Manage Service Principals + 9865b357-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Manage Service Principals+nsuniqueid=9865b357-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaservice)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Service Principals
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: krbprincipalname
> ipaPermDefaultAttr: krbcanonicalname
> ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Manage User Principals + 9865b364-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
> dn: cn=System: Manage User Principals+nsuniqueid=9865b364-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=posixaccount)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage User Principals
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: krbprincipalname
> ipaPermDefaultAttr: krbcanonicalname
> ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permissions,cn=pbac,dc=test,dc=local
>
> # servers + 9865b37b-c9a411e6-a937f721-75eb0f97, dns, test.local
> dn: cn=servers+nsuniqueid=9865b37b-c9a411e6-a937f721-75eb0f97,cn=dns,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: servers
> nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
>
> # ipa + cba8431e-c9a411e6-a937f721-75eb0f97, cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
> dn: cn=ipa+nsuniqueid=cba8431e-c9a411e6-a937f721-75eb0f97,cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
> description: IPA CA
> ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
> objectClass: top
> objectClass: ipaca
> ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
> ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
> cn: ipa
> nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
>
> # ipaservers + 6f4721f7-c9a811e6-943e8d1c-0faa636d, hostgroups, accounts, test.local
> dn: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups,cn=accounts,dc=test,dc=local
> memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5c,dc=local
> memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
> memberOf: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,dc=test,dc=local
> member: fqdn=ipa-replica-gib01.test.local,cn=computers,cn=accounts,dc=test,dc=local
> mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
> objectClass: top
> objectClass: ipahostgroup
> objectClass: ipaobject
> objectClass: groupOfNames
> objectClass: nestedGroup
> objectClass: mepOriginEntry
> description: IPA server hosts
> cn: ipaservers
> ipaUniqueID: 863f47b6-c9a8-11e6-a9b0-00505684f6ff
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h5c,dc=local
>
> # ipaservers + 6f4721f9-c9a811e6-943e8d1c-0faa636d, ng, alt, test.local
> dn: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,dc=test,dc=local
> memberHost: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups,cn=accounts,dc=test,dc=local
> objectClass: ipanisnetgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: ipaAssociation
> objectClass: top
> nisDomainName: test.local
> cn: ipaservers
> description: ipaNetgroup ipaservers
> mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
> ipaUniqueID: 864e605c-c9a8-11e6-a9b0-00505684f6ff
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
> # domain + 6f472200-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
> dn: cn=domain+nsuniqueid=6f472200-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
> ipaReplTopoConfRoot: dc=test,dc=local
> objectClass: top
> objectClass: iparepltopoconf
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> cn: domain
> nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>
> # locations + 6f472204-c9a811e6-943e8d1c-0faa636d, etc, test.local
> dn: cn=locations+nsuniqueid=6f472204-c9a811e6-943e8d1c-0faa636d,cn=etc,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: locations
> nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
> aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
> # cas + 6f47220a-c9a811e6-943e8d1c-0faa636d, ca, test.local
> dn: cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: cas
> nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
> aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";)
>
> # custodia + 6f47223b-c9a811e6-943e8d1c-0faa636d, ipa, etc, test.local
> dn: cn=custodia+nsuniqueid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: custodia
> nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
> # dogtag + 6f47223d-c9a811e6-943e8d1c-0faa636d, custodia + 6f47223b-c9a811e6-943e8d1c-0faa636d, ipa, etc, test.local
> dn: cn=dogtag+nsuniqueid=6f47223d-c9a811e6-943e8d1c-0faa636d,cn=custodia+nsuniqueid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,dc=test,dc=local
> objectClass: nsContainer
> objectClass: top
> cn: dogtag
> nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
> # ca + 6f472240-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
> dn: cn=ca+nsuniqueid=6f472240-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
> objectClass: top
> objectClass: iparepltopoconf
> cn: ca
> ipaReplTopoConfRoot: o=ipaca
> nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>
> # System: Add CA + 6f472246-c9a811e6-943e8d1c-0faa636d, permissions, pbac, test.local
> dn: cn=System: Add CA+nsuniqueid=6f472246-c9a811e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: add
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Add CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Delete CA + 6f47224a-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h5c.local
> dn: cn=System: Delete CA+nsuniqueid=6f47224a-c9a811e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: delete
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Delete CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Modify CA + 6f47224e-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h5c.local
> dn: cn=System: Modify CA+nsuniqueid=6f47224e-c9a811e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Read CAs + 6f472252-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h5c.local
> dn: cn=System: Read CAs+nsuniqueid=6f472252-c9a811e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: all
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read CAs
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacaissuerdn
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: ipacasubjectdn
> ipaPermDefaultAttr: ipacaid
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Modify DNS Servers Configuration + 6f472257-c9a811e6-943e8d1c-0faa636d, permissions, pbac, test.local
> dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=6f472257-c9a811e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify DNS Servers Configuration
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: idnssoamname
> ipaPermDefaultAttr: idnssubstitutionvariable
> ipaPermDefaultAttr: idnsforwardpolicy
> ipaPermDefaultAttr: idnsforwarders
> ipaPermLocation: dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Read DNS Servers Configuration + 6f47225b-c9a811e6-943e8d1c-0faa636d, permissions, pbac, test.local
> dn: cn=System: Read DNS Servers Configuration+nsuniqueid=6f47225b-c9a811e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read DNS Servers Configuration
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
> ipaPermDefaultAttr: idnsforwardpolicy
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: idnsforwarders
> ipaPermDefaultAttr: idnsserverid
> ipaPermDefaultAttr: idnssubstitutionvariable
> ipaPermDefaultAttr: idnssoamname
> ipaPermLocation: dc=test,dc=local
> nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Manage Host Principals + 6f472282-c9a811e6-943e8d1c-0faa636d, permissions, pbac, test.local
> dn: cn=System: Manage Host Principals+nsuniqueid=6f472282-c9a811e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
> ipaPermTargetFilter: (objectclass=ipahost)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Manage Host Principals
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
>
> member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermDefaultAttr: krbprincipalname
>
> ipaPermDefaultAttr: krbcanonicalname
>
> ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: manage host
> principals,cn=permiss
>
> ions,cn=pbac,dc=test,dc=local
>
> # System: Add IPA Locations + 6f472298-c9a811e6-943e8d1c-0faa636d,
> permissions,
>
> pbac, test.local
>
> dn: cn=System: Add IPA
> Locations+nsuniqueid=6f472298-c9a811e6-943e8d1c-0faa636
>
> d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
> ipaPermRight: add
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Add IPA Locations
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: add ipa
> locations,cn=permissions,
>
> cn=pbac,dc=test,dc=local
>
> # System: Modify IPA Locations + 6f47229c-c9a811e6-943e8d1c-0faa636d,
> permissio
>
> ns, pbac, test.local
>
> dn: cn=System: Modify IPA
> Locations+nsuniqueid=6f47229c-c9a811e6-943e8d1c-0faa
>
> 636d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
> ipaPermRight: write
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Modify IPA Locations
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermDefaultAttr: description
>
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: modify ipa
> locations,cn=permissio
>
> ns,cn=pbac,dc=test,dc=local
>
> # System: Read IPA Locations + 6f4722a0-c9a811e6-943e8d1c-0faa636d,
> permissions
>
> , pbac, test.local
>
> dn: cn=System: Read IPA
> Locations+nsuniqueid=6f4722a0-c9a811e6-943e8d1c-0faa63
>
> 6d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
> ipaPermRight: read
>
> ipaPermRight: compare
>
> ipaPermRight: search
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Read IPA Locations
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermDefaultAttr: objectclass
>
> ipaPermDefaultAttr: description
>
> ipaPermDefaultAttr: idnsname
>
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: read ipa
> locations,cn=permissions
>
> ,cn=pbac,dc=test,dc=local
>
> # System: Remove IPA Locations + 6f4722a4-c9a811e6-943e8d1c-0faa636d,
> permissio
>
> ns, pbac, test.local
>
> dn: cn=System: Remove IPA
> Locations+nsuniqueid=6f4722a4-c9a811e6-943e8d1c-0faa
>
> 636d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
> ipaPermRight: delete
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Remove IPA Locations
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: remove ipa
> locations,cn=permissio
>
> ns,cn=pbac,dc=test,dc=local
>
> # System: Read Locations of IPA Servers +
> 6f4722a8-c9a811e6-943e8d1c-0faa636d,
>
> permissions, pbac, test.local
>
> dn: cn=System: Read Locations of IPA
> Servers+nsuniqueid=6f4722a8-c9a811e6-943e
>
> 8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
> ipaPermRight: read
>
> ipaPermRight: compare
>
> ipaPermRight: search
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Read Locations of IPA Servers
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermDefaultAttr: objectclass
>
> ipaPermDefaultAttr: ipaserviceweight
>
> ipaPermDefaultAttr: ipalocation
>
> ipaPermDefaultAttr: cn
>
> ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: read locations of ipa
> servers,cn=
>
> permissions,cn=pbac,dc=test,dc=local
>
> # System: Read Status of Services on IPA Servers +
> 6f4722ac-c9a811e6-943e8d1c-0
>
> faa636d, permissions, pbac, test.local
>
> dn: cn=System: Read Status of Services on IPA
> Servers+nsuniqueid=6f4722ac-c9a8
>
> 11e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
> ipaPermRight: read
>
> ipaPermRight: compare
>
> ipaPermRight: search
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Read Status of Services on IPA Servers
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermDefaultAttr: objectclass
>
> ipaPermDefaultAttr: ipaconfigstring
>
> ipaPermDefaultAttr: cn
>
> ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: read status of services
> on ipa se
>
> rvers,cn=permissions,cn=pbac,dc=test,dc=local
>
> # System: Manage Service Principals +
> 6f4722b0-c9a811e6-943e8d1c-0faa636d, perm
>
> issions, pbac, test.local
>
> dn: cn=System: Manage Service
> Principals+nsuniqueid=6f4722b0-c9a811e6-943e8d1c
>
> -0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=ipaservice)
>
> ipaPermRight: write
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Manage Service Principals
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> ipaPermDefaultAttr: krbprincipalname
>
> ipaPermDefaultAttr: krbcanonicalname
>
> ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: manage service
> principals,cn=perm
>
> issions,cn=pbac,dc=test,dc=local
>
> # System: Manage User Principals +
> 6f4722bd-c9a811e6-943e8d1c-0faa636d, permiss
>
> ions, pbac, test.local
>
> dn: cn=System: Manage User
> Principals+nsuniqueid=6f4722bd-c9a811e6-943e8d1c-0f
>
> aa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
> ipaPermTargetFilter: (objectclass=posixaccount)
>
> ipaPermRight: write
>
> ipaPermBindRuleType: permission
>
> ipaPermissionType: V2
>
> ipaPermissionType: MANAGED
>
> ipaPermissionType: SYSTEM
>
> cn: System: Manage User Principals
>
> objectClass: ipapermission
>
> objectClass: top
>
> objectClass: groupofnames
>
> objectClass: ipapermissionv2
>
> member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
> member: cn=Modify Users and Reset
> passwords,cn=privileges,cn=pbac,dc=test,dc=lo
>
> cal
>
> ipaPermDefaultAttr: krbprincipalname
>
> ipaPermDefaultAttr: krbcanonicalname
>
> ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
>
> nsds5ReplConflict: namingConflict cn=system: manage user
> principals,cn=permiss
>
> ions,cn=pbac,dc=test,dc=local
>
> # servers + 6f4722d4-c9a811e6-943e8d1c-0faa636d, dns, test.local
>
> dn:
> cn=servers+nsuniqueid=6f4722d4-c9a811e6-943e8d1c-0faa636d,cn=dns,dc=test,dc
>
> =local
>
> objectClass: nsContainer
>
> objectClass: top
>
> cn: servers
>
> nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
>
> # ipa + 90a80ea3-c9a811e6-943e8d1c-0faa636d, cas +
> 6f47220a-c9a811e6-943e8d1c-0
>
> faa636d, ca, test.local
>
> dn:
> cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
>
> 47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
>
> description: IPA CA
>
> ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
>
> objectClass: top
>
> objectClass: ipaca
>
> ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
>
> ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
>
> cn: ipa
>
> nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
>
> # search result
>
> search: 2
>
> result: 0 Success
>
> # numResponses: 51
>
> # numEntries: 50
>
> Daniel Alex Finkelstein | Lead Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> Play High 5 Casino and Shake the Sky
> Follow us on: Facebook, Twitter, YouTube, Linkedin
>
> This message and any attachments may contain confidential or
> privileged information and are only for the use of the intended
> recipient of this message. If you are not the intended recipient,
> please notify the sender by return email, and delete or destroy this
> and all copies of this message and all attachments. Any unauthorized
> disclosure, use, distribution, or reproduction of this message or any
> attachments is prohibited and may be unlawful.
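The thread asks how one of the conflicts in the ldapsearch output quoted above is actually fixed. As an added example (not code from the thread, from FreeIPA or from the Red Hat documentation it links), the following Python parses ldapsearch LDIF of that shape, picks out the entries whose RDN carries a `+nsuniqueid=` component together with an `nsds5ReplConflict` value, records the DN of the entry that won each naming conflict so an admin can confirm it still exists, and emits the ldapmodify LDIF that removes the conflict copies. That is the "keep the original, delete the conflict entry" option; the documentation's alternative of renaming the conflict entry to keep it instead is not implemented here. The two sample entries are taken from the quoted output; the 78-column folding is how ldapsearch prints them.

```python
import re

# Constructed sample in the shape of the ldapsearch output quoted in the thread:
# two of its conflict entries, with the 78-column line folding ldapsearch emits.
SAMPLE_LDIF = """\
# extended LDIF
#
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
dn: cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
 47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
objectClass: top
objectClass: ipaca
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local

dn: cn=servers+nsuniqueid=6f4722d4-c9a811e6-943e8d1c-0faa636d,cn=dns,dc=test,dc
 =local
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local

# search result
search: 2
result: 0 Success
"""

# A conflict entry's RDN is the original RDN plus an nsuniqueid component.
CONFLICT_RDN = re.compile(r"^[^+]+\+nsuniqueid=[0-9a-f-]+,", re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF into a list of (dn, attrs) tuples; attrs maps a lower-cased
    attribute name (LDAP compares them case-insensitively) to its list of
    values. Continuation lines (leading space) are unfolded first and '#'
    comment lines are skipped."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def conflict_entries(entries):
    """Only the replication conflict entries: nsds5ReplConflict is present and
    the RDN carries the +nsuniqueid= component."""
    return [(dn, attrs) for dn, attrs in entries
            if "nsds5replconflict" in attrs and CONFLICT_RDN.match(dn)]


def winning_dn(attrs):
    """DN of the entry that won the naming conflict, as recorded in the
    nsds5ReplConflict value 'namingConflict <dn>'."""
    kind, _, dn = attrs["nsds5replconflict"][0].partition(" ")
    if kind != "namingConflict":
        raise ValueError("unsupported conflict type: " + kind)
    return dn


def delete_plan(entries):
    """Return (winners, ldif). winners are the DNs that must still exist (verify
    them with ldapsearch before deleting anything); ldif is ldapmodify input
    that removes the conflict copies, deepest entries first, because a non-leaf
    entry cannot be deleted while children exist (comma count approximates
    depth; escaped commas in DNs are not handled)."""
    conflicts = sorted(conflict_entries(entries), key=lambda e: -e[0].count(","))
    winners = [winning_dn(attrs) for _, attrs in conflicts]
    ldif = "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn, _ in conflicts)
    return winners, ldif


if __name__ == "__main__":
    winners, ldif = delete_plan(parse_ldif(SAMPLE_LDIF))
    print("# confirm these entries exist before applying the LDIF below:")
    for dn in winners:
        print("#   " + dn)
    print(ldif)
```

To run it against a live server, replace `SAMPLE_LDIF` with `sys.stdin.read()` and pipe the same `ldapsearch ... "nsds5ReplConflict=*" \* nsds5ReplConflict` query into the script; review the printed winners, then apply the LDIF with `ldapmodify -D "cn=Directory Manager" -W -f plan.ldif` on one replica and let replication carry the deletions to the others.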
From jan.karasek at elostech.cz Tue Jan 3 14:39:19 2017
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Tue, 3 Jan 2017 15:39:19 +0100 (CET)
Subject: [Freeipa-users] Unable to resolve AD users from IPA clients
Message-ID: <778879914.4889.1483454359268.JavaMail.zimbra@elostech.cz>
Hi,
I have trouble with resolving AD users from my IPA clients.
Environment: 2x IPA server with trust into AD - both IPA servers and clients running latest rhel 7.3.
IPA domain: vs.example.com
AD domain: example.com, cen.example.com
All tstxxxxx users are in cen.example.com but their UPN is set to tstxxxxx at example.com
I can run id and getent passwd commands without problem from both IPA servers:
id tst99655 at example.com
uid=20018(tst99655 at cen.example.com) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)
getent tst99655 at example.com
tst99655 at cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
But from client:
root at trh7clnt02:~# id tst99655 at example.com
id: tst99655 at example.com: no such user
root at trh7clnt02:~#getent passwd tst99655 at example.com
... no reply
But when I run on client:
getent group csunix at cen.example.com - it takes more than 30s
csunix at cen.example.com:*:5001: .... and really long list of users
Then again from client:
root at trh7clnt02:~# id tst99655 at example.com
uid=20018(tst99655 at cen.example.com) gid=5001(csunix) groups=5001(csunix)
root at trh7clnt02:~# getent passwd tst99655 at example.com
tst99655 at cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
This time it works and it keeps working until I clean the sssd cache on client. Then I have to run that getent group csunix command again.
I would say it is some timeout issue with enumerating csunix group. I have tried to fix it by adding:
ldap_search_timeout = 50
into sssd.conf on both server and client(sssd restarted), but without effect.
Here is my sssd.conf from client:
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = trh7clnt02.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_timeout = 50
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
homedir_substring = /home
debug_level = 7
[pam]
debug_level = 7
[sudo]
[autofs]
[ssh]
[pac]
debug_level = 7
[ifp]
IPA server sssd.conf:
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = tidmipa01.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_id_mapping = False
ldap_search_timeout = 20
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
memcache_timeout = 600
debug_level = 7
homedir_substring = /home
[pam]
debug_level = 7
[sudo]
debug_level = 7
[autofs]
debug_level = 7
[ssh]
debug_level = 7
[pac]
debug_level = 7
[ifp]
debug_level = 7
Any suggestion how to fix that? I can add logs from both successful and unsuccessful tries but they are quite long.
Thank you.
Jan
From md at collective-sense.com Tue Jan 3 15:14:15 2017
From: md at collective-sense.com (Maciej Drobniuch)
Date: Tue, 3 Jan 2017 16:14:15 +0100
Subject: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN
In-Reply-To:
References:
Message-ID:
Hello Mike,
I don't know if I'm aligned with your problem, but generally I was facing a
SAN cert issue too.
Not sure if you're terminating SSL/TLS on the load balancer or not?
Usually I do SAN certs in IPA via GUI/IdM.
I am adding a service and hosts assigned to that service.
Every host has an additional https service.
Then I am simply pasting the SAN csr into the host that owns the main
service and this creates a signed SAN cert that you can upload later to
your LB.
In simple words, the service is assigned to all hosts, but those hosts also
have a service added (this is a hack).
Hope that makes sense and helps solve your problem.
BR
On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:
> I am trying to get FreeIPA LDAP to work when behind a load balancer and
> using SSL and I do not understand how I am supposed to get the server to
> use a certificate I created that has a SAN created.
>
> FreeIPA 4.4.0 on CentOS 7
>
> Here is what I have:
> ipa-master.dev.crosschx.com - master
> ipa-replica.dev.crosschx.com - replica
> ipa.dev.crosschx.com - load balancer DNS name which point to the master
> and replica servers
>
> Here is what I have done.
> ipa host-add ipa.dev.crosschx.com --random --force
>
> ipa service-add --force ldap/ipa.dev.crosschx.com
>
> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={ipa-master.dev.
> crosschx.com,ipa-replica.dev.crosschx.com}
>
> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com --users=admin
>
> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=
> ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com
> -K ldap/ipa-master.dev.crosschx.com
>
>
> I can see the certificate is being monitored by IPA when I run ipa-getcert
> list but I am lost at the step to have this cert put into the database so
> that IPA will properly respond when I try to connect over LDAPS.
>
> I was testing the connection with the following command and I see the the
> ipa-master.dev cert being served.
>
> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername
> ipa.dev.crosschx.com
>
> Can you point me to the documentation I need to follow?
>
> Thank you.
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614-741-5475 <(614)%20741-5475>
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
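Whatever route puts the SAN certificate into the directory server, the check that matters is the one in the quoted `openssl s_client -servername` test: does the certificate presented for the shared name actually cover that name? As an added example (not code from the thread or from FreeIPA), the following Python implements that check with the standard library. The two certificate dicts are constructed in the shape `ssl.getpeercert()` returns; the first mirrors the symptom described (only the master's own name is presented), the second is what the load-balancer name needs. `served_cert()` fetches a live server's certificate with SNI set, verifying the chain against `/etc/ipa/ca.crt` but leaving the name check to `hostname_matches()` so the certificate is returned even when the name is wrong.

```python
import socket
import ssl

# Constructed peer-certificate dicts in the shape ssl.getpeercert() returns
# (the real certificates are not on the page). The first mirrors the symptom
# in the thread: the server presents its own name only, so a client that
# connected to ipa.dev.crosschx.com must reject it.
CERT_MASTER_ONLY = {
    "subject": ((("commonName", "ipa-master.dev.crosschx.com"),),),
    "subjectAltName": (("DNS", "ipa-master.dev.crosschx.com"),),
}
# The certificate the shared name needs: the SAN lists both names.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ipa-master.dev.crosschx.com"),),),
    "subjectAltName": (("DNS", "ipa-master.dev.crosschx.com"),
                       ("DNS", "ipa.dev.crosschx.com")),
}


def cert_dns_names(cert):
    """Names the certificate is valid for: every dNSName in the SAN, or, only
    when the certificate has no SAN at all, the subject commonName (RFC 6125)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost
    label ('*.dev.crosschx.com' matches exactly one label, never two or zero)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when a client connecting to `hostname` would accept this certificate."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def served_cert(host, port=636, servername=None, cafile="/etc/ipa/ca.crt"):
    """Fetch the certificate a server presents when asked for `servername`
    via SNI. The chain is verified against the IPA CA; the name check is left
    to hostname_matches() so the certificate comes back even when the name is
    wrong. Network call, so the test does not exercise it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    lb_name = "ipa.dev.crosschx.com"
    for label, cert in (("master-only", CERT_MASTER_ONLY), ("with-SAN", CERT_WITH_SAN)):
        print(label, "covers", lb_name, "->", hostname_matches(cert, lb_name))
    # Live check against the master (uncomment on a host enrolled in the realm):
    # print(hostname_matches(served_cert("ipa-master.dev.crosschx.com",
    #                                    servername=lb_name), lb_name))
```

Run the live check once per server behind the shared name; with DNS round-robin every address must present a certificate that covers `ipa.dev.crosschx.com`, or clients will fail intermittently depending on which address they resolve.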
From michael.plemmons at crosschx.com Tue Jan 3 15:26:29 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Tue, 3 Jan 2017 10:26:29 -0500
Subject: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN
In-Reply-To:
References:
Message-ID:
Maciej,
Thank you for the information. I am not terminating at a load balancer.
Originally, I was trying to use a Route53 DNS CNAME entry of
ipa.dev.crosschx.com but we found documentation that says the entry should
be an A record and not a CNAME. I then created an A record in FreeIPA for
ipa.dev.crosschx.com and pointed the A record to the IP addresses of
ipa-master.dev.crosschx.com and ipa-replica.dev.crosschx.com.
I guess using the phrase load balancer may be a poor choice here as I am
using FreeIPA DNS as a way to load balance the traffic.
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614-741-5475
mike.plemmons at crosschx.com
www.crosschx.com
On Tue, Jan 3, 2017 at 10:14 AM, Maciej Drobniuch
wrote:
> Hello Mike,
>
> I don't know if I'm aligned with your problem, but generally I was facing
> a SAN cert issue too.
>
> Not sure if you're terminating SSL/TLS on the load balancer or not?
>
> Usually I do SAN certs in IPA via GUI/IdM.
> I am adding a service and hosts assigned to that service.
>
> Every host has an additional https service.
>
> Then I am simply pasting the SAN csr into the host that owns the main
> service and this creates a signed SAN cert that you can upload later to
> your LB.
>
> In simple words the service is assigned to all hosts but those hosts have
> also a service added(this is a hack).
>
> Hope that makes sense and helps solving your problem.
>
> BR
>
> On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <
> michael.plemmons at crosschx.com> wrote:
>
>> I am trying to get FreeIPA LDAP to work when behind a load balancer and
>> using SSL and I do not understand how I am supposed to get the server to
>> use a certificate I created that has a SAN created.
>>
>> FreeIPA 4.4.0 on CentOS 7
>>
>> Here is what I have:
>> ipa-master.dev.crosschx.com - master
>> ipa-replica.dev.crosschx.com - replica
>> ipa.dev.crosschx.com - load balancer DNS name which point to the master
>> and replica servers
>>
>> Here is what I have done.
>> ipa host-add ipa.dev.crosschx.com --random --force
>>
>> ipa service-add --force ldap/ipa.dev.crosschx.com
>>
>> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={
>> ipa-master.dev.crosschx.com,ipa-replica.dev.crosschx.com}
>>
>> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com --users=admin
>>
>> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=
>> ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com
>> -K ldap/ipa-master.dev.crosschx.com
>>
>>
>> I can see the certificate is being monitored by IPA when I run
>> ipa-getcert list but I am lost at the step to have this cert put into the
>> database so that IPA will properly respond when I try to connect over LDAPS.
>>
>> I was testing the connection with the following command and I see the the
>> ipa-master.dev cert being served.
>>
>> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername
>> ipa.dev.crosschx.com
>>
>> Can you point me to the documentation I need to follow?
>>
>> Thank you.
>>
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> 614-741-5475 <(614)%20741-5475>
>> mike.plemmons at crosschx.com
>> www.crosschx.com
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
>
> --
> Best regards
>
> Maciej Drobniuch
> Network Security Engineer
> Collective-Sense,LLC
>
From md at collective-sense.com Tue Jan 3 15:28:50 2017
From: md at collective-sense.com (Maciej Drobniuch)
Date: Tue, 3 Jan 2017 16:28:50 +0100
Subject: [Freeipa-users] 2FA and AllowNTHash
Message-ID:
Hi All,
We have a topo with 3x IPA servers + freeradius.
Freeradius is being used to do mschap with wifi APs. Freeradius connects
over ldap to IPA.
In order to do the challenge-response thing, freeipa has AllowNTHash
enabled.
So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth.
The moment I disallow password auth for a user and enable OTP, the wifi
auth stops working, but the hash clearly stays in ldap.
The goal is to stay with password on freeradius but for everything else:
kerberos/sssd related use password+code.
How can I disable password login for a user but still make freeradius work
with ldap, so that when it asks for the user's hash it gets one?
Freeradius ldap mod snippet:
base_dn = "cn=users,cn=accounts,dc=cs,dc=com"
Thank You
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
From Michael.Sean.Conley at raytheon.com Tue Jan 3 15:28:25 2017
From: Michael.Sean.Conley at raytheon.com (Sean Conley)
Date: Tue, 3 Jan 2017 15:28:25 +0000
Subject: [Freeipa-users] FIPS 140-2 Compliance
Message-ID: <1a98c67f52f449ff833740851bdadac3@DM2PR0601MB028.008f.mgd2.msft.net>
Good Morning!
Happy New Year to you, and any news on getting to FIPS Compliance?
Michael Sean Conley
Principal Systems Engineer
From md at collective-sense.com Tue Jan 3 15:38:15 2017
From: md at collective-sense.com (Maciej Drobniuch)
Date: Tue, 3 Jan 2017 16:38:15 +0100
Subject: [Freeipa-users] LDAP - Load Balancer - SSL cert with SAN
In-Reply-To:
References:
Message-ID:
I see.
Generally the SAN thing I mentioned does the job but definitely not in your
case.
An IPA power user is needed here.
On Tue, Jan 3, 2017 at 4:26 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:
> Maciej,
> Thank you for the information. I am not terminating at a load
> balancer. Originally, I was trying to use a Route53 DNS CNAME entry of
> ipa.dev.crosschx.com but we found documentation that says the entry
> should be an A record and not a CNAME. I then created an A record in
> FreeIPA for ipa.dev.crosschx.com and pointed the A record to the IP
> addresses of ipa-master.dev.crosschx.com and ipa-replica.dev.crosschx.com.
>
> I guess using the phrase load balancer may be a poor choice here as I am
> using FreeIPA DNS as a way to load balance the traffic.
>
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614-741-5475 <(614)%20741-5475>
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Tue, Jan 3, 2017 at 10:14 AM, Maciej Drobniuch > wrote:
>
>> Hello Mike,
>>
>> I don't know if I'm aligned with your problem, but generally I was facing
>> a SAN cert issue too.
>>
>> Not sure if you're terminating SSL/TLS on the load balancer or not?
>>
>> Usually I do SAN certs in IPA via GUI/IdM.
>> I am adding a service and hosts assigned to that service.
>>
>> Every host has an additional https service.
>>
>> Then I am simply pasting the SAN csr into the host that owns the main
>> service and this creates a signed SAN cert that you can upload later to
>> your LB.
>>
>> In simple words the service is assigned to all hosts but those hosts have
>> also a service added(this is a hack).
>>
>> Hope that makes sense and helps solving your problem.
>>
>> BR
>>
>> On Thu, Dec 29, 2016 at 10:48 PM, Michael Plemmons <
>> michael.plemmons at crosschx.com> wrote:
>>
>>> I am trying to get FreeIPA LDAP to work when behind a load balancer and
>>> using SSL and I do not understand how I am supposed to get the server to
>>> use a certificate I created that has a SAN created.
>>>
>>> FreeIPA 4.4.0 on CentOS 7
>>>
>>> Here is what I have:
>>> ipa-master.dev.crosschx.com - master
>>> ipa-replica.dev.crosschx.com - replica
>>> ipa.dev.crosschx.com - load balancer DNS name which point to the master
>>> and replica servers
>>>
>>> Here is what I have done.
>>> ipa host-add ipa.dev.crosschx.com --random --force
>>>
>>> ipa service-add --force ldap/ipa.dev.crosschx.com
>>>
>>> ipa service-add-host ldap/ipa.dev.crosschx.com --hosts={
>>> ipa-master.dev.crosschx.com,ipa-replica.dev.crosschx.com}
>>>
>>> ipa service-allow-retrieve-keytab ldap/ipa.dev.crosschx.com
>>> --users=admin
>>>
>>> ipa-getcert request -d /etc/crosschx -n ipa-load-balancer -N "CN=
>>> ipa-master.dev.crosschx.com,O=DEV.CROSSCHX.COM" -D ipa.dev.crosschx.com
>>> -K ldap/ipa-master.dev.crosschx.com
>>>
>>>
>>> I can see the certificate is being monitored by IPA when I run
>>> ipa-getcert list but I am lost at the step to have this cert put into the
>>> database so that IPA will properly respond when I try to connect over LDAPS.
>>>
>>> I was testing the connection with the following command and I see the
>>> the ipa-master.dev cert being served.
>>>
>>> openssl s_client -connect ipa-master.dev.crosschx.com:636 -servername
>>> ipa.dev.crosschx.com
>>>
>>> Can you point me to the documentation I need to follow?
>>>
>>> Thank you.
>>>
>>>
>>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>>> 614-741-5475 <(614)%20741-5475>
>>> mike.plemmons at crosschx.com
>>> www.crosschx.com
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>>
>> --
>> Best regards
>>
>> Maciej Drobniuch
>> Network Security Engineer
>> Collective-Sense,LLC
>>
>
>
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
From Grant.Janssen at efilm.com Tue Jan 3 15:22:33 2017
From: Grant.Janssen at efilm.com (Grant Janssen)
Date: Tue, 3 Jan 2017 15:22:33 +0000
Subject: [Freeipa-users] os-x sierra + FreeIPA
Message-ID: <14A23044-6ECD-4FBF-85E1-97EECB40368F@efilm.com>
I am experiencing difficulty dragging this over the finish line. I have many CentOS hosts authenticating to IPA, but have hit the wall on OS-X.
I consider myself pretty strong on os-x, and have run OpenDirectory (though that was ten years ago). My issue appears to be the LDAP mapping between OD and IPA.
System Integrity Protection is disabled. Users can pull tickets fine; this snag is in login/createhomedir.
I initially posted this on the bug list, and was redirected here.
You will find the details of this issue easiest to digest on the bug list (wiki markup is better than what this mailing list would retain).
Please take a glance and let me know what you think.
Thank You for your attention.
- grant
This e-mail and any attachments are intended only for use by the addressee(s) named herein and may contain confidential information. If you are not the intended recipient of this e-mail, you are hereby notified any dissemination, distribution or copying of this email and any attachments is strictly prohibited. If you receive this email in error, please immediately notify the sender by return email and permanently delete the original, any copy and any printout thereof. The integrity and security of e-mail cannot be guaranteed.
From pvoborni at redhat.com Tue Jan 3 15:52:16 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 3 Jan 2017 16:52:16 +0100
Subject: [Freeipa-users] FIPS 140-2 Compliance
In-Reply-To: <1a98c67f52f449ff833740851bdadac3@DM2PR0601MB028.008f.mgd2.msft.net>
References: <1a98c67f52f449ff833740851bdadac3@DM2PR0601MB028.008f.mgd2.msft.net>
Message-ID:
On 01/03/2017 04:28 PM, Sean Conley wrote:
> Good Morning!
>
> Happy New Year to you, and any news on getting to FIPS Compliance?
>
> Michael Sean Conley
> Principal Systems Engineer
Hello Sean,
It's being actively developed and support of it will most likely be part
of FreeIPA 4.5.
--
Petr Vobornik
From Dan.Finkelstein at high5games.com Tue Jan 3 16:08:03 2017
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 3 Jan 2017 16:08:03 +0000
Subject: [Freeipa-users] LDAP replication conflicts, but no apparent data damage
In-Reply-To: <11390f0d-5d31-21af-dea3-54f189ae2e7c@redhat.com>
References: <145020D6-0409-4651-9C76-B6F31EB62753@high5games.com> <11390f0d-5d31-21af-dea3-54f189ae2e7c@redhat.com>
Message-ID:
I've read through that page before, just last week, but I confess it's gone over my head. Could you give me an example of how to fix one of the conflicts below? I think when I see how it's done, I can do the rest.
Thanks,
Dan
Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
From: Martin Basti
Date: Tuesday, January 3, 2017 at 09:07
To: Dan Finkelstein , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] LDAP replication conflicts, but no apparent data damage
Here is the Directory Server documentation about replication conflicts: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
I hope it will help
Martin
On 03.01.2017 14:20, Dan.Finkelstein at high5games.com wrote:
I'm using the most recent FreeIPA 4.4.0 on CentOS 7.3 and have been cleaning up various dangling replicas and other cruft, but when I run the ipa consistency checker, it produces output saying that LDAP has conflicts. I then run:
ldapsearch -D "cn=Directory Manager" -W -b "dc=h5c,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
Which produces output as follows (which I don't know what to do with, yet):
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# ipaservers + 9865b29e-c9a411e6-a937f721-75eb0f97, hostgroups, accounts, test.l
ocal
dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups
,cn=accounts,dc=test,dc=local
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5
c,dc=local
memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=
test,dc=local
memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc
=local
memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
l
memberOf: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,c
n=alt,dc=test,dc=local
member: fqdn=ipa-replica-gib02.test.local,cn=computers,cn=accounts,dc=test,dc=lo
cal
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: b13812a8-c9a4-11e6-8bb5-00505684b9a0
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
5c,dc=local
# ipaservers + 9865b2a0-c9a411e6-a937f721-75eb0f97, ng, alt, test.local
dn: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,
dc=test,dc=local
memberHost: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=ho
stgroups,cn=accounts,dc=test,dc=local
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: test.local
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
ipaUniqueID: b13f8506-c9a4-11e6-8bb5-00505684b9a0
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
# domain + 9865b2a7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
dn: cn=domain+nsuniqueid=9865b2a7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ip
a,cn=etc,dc=test,dc=local
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
ipaReplTopoConfRoot: dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
c=local
# locations + 9865b2ab-c9a411e6-a937f721-75eb0f97, etc, test.local
dn: cn=locations+nsuniqueid=9865b2ab-c9a411e6-a937f721-75eb0f97,cn=etc,dc=test,
dc=local
objectClass: nsContainer
objectClass: top
cn: locations
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Ad
d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write)
groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc
=test,dc=local";)
aci: (targetattr = "createtimestamp || description || entryusn || idnsname ||
modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,
read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,
cn=pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=Syst
em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
# cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
dn: cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=loca
l
objectClass: nsContainer
objectClass: top
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=
pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permis
sions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(
version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:
///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacai
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targ
etfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CA
s";allow (compare,read,search) userdn = "ldap:///all";)
# custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
dn: cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,d
c=test,dc=local
objectClass: nsContainer
objectClass: top
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
# dogtag + 9865b2e4-c9a411e6-a937f721-75eb0f97, custodia + 9865b2e2-c9a411e6-a9
37f721-75eb0f97, ipa, etc, test.local
dn: cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuni
queid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
objectClass: top
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
c=local
# ca + 9865b2e7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
dn: cn=ca+nsuniqueid=9865b2e7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn
=etc,dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
cn: ca
ipaReplTopoConfRoot: o=ipaca
nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
cal
# System: Add CA + 9865b2ed-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.
local
dn: cn=System: Add CA+nsuniqueid=9865b2ed-c9a411e6-a937f721-75eb0f97,cn=permis
sions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
test,dc=local
# System: Delete CA + 9865b2f1-c9a411e6-a937f721-75eb0f97, permissions, pbac, h
5c.local
dn: cn=System: Delete CA+nsuniqueid=9865b2f1-c9a411e6-a937f721-75eb0f97,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Modify CA + 9865b2f5-c9a411e6-a937f721-75eb0f97, permissions, pbac, h
5c.local
dn: cn=System: Modify CA+nsuniqueid=9865b2f5-c9a411e6-a937f721-75eb0f97,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Read CAs + 9865b2f9-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5
c.local
dn: cn=System: Read CAs+nsuniqueid=9865b2f9-c9a411e6-a937f721-75eb0f97,cn=perm
issions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
c=test,dc=local
# System: Modify DNS Servers Configuration + 9865b2fe-c9a411e6-a937f721-75eb0f9
7, permissions, pbac, test.local
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=9865b2fe-c9a411e6-a
937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnssoamname
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: idnsforwarders
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
cn=permissions,cn=pbac,dc=test,dc=local
# System: Read DNS Servers Configuration + 9865b302-c9a411e6-a937f721-75eb0f97,
permissions, pbac, test.local
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=9865b302-c9a411e6-a93
7f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
=permissions,cn=pbac,dc=test,dc=local
# System: Manage Host Principals + 9865b329-c9a411e6-a937f721-75eb0f97, permiss
ions, pbac, test.local
dn: cn=System: Manage Host Principals+nsuniqueid=9865b329-c9a411e6-a937f721-75
eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# System: Add IPA Locations + 9865b33f-c9a411e6-a937f721-75eb0f97, permissions,
pbac, test.local
dn: cn=System: Add IPA Locations+nsuniqueid=9865b33f-c9a411e6-a937f721-75eb0f9
7,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
cn=pbac,dc=test,dc=local
# System: Modify IPA Locations + 9865b343-c9a411e6-a937f721-75eb0f97, permissio
ns, pbac, test.local
dn: cn=System: Modify IPA Locations+nsuniqueid=9865b343-c9a411e6-a937f721-75eb
0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read IPA Locations + 9865b347-c9a411e6-a937f721-75eb0f97, permissions
, pbac, test.local
dn: cn=System: Read IPA Locations+nsuniqueid=9865b347-c9a411e6-a937f721-75eb0f
97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: description
ipaPermDefaultAttr: idnsname
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
,cn=pbac,dc=test,dc=local
# System: Remove IPA Locations + 9865b34b-c9a411e6-a937f721-75eb0f97, permissio
ns, pbac, test.local
dn: cn=System: Remove IPA Locations+nsuniqueid=9865b34b-c9a411e6-a937f721-75eb
0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Remove IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read Locations of IPA Servers + 9865b34f-c9a411e6-a937f721-75eb0f97,
permissions, pbac, test.local
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=9865b34f-c9a411e6-a937
f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Locations of IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaserviceweight
ipaPermDefaultAttr: ipalocation
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
permissions,cn=pbac,dc=test,dc=local
# System: Read Status of Services on IPA Servers + 9865b353-c9a411e6-a937f721-7
5eb0f97, permissions, pbac, test.local
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=9865b353-c9a4
11e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Status of Services on IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaconfigstring
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
rvers,cn=permissions,cn=pbac,dc=test,dc=local
# System: Manage Service Principals + 9865b357-c9a411e6-a937f721-75eb0f97, perm
issions, pbac, test.local
dn: cn=System: Manage Service Principals+nsuniqueid=9865b357-c9a411e6-a937f721
-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Service Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
issions,cn=pbac,dc=test,dc=local
# System: Manage User Principals + 9865b364-c9a411e6-a937f721-75eb0f97, permiss
ions, pbac, test.local
dn: cn=System: Manage User Principals+nsuniqueid=9865b364-c9a411e6-a937f721-75
eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage User Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=lo
cal
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# servers + 9865b37b-c9a411e6-a937f721-75eb0f97, dns, test.local
dn: cn=servers+nsuniqueid=9865b37b-c9a411e6-a937f721-75eb0f97,cn=dns,dc=test,dc
=local
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
# ipa + cba8431e-c9a411e6-a937f721-75eb0f97, cas + 9865b2b1-c9a411e6-a937f721-7
5eb0f97, ca, test.local
dn: cn=ipa+nsuniqueid=cba8431e-c9a411e6-a937f721-75eb0f97,cn=cas+nsuniqueid=98
65b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
# ipaservers + 6f4721f7-c9a811e6-943e8d1c-0faa636d, hostgroups, accounts, test.l
ocal
dn: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups
,cn=accounts,dc=test,dc=local
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5
c,dc=local
memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=
test,dc=local
memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc
=local
memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
l
memberOf: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,c
n=alt,dc=test,dc=local
member: fqdn=ipa-replica-gib01.test.local,cn=computers,cn=accounts,dc=test,dc=lo
cal
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: 863f47b6-c9a8-11e6-a9b0-00505684f6ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
5c,dc=local
# ipaservers + 6f4721f9-c9a811e6-943e8d1c-0faa636d, ng, alt, test.local
dn: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,
dc=test,dc=local
memberHost: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=ho
stgroups,cn=accounts,dc=test,dc=local
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: test.local
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
ipaUniqueID: 864e605c-c9a8-11e6-a9b0-00505684f6ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
# domain + 6f472200-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
dn: cn=domain+nsuniqueid=6f472200-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ip
a,cn=etc,dc=test,dc=local
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
ipaReplTopoConfRoot: dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
c=local
# locations + 6f472204-c9a811e6-943e8d1c-0faa636d, etc, test.local
dn: cn=locations+nsuniqueid=6f472204-c9a811e6-943e8d1c-0faa636d,cn=etc,dc=test,
dc=local
objectClass: nsContainer
objectClass: top
cn: locations
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Ad
d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write)
groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc
=test,dc=local";)
aci: (targetattr = "createtimestamp || description || entryusn || idnsname ||
modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,
read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,
cn=pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=Syst
em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
# cas + 6f47220a-c9a811e6-943e8d1c-0faa636d, ca, test.local
dn: cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=loca
l
objectClass: nsContainer
objectClass: top
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=
pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permis
sions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(
version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:
///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacai
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targ
etfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CA
s";allow (compare,read,search) userdn = "ldap:///all";)
# custodia + 6f47223b-c9a811e6-943e8d1c-0faa636d, ipa, etc, test.local
dn: cn=custodia+nsuniqueid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,d
c=test,dc=local
objectClass: nsContainer
objectClass: top
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
# dogtag + 6f47223d-c9a811e6-943e8d1c-0faa636d, custodia + 6f47223b-c9a811e6-94
3e8d1c-0faa636d, ipa, etc, test.local
dn: cn=dogtag+nsuniqueid=6f47223d-c9a811e6-943e8d1c-0faa636d,cn=custodia+nsuni
queid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
objectClass: top
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
c=local
# ca + 6f472240-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
dn: cn=ca+nsuniqueid=6f472240-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn
=etc,dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
cn: ca
ipaReplTopoConfRoot: o=ipaca
nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
cal
# System: Add CA + 6f472246-c9a811e6-943e8d1c-0faa636d, permissions, pbac, test.
local
dn: cn=System: Add CA+nsuniqueid=6f472246-c9a811e6-943e8d1c-0faa636d,cn=permis
sions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
test,dc=local
# System: Delete CA + 6f47224a-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h
5c.local
dn: cn=System: Delete CA+nsuniqueid=6f47224a-c9a811e6-943e8d1c-0faa636d,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Modify CA + 6f47224e-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h
5c.local
dn: cn=System: Modify CA+nsuniqueid=6f47224e-c9a811e6-943e8d1c-0faa636d,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Read CAs + 6f472252-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h5
c.local
dn: cn=System: Read CAs+nsuniqueid=6f472252-c9a811e6-943e8d1c-0faa636d,cn=perm
issions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
c=test,dc=local
# System: Modify DNS Servers Configuration + 6f472257-c9a811e6-943e8d1c-0faa636
d, permissions, pbac, test.local
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=6f472257-c9a811e6-9
43e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnssoamname
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: idnsforwarders
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
cn=permissions,cn=pbac,dc=test,dc=local
# System: Read DNS Servers Configuration + 6f47225b-c9a811e6-943e8d1c-0faa636d,
permissions, pbac, test.local
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=6f47225b-c9a811e6-943
e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
=permissions,cn=pbac,dc=test,dc=local
# System: Manage Host Principals + 6f472282-c9a811e6-943e8d1c-0faa636d, permiss
ions, pbac, test.local
dn: cn=System: Manage Host Principals+nsuniqueid=6f472282-c9a811e6-943e8d1c-0f
aa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# System: Add IPA Locations + 6f472298-c9a811e6-943e8d1c-0faa636d, permissions,
pbac, test.local
dn: cn=System: Add IPA Locations+nsuniqueid=6f472298-c9a811e6-943e8d1c-0faa636
d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
cn=pbac,dc=test,dc=local
# System: Modify IPA Locations + 6f47229c-c9a811e6-943e8d1c-0faa636d, permissio
ns, pbac, test.local
dn: cn=System: Modify IPA Locations+nsuniqueid=6f47229c-c9a811e6-943e8d1c-0faa
636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read IPA Locations + 6f4722a0-c9a811e6-943e8d1c-0faa636d, permissions
, pbac, test.local
dn: cn=System: Read IPA Locations+nsuniqueid=6f4722a0-c9a811e6-943e8d1c-0faa63
6d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: description
ipaPermDefaultAttr: idnsname
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
,cn=pbac,dc=test,dc=local
# System: Remove IPA Locations + 6f4722a4-c9a811e6-943e8d1c-0faa636d, permissio
ns, pbac, test.local
dn: cn=System: Remove IPA Locations+nsuniqueid=6f4722a4-c9a811e6-943e8d1c-0faa
636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Remove IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read Locations of IPA Servers + 6f4722a8-c9a811e6-943e8d1c-0faa636d,
permissions, pbac, test.local
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=6f4722a8-c9a811e6-943e
8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Locations of IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaserviceweight
ipaPermDefaultAttr: ipalocation
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
permissions,cn=pbac,dc=test,dc=local
# System: Read Status of Services on IPA Servers + 6f4722ac-c9a811e6-943e8d1c-0
faa636d, permissions, pbac, test.local
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=6f4722ac-c9a8
11e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Status of Services on IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaconfigstring
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
rvers,cn=permissions,cn=pbac,dc=test,dc=local
# System: Manage Service Principals + 6f4722b0-c9a811e6-943e8d1c-0faa636d, perm
issions, pbac, test.local
dn: cn=System: Manage Service Principals+nsuniqueid=6f4722b0-c9a811e6-943e8d1c
-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Service Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
issions,cn=pbac,dc=test,dc=local
# System: Manage User Principals + 6f4722bd-c9a811e6-943e8d1c-0faa636d, permiss
ions, pbac, test.local
dn: cn=System: Manage User Principals+nsuniqueid=6f4722bd-c9a811e6-943e8d1c-0f
aa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage User Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=lo
cal
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# servers + 6f4722d4-c9a811e6-943e8d1c-0faa636d, dns, test.local
dn: cn=servers+nsuniqueid=6f4722d4-c9a811e6-943e8d1c-0faa636d,cn=dns,dc=test,dc
=local
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
# ipa + 90a80ea3-c9a811e6-943e8d1c-0faa636d, cas + 6f47220a-c9a811e6-943e8d1c-0
faa636d, ca, test.local
dn: cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 51
# numEntries: 50
Daniel Alex Finkelstein| Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
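The conflict list above is what Dan later asks to see worked through. As an added example (not code from the thread, FreeIPA or 389-ds), here is a small Python reader for that ldapsearch output: it unfolds the LDIF, lists each namingConflict entry with the DN it lost to, and orders the entries so that a conflict entry nested under another conflict entry (cn=dogtag under cn=custodia) is handled before its parent. The sample LDIF and its nsuniqueid values are constructed.

```python
"""Added example: order 389-ds replication conflict entries for cleanup, from
the LDIF that ldapsearch ... "nsds5ReplConflict=*" returns (see the thread)."""
import base64
import re

# Constructed sample in the shape of the list's output; nsuniqueid values are invented.
SAMPLE_LDIF = """\
# custodia + 00000001-aaaa11e6-b0b0c0c0-d0d0e0e0, ipa, etc, test.l
 ocal
dn: cn=custodia+nsuniqueid=00000001-aaaa11e6-b0b0c0c0-d0d0e0e0,cn=ipa,cn=etc,d
 c=test,dc=local
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local

dn: cn=dogtag+nsuniqueid=00000002-aaaa11e6-b0b0c0c0-d0d0e0e0,cn=custodia+nsuni
 queid=00000001-aaaa11e6-b0b0c0c0-d0d0e0e0,cn=ipa,cn=etc,dc=test,dc=local
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
 c=local

dn: cn=System: Add CA+nsuniqueid=00000003-aaaa11e6-b0b0c0c0-d0d0e0e0,cn=permis
 sions,cn=pbac,dc=test,dc=local
cn: System: Add CA
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
 test,dc=local

search: 2
result: 0 Success
"""

NSUNIQUEID_RE = re.compile(r"\+nsuniqueid=([0-9a-f-]+)", re.IGNORECASE)

def parse_ldif(text):
    """Minimal RFC 2849 reader: unfold, drop comments, split on blank lines."""
    unfolded, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):                   # continuation of the previous line
            if not in_comment and unfolded:       # comments fold too; keep them dropped
                unfolded[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:
        if not line.strip():                      # blank line ends a record
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")    # first ':' only; DN values contain ': '
        if not sep:
            continue
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(buf))
    return rdns

def plan_conflict_cleanup(ldif_text):
    """One record per namingConflict entry, deepest DN first: a child such as
    cn=dogtag+nsuniqueid=... must be removed before its parent container."""
    plan = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry or "nsds5replconflict" not in entry:
            continue
        dn = entry["dn"][0]
        kind, _, winner = entry["nsds5replconflict"][0].partition(" ")
        if kind != "namingConflict":
            continue
        rdns = split_dn(dn)
        match = NSUNIQUEID_RE.search(rdns[0])
        plan.append({
            "conflict_dn": dn,
            "winner_dn": winner,                  # the entry that kept the real DN
            "nsuniqueid": match.group(1) if match else None,
            "depth": len(rdns),
            # a conflict RDN above the leaf: this entry sits under another conflict entry
            "under_conflict_parent": any(NSUNIQUEID_RE.search(r) for r in rdns[1:]),
        })
    plan.sort(key=lambda e: (-e["depth"], e["conflict_dn"]))
    return plan

if __name__ == "__main__":                        # dry run: review, do not delete blindly
    for item in plan_conflict_cleanup(SAMPLE_LDIF):
        print(item["depth"], item["conflict_dn"], "->", item["winner_dn"])
```

Feed it the real search output, then confirm that each winner_dn exists and carries the data you want to keep before removing the conflict entry with ldapdelete or renaming it as the Directory Server guide describes.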
From schogan at us.ibm.com Tue Jan 3 17:15:00 2017
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 3 Jan 2017 10:15:00 -0700
Subject: [Freeipa-users] Minimum SSSD version for 2 factor
Message-ID:
Morning,
Hope the Holidays went well for you all.
I have been trying to find documentation on the required min sssd
version needed to run otp (2 factor) with no luck. Was hoping you all
might know.
I see RHEL 6.8 comes with 1.13 SSSD so was wondering if that would be high
enough version to work with IPA 4.X OTP.
Thank You
Sean Hogan
From Dan.Finkelstein at high5games.com Tue Jan 3 17:20:22 2017
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 3 Jan 2017 17:20:22 +0000
Subject: [Freeipa-users] LDAP replication conflicts,
but no apparent data damage
In-Reply-To:
References: <145020D6-0409-4651-9C76-B6F31EB62753@high5games.com>
<11390f0d-5d31-21af-dea3-54f189ae2e7c@redhat.com>
Message-ID: <09E0FF83-D51C-46B8-93C9-B13B5B13E61D@high5games.com>
Also, after attempting to rename one of the duplicated attributes, I get this in the error logs:
[03/Jan/2017:17:19:30.605440097 +0000] retrocl-plugin - retrocl_postob: operation failure [68]
[03/Jan/2017:17:19:32.056965127 +0000] DSRetroclPlugin - replog: an error occured while adding change number 4799286, dn = changenumber=4799286,cn=changelog: Already exists.
[03/Jan/2017:17:19:32.058077520 +0000] retrocl-plugin - retrocl_postob: operation failure [68]
[03/Jan/2017:17:19:32.297145459 +0000] DSRetroclPlugin - replog: an error occured while adding change number 4799286, dn = changenumber=4799286,cn=changelog: Already exists.
[03/Jan/2017:17:19:32.298205569 +0000] retrocl-plugin - retrocl_postob: operation failure [68]
From: on behalf of Dan Finkelstein
Date: Tuesday, January 3, 2017 at 11:08
To: "mbasti at redhat.com" , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] LDAP replication conflicts, but no apparent data damage
I've read through that page before, just last week, but I confess it's gone over my head. Could you give me an example of how to fix one of the conflicts below? I think when I see how it's done, I can do the rest.
Thanks,
Dan
From: Martin Basti
Date: Tuesday, January 3, 2017 at 09:07
To: Dan Finkelstein , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] LDAP replication conflicts, but no apparent data damage
Here is a directory server documentation about replication conflicts https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
I hope it will help
Martin
On 03.01.2017 14:20, Dan.Finkelstein at high5games.com wrote:
I'm using the most recent FreeIPA 4.4.0 on CentOS 7.3 and have been cleaning up various dangling replicas and other cruft, but when I run the ipa consistency checker, it produces output that LDAP has conflicts. I then run:
ldapsearch -D "cn=Directory Manager" -W -b "dc=h5c,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
Which produces output as follows (which I don't know what to do with, yet):
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# ipaservers + 9865b29e-c9a411e6-a937f721-75eb0f97, hostgroups, accounts, test.l
ocal
dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups
,cn=accounts,dc=test,dc=local
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5
c,dc=local
memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=
test,dc=local
memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc
=local
memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
l
memberOf: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,c
n=alt,dc=test,dc=local
member: fqdn=ipa-replica-gib02.test.local,cn=computers,cn=accounts,dc=test,dc=lo
cal
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: b13812a8-c9a4-11e6-8bb5-00505684b9a0
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
5c,dc=local
# ipaservers + 9865b2a0-c9a411e6-a937f721-75eb0f97, ng, alt, test.local
dn: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,
dc=test,dc=local
memberHost: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=ho
stgroups,cn=accounts,dc=test,dc=local
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: test.local
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
ipaUniqueID: b13f8506-c9a4-11e6-8bb5-00505684b9a0
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
# domain + 9865b2a7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
dn: cn=domain+nsuniqueid=9865b2a7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ip
a,cn=etc,dc=test,dc=local
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
ipaReplTopoConfRoot: dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
c=local
# locations + 9865b2ab-c9a411e6-a937f721-75eb0f97, etc, test.local
dn: cn=locations+nsuniqueid=9865b2ab-c9a411e6-a937f721-75eb0f97,cn=etc,dc=test,
dc=local
objectClass: nsContainer
objectClass: top
cn: locations
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Ad
d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write)
groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc
=test,dc=local";)
aci: (targetattr = "createtimestamp || description || entryusn || idnsname ||
modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,
read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,
cn=pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=Syst
em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
# cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
dn: cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=loca
l
objectClass: nsContainer
objectClass: top
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=
pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permis
sions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(
version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:
///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacai
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targ
etfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CA
s";allow (compare,read,search) userdn = "ldap:///all";)
# custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
dn: cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,d
c=test,dc=local
objectClass: nsContainer
objectClass: top
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
# dogtag + 9865b2e4-c9a411e6-a937f721-75eb0f97, custodia + 9865b2e2-c9a411e6-a9
37f721-75eb0f97, ipa, etc, test.local
dn: cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuni
queid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
objectClass: top
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
c=local
# ca + 9865b2e7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
dn: cn=ca+nsuniqueid=9865b2e7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn
=etc,dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
cn: ca
ipaReplTopoConfRoot: o=ipaca
nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
cal
# System: Add CA + 9865b2ed-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.
local
dn: cn=System: Add CA+nsuniqueid=9865b2ed-c9a411e6-a937f721-75eb0f97,cn=permis
sions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
test,dc=local
# System: Delete CA + 9865b2f1-c9a411e6-a937f721-75eb0f97, permissions, pbac, h
5c.local
dn: cn=System: Delete CA+nsuniqueid=9865b2f1-c9a411e6-a937f721-75eb0f97,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Modify CA + 9865b2f5-c9a411e6-a937f721-75eb0f97, permissions, pbac, h
5c.local
dn: cn=System: Modify CA+nsuniqueid=9865b2f5-c9a411e6-a937f721-75eb0f97,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Read CAs + 9865b2f9-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5
c.local
dn: cn=System: Read CAs+nsuniqueid=9865b2f9-c9a411e6-a937f721-75eb0f97,cn=perm
issions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
c=test,dc=local
# System: Modify DNS Servers Configuration + 9865b2fe-c9a411e6-a937f721-75eb0f9
7, permissions, pbac, test.local
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=9865b2fe-c9a411e6-a
937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnssoamname
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: idnsforwarders
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
cn=permissions,cn=pbac,dc=test,dc=local
# System: Read DNS Servers Configuration + 9865b302-c9a411e6-a937f721-75eb0f97,
permissions, pbac, test.local
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=9865b302-c9a411e6-a93
7f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
=permissions,cn=pbac,dc=test,dc=local
# System: Manage Host Principals + 9865b329-c9a411e6-a937f721-75eb0f97, permiss
ions, pbac, test.local
dn: cn=System: Manage Host Principals+nsuniqueid=9865b329-c9a411e6-a937f721-75
eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# System: Add IPA Locations + 9865b33f-c9a411e6-a937f721-75eb0f97, permissions,
pbac, test.local
dn: cn=System: Add IPA Locations+nsuniqueid=9865b33f-c9a411e6-a937f721-75eb0f9
7,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
cn=pbac,dc=test,dc=local
# System: Modify IPA Locations + 9865b343-c9a411e6-a937f721-75eb0f97, permissio
ns, pbac, test.local
dn: cn=System: Modify IPA Locations+nsuniqueid=9865b343-c9a411e6-a937f721-75eb
0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read IPA Locations + 9865b347-c9a411e6-a937f721-75eb0f97, permissions
, pbac, test.local
dn: cn=System: Read IPA Locations+nsuniqueid=9865b347-c9a411e6-a937f721-75eb0f
97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: description
ipaPermDefaultAttr: idnsname
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
,cn=pbac,dc=test,dc=local
# System: Remove IPA Locations + 9865b34b-c9a411e6-a937f721-75eb0f97, permissio
ns, pbac, test.local
dn: cn=System: Remove IPA Locations+nsuniqueid=9865b34b-c9a411e6-a937f721-75eb
0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Remove IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read Locations of IPA Servers + 9865b34f-c9a411e6-a937f721-75eb0f97,
permissions, pbac, test.local
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=9865b34f-c9a411e6-a937
f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Locations of IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaserviceweight
ipaPermDefaultAttr: ipalocation
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
permissions,cn=pbac,dc=test,dc=local
# System: Read Status of Services on IPA Servers + 9865b353-c9a411e6-a937f721-7
5eb0f97, permissions, pbac, test.local
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=9865b353-c9a4
11e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Status of Services on IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaconfigstring
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
rvers,cn=permissions,cn=pbac,dc=test,dc=local
# System: Manage Service Principals + 9865b357-c9a411e6-a937f721-75eb0f97, perm
issions, pbac, test.local
dn: cn=System: Manage Service Principals+nsuniqueid=9865b357-c9a411e6-a937f721
-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Service Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
issions,cn=pbac,dc=test,dc=local
# System: Manage User Principals + 9865b364-c9a411e6-a937f721-75eb0f97, permiss
ions, pbac, test.local
dn: cn=System: Manage User Principals+nsuniqueid=9865b364-c9a411e6-a937f721-75
eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage User Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=lo
cal
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# servers + 9865b37b-c9a411e6-a937f721-75eb0f97, dns, test.local
dn: cn=servers+nsuniqueid=9865b37b-c9a411e6-a937f721-75eb0f97,cn=dns,dc=test,dc
=local
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
# ipa + cba8431e-c9a411e6-a937f721-75eb0f97, cas + 9865b2b1-c9a411e6-a937f721-7
5eb0f97, ca, test.local
dn: cn=ipa+nsuniqueid=cba8431e-c9a411e6-a937f721-75eb0f97,cn=cas+nsuniqueid=98
65b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
# ipaservers + 6f4721f7-c9a811e6-943e8d1c-0faa636d, hostgroups, accounts, test.l
ocal
dn: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups
,cn=accounts,dc=test,dc=local
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5
c,dc=local
memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=
test,dc=local
memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc
=local
memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
cal
memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
l
memberOf: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,c
n=alt,dc=test,dc=local
member: fqdn=ipa-replica-gib01.test.local,cn=computers,cn=accounts,dc=test,dc=lo
cal
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: 863f47b6-c9a8-11e6-a9b0-00505684f6ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
5c,dc=local
# ipaservers + 6f4721f9-c9a811e6-943e8d1c-0faa636d, ng, alt, test.local
dn: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,
dc=test,dc=local
memberHost: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=ho
stgroups,cn=accounts,dc=test,dc=local
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: test.local
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
ipaUniqueID: 864e605c-c9a8-11e6-a9b0-00505684f6ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
# domain + 6f472200-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
dn: cn=domain+nsuniqueid=6f472200-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ip
a,cn=etc,dc=test,dc=local
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
ipaReplTopoConfRoot: dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
cn: domain
nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
c=local
# locations + 6f472204-c9a811e6-943e8d1c-0faa636d, etc, test.local
dn: cn=locations+nsuniqueid=6f472204-c9a811e6-943e8d1c-0faa636d,cn=etc,dc=test,
dc=local
objectClass: nsContainer
objectClass: top
cn: locations
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Ad
d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write)
groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc
=test,dc=local";)
aci: (targetattr = "createtimestamp || description || entryusn || idnsname ||
modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObje
ct)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,
read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,
cn=pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permi
ssion:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=Syst
em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
# cas + 6f47220a-c9a811e6-943e8d1c-0faa636d, ca, test.local
dn: cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=loca
l
objectClass: nsContainer
objectClass: top
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=
pbac,dc=test,dc=local";)
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permis
sions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(
version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:
///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacai
d || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targ
etfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CA
s";allow (compare,read,search) userdn = "ldap:///all";)
# custodia + 6f47223b-c9a811e6-943e8d1c-0faa636d, ipa, etc, test.local
dn: cn=custodia+nsuniqueid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,d
c=test,dc=local
objectClass: nsContainer
objectClass: top
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
# dogtag + 6f47223d-c9a811e6-943e8d1c-0faa636d, custodia + 6f47223b-c9a811e6-94
3e8d1c-0faa636d, ipa, etc, test.local
dn: cn=dogtag+nsuniqueid=6f47223d-c9a811e6-943e8d1c-0faa636d,cn=custodia+nsuni
queid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
objectClass: top
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
c=local
# ca + 6f472240-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
dn: cn=ca+nsuniqueid=6f472240-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn
=etc,dc=test,dc=local
objectClass: top
objectClass: iparepltopoconf
cn: ca
ipaReplTopoConfRoot: o=ipaca
nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
cal
# System: Add CA + 6f472246-c9a811e6-943e8d1c-0faa636d, permissions, pbac, test.
local
dn: cn=System: Add CA+nsuniqueid=6f472246-c9a811e6-943e8d1c-0faa636d,cn=permis
sions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
test,dc=local
# System: Delete CA + 6f47224a-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h
5c.local
dn: cn=System: Delete CA+nsuniqueid=6f47224a-c9a811e6-943e8d1c-0faa636d,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Modify CA + 6f47224e-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h
5c.local
dn: cn=System: Modify CA+nsuniqueid=6f47224e-c9a811e6-943e8d1c-0faa636d,cn=per
missions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,
dc=test,dc=local
# System: Read CAs + 6f472252-c9a811e6-943e8d1c-0faa636d, permissions, pbac, h5
c.local
dn: cn=System: Read CAs+nsuniqueid=6f472252-c9a811e6-943e8d1c-0faa636d,cn=perm
issions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
c=test,dc=local
# System: Modify DNS Servers Configuration + 6f472257-c9a811e6-943e8d1c-0faa636
d, permissions, pbac, test.local
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=6f472257-c9a811e6-9
43e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnssoamname
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: idnsforwarders
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,
cn=permissions,cn=pbac,dc=test,dc=local
# System: Read DNS Servers Configuration + 6f47225b-c9a811e6-943e8d1c-0faa636d,
permissions, pbac, test.local
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=6f47225b-c9a811e6-943
e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn
=permissions,cn=pbac,dc=test,dc=local
# System: Manage Host Principals + 6f472282-c9a811e6-943e8d1c-0faa636d, permiss
ions, pbac, test.local
dn: cn=System: Manage Host Principals+nsuniqueid=6f472282-c9a811e6-943e8d1c-0f
aa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipahost)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Host Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# System: Add IPA Locations + 6f472298-c9a811e6-943e8d1c-0faa636d, permissions,
pbac, test.local
dn: cn=System: Add IPA Locations+nsuniqueid=6f472298-c9a811e6-943e8d1c-0faa636
d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,
cn=pbac,dc=test,dc=local
# System: Modify IPA Locations + 6f47229c-c9a811e6-943e8d1c-0faa636d, permissio
ns, pbac, test.local
dn: cn=System: Modify IPA Locations+nsuniqueid=6f47229c-c9a811e6-943e8d1c-0faa
636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: description
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read IPA Locations + 6f4722a0-c9a811e6-943e8d1c-0faa636d, permissions
, pbac, test.local
dn: cn=System: Read IPA Locations+nsuniqueid=6f4722a0-c9a811e6-943e8d1c-0faa63
6d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: description
ipaPermDefaultAttr: idnsname
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions
,cn=pbac,dc=test,dc=local
# System: Remove IPA Locations + 6f4722a4-c9a811e6-943e8d1c-0faa636d, permissio
ns, pbac, test.local
dn: cn=System: Remove IPA Locations+nsuniqueid=6f4722a4-c9a811e6-943e8d1c-0faa
636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaLocationObject)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Remove IPA Locations
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissio
ns,cn=pbac,dc=test,dc=local
# System: Read Locations of IPA Servers + 6f4722a8-c9a811e6-943e8d1c-0faa636d,
permissions, pbac, test.local
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=6f4722a8-c9a811e6-943e
8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Locations of IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaserviceweight
ipaPermDefaultAttr: ipalocation
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=
permissions,cn=pbac,dc=test,dc=local
# System: Read Status of Services on IPA Servers + 6f4722ac-c9a811e6-943e8d1c-0
faa636d, permissions, pbac, test.local
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=6f4722ac-c9a8
11e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read Status of Services on IPA Servers
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipaconfigstring
ipaPermDefaultAttr: cn
ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: read status of services on ipa se
rvers,cn=permissions,cn=pbac,dc=test,dc=local
# System: Manage Service Principals + 6f4722b0-c9a811e6-943e8d1c-0faa636d, perm
issions, pbac, test.local
dn: cn=System: Manage Service Principals+nsuniqueid=6f4722b0-c9a811e6-943e8d1c
-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=ipaservice)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage Service Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=perm
issions,cn=pbac,dc=test,dc=local
# System: Manage User Principals + 6f4722bd-c9a811e6-943e8d1c-0faa636d, permiss
ions, pbac, test.local
dn: cn=System: Manage User Principals+nsuniqueid=6f4722bd-c9a811e6-943e8d1c-0f
aa636d,cn=permissions,cn=pbac,dc=test,dc=local
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Manage User Principals
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=lo
cal
ipaPermDefaultAttr: krbprincipalname
ipaPermDefaultAttr: krbcanonicalname
ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permiss
ions,cn=pbac,dc=test,dc=local
# servers + 6f4722d4-c9a811e6-943e8d1c-0faa636d, dns, test.local
dn: cn=servers+nsuniqueid=6f4722d4-c9a811e6-943e8d1c-0faa636d,cn=dns,dc=test,dc
=local
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
# ipa + 90a80ea3-c9a811e6-943e8d1c-0faa636d, cas + 6f47220a-c9a811e6-943e8d1c-0
faa636d, ca, test.local
dn: cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 51
# numEntries: 50
Daniel Alex Finkelstein| Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
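The ldapsearch output above is a list of replication conflict entries: every RDN carries nsuniqueid and every entry has an nsds5ReplConflict attribute naming the entry it collided with, and several are not trivially deletable (the ipaservers hostgroup copy still has a member; the cn=ipa entry sits under a cn=cas copy that is itself in conflict). The Python script below, added here as an example and not part of the thread or of FreeIPA, parses such output, picks out the conflict entries and says what to check before any of them is deleted; the embedded LDIF and its nsuniqueid values are constructed, and the parser also copes with archive output whose blank separator lines were lost.

```python
"""Triage 389-ds replication conflict entries ('<rdn>+nsuniqueid=<id>' plus an
'nsds5ReplConflict: namingConflict <winner dn>' attribute) in ldapsearch LDIF output."""
import re
from dataclasses import dataclass

# CONSTRUCTED sample (ldapsearch -LLL style) modelled on the thread; ids are made up.
SAMPLE_LDIF = """\
dn: cn=System: Read CAs+nsuniqueid=00000001-aaaa11e6-deadbeef-00000001,cn=perm
 issions,cn=pbac,dc=example,dc=test
nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,d
 c=example,dc=test

dn: cn=System: Read CAs,cn=permissions,cn=pbac,dc=example,dc=test

dn: cn=ipaservers+nsuniqueid=00000002-aaaa11e6-deadbeef-00000002,cn=hostgroups
 ,cn=accounts,dc=example,dc=test
member: fqdn=replica01.example.test,cn=computers,cn=accounts,dc=example,dc=test
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=e
 xample,dc=test

dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test

dn: cn=ipa+nsuniqueid=00000003-aaaa11e6-deadbeef-00000003,cn=cas+nsuniqueid=00
 000004-aaaa11e6-deadbeef-00000004,cn=ca,dc=example,dc=test
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=example,dc=test

dn: cn=servers+nsuniqueid=00000005-aaaa11e6-deadbeef-00000005,cn=dns,dc=exampl
 e,dc=test
nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=example,dc=test
"""

NSUNIQUEID_RE = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

@dataclass
class ConflictEntry:
    dn: str
    original_dn: str        # DN named by nsds5ReplConflict (the winner)
    nested: bool            # an ancestor RDN is itself a conflict entry
    members: int            # 'member' values only this copy may still hold
    acis: int               # 'aci' values only this copy may still hold
    original_present: bool  # the winner was returned by the same search

def unfold(ldif: str) -> list[str]:
    """Join LDIF continuation lines (a leading space continues the line above)."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(ldif: str) -> list[dict[str, list[str]]]:
    """Group attribute lines into entries; a 'dn:' line starts a new one, so output without blank separators parses too."""
    entries: list[dict[str, list[str]]] = []
    current = None
    for line in unfold(ldif):
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue  # blank line, ldapsearch comment such as '# numEntries: 50', or junk
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(": ")  # '::' base64 left undecoded
        if attr == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def triage(ldif: str) -> list[ConflictEntry]:
    entries = parse_entries(ldif)
    present = {e["dn"][0].lower() for e in entries}
    found = []
    for e in entries:
        comps = re.split(r"(?<!\\),", e["dn"][0])  # DN components, split on unescaped commas
        if not NSUNIQUEID_RE.search(comps[0]):
            continue  # ordinary entry
        marker = e.get("nsds5replconflict", [""])[0]
        original = marker[len("namingConflict "):] if marker.startswith("namingConflict ") else ""
        found.append(ConflictEntry(
            e["dn"][0], original, any(NSUNIQUEID_RE.search(c) for c in comps[1:]),
            len(e.get("member", [])), len(e.get("aci", [])),
            # only meaningful if the search was not filtered on (nsds5ReplConflict=*)
            original.lower() in present))
    return found

def suggested_action(c: ConflictEntry) -> str:
    """What to verify before touching the entry; deleting it is the last step."""
    if c.nested:
        return "nested under another conflict entry; resolve the parent first"
    if not c.original_present:
        return "winner not seen in this search; confirm it exists, otherwise rename this copy"
    if c.members or c.acis:
        return f"holds {c.members} member and {c.acis} aci value(s); merge into the winner first"
    return "winner exists and this copy holds nothing extra; candidate for ldapdelete"

def report(ldif: str) -> list[str]:
    return [f"{c.dn}\n    conflicts with: {c.original_dn}\n    {suggested_action(c)}" for c in triage(ldif)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LDIF)))
```

Feed it the saved output of an ldapsearch that returns both the conflict entries and their winners; a search filtered on (nsds5ReplConflict=*) alone will report every winner as unseen.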
From schogan at us.ibm.com Tue Jan 3 17:31:09 2017
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 3 Jan 2017 10:31:09 -0700
Subject: [Freeipa-users] Minimum SSSD version for 2 factor
In-Reply-To:
References:
Message-ID:
Disregard... apparently I am blind. Min is 1.12 per IPA docs.
Sean Hogan
From: Sean Hogan/Durham/IBM
To: freeipa-users
Date: 01/03/2017 10:15 AM
Subject: Minimum SSSD version for 2 factor
Morning,
Hope the Holidays went well for you all.
I have been trying to find documentation on the required min sssd
version needed to run otp (2 factor) with no luck. Was hoping you all
might know.
I see RHEL 6.8 comes with 1.13 SSSD so was wondering if that would be high
enough version to work with IPA 4.X OTP.
Thank You
Sean Hogan
From jochen at jochen.org Tue Jan 3 17:41:05 2017
From: jochen at jochen.org (Jochen Hein)
Date: Tue, 03 Jan 2017 18:41:05 +0100
Subject: [Freeipa-users] Minimum SSSD version for 2 factor
In-Reply-To:
(Sean Hogan's message of "Tue, 3 Jan 2017 10:15:00 -0700")
References:
Message-ID: <837f6cxcr2.fsf@echidna.jochen.org>
"Sean Hogan" writes:
> I have been trying to find documentation on the required min sssd
> version needed to run otp (2 factor) with no luck. Was hoping you all
> might know.
> I see RHEL 6.8 comes with 1.13 SSSD so was wondering if that would be high
> enough version to work with IPA 4.X OTP.
I'm running 2FA/OTP on Ubuntu 14.04 with the following sssd:
ii sssd 1.12.5-1~trusty1 i386
System Security Services Daemon -- metapackage
What you miss is the prompt "First Factor"/"Second Factor" and you must
concatenate password and OTP at the password prompt. Otherwise it works
fine.
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
From pvoborni at redhat.com Tue Jan 3 17:45:13 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 3 Jan 2017 18:45:13 +0100
Subject: [Freeipa-users] how to make email as mandatory field before
user creation
In-Reply-To: <43e38bad775d4d6fa96bd26485136bc7@BLUPR42MB0194.048d.mgd.msft.net>
References: <47fd3579651242ed89012e664e6aa2c5@BLUPR42MB0194.048d.mgd.msft.net>
<63da1063-8ba6-fa41-ff44-8916c4a99c7f@redhat.com>
<43e38bad775d4d6fa96bd26485136bc7@BLUPR42MB0194.048d.mgd.msft.net>
Message-ID: <770ce4c9-6882-8bbd-5a26-fcd937baab97@redhat.com>
On 01/02/2017 08:46 PM, nirajkumar.singh at accenture.com wrote:
> Hi Prtr,
>
> Can you please suggest how to do it with plugins and which plugin I need to use and how to integrate that plugin with freeipa.
>
> Thanks
> Niraj
Disclaimer: the example below is not really safe because it doesn't
handle e.g. stageusers and it might not work with later releases of
FreeIPA because IPA doesn't provide any supported plugin API yet.
Example: https://pvoborni.fedorapeople.org/plugins/backend/zuserplugin.py
Old (FreeIPA 3.3) extending guide:
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: 02 January 2017 22:21
> To: Singh, NirajKumar ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] how to make email as mandatory field before user creation
>
> On 01/02/2017 05:00 PM, nirajkumar.singh at accenture.com wrote:
>> Hi Team,
>>
>> Is there any way to make email as mandatory field before creating any
>> user from WEBUI or Console?
>>
>> Thanks & Regards,
>>
>> Niraj Kumar Singh
>>
>
> Hello Niraj,
>
> FreeIPA doesn't support such configuration out of the box.
>
> It is theoretically possible to implement IPA server side plugin to mark the field as required. It may not be straightforward though.
>
> --
> Petr Vobornik
>
--
Petr Vobornik
From lslebodn at redhat.com Tue Jan 3 17:51:45 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 3 Jan 2017 18:51:45 +0100
Subject: [Freeipa-users] Minimum SSSD version for 2 factor
In-Reply-To:
References:
Message-ID: <20170103175144.GA18895@10.4.128.1>
On (03/01/17 10:15), Sean Hogan wrote:
>
>Morning,
>
> Hope the Holidays went well for you all.
>
> I have been trying to find documentation on the required min sssd
>version needed to run otp (2 factor) with no luck. Was hoping you all
>might know.
>I see RHEL 6.8 comes with 1.13 SSSD so was wondering if that would be high
>enough version to work with IPA 4.X OTP.
>
sssd 1.13 could handle OTP, but there is an old MIT krb5
and therefore sssd is compiled without the OTP feature in rhel6
LS
From b.candler at pobox.com Tue Jan 3 18:02:51 2017
From: b.candler at pobox.com (Brian Candler)
Date: Tue, 3 Jan 2017 18:02:51 +0000
Subject: [Freeipa-users] 2FA and AllowNTHash
In-Reply-To:
References:
Message-ID:
On 03/01/2017 15:28, Maciej Drobniuch wrote:
> We have a topo with 3x IPA servers + freeradius.
>
> Freeradius is being used to do mschap with wifi APs. Freeradius
> connects over ldap to IPA.
>
> In order to do the challange-response thing, freeipa has AllowNTHash
> enabled.
>
> So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth.
>
> In the moment I disallow Password auth for a user and enable OTP the
> wifi auth stops working, but the hash clearly stays in ldap.
How are you actually authenticating the user? Are you just reading the
ipaNTHash out of the LDAP database and letting FreeRADIUS check it? Then
AFAICS it shouldn't make any difference whether OTP is enabled or not.
Can you show more of your RADIUS config, and the debug output from the
part which authenticates the user?
I don't use OTP myself, but I wouldn't expect the ipaNTHash to change
depending on whether OTP is enabled or not (and you're saying the hash
stays put).
I have what sounds like a similar setup to yours, using FreeRADIUS
3.0.12 talking to FreeIPA 4.4.0, using a service user which has
permissions to read out the ipaNTHash directly, based on this blog post:
http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
ldap config:
    base_dn = 'cn=users,cn=accounts,dc=ipa,dc=example,dc=com'
    sasl {
        mech = 'GSSAPI'
        realm = 'IPA.EXAMPLE.COM'
    }
    update {
        control:NT-Password := 'ipaNTHash'
        control:Tmp-String-9 := 'krbPasswordExpiration'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = "one"
    }
    group {
        membership_attribute = 'memberOf'
        name_attributes = 'cn'
        cacheable_dn = 'yes'
        cacheable_name = 'no'
    }
default and inner-tunnel authentication is then just:
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
Also you need to put the service user's keytab somewhere, and set a
couple of environment variables when it starts, if you want to use
Kerberos to protect the LDAP connection. Using systemd override:
[Unit]
Requires=dirsrv.target
After=dirsrv.target
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/radiusd.keytab
Environment=KRB5CCNAME=MEMORY:
Restart=always
RestartSec=5
(Otherwise you can bind with a specific dn and password, but then you
also need to sort out TLS to secure the LDAP traffic)
There is more magic you can do with the krbPasswordExpiration attribute
to force the user to do a password change over MSCHAP - but that's now
straying a long way from what's relevant on a FreeIPA mailing list.
HTH,
Brian.
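As an added illustration of the point Brian makes (this is not his configuration and not FreeRADIUS or FreeIPA code), the block below shows what the `control:NT-Password := 'ipaNTHash'` mapping actually hands to rlm_pap: the NT hash is MD4 over the UTF-16LE encoding of the password, with no salt and no work factor, so the stored value depends on the password alone and nothing about the user's auth-type or OTP policy can change it. The PAP check is then derive-and-compare, which is what rlm_pap does when NT-Password is set. MD4 is implemented inline rather than via hashlib because the md4 digest is frequently disabled in OpenSSL builds; the test vectors are the RFC 1320 ones plus the well-known NT hash of `password`. The sample stored value is constructed for the demonstration.

```python
"""Added example: the NT-Password value rlm_pap receives from ipaNTHash, and the PAP check."""
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is often unavailable."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & _MASK

    def f(x, y, z):  # round 1: select
        return (x & y) | (~x & z & _MASK)

    def g(x, y, z):  # round 2: majority
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):  # round 3: parity
        return x ^ y ^ z

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian 64-bit.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # register being updated rotates a, d, c, b, a, ...
                r[j] = rotl((r[j] + func(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                             + x[idx] + k) & _MASK, shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The value stored in ipaNTHash: MD4 over the UTF-16LE password. No salt, no iteration,
    and no dependence on anything but the password itself."""
    return md4(password.encode("utf-16-le"))


def pap_check(user_password: str, stored_nt_hash: bytes) -> bool:
    """rlm_pap-style check with control:NT-Password set: hash the cleartext from the request
    and compare it with the LDAP-sourced value in constant time."""
    return hmac.compare_digest(nt_hash(user_password), stored_nt_hash)


if __name__ == "__main__":
    # Constructed sample: the attribute as it would come back from LDAP for a test user.
    stored = nt_hash("correct horse battery staple")
    print("PAP ok: ", pap_check("correct horse battery staple", stored))
    print("PAP bad:", pap_check("Correct horse battery staple", stored))
```

Because the hash is unsalted and fast to compute, a copy of ipaNTHash is password-equivalent for NTLM and MS-CHAP; a service account allowed to read it is as sensitive as the password store itself, which is why the narrow permission from the blog post above and a Kerberos- or TLS-protected LDAP connection both matter.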
From Dan.Finkelstein at high5games.com Tue Jan 3 19:49:53 2017
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 3 Jan 2017 19:49:53 +0000
Subject: [Freeipa-users] ldap_rename: Operations error (1)
Message-ID: <4BCF9E1B-AC0B-49FC-810D-93144BD30AAE@high5games.com>
I'm running FreeIPA 4.4.0 on CentOS 7.3 and I almost succeeded in renaming a duplicate, but then this happens:
modifying rdn of entry "cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local"
ldap_rename: Operations error (1)
The commands were:
$ ldapmodify -D "cn=directory manager" -W -p 389 -h ipa.test.local -x
Enter LDAP Password:
dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local
changetype: modrdn
newrdn: cn=9865b29e
deleteoldrdn: 0
Any ideas?
Daniel Alex Finkelstein| Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin
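The DN in the message above has the shape 389-ds gives the losing entry of a replication naming conflict: the original RDN with `nsuniqueid=<id>` glued on as a second RDN component. As an added example (not part of the thread and not FreeIPA or 389-ds tooling), the block below parses DNs, flags conflict entries by that shape and recovers the original DN, so a list of DNs from `ipa host-find --all` or an ldapsearch can be screened before any rename or delete is attempted; the cleanup itself is left to the documented procedure. The first sample DN is the one from the message; the others are constructed.

```python
"""Added example: detect 389-ds replication conflict entries from their DN shape."""

SAMPLE_DNS = [
    # From the message above:
    "cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local",
    # Constructed: a normal entry, a conflict user entry, and a value with an escaped comma.
    "cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local",
    "uid=jdoe+nsuniqueid=CONSTRUCTED-ID-0001,cn=users,cn=accounts,dc=test,dc=local",
    "cn=Ops\\, Team,cn=groups,cn=accounts,dc=test,dc=local",
]


def _split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators (RFC 4514 style) alone."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """DN -> list of RDNs (leaf first); each RDN is a list of (attribute, value) pairs,
    and a multi-valued RDN (joined with '+') yields more than one pair."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            avas.append((attr.strip(), value.strip()))
        rdns.append(avas)
    return rdns


def format_rdn(avas):
    return "+".join(f"{a}={v}" for a, v in avas)


def conflict_info(dn):
    """None for a normal entry; for a conflict entry, the nsuniqueid, the original RDN
    and the DN the entry had before the conflict was recorded."""
    rdns = parse_dn(dn)
    leaf = rdns[0]
    ids = [v for a, v in leaf if a.lower() == "nsuniqueid"]
    if not ids:
        return None
    original_rdn = format_rdn([(a, v) for a, v in leaf if a.lower() != "nsuniqueid"])
    parent = ",".join(format_rdn(r) for r in rdns[1:])
    return {"nsuniqueid": ids[0], "original_rdn": original_rdn,
            "original_dn": f"{original_rdn},{parent}" if parent else original_rdn}


def find_conflicts(dns):
    """(dn, info) for every conflict entry in dns, in input order."""
    found = []
    for dn in dns:
        info = conflict_info(dn)
        if info:
            found.append((dn, info))
    return found


if __name__ == "__main__":
    for dn, info in find_conflicts(SAMPLE_DNS):
        print(f"conflict {info['nsuniqueid']}: {dn}\n  original: {info['original_dn']}")
```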
From alan at instinctualsoftware.com Tue Jan 3 21:02:21 2017
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Tue, 3 Jan 2017 13:02:21 -0800
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
In-Reply-To:
References:
Message-ID: <30192950-AE2A-4E18-8B7E-05A62E62EBD7@instinctualsoftware.com>
Log is attached.
> On Jan 3, 2017, at 12:16 AM, Martin Babinsky wrote:
>
> On 01/02/2017 11:22 PM, Alan Latteri wrote:
>> I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4. On some clients they failed to re-authenticate post upgrade. I then did an
>> ipa-client-install --uninstall, and then tried re-joining to IPA server with
>> ipa-client-install --mkhomedir --force-ntpd --force-join.
>>
>> Now I am getting the below error, and I have no idea how to recover. Firewall is disabled.
>>
>> Thanks,
>> Alan
>>
>> User authorized to enroll computers: admin
>> Password for admin at XXX.LOCAL:
>> Please make sure the following ports are opened in the firewall settings:
>> TCP: 80, 88, 389
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>> TCP: 464
>> UDP: 464, 123 (if NTP enabled)
>> Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>>
>> [root at troll ~]# systemctl status firewalld
>> ● firewalld.service - firewalld - dynamic firewall daemon
>> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>> Active: inactive (dead)
>>
>> Installed Packages
>> ipa-client.x86_64 4.4.0-14.el7.centos @updates
>> ipa-client-common.noarch 4.4.0-14.el7.centos @updates
>> ipa-common.noarch 4.4.0-14.el7.centos @updates
>>
>
> Hi Alan,
>
> it would be nice if you could post the client install log (/var/log/ipaclient-install.log). It is hard to tell what happens without seeing it.
>
> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
From rcritten at redhat.com Tue Jan 3 21:25:31 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 3 Jan 2017 16:25:31 -0500
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
In-Reply-To: <30192950-AE2A-4E18-8B7E-05A62E62EBD7@instinctualsoftware.com>
References:
<30192950-AE2A-4E18-8B7E-05A62E62EBD7@instinctualsoftware.com>
Message-ID: <586C16CB.4030202@redhat.com>
Alan Latteri wrote:
> Log is attached.
Look and see if /etc/krb5.conf.d/ and
/var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
filesystem perms are an issue but who knows.
You can also brute force things using strace -f to find out exactly what
can't be read.
rob
From alan at instinctualsoftware.com Tue Jan 3 21:44:27 2017
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Tue, 3 Jan 2017 13:44:27 -0800
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
In-Reply-To: <586C16CB.4030202@redhat.com>
References:
<30192950-AE2A-4E18-8B7E-05A62E62EBD7@instinctualsoftware.com>
<586C16CB.4030202@redhat.com>
Message-ID:
Thanks Rob.
/etc/krb5.conf.d/ was in fact missing from the client, which is still on CentOS 7.2 for reasons out of our control.
Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client requires that dir but is not making it on upgrade and the cause of the failure?
Alan
> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>
> Alan Latteri wrote:
>> Log is attached.
>
> Look and see if /etc/krb5.conf.d/ and
> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
> filesystem perms are an issue but who knows.
>
> You can also brute force things using strace -f to find out exactly what
> can't be read.
>
> rob
>
From jhrozek at redhat.com Tue Jan 3 22:06:26 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 3 Jan 2017 23:06:26 +0100
Subject: [Freeipa-users] Unable to resolve AD users from IPA clients
In-Reply-To: <778879914.4889.1483454359268.JavaMail.zimbra@elostech.cz>
References: <778879914.4889.1483454359268.JavaMail.zimbra@elostech.cz>
Message-ID: <20170103220626.xqwbyuvrlvwvwrew@hendrix>
On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote:
> Hi,
>
> I have trouble with resolving AD users from my IPA clients.
>
> Environment: 2x IPA server with trust into AD - both IPA servers and clients running latest rhel 7.3.
>
> IPA domain: vs.example.com
> AD domain: example.com, cen.example.com
>
> All tstxxxxx users are in cen.example.com but their UPN is set to tstxxxxx at example.com
>
> I can run id and getent passwd commands without problem from both IPA servers:
>
> id tst99655 at example.com
> uid=20018(tst99655 at cen.example.com) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)
>
> getent tst99655 at example.com
> tst99655 at cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
>
> But from client:
>
> root at trh7clnt02:~# id tst99655 at example.com
> id: tst99655 at example.com: no such user
> root at trh7clnt02:~#getent passwd tst99655 at example.com
> ... no reply
>
>
> But when I run on client:
> getent group csunix at cen.example.com - it takes more than 30s
> csunix at cen.example.com:*:5001: .... and really long list of users
>
> Then again from client:
>
> root at trh7clnt02:~# id tst99655 at example.com
> uid=20018(tst99655 at cen.example.com) gid=5001(csunix) groups=5001(csunix)
>
> root at trh7clnt02:~# getent passwd tst99655 at example.com
> tst99655 at cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
>
> This time it works and it keeps working until I clean the sssd cache on client. Then I have to run that getent group csunix command again.
>
> I would say it is some timeout issue with enumerating csunix group. I have tried to fix it by adding:
>
> ldap_search_timeout = 50
I don't think this would be related to the searches timing out but
probably parsing and storing the entries on the server and the client.
Could you try adding this on the server side's sssd.conf?
[domain/domname]
subdomain_inherit = ignore_group_members
ignore_group_members = True
By the way, did you install 7.3 cleanly or did you upgrade? And if you
upgraded, did you ever remove the cache post-upgrade on the server?
There have been some improvements related to performance in 7.3 and even
more are coming in 7.4.
From alan at instinctualsoftware.com Wed Jan 4 01:33:39 2017
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Tue, 3 Jan 2017 17:33:39 -0800
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
In-Reply-To:
References:
<30192950-AE2A-4E18-8B7E-05A62E62EBD7@instinctualsoftware.com>
<586C16CB.4030202@redhat.com>
Message-ID: <75A314FC-94AC-4A60-8835-F47ED7C2FD7B@instinctualsoftware.com>
Further investigation.
On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is missing, and therefore initial setup will fail unless /etc/krb5.conf.d/ is created manually.
Maybe the install script for the client can be updated to check for and create?
Thanks,
Alan
> On Jan 3, 2017, at 1:44 PM, Alan Latteri wrote:
>
> Thanks Rob.
>
> /etc/krb5.conf.d/ was in fact missing from the client, which is still on CentOS 7.2 for reasons out of our control.
> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client requires that dir but is not making it on upgrade and the cause of the failure?
>
> Alan
>
>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>>
>> Alan Latteri wrote:
>>> Log is attached.
>>
>> Look and see if /etc/krb5.conf.d/ and
>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>> filesystem perms are an issue but who knows.
>>
>> You can also brute force things using strace -f to find out exactly what
>> can't be read.
>>
>> rob
>>
>
>
From peter at peterlarsen.org Wed Jan 4 04:11:28 2017
From: peter at peterlarsen.org (Peter Larsen)
Date: Tue, 3 Jan 2017 23:11:28 -0500
Subject: [Freeipa-users] Migrate from FreeIPA 3 to 4
Message-ID: <4fe618ef-2fbb-789a-29fb-038ab270f39f@peterlarsen.org>
I'm attempting to migrate my IDM server from RHEL6 to RHEL7. I.e. from
IPA 3 to IPA 4. My IPA 3 installation does not manage DNS - but other
than that, it's a very basic installation on a very small set of servers
(less than 50).
To start the migration I run
# ipa-replica-prepare ipa.peterlarsen.org
(ipa is the name of the new RHEL7 server). My intention is to setup a
replica on that server, and once fully established remove the old
installation.
I'm prompted for the dirsrv password and once entered it's accepted. It
also gets accepted if I use the --password=blabla option. However, the
process doesn't get far and terminates with:
ipa-replica-prepare ipa.peterlarsen.org
Preparing replica for ipa.peterlarsen.org from idm.peterlarsen.org
preparation of replica failed: Insufficient access: Invalid credentials
Insufficient access: Invalid credentials
  File "/usr/sbin/ipa-replica-prepare", line 529, in
    main()
  File "/usr/sbin/ipa-replica-prepare", line 391, in main
    update_pki_admin_password(dirman_password)
  File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
    bind_pw=dirman_password
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 712, in handle_errors
    raise errors.ACIError(info="%s %s" % (info, desc))
=====
I'm not sure the "invalid credentials" error message can be trusted (as
it does do a successful bind initially). Here's the log from the PKI-IPA:
[03/Jan/2017:23:08:26 -0500] conn=36 fd=73 slot=73 connection from 192.168.11.xxx to 192.168.11.xxx
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[03/Jan/2017:23:08:26 -0500] conn=36 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[03/Jan/2017:23:08:26 -0500] conn=36 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jan/2017:23:08:26 -0500] conn=36 op=2 UNBIND
[03/Jan/2017:23:08:26 -0500] conn=36 op=2 fd=73 closed - U1
[03/Jan/2017:23:08:27 -0500] conn=6 op=40 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[03/Jan/2017:23:08:27 -0500] conn=6 op=40 RESULT err=0 tag=103 nentries=0 etime=0
[03/Jan/2017:23:09:04 -0500] conn=37 fd=73 slot=73 SSL connection from 192.168.11.xxx to 192.168.11.xxx
[03/Jan/2017:23:09:04 -0500] conn=37 TLS1.2 256-bit AES
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 BIND dn="cn=directory manager" method=128 version=3
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[03/Jan/2017:23:09:04 -0500] conn=37 op=1 UNBIND
[03/Jan/2017:23:09:04 -0500] conn=37 op=1 fd=73 closed - U1
Looks more like a structural issue?
--
Regards
Peter Larsen
From rcritten at redhat.com Wed Jan 4 04:33:47 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 3 Jan 2017 23:33:47 -0500
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
In-Reply-To: <75A314FC-94AC-4A60-8835-F47ED7C2FD7B@instinctualsoftware.com>
References:
<30192950-AE2A-4E18-8B7E-05A62E62EBD7@instinctualsoftware.com>
<586C16CB.4030202@redhat.com>
<75A314FC-94AC-4A60-8835-F47ED7C2FD7B@instinctualsoftware.com>
Message-ID: <586C7B2B.5030601@redhat.com>
Alan Latteri wrote:
> Further investigation.
>
> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is missing, and therefore initial setup will fail unless /etc/krb5.conf.d/ is created manually.
> Maybe the install script for the client can be updated to check for and create?
Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
Is there some feature you need in the 4.4 client installer on 7.2?
rob
>
> Thanks,
> Alan
>
>> On Jan 3, 2017, at 1:44 PM, Alan Latteri wrote:
>>
>> Thanks Rob.
>>
>> /etc/krb5.conf.d/ was in fact missing from the client, which is still on CentOS 7.2 for reasons out of our control.
>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client requires that dir but is not making it on upgrade and the cause of the failure?
>>
>> Alan
>>
>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>>>
>>> Alan Latteri wrote:
>>>> Log is attached.
>>>
>>> Look and see if /etc/krb5.conf.d/ and
>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>> filesystem perms are an issue but who knows.
>>>
>>> You can also brute force things using strace -f to find out exactly what
>>> can't be read.
>>>
>>> rob
>>>
>>
>>
>
From alan at instinctualsoftware.com Wed Jan 4 04:35:59 2017
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Tue, 3 Jan 2017 20:35:59 -0800
Subject: [Freeipa-users] Kerberos authentication failed: kinit: Included
profile directory could not be read while initializing Kerberos 5 library
In-Reply-To: <586C7B2B.5030601@redhat.com>
References:
<30192950-AE2A-4E18-8B7E-05A62E62EBD7@instinctualsoftware.com>
<586C16CB.4030202@redhat.com>
<75A314FC-94AC-4A60-8835-F47ED7C2FD7B@instinctualsoftware.com>
<586C7B2B.5030601@redhat.com>
Message-ID: <7AAAC935-2110-4160-8275-E9BFD8B4F8D6@instinctualsoftware.com>
Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is the version provided.
Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is out of our control.
Alan
> On Jan 3, 2017, at 8:33 PM, Rob Crittenden wrote:
>
> Alan Latteri wrote:
>> Further investigation.
>>
>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is missing, and therefore initial setup will fail unless /etc/krb5.conf.d/ is created manually.
>> Maybe the install script for the client can be updated to check for and create?
>
> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
>
> Is there some feature you need in the 4.4 client installer on 7.2?
>
> rob
>
>>
>> Thanks,
>> Alan
>>
>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri wrote:
>>>
>>> Thanks Rob.
>>>
>>> /etc/krb5.conf.d/ was in fact missing from the client, which is still on CentOS 7.2 for reasons out of our control.
>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the /etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client requires that dir but is not making it on upgrade and the cause of the failure?
>>>
>>> Alan
>>>
>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden wrote:
>>>>
>>>> Alan Latteri wrote:
>>>>> Log is attached.
>>>>
>>>> Look and see if /etc/krb5.conf.d/ and
>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>> filesystem perms are an issue but who knows.
>>>>
>>>> You can also brute force things using strace -f to find out exactly what
>>>> can't be read.
>>>>
>>>> rob
>>>>
>>>
>>>
>>
>
From ianh at brownpapertickets.com Wed Jan 4 04:37:43 2017
From: ianh at brownpapertickets.com (Ian Harding)
Date: Tue, 3 Jan 2017 20:37:43 -0800
Subject: [Freeipa-users] Topology -> IPA Servers
Message-ID:
I have finally had some luck expunging the remnants of long removed IPA
servers now that I have upgraded to FreeIPA 4.4.
However, when I look at the IPA Servers list under Topology, I now have
three records like so:
Server name Min domain level Max domain level Managed suffixes
freeipa-dal.bpt.rocks
freeipa-sea.bpt.rocks 0 1 domain, ca
seattlenfs.bpt.rocks 0 0 domain
Showing 1 to 3 of 3 entries.
And an error dialog pops up which says "freeipa-dal.bpt.rocks: server
not found" which is true, it's long dead.
[root at freeipa-sea ianh]# ipa-replica-manage del --force --cleanup
freeipa-dal.bpt.rocks
Cleaning a master is irreversible.
This should not normally be require, so use cautiously.
Continue to clean master? [no]: yes
[root at freeipa-sea ianh]# ipa host-find freeipa-dal.bpt.rocks --all
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root at freeipa-sea ianh]# ipa-replica-manage list
seattlenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
freeipa-sea.bpt.rocks: master
[root at freeipa-sea ianh]# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
seattlenfs.bpt.rocks:389: 21
freeipa-sea.bpt.rocks:389: 20
Certificate Server Replica Update Vectors:
freeipa-sea.bpt.rocks:389: 1065
Any ideas how to make that ghost finally go away? I'm trying to change
the domain level of freeipa-sea.bpt.rocks, but when I do I get
"Domain Level cannot be raised to 1, server freeipa-dal.bpt.rocks does
not support it."
Thanks!
--
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com
From bentech4you at gmail.com Wed Jan 4 06:21:28 2017
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 4 Jan 2017 09:21:28 +0300
Subject: [Freeipa-users] ipa replica installation help
Message-ID:
Hi
while trying to create an ipa replica, I am getting the below error,
Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.
The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.
To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified
'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.
I have an IPA master server without AD integration and DNS is managed by 3rd
party appliances.
Regards,
Ben
From mbabinsk at redhat.com Wed Jan 4 08:19:18 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 4 Jan 2017 09:19:18 +0100
Subject: [Freeipa-users] ipa replica installation help
In-Reply-To:
References:
Message-ID: <0be000dd-f1b5-ebc2-42da-7d71885caae1@redhat.com>
On 01/04/2017 07:21 AM, Ben .T.George wrote:
> Hi
>
> while trying to create an ipa replica, I am getting the below error,
>
> Replica creation using 'ipa-replica-prepare' to generate replica file
> is supported only in 0-level IPA domain.
>
> The current IPA domain level is 1 and thus the replica must
> be created by promoting an existing IPA client.
>
> To set up a replica use the following procedure:
> 1.) set up a client on the host using 'ipa-client-install'
> 2.) promote the client to replica running 'ipa-replica-install'
> *without* replica file specified
>
> 'ipa-replica-prepare' is allowed only in domain level 0
> The ipa-replica-prepare command failed.
>
>
> I have an IPA master server without AD integration and DNS is managed by
> 3rd party appliances.
>
>
>
> Regards,
> Ben
>
>
Hi Ben,
If you installed IPA 4.4 server then domain level 1 is the default. This
domain level uses a different mechanism to stand up replicas. See the
latest IdM documentation[1] for more details.
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
--
Martin^3 Babinsky
From flo at redhat.com Wed Jan 4 08:48:17 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Wed, 4 Jan 2017 09:48:17 +0100
Subject: [Freeipa-users] Asking for help with crashed freeIPA instance
In-Reply-To:
References:
<729a8aed-4f22-ba26-3089-58c675bd64e0@redhat.com>
<585A9F46.7080207@redhat.com>
<3f60bab0-11c7-0fe5-b88c-07d77c7e191b@redhat.com>
Message-ID: <0f7a6cc9-ae57-d957-d255-ab79033373e6@redhat.com>
On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:
> Thanks for your reply.
>
> This was the initial error I asked for help a while ago and did not get
> resolved. Further digging showed the recent errors.
> The service was running (using ipactl start --force) and only after a
> restart I am getting a stack trace for two primary messages:
>
> Could not connect to LDAP server host wwgwho01.webwim.com
> port 636 Error netscape.ldap.LDAPException:
> Authentication failed (48)
> ...
>
> Internal Database Error encountered: Could not connect to LDAP server
> host wwgwho01.webwim.com port 636 Error
> netscape.ldap.LDAPException: Authentication failed (48)
> ...
>
> and finally:
> [02/Jan/2017:12:20:34][localhost-startStop-1]: CMSEngine.shutdown()
>
>
> 2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud >:
>
> systemctl start pki-tomcatd at pki-tomcat.service
>
>
>
Hi Daniel,
the next step would be to understand the root cause of this
"Authentication failed (48)" error. Note the exact time of this log and
look for a corresponding log in the LDAP server logs
(/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing BIND with
err=48. This may help diagnose the issue (if we can see which
certificate is used for the bind or if there is a specific error message).
For the record, a successful bind over SSL would produce this type of
log where we can see the certificate subject and the user mapped to this
certificate:
[...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
Flo
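Both Peter's PKI-IPA excerpt earlier in this digest (a BIND as cn=directory manager answered with err=49 over TLS) and Flo's advice here (find the BIND that fails with err=48 and see which certificate, if any, it was made with) come down to the same reading of the 389-ds access log: pair each BIND with its RESULT on the same conn and op, and read the connection's TLS and client-certificate lines that precede it. The block below is an added example of that correlation (it is not from either message and not 389-ds tooling). The sample log is constructed from the record shapes quoted in this thread, one record per line as in the real file (the mail clients wrapped them), with placeholder addresses; conn 48 is a constructed SASL/EXTERNAL bind with no client certificate to show the err=48 case.

```python
"""Added example: correlate 389-ds access-log BIND/RESULT records and report failed binds."""
import re

# Result codes seen on bind failures; 49 is Peter's case, 48 the one Flo says to look for.
LDAP_RESULT = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
               49: "invalidCredentials", 50: "insufficientAccessRights"}

# Constructed sample (placeholder addresses, record shapes from this thread).
SAMPLE_LOG = """\
[03/Jan/2017:23:08:26 -0500] conn=36 fd=73 slot=73 connection from 192.0.2.10 to 192.0.2.10
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[03/Jan/2017:23:08:26 -0500] conn=36 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[03/Jan/2017:23:08:26 -0500] conn=36 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[03/Jan/2017:23:08:26 -0500] conn=36 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[03/Jan/2017:23:08:26 -0500] conn=36 op=2 UNBIND
[03/Jan/2017:23:09:04 -0500] conn=37 fd=73 slot=73 SSL connection from 192.0.2.10 to 192.0.2.10
[03/Jan/2017:23:09:04 -0500] conn=37 TLS1.2 256-bit AES
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 BIND dn="cn=directory manager" method=128 version=3
[03/Jan/2017:23:09:04 -0500] conn=37 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[03/Jan/2017:23:09:04 -0500] conn=37 op=1 UNBIND
[03/Jan/2017:23:09:10 -0500] conn=47 fd=84 slot=84 SSL connection from 192.0.2.20 to 192.0.2.20
[03/Jan/2017:23:09:10 -0500] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[03/Jan/2017:23:09:10 -0500] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[03/Jan/2017:23:09:10 -0500] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[03/Jan/2017:23:09:10 -0500] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[03/Jan/2017:23:09:11 -0500] conn=48 fd=85 slot=85 SSL connection from 192.0.2.20 to 192.0.2.20
[03/Jan/2017:23:09:11 -0500] conn=48 TLS1.2 128-bit AES
[03/Jan/2017:23:09:11 -0500] conn=48 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[03/Jan/2017:23:09:11 -0500] conn=48 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(args):
    return {k: v.strip('"') for k, v in KV_RE.findall(args)}


def parse_binds(lines):
    """One dict per completed BIND, in log order, with its RESULT and connection context."""
    conns, pending, binds = {}, {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, conn, rest = m["ts"], int(m["conn"]), m["rest"]
        c = conns.setdefault(conn, {"ssl": False, "cipher": None, "client_cert": None,
                                    "issuer": None, "cert_mapped_to": None})
        if " connection from " in rest:
            c["ssl"] = "SSL connection" in rest
        elif rest.startswith("TLS"):
            # "TLS1.2 <cipher>; client <subject>; issuer <issuer>" or "TLS1.2 client bound as <dn>"
            if " client bound as " in rest:
                c["cert_mapped_to"] = rest.split(" client bound as ", 1)[1]
            else:
                segs = [s.strip() for s in rest.split(";")]
                c["cipher"] = segs[0]
                for seg in segs[1:]:
                    if seg.startswith("client "):
                        c["client_cert"] = seg[len("client "):]
                    elif seg.startswith("issuer "):
                        c["issuer"] = seg[len("issuer "):]
        else:
            om = OP_RE.match(rest)
            if not om:
                continue
            op, kind, kv = int(om["op"]), om["kind"], _kv(om["args"])
            if kind == "BIND":
                pending[(conn, op)] = {"ts": ts, "conn": conn, "op": op, "dn": kv.get("dn", ""),
                                       "method": kv.get("method"), "mech": kv.get("mech"), **c}
            elif kind == "RESULT" and (conn, op) in pending:
                b = pending.pop((conn, op))
                b["err"] = int(kv.get("err", -1))
                b["status"] = LDAP_RESULT.get(b["err"], f"code {b['err']}")
                b["bound_as"] = kv.get("dn") if b["err"] == 0 else None
                b["message"] = om["args"].split(" - ", 1)[1].strip() if " - " in om["args"] else ""
                binds.append(b)
    return binds


def failed_binds(lines):
    return [b for b in parse_binds(lines) if b["err"] != 0]


def describe(b):
    who = b["dn"] or (f"SASL/{b['mech']}" if b["mech"] else "anonymous")
    chan = "TLS" if b["ssl"] else "plain"
    cert = f", client cert {b['client_cert']}" if b["client_cert"] else ", no client cert"
    return f"{b['ts']} conn={b['conn']} {chan}{cert} bind as {who}: {b['status']} {b['message']}".rstrip()


if __name__ == "__main__":
    for b in failed_binds(SAMPLE_LOG.splitlines()):
        print(describe(b))
```

Run against the real `/var/log/dirsrv/slapd-*/access` file, the failed-bind list answers Flo's question directly: an EXTERNAL bind that fails with no `client CN=...` line on its connection never presented a certificate, while one that carries a subject but still fails points at the certificate-to-user mapping; a simple bind answered with err=49 over TLS, as in Peter's log, is a wrong password for that instance rather than a transport problem.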
From flo at redhat.com Wed Jan 4 09:09:28 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Wed, 4 Jan 2017 10:09:28 +0100
Subject: [Freeipa-users] updating certificates
In-Reply-To: <16f61b80-8f88-c861-bd40-3a8bdb48c093@use.startmail.com>
References: <961a039c237577e3b3a460ab3a33e6d5.startmail@www.startmail.com>
<57728EB8.2050805@redhat.com>
<5783A8E6.4010407@redhat.com>
<16f61b80-8f88-c861-bd40-3a8bdb48c093@use.startmail.com>
Message-ID: <1257d02b-c25d-074d-99cf-dd4e59713c9b@redhat.com>
On 12/24/2016 01:58 AM, Josh wrote:
> Hi Rob,
>
> I'd like to really clarify renew certificate process. I can successfully
> update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but
> any new ipa client gets expired certificate still present someplace in
> LDAP. I was trying to use ipa-server-certinstall, described in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html
> but the document does not cover the case where an intermediate certificate is
> required.
Hi Josh,
if the HTTP and LDAP certificates were signed by an intermediate CA,
then you need to install both the root CA and the intermediate CA with
ipa-cacert-manage install:
1/ install the root CA (if not already done)
ipa-cacert-manage install rootcert.pem
ipa-certupdate (on all the servers and clients)
2/ install the intermediate CA (if not already done)
ipa-cacert-manage install intermediatecert.pem
ipa-certupdate (on all the servers and clients)
3/ install the HTTP and LDAP certificates
ipa-server-certinstall ...
HTH,
Flo
>
> Josh.
>
> On 07/11/2016 10:10 AM, Rob Crittenden wrote:
>> jcnt at use.startmail.com wrote:
>>> On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden
>>> wrote:
>>>> jcnt at use.startmail.com wrote:
>>>>> Greetings,
>>>>>
>>>>> About a year ago I installed my freeipa server with certificates from
>>>>> startssl using command line options --dirsrv-cert-file
>>>>> --http-cert-file
>>>>> etc.
>>>>> The certificate is about to expire, what is the proper way to
>>>>> update it
>>>>> in all places?
>>>>
>>>> It depends on whether you kept the original CSR or not. If you kept the
>>>> original CSR and are just renewing the certificate(s) then when you get
>>>> the new one, use certutil to add the updated cert to the appropriate
>>>> NSS
>>>> database like:
>>>>
>>>> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i
>>>> /path/to/new.crt
>>>>
>>>
>>> Rob,
>>>
>>> Thank you, that worked just fine, except that I had to update an
>>> intermediate certificate as well.
>>>
>>> Two questions, please:
>>>
>>> 1. I noticed a strange discrepancy in behavior between
>>> /etc/httpd/alias and /etc/dirsrv/slapd-domain.
>>> In both places original intermediate certificate is listed with empty
>>> ",," trust attributes so I initially added new intermediate
>>> certificate with empty attributes as well.
>>> certutils -V showed valid certificate in /etc/httpd/alias and not
>>> trusted in /etc/dirsrv/slapd-domain so I had to modify intermediate
>>> certificate with -t "C,,"
>>
>> Hmm, not sure. Did the CA chain change in between the issuance of the
>> two certs?
>>
>> Adding a new certificate shouldn't affect the trust of any other certs
>> so I'm not sure what happened. It could be that those subordinate CAs
>> were loaded the first time incorrectly but weren't used so it wasn't
>> noticed, I'm not really sure.
>>
>>> 2. Just out of curiosity I wanted to list private keys and is
>>> prompted for a password:
>>> # certutil -K -d /etc/httpd/alias/
>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User
>>> Private Key and Certificate Services"
>>> Enter Password or Pin for "NSS Certificate DB":
>>>
>>> Which one of the many provided by a user passwords is used by
>>> ipa-server-install command during NSS database initialization?
>>
>> In each NSS directory there is a pwdfile.txt which contains the PIN
>> for the internal token. You can add -f /etc/httpd/alias/pwdfile.txt to
>> your command to list the private keys.
>>
>> rob
>
From jamesaharrisonuk at yahoo.co.uk Wed Jan 4 09:28:45 2017
From: jamesaharrisonuk at yahoo.co.uk (James Harrison)
Date: Wed, 4 Jan 2017 09:28:45 +0000 (UTC)
Subject: [Freeipa-users] Manually configuring Freeipa bind configs to host
secondary zones
References: <1289829626.10354110.1483522125234.ref@mail.yahoo.com>
Message-ID: <1289829626.10354110.1483522125234@mail.yahoo.com>
Hi All,
I realise Free IPA doesn't yet support secondary zones in the web interface or command line tools (I might be wrong :) ). When I talk about secondary zones I mean a zone replicated from Windows DNS masters.
Can the Free IPA bind configs be manually altered to host secondary zones? Is it supported or will they just be over-written by Freeipa?
I've been hunting for an answer online, but found nothing about this.
Many thanks,
James Harrison