[Freeipa-users] LDAP replication conflicts, but no apparent data damage

Martin Basti mbasti at redhat.com
Wed Jan 4 11:28:50 UTC 2017


Probably the entries already exist.

For example, for ipaservers, do you have the following entry
cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local on the replica?

Martin
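
Martin's check, applied to every conflict at once, as an added example (not code from this thread or from FreeIPA): the script reads `ldapsearch` output, unfolds wrapped lines, pairs each conflict entry with the DN it collided on, and prints the base-scope search that shows whether that DN exists on a replica. The function names and the trimmed sample input are constructed for illustration; the script only reads and reports.

```python
import base64
import re
import shlex
from collections import defaultdict

# Constructed sample: three entries cut down from the ldapsearch output quoted
# in this thread, folded the way ldapsearch prints long lines, with every
# suffix written as dc=test,dc=local.
SAMPLE_LDIF = """\
# ipaservers + 9865b29e-c9a411e6-a937f721-75eb0f97, hostgroups, accounts, test.l
 ocal
dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups
 ,cn=accounts,dc=test,dc=local
cn: ipaservers
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=t
 est,dc=local

dn: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups
 ,cn=accounts,dc=test,dc=local
cn: ipaservers
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=t
 est,dc=local

dn: cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuni
 queid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,
 dc=local
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def entries(text):
    """Yield each LDIF entry as a dict of lower-cased attribute -> values."""
    entry = defaultdict(list)
    for line in unfold(text) + [""]:
        if not line.strip():          # a blank line ends the entry
            if entry:
                yield entry
            entry = defaultdict(list)
        elif not line.startswith("#"):
            m = re.match(r"([^:]+)(::?)\s*(.*)", line)
            if m:
                attr, sep, value = m.groups()
                if sep == "::":       # base64-encoded value
                    value = base64.b64decode(value).decode("utf-8", "replace")
                entry[attr.lower()].append(value)


def find_conflicts(text):
    """Return one record per nsds5ReplConflict value found in the LDIF."""
    found = []
    for entry in entries(text):
        if "dn" not in entry:
            continue                  # e.g. the trailing "search:" summary
        dn = entry["dn"][0]
        # Split on unescaped commas; enough for the DNs shown in this thread.
        rdns = re.split(r"(?<!\\),", dn)
        for value in entry.get("nsds5replconflict", []):
            kind, _, intended = value.partition(" ")
            found.append({
                "conflict_dn": dn,
                "kind": kind,
                "intended_dn": intended.strip(),
                # True when an ancestor is itself a conflict entry.
                "parent_is_conflict": any(
                    "+nsuniqueid=" in rdn.lower() for rdn in rdns[1:]),
            })
    return found


def group_by_intended(conflicts):
    """Map each intended DN (lower-cased) to the conflict DNs that claim it."""
    groups = defaultdict(list)
    for c in conflicts:
        groups[c["intended_dn"].lower()].append(c["conflict_dn"])
    return dict(groups)


def existence_check(intended_dn, bind_dn="cn=Directory Manager"):
    """Shell command that asks one server whether intended_dn exists."""
    args = ["ldapsearch", "-D", bind_dn, "-W", "-b", intended_dn,
            "-s", "base", "(objectclass=*)", "dn"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE_LDIF)
    nested = {c["conflict_dn"] for c in conflicts if c["parent_is_conflict"]}
    for intended, dns in group_by_intended(conflicts).items():
        print(f"{intended}: {len(dns)} conflict entries")
        for dn in dns:
            note = "  (parent is a conflict entry too)" if dn in nested else ""
            print(f"  {dn}{note}")
        print(f"  check: {existence_check(intended)}")
```
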


On 03.01.2017 18:20, Dan.Finkelstein at high5games.com wrote:
>
> Also, after attempting to rename one of the duplicated attributes, I 
> get this in the error logs:
>
> [03/Jan/2017:17:19:30.605440097 +0000] retrocl-plugin - retrocl_postob: operation failure [68]
>
> [03/Jan/2017:17:19:32.056965127 +0000] DSRetroclPlugin - replog: an error occured while adding change number 4799286, dn = changenumber=4799286,cn=changelog: Already exists.
>
> [03/Jan/2017:17:19:32.058077520 +0000] retrocl-plugin - retrocl_postob: operation failure [68]
>
> [03/Jan/2017:17:19:32.297145459 +0000] DSRetroclPlugin - replog: an error occured while adding change number 4799286, dn = changenumber=4799286,cn=changelog: Already exists.
>
> [03/Jan/2017:17:19:32.298205569 +0000] retrocl-plugin - retrocl_postob: operation failure [68]
>
> *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
>
> _Dan.Finkelstein at h5g.com <mailto:Dan.Finkelstein at h5g.com>_ | 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
> www.high5games.com <http://www.high5games.com/>
>
> Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and 
> Shake the Sky <https://apps.facebook.com/shakethesky/>
>
> Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter 
> <https://twitter.com/High5Games>, YouTube 
> <http://www.youtube.com/High5Games>, Linkedin 
> <http://www.linkedin.com/company/1072533?trk=tyah>
>
> //
>
> /This message and any attachments may contain confidential or 
> privileged information and are only for the use of the intended 
> recipient of this message. If you are not the intended recipient, 
> please notify the sender by return email, and delete or destroy this 
> and all copies of this message and all attachments. Any unauthorized 
> disclosure, use, distribution, or reproduction of this message or any 
> attachments is prohibited and may be unlawful./
>
> *From: *<freeipa-users-bounces at redhat.com> on behalf of Dan 
> Finkelstein <Dan.Finkelstein at high5games.com>
> *Date: *Tuesday, January 3, 2017 at 11:08
> *To: *"mbasti at redhat.com" <mbasti at redhat.com>, 
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] LDAP replication conflicts, but no 
> apparent data damage
>
> I've read through that page before, just last week, but I confess it's 
> gone over my head. Could you give me an example of how to fix /one/ of 
> the conflicts below? I think when I see how it's done, I can do the rest.
>
> Thanks,
>
> Dan
>
> *From: *Martin Basti <mbasti at redhat.com>
> *Date: *Tuesday, January 3, 2017 at 09:07
> *To: *Dan Finkelstein <Dan.Finkelstein at high5games.com>, 
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] LDAP replication conflicts, but no 
> apparent data damage
>
> Here is the directory server documentation about replication conflicts:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
> I hope it will help
>
> Martin
>
> On 03.01.2017 14:20, Dan.Finkelstein at high5games.com 
> <mailto:Dan.Finkelstein at high5games.com> wrote:
>
>     I'm using the most recent FreeIPA 4.4.0 on CentOS 7.3 and have
>     been cleaning up various dangling replicas and other cruft, but
>     when I run the ipa consistency checker, it produces output that
>     LDAP has conflicts. I then run:
>
>     ldapsearch -D "cn=Directory Manager" -W -b "dc=h5c,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
>
>     Which produces output as follows (which I don't know what to do
>     with, yet):
>
>     # extended LDIF
>     #
>     # LDAPv3
>     # base <dc=test,dc=local> with scope subtree
>     # filter: nsds5ReplConflict=*
>     # requesting: * nsds5ReplConflict
>     #
>
>     # ipaservers + 9865b29e-c9a411e6-a937f721-75eb0f97, hostgroups, accounts, test.local
>     dn: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local
>     memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5c,dc=local
>     memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,dc=test,dc=local
>     member: fqdn=ipa-replica-gib02.test.local,cn=computers,cn=accounts,dc=test,dc=local
>     mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>     objectClass: top
>     objectClass: ipahostgroup
>     objectClass: ipaobject
>     objectClass: groupOfNames
>     objectClass: nestedGroup
>     objectClass: mepOriginEntry
>     description: IPA server hosts
>     cn: ipaservers
>     ipaUniqueID: b13812a8-c9a4-11e6-8bb5-00505684b9a0
>     nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h5c,dc=local
>
>     # ipaservers + 9865b2a0-c9a411e6-a937f721-75eb0f97, ng, alt, test.local
>     dn: cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,dc=test,dc=local
>     memberHost: cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local
>     objectClass: ipanisnetgroup
>     objectClass: ipaobject
>     objectClass: mepManagedEntry
>     objectClass: ipaAssociation
>     objectClass: top
>     nisDomainName: test.local
>     cn: ipaservers
>     description: ipaNetgroup ipaservers
>     mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
>     ipaUniqueID: b13f8506-c9a4-11e6-8bb5-00505684b9a0
>     nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
>     # domain + 9865b2a7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
>     dn: cn=domain+nsuniqueid=9865b2a7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>     nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
>     ipaReplTopoConfRoot: dc=test,dc=local
>     objectClass: top
>     objectClass: iparepltopoconf
>     nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>     nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>     cn: domain
>     nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>
>     # locations + 9865b2ab-c9a411e6-a937f721-75eb0f97, etc, test.local
>     dn: cn=locations+nsuniqueid=9865b2ab-c9a411e6-a937f721-75eb0f97,cn=etc,dc=test,dc=local
>     objectClass: nsContainer
>     objectClass: top
>     cn: locations
>     nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>     aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>     aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     # cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
>     dn: cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
>     objectClass: nsContainer
>     objectClass: top
>     cn: cas
>     nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=test,dc=local";)
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=test,dc=local";)
>     aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
>     aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";)
>
>     # custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
>     dn: cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
>     objectClass: nsContainer
>     objectClass: top
>     cn: custodia
>     nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
>     # dogtag + 9865b2e4-c9a411e6-a937f721-75eb0f97, custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
>     dn: cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
>     objectClass: nsContainer
>     objectClass: top
>     cn: dogtag
>     nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
>     # ca + 9865b2e7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc, test.local
>     dn: cn=ca+nsuniqueid=9865b2e7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>     objectClass: top
>     objectClass: iparepltopoconf
>     cn: ca
>     ipaReplTopoConfRoot: o=ipaca
>     nsds5ReplConflict: namingConflict cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>
>     # System: Add CA + 9865b2ed-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Add CA+nsuniqueid=9865b2ed-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: add
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Add CA
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Delete CA + 9865b2f1-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5c.local
>     dn: cn=System: Delete CA+nsuniqueid=9865b2f1-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: delete
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Delete CA
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Modify CA + 9865b2f5-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5c.local
>     dn: cn=System: Modify CA+nsuniqueid=9865b2f5-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Modify CA
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: description
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read CAs + 9865b2f9-c9a411e6-a937f721-75eb0f97, permissions, pbac, h5c.local
>     dn: cn=System: Read CAs+nsuniqueid=9865b2f9-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaca)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: all
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read CAs
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     ipaPermDefaultAttr: description
>     ipaPermDefaultAttr: ipacaissuerdn
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: ipacasubjectdn
>     ipaPermDefaultAttr: ipacaid
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Modify DNS Servers Configuration + 9865b2fe-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=9865b2fe-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Modify DNS Servers Configuration
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: idnssoamname
>     ipaPermDefaultAttr: idnssubstitutionvariable
>     ipaPermDefaultAttr: idnsforwardpolicy
>     ipaPermDefaultAttr: idnsforwarders
>     ipaPermLocation: dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read DNS Servers Configuration + 9865b302-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Read DNS Servers Configuration+nsuniqueid=9865b302-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read DNS Servers Configuration
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: idnsforwardpolicy
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: idnsforwarders
>     ipaPermDefaultAttr: idnsserverid
>     ipaPermDefaultAttr: idnssubstitutionvariable
>     ipaPermDefaultAttr: idnssoamname
>     ipaPermLocation: dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Host Principals + 9865b329-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Manage Host Principals+nsuniqueid=9865b329-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipahost)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Manage Host Principals
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: krbprincipalname
>     ipaPermDefaultAttr: krbcanonicalname
>     ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: manage host principals,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Add IPA Locations + 9865b33f-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Add IPA Locations+nsuniqueid=9865b33f-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: add
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Add IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: add ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Modify IPA Locations + 9865b343-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Modify IPA Locations+nsuniqueid=9865b343-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Modify IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: description
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: modify ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read IPA Locations + 9865b347-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Read IPA Locations+nsuniqueid=9865b347-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: description
>     ipaPermDefaultAttr: idnsname
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: read ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Remove IPA Locations + 9865b34b-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Remove IPA Locations+nsuniqueid=9865b34b-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>     ipaPermRight: delete
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Remove IPA Locations
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: remove ipa locations,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read Locations of IPA Servers + 9865b34f-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Read Locations of IPA Servers+nsuniqueid=9865b34f-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read Locations of IPA Servers
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: ipaserviceweight
>     ipaPermDefaultAttr: ipalocation
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: read locations of ipa servers,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read Status of Services on IPA Servers + 9865b353-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=9865b353-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>     ipaPermRight: read
>     ipaPermRight: compare
>     ipaPermRight: search
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Read Status of Services on IPA Servers
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: objectclass
>     ipaPermDefaultAttr: ipaconfigstring
>     ipaPermDefaultAttr: cn
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: read status of services on ipa servers,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Service Principals + 9865b357-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Manage Service Principals+nsuniqueid=9865b357-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=ipaservice)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Manage Service Principals
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=Service Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: krbprincipalname
>     ipaPermDefaultAttr: krbcanonicalname
>     ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: manage service principals,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage User Principals + 9865b364-c9a411e6-a937f721-75eb0f97, permissions, pbac, test.local
>     dn: cn=System: Manage User Principals+nsuniqueid=9865b364-c9a411e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>     ipaPermTargetFilter: (objectclass=posixaccount)
>     ipaPermRight: write
>     ipaPermBindRuleType: permission
>     ipaPermissionType: V2
>     ipaPermissionType: MANAGED
>     ipaPermissionType: SYSTEM
>     cn: System: Manage User Principals
>     objectClass: ipapermission
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: ipapermissionv2
>     member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=test,dc=local
>     ipaPermDefaultAttr: krbprincipalname
>     ipaPermDefaultAttr: krbcanonicalname
>     ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
>     nsds5ReplConflict: namingConflict cn=system: manage user principals,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # servers + 9865b37b-c9a411e6-a937f721-75eb0f97, dns, test.local
>     dn: cn=servers+nsuniqueid=9865b37b-c9a411e6-a937f721-75eb0f97,cn=dns,dc=test,dc=local
>     objectClass: nsContainer
>     objectClass: top
>     cn: servers
>     nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
>
>     # ipa + cba8431e-c9a411e6-a937f721-75eb0f97, cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
>     dn: cn=ipa+nsuniqueid=cba8431e-c9a411e6-a937f721-75eb0f97,cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
>     description: IPA CA
>     ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
>     objectClass: top
>     objectClass: ipaca
>     ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
>     ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
>     cn: ipa
>     nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
>
>     # ipaservers + 6f4721f7-c9a811e6-943e8d1c-0faa636d, hostgroups, accounts, test.local
>     dn: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups,cn=accounts,dc=test,dc=local
>     memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>     memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=h5c,dc=local
>     memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>     memberOf: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,dc=test,dc=local
>     member: fqdn=ipa-replica-gib01.test.local,cn=computers,cn=accounts,dc=test,dc=local
>     mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>     objectClass: top
>     objectClass: ipahostgroup
>     objectClass: ipaobject
>     objectClass: groupOfNames
>     objectClass: nestedGroup
>     objectClass: mepOriginEntry
>     description: IPA server hosts
>     cn: ipaservers
>     ipaUniqueID: 863f47b6-c9a8-11e6-a9b0-00505684f6ff
>     nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=h5c,dc=local
>
>     # ipaservers + 6f4721f9-c9a811e6-943e8d1c-0faa636d, ng, alt, test.local
>     dn: cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,dc=test,dc=local
>     memberHost: cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups,cn=accounts,dc=test,dc=local
>     objectClass: ipanisnetgroup
>     objectClass: ipaobject
>     objectClass: mepManagedEntry
>     objectClass: ipaAssociation
>     objectClass: top
>     nisDomainName: test.local
>     cn: ipaservers
>     description: ipaNetgroup ipaservers
>     mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
>     ipaUniqueID: 864e605c-c9a8-11e6-a9b0-00505684f6ff
>     nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
>     # domain + 6f472200-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc, test.local
>     dn: cn=domain+nsuniqueid=6f472200-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn=etc,dc=test,dc=local
>     nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
>     ipaReplTopoConfRoot: dc=test,dc=local
>     objectClass: top
>     objectClass: iparepltopoconf
>     nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>     nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>
>     cn: domain
>
>     nsds5ReplConflict: namingConflict
>     cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
>
>     c=local
>
>     # locations + 6f472204-c9a811e6-943e8d1c-0faa636d, etc, test.local
>
>     dn:
>     cn=locations+nsuniqueid=6f472204-c9a811e6-943e8d1c-0faa636d,cn=etc,dc=test,
>
>     dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: locations
>
>     nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
>
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>
>     ssion:System: Add IPA Locations";allow (add) groupdn =
>     "ldap:///cn=System: Ad
>
>     d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "description")(targetfilter =
>     "(objectclass=ipaLocationObje
>
>     ct)")(version 3.0;acl "permission:System: Modify IPA
>     Locations";allow (write)
>
>       groupdn = "ldap:///cn=System: Modify IPA
>     Locations,cn=permissions,cn=pbac,dc
>
>     =test,dc=local";)
>
>     aci: (targetattr = "createtimestamp || description || entryusn ||
>     idnsname ||
>
>      modifytimestamp || objectclass")(targetfilter =
>     "(objectclass=ipaLocationObje
>
>     ct)")(version 3.0;acl "permission:System: Read IPA
>     Locations";allow (compare,
>
>     read,search) groupdn = "ldap:///cn=System: Read
>     IPA Locations,cn=permissions,
>
>     cn=pbac,dc=test,dc=local";)
>
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>
>     ssion:System: Remove IPA Locations";allow (delete) groupdn =
>     "ldap:///cn=Syst
>
>     em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     # cas + 6f47220a-c9a811e6-943e8d1c-0faa636d, ca, test.local
>
>     dn:
>     cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=loca
>
>     l
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: cas
>
>     nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
>
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>
>     : Add CA";allow (add) groupdn = "ldap:///cn=System:
>     Add CA,cn=permissions,cn=
>
>     pbac,dc=test,dc=local";)
>
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>
>     : Delete CA";allow (delete) groupdn = "ldap:///cn=System:
>     Delete CA,cn=permis
>
>     sions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "cn || description")(targetfilter =
>     "(objectclass=ipaca)")(
>
>     version 3.0;acl "permission:System: Modify CA";allow (write)
>     groupdn = "ldap:
>
>     ///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "cn || createtimestamp || description ||
>     entryusn || ipacai
>
>     d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
>     objectclass")(targ
>
>     etfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System: Read CA
>
>     s";allow (compare,read,search) userdn = "ldap:///all";)
>
>     # custodia + 6f47223b-c9a811e6-943e8d1c-0faa636d, ipa, etc, test.local
>
>     dn:
>     cn=custodia+nsuniqueid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,d
>
>     c=test,dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: custodia
>
>     nsds5ReplConflict: namingConflict
>     cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
>     # dogtag + 6f47223d-c9a811e6-943e8d1c-0faa636d, custodia +
>     6f47223b-c9a811e6-94
>
>     3e8d1c-0faa636d, ipa, etc, test.local
>
>     dn:
>     cn=dogtag+nsuniqueid=6f47223d-c9a811e6-943e8d1c-0faa636d,cn=custodia+nsuni
>
>     queid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,dc=test,dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: dogtag
>
>     nsds5ReplConflict: namingConflict
>     cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
>
>     c=local
>
>     # ca + 6f472240-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc,
>     test.local
>
>     dn:
>     cn=ca+nsuniqueid=6f472240-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn
>
>     =etc,dc=test,dc=local
>
>     objectClass: top
>
>     objectClass: iparepltopoconf
>
>     cn: ca
>
>     ipaReplTopoConfRoot: o=ipaca
>
>     nsds5ReplConflict: namingConflict
>     cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
>
>     cal
>
>     # System: Add CA + 6f472246-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, test.
>
>     local
>
>     dn: cn=System: Add
>     CA+nsuniqueid=6f472246-c9a811e6-943e8d1c-0faa636d,cn=permis
>
>     sions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: add
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Add CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: add
>     ca,cn=permissions,cn=pbac,dc=
>
>     test,dc=local
>
>     # System: Delete CA + 6f47224a-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, h
>
>     5c.local
>
>     dn: cn=System: Delete
>     CA+nsuniqueid=6f47224a-c9a811e6-943e8d1c-0faa636d,cn=per
>
>     missions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: delete
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Delete CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: delete
>     ca,cn=permissions,cn=pbac,
>
>     dc=test,dc=local
>
>     # System: Modify CA + 6f47224e-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, h
>
>     5c.local
>
>     dn: cn=System: Modify
>     CA+nsuniqueid=6f47224e-c9a811e6-943e8d1c-0faa636d,cn=per
>
>     missions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify
>     ca,cn=permissions,cn=pbac,
>
>     dc=test,dc=local
>
>     # System: Read CAs + 6f472252-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, h5
>
>     c.local
>
>     dn: cn=System: Read
>     CAs+nsuniqueid=6f472252-c9a811e6-943e8d1c-0faa636d,cn=perm
>
>     issions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: all
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read CAs
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: ipacaissuerdn
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipacasubjectdn
>
>     ipaPermDefaultAttr: ipacaid
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read
>     cas,cn=permissions,cn=pbac,d
>
>     c=test,dc=local
>
>     # System: Modify DNS Servers Configuration +
>     6f472257-c9a811e6-943e8d1c-0faa636
>
>     d, permissions, pbac, test.local
>
>     dn: cn=System: Modify DNS Servers
>     Configuration+nsuniqueid=6f472257-c9a811e6-9
>
>     43e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify DNS Servers Configuration
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: idnssoamname
>
>     ipaPermDefaultAttr: idnssubstitutionvariable
>
>     ipaPermDefaultAttr: idnsforwardpolicy
>
>     ipaPermDefaultAttr: idnsforwarders
>
>     ipaPermLocation: dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify dns servers
>     configuration,
>
>     cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read DNS Servers Configuration +
>     6f47225b-c9a811e6-943e8d1c-0faa636d,
>
>     permissions, pbac, test.local
>
>     dn: cn=System: Read DNS Servers
>     Configuration+nsuniqueid=6f47225b-c9a811e6-943
>
>     e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read DNS Servers Configuration
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: idnsforwardpolicy
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: idnsforwarders
>
>     ipaPermDefaultAttr: idnsserverid
>
>     ipaPermDefaultAttr: idnssubstitutionvariable
>
>     ipaPermDefaultAttr: idnssoamname
>
>     ipaPermLocation: dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read dns servers
>     configuration,cn
>
>     =permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Host Principals +
>     6f472282-c9a811e6-943e8d1c-0faa636d, permiss
>
>     ions, pbac, test.local
>
>     dn: cn=System: Manage Host
>     Principals+nsuniqueid=6f472282-c9a811e6-943e8d1c-0f
>
>     aa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipahost)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage Host Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage host
>     principals,cn=permiss
>
>     ions,cn=pbac,dc=test,dc=local
>
>     # System: Add IPA Locations + 6f472298-c9a811e6-943e8d1c-0faa636d,
>     permissions,
>
>       pbac, test.local
>
>     dn: cn=System: Add IPA
>     Locations+nsuniqueid=6f472298-c9a811e6-943e8d1c-0faa636
>
>     d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: add
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Add IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: add ipa
>     locations,cn=permissions,
>
>     cn=pbac,dc=test,dc=local
>
>     # System: Modify IPA Locations +
>     6f47229c-c9a811e6-943e8d1c-0faa636d, permissio
>
>     ns, pbac, test.local
>
>     dn: cn=System: Modify IPA
>     Locations+nsuniqueid=6f47229c-c9a811e6-943e8d1c-0faa
>
>     636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: description
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify ipa
>     locations,cn=permissio
>
>     ns,cn=pbac,dc=test,dc=local
>
>     # System: Read IPA Locations +
>     6f4722a0-c9a811e6-943e8d1c-0faa636d, permissions
>
>     , pbac, test.local
>
>     dn: cn=System: Read IPA
>     Locations+nsuniqueid=6f4722a0-c9a811e6-943e8d1c-0faa63
>
>     6d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: idnsname
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read ipa
>     locations,cn=permissions
>
>     ,cn=pbac,dc=test,dc=local
>
>     # System: Remove IPA Locations +
>     6f4722a4-c9a811e6-943e8d1c-0faa636d, permissio
>
>     ns, pbac, test.local
>
>     dn: cn=System: Remove IPA
>     Locations+nsuniqueid=6f4722a4-c9a811e6-943e8d1c-0faa
>
>     636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: delete
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Remove IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: remove ipa
>     locations,cn=permissio
>
>     ns,cn=pbac,dc=test,dc=local
>
>     # System: Read Locations of IPA Servers +
>     6f4722a8-c9a811e6-943e8d1c-0faa636d,
>
>      permissions, pbac, test.local
>
>     dn: cn=System: Read Locations of IPA
>     Servers+nsuniqueid=6f4722a8-c9a811e6-943e
>
>     8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read Locations of IPA Servers
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipaserviceweight
>
>     ipaPermDefaultAttr: ipalocation
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read locations of ipa
>     servers,cn=
>
>     permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read Status of Services on IPA Servers +
>     6f4722ac-c9a811e6-943e8d1c-0
>
>     faa636d, permissions, pbac, test.local
>
>     dn: cn=System: Read Status of Services on IPA
>     Servers+nsuniqueid=6f4722ac-c9a8
>
>     11e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read Status of Services on IPA Servers
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipaconfigstring
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read status of
>     services on ipa se
>
>     rvers,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Service Principals +
>     6f4722b0-c9a811e6-943e8d1c-0faa636d, perm
>
>     issions, pbac, test.local
>
>     dn: cn=System: Manage Service
>     Principals+nsuniqueid=6f4722b0-c9a811e6-943e8d1c
>
>     -0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaservice)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage Service Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=Service
>     Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage service
>     principals,cn=perm
>
>     issions,cn=pbac,dc=test,dc=local
>
>     # System: Manage User Principals +
>     6f4722bd-c9a811e6-943e8d1c-0faa636d, permiss
>
>     ions, pbac, test.local
>
>     dn: cn=System: Manage User
>     Principals+nsuniqueid=6f4722bd-c9a811e6-943e8d1c-0f
>
>     aa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=posixaccount)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage User Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=Modify Users and Reset
>     passwords,cn=privileges,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage user
>     principals,cn=permiss
>
>     ions,cn=pbac,dc=test,dc=local
>
>     # servers + 6f4722d4-c9a811e6-943e8d1c-0faa636d, dns, test.local
>
>     dn:
>     cn=servers+nsuniqueid=6f4722d4-c9a811e6-943e8d1c-0faa636d,cn=dns,dc=test,dc
>
>     =local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: servers
>
>     nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
>
>     # ipa + 90a80ea3-c9a811e6-943e8d1c-0faa636d, cas +
>     6f47220a-c9a811e6-943e8d1c-0
>
>     faa636d, ca, test.local
>
>     dn:
>     cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
>
>     47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
>
>     description: IPA CA
>
>     ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
>
>     objectClass: top
>
>     objectClass: ipaca
>
>     ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
>
>     ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
>
>     cn: ipa
>
>     nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
>
>     # search result
>
>     search: 2
>
>     result: 0 Success
>
>     # numResponses: 51
>
>     # numEntries: 50
>
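
The search output quoted above mixes plain containers with ACI-bearing containers and pbac permission entries, and some conflict entries sit under a parent that is itself a conflict entry. As an added example (not part of the original message and not FreeIPA or 389-ds code), this sketch parses ldapsearch LDIF and reports, for each nsds5ReplConflict entry, the DN it should have had and whether it carries access-control data. The function names and the sample LDIF are constructed for illustration, and DNs are split on plain commas, which assumes no escaped commas in RDN values.

```python
import base64
import re

# Constructed sample in ldapsearch LDIF form (long lines folded with one
# leading space); values are modelled on the entries quoted in the message.
SAMPLE_LDIF = """\
# cas + 6f47220a-c9a811e6-943e8d1c-0faa636d, ca, test.local
dn: cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=loca
 l
objectClass: nsContainer
cn: cas
nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System
 : Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=
 pbac,dc=test,dc=local";)

dn: cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
 47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
objectClass: ipaca
cn: ipa
nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local

dn: cn=System: Add CA+nsuniqueid=6f472246-c9a811e6-943e8d1c-0faa636d,cn=permis
 sions,cn=pbac,dc=test,dc=local
objectClass: ipapermission
cn: System: Add CA
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
 test,dc=local

dn: cn=admins,cn=groups,cn=accounts,dc=test,dc=local
objectClass: groupofnames
cn: admins
"""

# The "+nsuniqueid=<id>" suffix the server adds to the RDN of a conflict entry.
NSUNIQUEID = re.compile(r"\+nsuniqueid=[0-9a-f]{8}(?:-[0-9a-f]{8}){3}", re.I)


def unfold(text):
    """Join LDIF continuation lines (those starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return a list of {lowercased attribute: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def conflict_report(text):
    """Summarise every entry that carries nsds5ReplConflict."""
    report = []
    for entry in parse_entries(text):
        dn = entry.get("dn", [""])[0]
        parent = dn.split(",", 1)[1] if "," in dn else ""
        for marker in entry.get("nsds5replconflict", []):
            kind, _, original_dn = marker.partition(" ")
            report.append({
                "conflict_dn": dn,
                "kind": kind,
                "original_dn": original_dn,
                # DN the entry would have without any conflict suffixes
                "expected_dn": NSUNIQUEID.sub("", dn),
                # True when the entry lives under another conflict entry
                "parent_is_conflict": bool(NSUNIQUEID.search(parent)),
                # pbac permission entries and entries holding ACIs
                "access_control": ",cn=pbac," in dn.lower() or "aci" in entry,
            })
    return report


if __name__ == "__main__":
    for row in conflict_report(SAMPLE_LDIF):
        print(row["kind"], row["expected_dn"],
              "nested" if row["parent_is_conflict"] else "top-level",
              "ACCESS-CONTROL" if row["access_control"] else "")
```

Comparing `expected_dn` against a base-scope search for the same DN on each replica shows which side holds the surviving entry before any conflict entry is renamed or deleted.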
