[Freeipa-users] LDAP replication conflicts, but no apparent data damage

thierry bordaz tbordaz at redhat.com
Wed Jan 4 14:57:18 UTC 2017


Hello,

I fail to reproduce the problem with retroCL. The error means that the 
changelog index was back in the past. I have no clue how it happened. Do 
you know if it happened at the same time as the attempts to rename 
conflict entries?

I reproduced the failure to rename a conflict entry. This is a new bug.
The problem comes from the access to the rdn attribute 'nsuniqueid' that the 
server prevents from being updated.
Curiously, it looks like there are two bugs, as the deleteoldrdn is not 
taken into consideration and access to the attribute is tested even if 
the deletion of the oldrdn is not requested.
I will open a ticket for it.


regards
thierry
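
An added example, not part of the original thread and not FreeIPA or 389-ds code: a Python sketch that unfolds the wrapped LDIF printed by the ldapsearch command quoted below and lists each conflict entry with its nsuniqueid, the DN it was meant to have, whether its parent is itself a conflict entry, and whether it sits under cn=pbac or carries aci values. The sample input is constructed from entries shown in the quoted output, and the function names are illustrative.

```python
import base64
import re
from collections import defaultdict

# Constructed sample: three conflict entries modelled on the search output
# quoted in this thread (folded the way ldapsearch prints long lines), plus
# one ordinary entry that must not be reported.
SAMPLE_LDIF = """\
# custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
dn: cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,d
 c=test,dc=local
objectClass: nsContainer
cn: custodia
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=test,dc=local

dn: cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuni
 queid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
cn: dogtag
nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
 c=local

dn: cn=System: Add CA+nsuniqueid=9865b2ed-c9a411e6-a937f721-75eb0f97,cn=permis
 sions,cn=pbac,dc=test,dc=local
objectClass: ipapermission
cn: System: Add CA
nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=
 test,dc=local

dn: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
objectClass: nsContainer
cn: masters
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line (the space itself is dropped)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased names to value lists."""
    dn, attrs = None, defaultdict(list)
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue                          # ldapsearch comment lines
        if not line.strip():
            if dn is not None:
                yield dn, dict(attrs)
            dn, attrs = None, defaultdict(list)
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)


def split_rdns(dn):
    """Split a DN on unescaped commas (sufficient for the DNs shown here)."""
    return re.split(r"(?<!\\),", dn)


def rdn_uniqueid(rdn):
    """Return the nsuniqueid value of a multi-valued conflict RDN, else None."""
    for ava in re.split(r"(?<!\\)\+", rdn):
        if ava.lower().startswith("nsuniqueid="):
            return ava.split("=", 1)[1]
    return None


def triage(text):
    """List the entries that carry nsds5ReplConflict, with context for review."""
    report = []
    for dn, attrs in parse_entries(text):
        conflict = attrs.get("nsds5replconflict")
        if not conflict:
            continue
        kind, _, intended_dn = conflict[0].partition(" ")
        rdns = split_rdns(dn)
        report.append({
            "conflict_dn": dn,
            "kind": kind,
            "intended_dn": intended_dn,
            "nsuniqueid": rdn_uniqueid(rdns[0]),
            # a child stored under a conflict entry, like dogtag under custodia
            "parent_is_conflict": any(rdn_uniqueid(r) for r in rdns[1:]),
            # permission entries and ACI-bearing containers
            "access_control": "cn=pbac" in [r.lower() for r in rdns] or "aci" in attrs,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LDIF):
        print(row)
```
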
On 01/03/2017 06:20 PM, Dan.Finkelstein at high5games.com wrote:
>
> Also, after attempting to rename one of the duplicated attributes, I 
> get this in the error logs:
>
> 03/Jan/2017:17:19:30.605440097 +0000] retrocl-plugin - retrocl_postob: 
> operation failure [68]
>
> [03/Jan/2017:17:19:32.056965127 +0000] DSRetroclPlugin - replog: an 
> error occured while adding change number 4799286, dn = 
> changenumber=4799286,cn=changelog: Already exists.
>
> [03/Jan/2017:17:19:32.058077520 +0000] retrocl-plugin - 
> retrocl_postob: operation failure [68]
>
> [03/Jan/2017:17:19:32.297145459 +0000] DSRetroclPlugin - replog: an 
> error occured while adding change number 4799286, dn = 
> changenumber=4799286,cn=changelog: Already exists.
>
> [03/Jan/2017:17:19:32.298205569 +0000] retrocl-plugin - 
> retrocl_postob: operation failure [68]
>
> *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
>
> _Dan.Finkelstein at h5g.com <mailto:Dan.Finkelstein at h5g.com>_ | 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
> www.high5games.com <http://www.high5games.com/>
>
> Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and 
> Shake the Sky <https://apps.facebook.com/shakethesky/>
>
> Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter 
> <https://twitter.com/High5Games>, YouTube 
> <http://www.youtube.com/High5Games>, Linkedin 
> <http://www.linkedin.com/company/1072533?trk=tyah>
>
> //
>
> /This message and any attachments may contain confidential or 
> privileged information and are only for the use of the intended 
> recipient of this message. If you are not the intended recipient, 
> please notify the sender by return email, and delete or destroy this 
> and all copies of this message and all attachments. Any unauthorized 
> disclosure, use, distribution, or reproduction of this message or any 
> attachments is prohibited and may be unlawful./
>
> *From: *<freeipa-users-bounces at redhat.com> on behalf of Dan 
> Finkelstein <Dan.Finkelstein at high5games.com>
> *Date: *Tuesday, January 3, 2017 at 11:08
> *To: *"mbasti at redhat.com" <mbasti at redhat.com>, 
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] LDAP replication conflicts, but no 
> apparent data damage
>
> I've read through that page before, just last week, but I confess it's 
> gone over my head. Could you give me an example of how to fix /one/ of 
> the conflicts below? I think when I see how it's done, I can do the rest.
>
> Thanks,
>
> Dan
>
> *From: *Martin Basti <mbasti at redhat.com>
> *Date: *Tuesday, January 3, 2017 at 09:07
> *To: *Dan Finkelstein <Dan.Finkelstein at high5games.com>, 
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] LDAP replication conflicts, but no 
> apparent data damage
>
> Here is a directory server documentation about replication conflicts 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
> I hope it will help
>
> Martin
>
> On 03.01.2017 14:20, Dan.Finkelstein at high5games.com 
> <mailto:Dan.Finkelstein at high5games.com> wrote:
>
>     I'm using the most recent FreeIPA 4.4.0 on CentOS 7.3 and have
>     been cleaning up various dangling replicas and other cruft, but
>     when I run the ipa consistency checker, it produces output that
>     LDAP has conflicts. I then run:
>
>     ldapsearch -D "cn=Directory Manager" -W -b "dc=h5c,dc=local"
>     "nsds5ReplConflict=*" \* nsds5ReplConflict
>
>     Which produces output as follows (which I don't know what to do
>     with, yet):
>
>     # extended LDIF
>
>     #
>
>     # LDAPv3
>
>     # base <dc=test,dc=local> with scope subtree
>
>     # filter: nsds5ReplConflict=*
>
>     # requesting: * nsds5ReplConflict
>
>     #
>
>     # ipaservers + 9865b29e-c9a411e6-a937f721-75eb0f97, hostgroups,
>     accounts, test.l
>
>     ocal
>
>     dn:
>     cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups
>
>     ,cn=accounts,dc=test,dc=local
>
>     memberOf: cn=Replication
>     Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Add Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Modify Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     memberOf: cn=Remove Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Read PassSync Managers
>     Configuration,cn=permissions,cn=pbac,dc=h5
>
>     c,dc=local
>
>     memberOf: cn=Modify PassSync Managers
>     Configuration,cn=permissions,cn=pbac,dc=
>
>     test,dc=local
>
>     memberOf: cn=Read LDBM Database
>     Configuration,cn=permissions,cn=pbac,dc=test,dc
>
>     =local
>
>     memberOf: cn=Add Configuration
>     Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Read Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
>
>     l
>
>     memberOf:
>     cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,c
>
>     n=alt,dc=test,dc=local
>
>     member:
>     fqdn=ipa-replica-gib02.test.local,cn=computers,cn=accounts,dc=test,dc=lo
>
>     cal
>
>     mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
>     objectClass: top
>
>     objectClass: ipahostgroup
>
>     objectClass: ipaobject
>
>     objectClass: groupOfNames
>
>     objectClass: nestedGroup
>
>     objectClass: mepOriginEntry
>
>     description: IPA server hosts
>
>     cn: ipaservers
>
>     ipaUniqueID: b13812a8-c9a4-11e6-8bb5-00505684b9a0
>
>     nsds5ReplConflict: namingConflict
>     cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
>
>     5c,dc=local
>
>     # ipaservers + 9865b2a0-c9a411e6-a937f721-75eb0f97, ng, alt,
>     test.local
>
>     dn:
>     cn=ipaservers+nsuniqueid=9865b2a0-c9a411e6-a937f721-75eb0f97,cn=ng,cn=alt,
>
>     dc=test,dc=local
>
>     memberHost:
>     cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=ho
>
>     stgroups,cn=accounts,dc=test,dc=local
>
>     objectClass: ipanisnetgroup
>
>     objectClass: ipaobject
>
>     objectClass: mepManagedEntry
>
>     objectClass: ipaAssociation
>
>     objectClass: top
>
>     nisDomainName: test.local
>
>     cn: ipaservers
>
>     description: ipaNetgroup ipaservers
>
>     mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
>
>     ipaUniqueID: b13f8506-c9a4-11e6-8bb5-00505684b9a0
>
>     nsds5ReplConflict: namingConflict
>     cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
>     # domain + 9865b2a7-c9a411e6-a937f721-75eb0f97, topology, ipa,
>     etc, test.local
>
>     dn:
>     cn=domain+nsuniqueid=9865b2a7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ip
>
>     a,cn=etc,dc=test,dc=local
>
>     nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
>     internalModifiersName in
>
>     ternalModifyTimestamp
>
>     ipaReplTopoConfRoot: dc=test,dc=local
>
>     objectClass: top
>
>     objectClass: iparepltopoconf
>
>     nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE
>     entryusn krblasts
>
>     uccessfulauth krblastfailedauth krbloginfailedcount
>
>     nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
>     idnssoaserial
>
>       entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>
>     cn: domain
>
>     nsds5ReplConflict: namingConflict
>     cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
>
>     c=local
>
>     # locations + 9865b2ab-c9a411e6-a937f721-75eb0f97, etc, test.local
>
>     dn:
>     cn=locations+nsuniqueid=9865b2ab-c9a411e6-a937f721-75eb0f97,cn=etc,dc=test,
>
>     dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: locations
>
>     nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
>
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>
>     ssion:System: Add IPA Locations";allow (add) groupdn =
>     "ldap:///cn=System <ldap://cn=System>: Ad
>
>     d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "description")(targetfilter =
>     "(objectclass=ipaLocationObje
>
>     ct)")(version 3.0;acl "permission:System: Modify IPA
>     Locations";allow (write)
>
>       groupdn = "ldap:///cn=System <ldap://cn=System>: Modify IPA
>     Locations,cn=permissions,cn=pbac,dc
>
>     =test,dc=local";)
>
>     aci: (targetattr = "createtimestamp || description || entryusn ||
>     idnsname ||
>
>      modifytimestamp || objectclass")(targetfilter =
>     "(objectclass=ipaLocationObje
>
>     ct)")(version 3.0;acl "permission:System: Read IPA
>     Locations";allow (compare,
>
>     read,search) groupdn = "ldap:///cn=System <ldap://cn=System>: Read
>     IPA Locations,cn=permissions,
>
>     cn=pbac,dc=test,dc=local";)
>
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>
>     ssion:System: Remove IPA Locations";allow (delete) groupdn =
>     "ldap:///cn=Syst <ldap://cn=Syst>
>
>     em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     # cas + 9865b2b1-c9a411e6-a937f721-75eb0f97, ca, test.local
>
>     dn:
>     cn=cas+nsuniqueid=9865b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=loca
>
>     l
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: cas
>
>     nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
>
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>
>     : Add CA";allow (add) groupdn = "ldap:///cn=System
>     <ldap://cn=System>: Add CA,cn=permissions,cn=
>
>     pbac,dc=test,dc=local";)
>
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>
>     : Delete CA";allow (delete) groupdn = "ldap:///cn=System
>     <ldap://cn=System>: Delete CA,cn=permis
>
>     sions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "cn || description")(targetfilter =
>     "(objectclass=ipaca)")(
>
>     version 3.0;acl "permission:System: Modify CA";allow (write)
>     groupdn = "ldap:
>
>     ///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "cn || createtimestamp || description ||
>     entryusn || ipacai
>
>     d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
>     objectclass")(targ
>
>     etfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System: Read CA
>
>     s";allow (compare,read,search) userdn = "ldap:///all" <ldap://all>;)
>
>     # custodia + 9865b2e2-c9a411e6-a937f721-75eb0f97, ipa, etc, test.local
>
>     dn:
>     cn=custodia+nsuniqueid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,d
>
>     c=test,dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: custodia
>
>     nsds5ReplConflict: namingConflict
>     cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
>     # dogtag + 9865b2e4-c9a411e6-a937f721-75eb0f97, custodia +
>     9865b2e2-c9a411e6-a9
>
>     37f721-75eb0f97, ipa, etc, test.local
>
>     dn:
>     cn=dogtag+nsuniqueid=9865b2e4-c9a411e6-a937f721-75eb0f97,cn=custodia+nsuni
>
>     queid=9865b2e2-c9a411e6-a937f721-75eb0f97,cn=ipa,cn=etc,dc=test,dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: dogtag
>
>     nsds5ReplConflict: namingConflict
>     cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
>
>     c=local
>
>     # ca + 9865b2e7-c9a411e6-a937f721-75eb0f97, topology, ipa, etc,
>     test.local
>
>     dn:
>     cn=ca+nsuniqueid=9865b2e7-c9a411e6-a937f721-75eb0f97,cn=topology,cn=ipa,cn
>
>     =etc,dc=test,dc=local
>
>     objectClass: top
>
>     objectClass: iparepltopoconf
>
>     cn: ca
>
>     ipaReplTopoConfRoot: o=ipaca
>
>     nsds5ReplConflict: namingConflict
>     cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
>
>     cal
>
>     # System: Add CA + 9865b2ed-c9a411e6-a937f721-75eb0f97,
>     permissions, pbac, test.
>
>     local
>
>     dn: cn=System: Add
>     CA+nsuniqueid=9865b2ed-c9a411e6-a937f721-75eb0f97,cn=permis
>
>     sions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: add
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Add CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: add
>     ca,cn=permissions,cn=pbac,dc=
>
>     test,dc=local
>
>     # System: Delete CA + 9865b2f1-c9a411e6-a937f721-75eb0f97,
>     permissions, pbac, h
>
>     5c.local
>
>     dn: cn=System: Delete
>     CA+nsuniqueid=9865b2f1-c9a411e6-a937f721-75eb0f97,cn=per
>
>     missions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: delete
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Delete CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: delete
>     ca,cn=permissions,cn=pbac,
>
>     dc=test,dc=local
>
>     # System: Modify CA + 9865b2f5-c9a411e6-a937f721-75eb0f97,
>     permissions, pbac, h
>
>     5c.local
>
>     dn: cn=System: Modify
>     CA+nsuniqueid=9865b2f5-c9a411e6-a937f721-75eb0f97,cn=per
>
>     missions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify
>     ca,cn=permissions,cn=pbac,
>
>     dc=test,dc=local
>
>     # System: Read CAs + 9865b2f9-c9a411e6-a937f721-75eb0f97,
>     permissions, pbac, h5
>
>     c.local
>
>     dn: cn=System: Read
>     CAs+nsuniqueid=9865b2f9-c9a411e6-a937f721-75eb0f97,cn=perm
>
>     issions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: all
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read CAs
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: ipacaissuerdn
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipacasubjectdn
>
>     ipaPermDefaultAttr: ipacaid
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read
>     cas,cn=permissions,cn=pbac,d
>
>     c=test,dc=local
>
>     # System: Modify DNS Servers Configuration +
>     9865b2fe-c9a411e6-a937f721-75eb0f9
>
>     7, permissions, pbac, test.local
>
>     dn: cn=System: Modify DNS Servers
>     Configuration+nsuniqueid=9865b2fe-c9a411e6-a
>
>     937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify DNS Servers Configuration
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: idnssoamname
>
>     ipaPermDefaultAttr: idnssubstitutionvariable
>
>     ipaPermDefaultAttr: idnsforwardpolicy
>
>     ipaPermDefaultAttr: idnsforwarders
>
>     ipaPermLocation: dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify dns servers
>     configuration,
>
>     cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read DNS Servers Configuration +
>     9865b302-c9a411e6-a937f721-75eb0f97,
>
>     permissions, pbac, test.local
>
>     dn: cn=System: Read DNS Servers
>     Configuration+nsuniqueid=9865b302-c9a411e6-a93
>
>     7f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read DNS Servers Configuration
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: idnsforwardpolicy
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: idnsforwarders
>
>     ipaPermDefaultAttr: idnsserverid
>
>     ipaPermDefaultAttr: idnssubstitutionvariable
>
>     ipaPermDefaultAttr: idnssoamname
>
>     ipaPermLocation: dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read dns servers
>     configuration,cn
>
>     =permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Host Principals +
>     9865b329-c9a411e6-a937f721-75eb0f97, permiss
>
>     ions, pbac, test.local
>
>     dn: cn=System: Manage Host
>     Principals+nsuniqueid=9865b329-c9a411e6-a937f721-75
>
>     eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipahost)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage Host Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage host
>     principals,cn=permiss
>
>     ions,cn=pbac,dc=test,dc=local
>
>     # System: Add IPA Locations + 9865b33f-c9a411e6-a937f721-75eb0f97,
>     permissions,
>
>       pbac, test.local
>
>     dn: cn=System: Add IPA
>     Locations+nsuniqueid=9865b33f-c9a411e6-a937f721-75eb0f9
>
>     7,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: add
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Add IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: add ipa
>     locations,cn=permissions,
>
>     cn=pbac,dc=test,dc=local
>
>     # System: Modify IPA Locations +
>     9865b343-c9a411e6-a937f721-75eb0f97, permissio
>
>     ns, pbac, test.local
>
>     dn: cn=System: Modify IPA
>     Locations+nsuniqueid=9865b343-c9a411e6-a937f721-75eb
>
>     0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: description
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify ipa
>     locations,cn=permissio
>
>     ns,cn=pbac,dc=test,dc=local
>
>     # System: Read IPA Locations +
>     9865b347-c9a411e6-a937f721-75eb0f97, permissions
>
>     , pbac, test.local
>
>     dn: cn=System: Read IPA
>     Locations+nsuniqueid=9865b347-c9a411e6-a937f721-75eb0f
>
>     97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: idnsname
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read ipa
>     locations,cn=permissions
>
>     ,cn=pbac,dc=test,dc=local
>
>     # System: Remove IPA Locations +
>     9865b34b-c9a411e6-a937f721-75eb0f97, permissio
>
>     ns, pbac, test.local
>
>     dn: cn=System: Remove IPA
>     Locations+nsuniqueid=9865b34b-c9a411e6-a937f721-75eb
>
>     0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: delete
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Remove IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: remove ipa
>     locations,cn=permissio
>
>     ns,cn=pbac,dc=test,dc=local
>
>     # System: Read Locations of IPA Servers +
>     9865b34f-c9a411e6-a937f721-75eb0f97,
>
>      permissions, pbac, test.local
>
>     dn: cn=System: Read Locations of IPA
>     Servers+nsuniqueid=9865b34f-c9a411e6-a937
>
>     f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read Locations of IPA Servers
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipaserviceweight
>
>     ipaPermDefaultAttr: ipalocation
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read locations of ipa
>     servers,cn=
>
>     permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read Status of Services on IPA Servers +
>     9865b353-c9a411e6-a937f721-7
>
>     5eb0f97, permissions, pbac, test.local
>
>     dn: cn=System: Read Status of Services on IPA
>     Servers+nsuniqueid=9865b353-c9a4
>
>     11e6-a937f721-75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read Status of Services on IPA Servers
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipaconfigstring
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read status of
>     services on ipa se
>
>     rvers,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Service Principals +
>     9865b357-c9a411e6-a937f721-75eb0f97, perm
>
>     issions, pbac, test.local
>
>     dn: cn=System: Manage Service
>     Principals+nsuniqueid=9865b357-c9a411e6-a937f721
>
>     -75eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaservice)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage Service Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=Service
>     Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage service
>     principals,cn=perm
>
>     issions,cn=pbac,dc=test,dc=local
>
>     # System: Manage User Principals +
>     9865b364-c9a411e6-a937f721-75eb0f97, permiss
>
>     ions, pbac, test.local
>
>     dn: cn=System: Manage User
>     Principals+nsuniqueid=9865b364-c9a411e6-a937f721-75
>
>     eb0f97,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=posixaccount)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage User Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=Modify Users and Reset
>     passwords,cn=privileges,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage user
>     principals,cn=permiss
>
>     ions,cn=pbac,dc=test,dc=local
>
>     # servers + 9865b37b-c9a411e6-a937f721-75eb0f97, dns, test.local
>
>     dn:
>     cn=servers+nsuniqueid=9865b37b-c9a411e6-a937f721-75eb0f97,cn=dns,dc=test,dc
>
>     =local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: servers
>
>     nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
>
>     # ipa + cba8431e-c9a411e6-a937f721-75eb0f97, cas +
>     9865b2b1-c9a411e6-a937f721-7
>
>     5eb0f97, ca, test.local
>
>     dn:
>     cn=ipa+nsuniqueid=cba8431e-c9a411e6-a937f721-75eb0f97,cn=cas+nsuniqueid=98
>
>     65b2b1-c9a411e6-a937f721-75eb0f97,cn=ca,dc=test,dc=local
>
>     description: IPA CA
>
>     ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
>
>     objectClass: top
>
>     objectClass: ipaca
>
>     ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
>
>     ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
>
>     cn: ipa
>
>     nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
>
>     # ipaservers + 6f4721f7-c9a811e6-943e8d1c-0faa636d, hostgroups,
>     accounts, test.l
>
>     ocal
>
>     dn:
>     cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=hostgroups
>
>     ,cn=accounts,dc=test,dc=local
>
>     memberOf: cn=Replication
>     Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Add Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Modify Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     memberOf: cn=Remove Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Read PassSync Managers
>     Configuration,cn=permissions,cn=pbac,dc=h5
>
>     c,dc=local
>
>     memberOf: cn=Modify PassSync Managers
>     Configuration,cn=permissions,cn=pbac,dc=
>
>     test,dc=local
>
>     memberOf: cn=Read LDBM Database
>     Configuration,cn=permissions,cn=pbac,dc=test,dc
>
>     =local
>
>     memberOf: cn=Add Configuration
>     Sub-Entries,cn=permissions,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=test,dc=local
>
>     memberOf: cn=Read Replication
>     Agreements,cn=permissions,cn=pbac,dc=test,dc=loca
>
>     l
>
>     memberOf:
>     cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,c
>
>     n=alt,dc=test,dc=local
>
>     member:
>     fqdn=ipa-replica-gib01.test.local,cn=computers,cn=accounts,dc=test,dc=lo
>
>     cal
>
>     mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
>     objectClass: top
>
>     objectClass: ipahostgroup
>
>     objectClass: ipaobject
>
>     objectClass: groupOfNames
>
>     objectClass: nestedGroup
>
>     objectClass: mepOriginEntry
>
>     description: IPA server hosts
>
>     cn: ipaservers
>
>     ipaUniqueID: 863f47b6-c9a8-11e6-a9b0-00505684f6ff
>
>     nsds5ReplConflict: namingConflict
>     cn=ipaservers,cn=hostgroups,cn=accounts,dc=h
>
>     5c,dc=local
>
>     # ipaservers + 6f4721f9-c9a811e6-943e8d1c-0faa636d, ng, alt,
>     test.local
>
>     dn:
>     cn=ipaservers+nsuniqueid=6f4721f9-c9a811e6-943e8d1c-0faa636d,cn=ng,cn=alt,
>
>     dc=test,dc=local
>
>     memberHost:
>     cn=ipaservers+nsuniqueid=6f4721f7-c9a811e6-943e8d1c-0faa636d,cn=ho
>
>     stgroups,cn=accounts,dc=test,dc=local
>
>     objectClass: ipanisnetgroup
>
>     objectClass: ipaobject
>
>     objectClass: mepManagedEntry
>
>     objectClass: ipaAssociation
>
>     objectClass: top
>
>     nisDomainName: test.local
>
>     cn: ipaservers
>
>     description: ipaNetgroup ipaservers
>
>     mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=test,dc=local
>
>     ipaUniqueID: 864e605c-c9a8-11e6-a9b0-00505684f6ff
>
>     nsds5ReplConflict: namingConflict
>     cn=ipaservers,cn=ng,cn=alt,dc=test,dc=local
>
>     # domain + 6f472200-c9a811e6-943e8d1c-0faa636d, topology, ipa,
>     etc, test.local
>
>     dn:
>     cn=domain+nsuniqueid=6f472200-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ip
>
>     a,cn=etc,dc=test,dc=local
>
>     nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
>     internalModifiersName in
>
>     ternalModifyTimestamp
>
>     ipaReplTopoConfRoot: dc=test,dc=local
>
>     objectClass: top
>
>     objectClass: iparepltopoconf
>
>     nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE
>     entryusn krblasts
>
>     uccessfulauth krblastfailedauth krbloginfailedcount
>
>     nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
>     idnssoaserial
>
>       entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
>
>     cn: domain
>
>     nsds5ReplConflict: namingConflict
>     cn=domain,cn=topology,cn=ipa,cn=etc,dc=test,d
>
>     c=local
>
>     # locations + 6f472204-c9a811e6-943e8d1c-0faa636d, etc, test.local
>
>     dn:
>     cn=locations+nsuniqueid=6f472204-c9a811e6-943e8d1c-0faa636d,cn=etc,dc=test,
>
>     dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: locations
>
>     nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=test,dc=local
>
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>
>     ssion:System: Add IPA Locations";allow (add) groupdn =
>     "ldap:///cn=System: Ad
>
>     d IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "description")(targetfilter =
>     "(objectclass=ipaLocationObje
>
>     ct)")(version 3.0;acl "permission:System: Modify IPA
>     Locations";allow (write)
>
>       groupdn = "ldap:///cn=System: Modify IPA
>     Locations,cn=permissions,cn=pbac,dc
>
>     =test,dc=local";)
>
>     aci: (targetattr = "createtimestamp || description || entryusn ||
>     idnsname ||
>
>      modifytimestamp || objectclass")(targetfilter =
>     "(objectclass=ipaLocationObje
>
>     ct)")(version 3.0;acl "permission:System: Read IPA
>     Locations";allow (compare,
>
>     read,search) groupdn = "ldap:///cn=System: Read
>     IPA Locations,cn=permissions,
>
>     cn=pbac,dc=test,dc=local";)
>
>     aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>     3.0;acl "permi
>
>     ssion:System: Remove IPA Locations";allow (delete) groupdn =
>     "ldap:///cn=Syst
>
>     em: Remove IPA Locations,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     # cas + 6f47220a-c9a811e6-943e8d1c-0faa636d, ca, test.local
>
>     dn:
>     cn=cas+nsuniqueid=6f47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=loca
>
>     l
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: cas
>
>     nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=test,dc=local
>
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>
>     : Add CA";allow (add) groupdn = "ldap:///cn=System
>     : Add CA,cn=permissions,cn=
>
>     pbac,dc=test,dc=local";)
>
>     aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System
>
>     : Delete CA";allow (delete) groupdn = "ldap:///cn=System
>     : Delete CA,cn=permis
>
>     sions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "cn || description")(targetfilter =
>     "(objectclass=ipaca)")(
>
>     version 3.0;acl "permission:System: Modify CA";allow (write)
>     groupdn = "ldap:
>
>     ///cn=System: Modify CA,cn=permissions,cn=pbac,dc=test,dc=local";)
>
>     aci: (targetattr = "cn || createtimestamp || description ||
>     entryusn || ipacai
>
>     d || ipacaissuerdn || ipacasubjectdn || modifytimestamp ||
>     objectclass")(targ
>
>     etfilter = "(objectclass=ipaca)")(version 3.0;acl
>     "permission:System: Read CA
>
>     s";allow (compare,read,search) userdn = "ldap:///all";)
>
>     # custodia + 6f47223b-c9a811e6-943e8d1c-0faa636d, ipa, etc, test.local
>
>     dn:
>     cn=custodia+nsuniqueid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,d
>
>     c=test,dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: custodia
>
>     nsds5ReplConflict: namingConflict
>     cn=custodia,cn=ipa,cn=etc,dc=test,dc=local
>
>     # dogtag + 6f47223d-c9a811e6-943e8d1c-0faa636d, custodia +
>     6f47223b-c9a811e6-94
>
>     3e8d1c-0faa636d, ipa, etc, test.local
>
>     dn:
>     cn=dogtag+nsuniqueid=6f47223d-c9a811e6-943e8d1c-0faa636d,cn=custodia+nsuni
>
>     queid=6f47223b-c9a811e6-943e8d1c-0faa636d,cn=ipa,cn=etc,dc=test,dc=local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: dogtag
>
>     nsds5ReplConflict: namingConflict
>     cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=test,d
>
>     c=local
>
>     # ca + 6f472240-c9a811e6-943e8d1c-0faa636d, topology, ipa, etc,
>     test.local
>
>     dn:
>     cn=ca+nsuniqueid=6f472240-c9a811e6-943e8d1c-0faa636d,cn=topology,cn=ipa,cn
>
>     =etc,dc=test,dc=local
>
>     objectClass: top
>
>     objectClass: iparepltopoconf
>
>     cn: ca
>
>     ipaReplTopoConfRoot: o=ipaca
>
>     nsds5ReplConflict: namingConflict
>     cn=ca,cn=topology,cn=ipa,cn=etc,dc=test,dc=lo
>
>     cal
>
>     # System: Add CA + 6f472246-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, test.
>
>     local
>
>     dn: cn=System: Add
>     CA+nsuniqueid=6f472246-c9a811e6-943e8d1c-0faa636d,cn=permis
>
>     sions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: add
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Add CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: add
>     ca,cn=permissions,cn=pbac,dc=
>
>     test,dc=local
>
>     # System: Delete CA + 6f47224a-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, h
>
>     5c.local
>
>     dn: cn=System: Delete
>     CA+nsuniqueid=6f47224a-c9a811e6-943e8d1c-0faa636d,cn=per
>
>     missions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: delete
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Delete CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: delete
>     ca,cn=permissions,cn=pbac,
>
>     dc=test,dc=local
>
>     # System: Modify CA + 6f47224e-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, h
>
>     5c.local
>
>     dn: cn=System: Modify
>     CA+nsuniqueid=6f47224e-c9a811e6-943e8d1c-0faa636d,cn=per
>
>     missions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify CA
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=CA Administrator,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify
>     ca,cn=permissions,cn=pbac,
>
>     dc=test,dc=local
>
>     # System: Read CAs + 6f472252-c9a811e6-943e8d1c-0faa636d,
>     permissions, pbac, h5
>
>     c.local
>
>     dn: cn=System: Read
>     CAs+nsuniqueid=6f472252-c9a811e6-943e8d1c-0faa636d,cn=perm
>
>     issions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaca)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: all
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read CAs
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: ipacaissuerdn
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipacasubjectdn
>
>     ipaPermDefaultAttr: ipacaid
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=cas,cn=ca,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read
>     cas,cn=permissions,cn=pbac,d
>
>     c=test,dc=local
>
>     # System: Modify DNS Servers Configuration +
>     6f472257-c9a811e6-943e8d1c-0faa636
>
>     d, permissions, pbac, test.local
>
>     dn: cn=System: Modify DNS Servers
>     Configuration+nsuniqueid=6f472257-c9a811e6-9
>
>     43e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify DNS Servers Configuration
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: idnssoamname
>
>     ipaPermDefaultAttr: idnssubstitutionvariable
>
>     ipaPermDefaultAttr: idnsforwardpolicy
>
>     ipaPermDefaultAttr: idnsforwarders
>
>     ipaPermLocation: dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify dns servers
>     configuration,
>
>     cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read DNS Servers Configuration +
>     6f47225b-c9a811e6-943e8d1c-0faa636d,
>
>     permissions, pbac, test.local
>
>     dn: cn=System: Read DNS Servers
>     Configuration+nsuniqueid=6f47225b-c9a811e6-943
>
>     e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read DNS Servers Configuration
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Servers,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: idnsforwardpolicy
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: idnsforwarders
>
>     ipaPermDefaultAttr: idnsserverid
>
>     ipaPermDefaultAttr: idnssubstitutionvariable
>
>     ipaPermDefaultAttr: idnssoamname
>
>     ipaPermLocation: dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read dns servers
>     configuration,cn
>
>     =permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Host Principals +
>     6f472282-c9a811e6-943e8d1c-0faa636d, permiss
>
>     ions, pbac, test.local
>
>     dn: cn=System: Manage Host
>     Principals+nsuniqueid=6f472282-c9a811e6-943e8d1c-0f
>
>     aa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipahost)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage Host Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=Host Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=Host Enrollment,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=computers,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage host
>     principals,cn=permiss
>
>     ions,cn=pbac,dc=test,dc=local
>
>     # System: Add IPA Locations + 6f472298-c9a811e6-943e8d1c-0faa636d,
>     permissions,
>
>       pbac, test.local
>
>     dn: cn=System: Add IPA
>     Locations+nsuniqueid=6f472298-c9a811e6-943e8d1c-0faa636
>
>     d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: add
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Add IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: add ipa
>     locations,cn=permissions,
>
>     cn=pbac,dc=test,dc=local
>
>     # System: Modify IPA Locations +
>     6f47229c-c9a811e6-943e8d1c-0faa636d, permissio
>
>     ns, pbac, test.local
>
>     dn: cn=System: Modify IPA
>     Locations+nsuniqueid=6f47229c-c9a811e6-943e8d1c-0faa
>
>     636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Modify IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: description
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: modify ipa
>     locations,cn=permissio
>
>     ns,cn=pbac,dc=test,dc=local
>
>     # System: Read IPA Locations +
>     6f4722a0-c9a811e6-943e8d1c-0faa636d, permissions
>
>     , pbac, test.local
>
>     dn: cn=System: Read IPA
>     Locations+nsuniqueid=6f4722a0-c9a811e6-943e8d1c-0faa63
>
>     6d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: description
>
>     ipaPermDefaultAttr: idnsname
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read ipa
>     locations,cn=permissions
>
>     ,cn=pbac,dc=test,dc=local
>
>     # System: Remove IPA Locations +
>     6f4722a4-c9a811e6-943e8d1c-0faa636d, permissio
>
>     ns, pbac, test.local
>
>     dn: cn=System: Remove IPA
>     Locations+nsuniqueid=6f4722a4-c9a811e6-943e8d1c-0faa
>
>     636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaLocationObject)
>
>     ipaPermRight: delete
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Remove IPA Locations
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermLocation: cn=locations,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: remove ipa
>     locations,cn=permissio
>
>     ns,cn=pbac,dc=test,dc=local
>
>     # System: Read Locations of IPA Servers +
>     6f4722a8-c9a811e6-943e8d1c-0faa636d,
>
>      permissions, pbac, test.local
>
>     dn: cn=System: Read Locations of IPA
>     Servers+nsuniqueid=6f4722a8-c9a811e6-943e
>
>     8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read Locations of IPA Servers
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipaserviceweight
>
>     ipaPermDefaultAttr: ipalocation
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read locations of ipa
>     servers,cn=
>
>     permissions,cn=pbac,dc=test,dc=local
>
>     # System: Read Status of Services on IPA Servers +
>     6f4722ac-c9a811e6-943e8d1c-0
>
>     faa636d, permissions, pbac, test.local
>
>     dn: cn=System: Read Status of Services on IPA
>     Servers+nsuniqueid=6f4722ac-c9a8
>
>     11e6-943e8d1c-0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaConfigObject)
>
>     ipaPermRight: read
>
>     ipaPermRight: compare
>
>     ipaPermRight: search
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Read Status of Services on IPA Servers
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: objectclass
>
>     ipaPermDefaultAttr: ipaconfigstring
>
>     ipaPermDefaultAttr: cn
>
>     ipaPermLocation: cn=masters,cn=ipa,cn=etc,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: read status of
>     services on ipa se
>
>     rvers,cn=permissions,cn=pbac,dc=test,dc=local
>
>     # System: Manage Service Principals +
>     6f4722b0-c9a811e6-943e8d1c-0faa636d, perm
>
>     issions, pbac, test.local
>
>     dn: cn=System: Manage Service
>     Principals+nsuniqueid=6f4722b0-c9a811e6-943e8d1c
>
>     -0faa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=ipaservice)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage Service Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=Service
>     Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=services,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage service
>     principals,cn=perm
>
>     issions,cn=pbac,dc=test,dc=local
>
>     # System: Manage User Principals +
>     6f4722bd-c9a811e6-943e8d1c-0faa636d, permiss
>
>     ions, pbac, test.local
>
>     dn: cn=System: Manage User
>     Principals+nsuniqueid=6f4722bd-c9a811e6-943e8d1c-0f
>
>     aa636d,cn=permissions,cn=pbac,dc=test,dc=local
>
>     ipaPermTargetFilter: (objectclass=posixaccount)
>
>     ipaPermRight: write
>
>     ipaPermBindRuleType: permission
>
>     ipaPermissionType: V2
>
>     ipaPermissionType: MANAGED
>
>     ipaPermissionType: SYSTEM
>
>     cn: System: Manage User Principals
>
>     objectClass: ipapermission
>
>     objectClass: top
>
>     objectClass: groupofnames
>
>     objectClass: ipapermissionv2
>
>     member: cn=User Administrators,cn=privileges,cn=pbac,dc=test,dc=local
>
>     member: cn=Modify Users and Reset
>     passwords,cn=privileges,cn=pbac,dc=test,dc=lo
>
>     cal
>
>     ipaPermDefaultAttr: krbprincipalname
>
>     ipaPermDefaultAttr: krbcanonicalname
>
>     ipaPermLocation: cn=users,cn=accounts,dc=test,dc=local
>
>     nsds5ReplConflict: namingConflict cn=system: manage user
>     principals,cn=permiss
>
>     ions,cn=pbac,dc=test,dc=local
>
>     # servers + 6f4722d4-c9a811e6-943e8d1c-0faa636d, dns, test.local
>
>     dn:
>     cn=servers+nsuniqueid=6f4722d4-c9a811e6-943e8d1c-0faa636d,cn=dns,dc=test,dc
>
>     =local
>
>     objectClass: nsContainer
>
>     objectClass: top
>
>     cn: servers
>
>     nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=test,dc=local
>
>     # ipa + 90a80ea3-c9a811e6-943e8d1c-0faa636d, cas +
>     6f47220a-c9a811e6-943e8d1c-0
>
>     faa636d, ca, test.local
>
>     dn:
>     cn=ipa+nsuniqueid=90a80ea3-c9a811e6-943e8d1c-0faa636d,cn=cas+nsuniqueid=6f
>
>     47220a-c9a811e6-943e8d1c-0faa636d,cn=ca,dc=test,dc=local
>
>     description: IPA CA
>
>     ipaCaIssuerDN: CN=Certificate Authority,O=TEST.LOCAL
>
>     objectClass: top
>
>     objectClass: ipaca
>
>     ipaCaSubjectDN: CN=Certificate Authority,O=TEST.LOCAL
>
>     ipaCaId: bcab810a-f59b-40ff-add4-560f50be04d3
>
>     cn: ipa
>
>     nsds5ReplConflict: namingConflict cn=ipa,cn=cas,cn=ca,dc=test,dc=local
>
>     # search result
>
>     search: 2
>
>     result: 0 Success
>
>     # numResponses: 51
>
>     # numEntries: 50
>
