Red Hat Bugzilla – Attachment 836335 Details for Bug 1041732: Segfault crash of 389 after ipa-adtrust-install
Log from the ipa-server-install and ipa-adtrust-install
ipaserver-install.log (text/x-log), 3.61 MB, created by Tomas Babej on 2013-12-13 13:58:30 UTC
>2013-12-13T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:13:48Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:13:48Z DEBUG httpd is not configured >2013-12-13T13:13:48Z DEBUG kadmin is not configured >2013-12-13T13:13:48Z DEBUG dirsrv is not configured >2013-12-13T13:13:48Z DEBUG pki-cad is not configured >2013-12-13T13:13:48Z DEBUG pki-tomcatd is not configured >2013-12-13T13:13:48Z DEBUG install is not configured >2013-12-13T13:13:48Z DEBUG krb5kdc is not configured >2013-12-13T13:13:48Z DEBUG ntpd is not configured >2013-12-13T13:13:48Z DEBUG named is not configured >2013-12-13T13:13:48Z DEBUG ipa_memcached is not configured >2013-12-13T13:13:48Z DEBUG filestore is tracking no files >2013-12-13T13:13:48Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' >2013-12-13T13:13:48Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'reverse_zone': None, 'setup_pkinit': True, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'subject': None, 'no_forwarders': False, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': True, 'pkinit_pkcs12': None, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'realm_name': 'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', 'forwarders': [CheckedIPAddress('8.8.8.8')], 'idstart': 346000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': True, 'zonemgr': None, 'root_ca_file': None, 'setup_dns': True, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False, 'pkinit_pin': None} >2013-12-13T13:13:48Z DEBUG missing options might be asked for interactively later > >2013-12-13T13:13:48Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:13:48Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:13:48Z DEBUG Starting external process >2013-12-13T13:13:48Z DEBUG args=/bin/systemctl is-enabled chronyd.service >2013-12-13T13:13:48Z DEBUG Process finished, return code=1 >2013-12-13T13:13:48Z DEBUG stdout= >2013-12-13T13:13:48Z DEBUG stderr=Failed to issue method call: No such file or directory > >2013-12-13T13:13:48Z DEBUG Starting external process >2013-12-13T13:13:48Z DEBUG args=/bin/systemctl is-active chronyd.service >2013-12-13T13:13:48Z DEBUG Process finished, return code=3 >2013-12-13T13:13:48Z DEBUG stdout=unknown > >2013-12-13T13:13:48Z DEBUG stderr= >2013-12-13T13:13:48Z DEBUG Starting external process >2013-12-13T13:13:48Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS >2013-12-13T13:13:48Z DEBUG Process finished, return code=0 >2013-12-13T13:13:48Z DEBUG stdout=VirtualHost configuration: >*:8443 is a NameVirtualHost > default server vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com (/etc/httpd/conf.d/nss.conf:86) > port 8443 namevhost vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com (/etc/httpd/conf.d/nss.conf:86) > port 8443 namevhost vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com (/etc/httpd/conf.d/nss.conf:86) > >2013-12-13T13:13:48Z DEBUG stderr= >2013-12-13T13:13:48Z DEBUG Check if vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com is a primary hostname for localhost >2013-12-13T13:13:48Z DEBUG Primary hostname for localhost: vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:13:48Z DEBUG will use host_name: vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com > >2013-12-13T13:13:48Z DEBUG read domain_name: dom227.jenkinsad.idm.lab.eng.brq.redhat.com > >2013-12-13T13:13:48Z DEBUG Starting external process >2013-12-13T13:13:48Z DEBUG args=/sbin/ip -family inet -oneline address show >2013-12-13T13:13:48Z DEBUG Process finished, return code=0 >2013-12-13T13:13:48Z DEBUG stdout=1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever >2: eth0 inet 
10.34.47.227/24 brd 10.34.47.255 scope global eth0\ valid_lft forever preferred_lft forever > >2013-12-13T13:13:48Z DEBUG stderr= >2013-12-13T13:13:48Z DEBUG will use dns_forwarders: [CheckedIPAddress('8.8.8.8')] > >2013-12-13T13:13:48Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'... >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py' >2013-12-13T13:13:48Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/host.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py' >2013-12-13T13:13:48Z DEBUG Starting external process >2013-12-13T13:13:48Z DEBUG args=klist -V >2013-12-13T13:13:48Z DEBUG Process finished, return code=0 >2013-12-13T13:13:48Z DEBUG stdout=Kerberos 5 version 1.11.3 > >2013-12-13T13:13:48Z DEBUG stderr= >2013-12-13T13:13:48Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py' >2013-12-13T13:13:48Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipaserver/install/plugins'... 
>2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/baseupdate.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_agreements.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/rename_managed.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_anonymous_aci.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_idranges.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_pacs.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_services.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py' >2013-12-13T13:13:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py' >2013-12-13T13:13:49Z DEBUG Adding DS group dirsrv >2013-12-13T13:13:49Z DEBUG Starting external process >2013-12-13T13:13:49Z DEBUG args=/usr/sbin/groupadd -r dirsrv >2013-12-13T13:13:50Z DEBUG Process finished, return code=0 >2013-12-13T13:13:50Z DEBUG stdout= >2013-12-13T13:13:50Z DEBUG stderr= >2013-12-13T13:13:50Z DEBUG Done adding DS group >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl is-enabled chronyd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=1 >2013-12-13T13:13:50Z DEBUG 
stdout= >2013-12-13T13:13:50Z DEBUG stderr=Failed to issue method call: No such file or directory > >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl is-active chronyd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=3 >2013-12-13T13:13:50Z DEBUG stdout=unknown > >2013-12-13T13:13:50Z DEBUG stderr= >2013-12-13T13:13:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:13:50Z DEBUG Configuring NTP daemon (ntpd) >2013-12-13T13:13:50Z DEBUG [1/4]: stopping ntpd >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl is-active ntpd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=3 >2013-12-13T13:13:50Z DEBUG stdout=unknown > >2013-12-13T13:13:50Z DEBUG stderr= >2013-12-13T13:13:50Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl stop ntpd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=0 >2013-12-13T13:13:50Z DEBUG stdout= >2013-12-13T13:13:50Z DEBUG stderr= >2013-12-13T13:13:50Z DEBUG duration: 0 seconds >2013-12-13T13:13:50Z DEBUG [2/4]: writing configuration >2013-12-13T13:13:50Z DEBUG Backing up system configuration file '/etc/ntp.conf' >2013-12-13T13:13:50Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:13:50Z DEBUG Backing up system configuration file '/etc/sysconfig/ntpd' >2013-12-13T13:13:50Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:13:50Z DEBUG duration: 0 seconds >2013-12-13T13:13:50Z DEBUG [3/4]: configuring ntpd to start on boot >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl is-enabled ntpd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=1 >2013-12-13T13:13:50Z DEBUG stdout=disabled > 
>2013-12-13T13:13:50Z DEBUG stderr= >2013-12-13T13:13:50Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl enable ntpd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=0 >2013-12-13T13:13:50Z DEBUG stdout= >2013-12-13T13:13:50Z DEBUG stderr=ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service' > >2013-12-13T13:13:50Z DEBUG duration: 0 seconds >2013-12-13T13:13:50Z DEBUG [4/4]: starting ntpd >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl start ntpd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=0 >2013-12-13T13:13:50Z DEBUG stdout= >2013-12-13T13:13:50Z DEBUG stderr= >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/bin/systemctl is-active ntpd.service >2013-12-13T13:13:50Z DEBUG Process finished, return code=0 >2013-12-13T13:13:50Z DEBUG stdout=active > >2013-12-13T13:13:50Z DEBUG stderr= >2013-12-13T13:13:50Z DEBUG duration: 0 seconds >2013-12-13T13:13:50Z DEBUG Done configuring NTP daemon (ntpd). 
>2013-12-13T13:13:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:13:50Z DEBUG Configuring directory server (dirsrv): Estimated time 1 minute >2013-12-13T13:13:50Z DEBUG [1/38]: creating directory server user >2013-12-13T13:13:50Z DEBUG Adding DS user dirsrv >2013-12-13T13:13:50Z DEBUG Starting external process >2013-12-13T13:13:50Z DEBUG args=/usr/sbin/useradd -g dirsrv -c DS System User -d /var/lib/dirsrv -s /sbin/nologin -M -r dirsrv >2013-12-13T13:13:51Z DEBUG Process finished, return code=0 >2013-12-13T13:13:51Z DEBUG stdout= >2013-12-13T13:13:51Z DEBUG stderr= >2013-12-13T13:13:51Z DEBUG Done adding DS user >2013-12-13T13:13:51Z DEBUG duration: 0 seconds >2013-12-13T13:13:51Z DEBUG [2/38]: creating directory server instance >2013-12-13T13:13:51Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:13:51Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv' >2013-12-13T13:13:51Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:13:51Z DEBUG >dn: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >objectClass: top >objectClass: domain >objectClass: pilotObject >dc: dom227 >info: IPA V2.0 > >2013-12-13T13:13:51Z DEBUG writing inf template >2013-12-13T13:13:51Z DEBUG >[General] >FullMachineName= vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >SuiteSpotUserID= dirsrv >SuiteSpotGroup= dirsrv >ServerRoot= /usr/lib64/dirsrv >[slapd] >ServerPort= 389 >ServerIdentifier= DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >Suffix= dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >RootDN= cn=Directory Manager >InstallLdifFile= /var/lib/dirsrv/boot.ldif >inst_dir= /var/lib/dirsrv/scripts-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM > >2013-12-13T13:13:51Z DEBUG calling setup-ds.pl >2013-12-13T13:13:51Z DEBUG Starting external process >2013-12-13T13:13:51Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f 
/tmp/tmpyyn0cp >2013-12-13T13:13:57Z DEBUG Process finished, return code=0 >2013-12-13T13:13:57Z DEBUG stdout=[13/12/13:14:13:57] - [Setup] Info Your new DS instance 'DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM' was successfully created. >Your new DS instance 'DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM' was successfully created. >[13/12/13:14:13:57] - [Setup] Success Exiting . . . >Log file is '-' > >Exiting . . . >Log file is '-' > > >2013-12-13T13:13:57Z DEBUG stderr= >2013-12-13T13:13:57Z DEBUG completed creating ds instance >2013-12-13T13:13:57Z DEBUG restarting ds instance >2013-12-13T13:13:57Z DEBUG Starting external process >2013-12-13T13:13:57Z DEBUG args=/bin/systemctl --system daemon-reload >2013-12-13T13:13:57Z DEBUG Process finished, return code=0 >2013-12-13T13:13:57Z DEBUG stdout= >2013-12-13T13:13:57Z DEBUG stderr= >2013-12-13T13:13:57Z DEBUG Starting external process >2013-12-13T13:13:57Z DEBUG args=/bin/systemctl restart dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:13:59Z DEBUG Process finished, return code=0 >2013-12-13T13:13:59Z DEBUG stdout= >2013-12-13T13:13:59Z DEBUG stderr= >2013-12-13T13:13:59Z DEBUG Starting external process >2013-12-13T13:13:59Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:13:59Z DEBUG Process finished, return code=0 >2013-12-13T13:13:59Z DEBUG stdout=active > >2013-12-13T13:13:59Z DEBUG stderr= >2013-12-13T13:13:59Z DEBUG wait_for_open_ports: localhost [389] timeout 120 >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=active > >2013-12-13T13:14:00Z DEBUG stderr= >2013-12-13T13:14:00Z DEBUG done restarting ds instance >2013-12-13T13:14:00Z DEBUG duration: 8 seconds >2013-12-13T13:14:00Z DEBUG [3/38]: adding default 
schema >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [4/38]: enabling memberof plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/memberof-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpKm46c_ >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=replace nsslapd-pluginenabled: > on >add memberofgroupattr: > memberUser >add memberofgroupattr: > memberHost >modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [5/38]: enabling winsync plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/ipa-winsync-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmp4UNvmh >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > ipa-winsync >add nsslapd-pluginpath: > libipa_winsync >add nsslapd-plugininitfunc: > ipa_winsync_plugin_init >add nsslapd-pluginDescription: > Allows IPA to work with the DS windows sync feature >add nsslapd-pluginid: > ipa-winsync >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > Red Hat >add nsslapd-plugintype: > preoperation >add nsslapd-pluginenabled: > on >add nsslapd-plugin-depends-on-type: > database >add ipaWinSyncRealmFilter: > (objectclass=krbRealmContainer) >add ipaWinSyncRealmAttr: > cn >add ipaWinSyncNewEntryFilter: > (cn=ipaConfig) >add ipaWinSyncNewUserOCAttr: > ipauserobjectclasses >add ipaWinSyncUserFlatten: > true >add ipaWinsyncHomeDirAttr: > 
ipaHomesRootDir >add ipaWinsyncLoginShellAttr: > ipaDefaultLoginShell >add ipaWinSyncDefaultGroupAttr: > ipaDefaultPrimaryGroup >add ipaWinSyncDefaultGroupFilter: > (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) >add ipaWinSyncAcctDisable: > both >add ipaWinSyncForceSync: > true >add ipaWinSyncUserAttr: > uidNumber -1 > gidNumber -1 >adding new entry "cn=ipa-winsync,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [6/38]: configuring replication version plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/version-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpS9I8ho >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > IPA Version Replication >add nsslapd-pluginpath: > libipa_repl_version >add nsslapd-plugininitfunc: > repl_version_plugin_init >add nsslapd-plugintype: > preoperation >add nsslapd-pluginenabled: > off >add nsslapd-pluginid: > ipa_repl_version >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > Red Hat, Inc. 
>add nsslapd-plugindescription: > IPA Replication version plugin >add nsslapd-plugin-depends-on-type: > database >add nsslapd-plugin-depends-on-named: > Multimaster Replication Plugin >adding new entry "cn=IPA Version Replication,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [7/38]: enabling IPA enrollment plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpw8MqjV -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpjpA4uD >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > ipa_enrollment_extop >add nsslapd-pluginpath: > libipa_enrollment_extop >add nsslapd-plugininitfunc: > ipaenrollment_init >add nsslapd-plugintype: > extendedop >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipa_enrollment_extop >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > RedHat >add nsslapd-plugindescription: > Enroll hosts into the IPA domain >add nsslapd-plugin-depends-on-type: > database >add nsslapd-realmTree: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=ipa_enrollment_extop,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [8/38]: enabling ldapi >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpDNr6by -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmp2JgDLM 
>2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=replace nsslapd-ldapilisten: > on >modifying entry "cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [9/38]: configuring uniqueness plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpbX8ynd -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpzEjORr >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectClass: > top > nsSlapdPlugin > extensibleObject >add cn: > krbPrincipalName uniqueness >add nsslapd-pluginPath: > libattr-unique-plugin >add nsslapd-pluginInitfunc: > NSUniqueAttr_Init >add nsslapd-pluginType: > preoperation >add nsslapd-pluginEnabled: > on >add nsslapd-pluginarg0: > krbPrincipalName >add nsslapd-pluginarg1: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add nsslapd-plugin-depends-on-type: > database >add nsslapd-pluginId: > NSUniqueAttr >add nsslapd-pluginVersion: > 1.1.0 >add nsslapd-pluginVendor: > Fedora Project >add nsslapd-pluginDescription: > Enforce unique attribute values >adding new entry "cn=krbPrincipalName uniqueness,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsSlapdPlugin > extensibleObject >add cn: > krbCanonicalName uniqueness >add nsslapd-pluginPath: > libattr-unique-plugin >add nsslapd-pluginInitfunc: > NSUniqueAttr_Init >add nsslapd-pluginType: > preoperation >add nsslapd-pluginEnabled: > on >add nsslapd-pluginarg0: > krbCanonicalName >add nsslapd-pluginarg1: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add nsslapd-plugin-depends-on-type: > database >add nsslapd-pluginId: > NSUniqueAttr >add 
nsslapd-pluginVersion: > 1.1.0 >add nsslapd-pluginVendor: > Fedora Project >add nsslapd-pluginDescription: > Enforce unique attribute values >adding new entry "cn=krbCanonicalName uniqueness,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsSlapdPlugin > extensibleObject >add cn: > netgroup uniqueness >add nsslapd-pluginPath: > libattr-unique-plugin >add nsslapd-pluginInitfunc: > NSUniqueAttr_Init >add nsslapd-pluginType: > preoperation >add nsslapd-pluginEnabled: > on >add nsslapd-pluginarg0: > cn >add nsslapd-pluginarg1: > cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add nsslapd-plugin-depends-on-type: > database >add nsslapd-pluginId: > NSUniqueAttr >add nsslapd-pluginVersion: > 1.1.0 >add nsslapd-pluginVendor: > Fedora Project >add nsslapd-pluginDescription: > Enforce unique attribute values >adding new entry "cn=netgroup uniqueness,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsSlapdPlugin > extensibleObject >add cn: > ipaUniqueID uniqueness >add nsslapd-pluginPath: > libattr-unique-plugin >add nsslapd-pluginInitfunc: > NSUniqueAttr_Init >add nsslapd-pluginType: > preoperation >add nsslapd-pluginEnabled: > on >add nsslapd-pluginarg0: > ipaUniqueID >add nsslapd-pluginarg1: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add nsslapd-plugin-depends-on-type: > database >add nsslapd-pluginId: > NSUniqueAttr >add nsslapd-pluginVersion: > 1.1.0 >add nsslapd-pluginVendor: > Fedora Project >add nsslapd-pluginDescription: > Enforce unique attribute values >adding new entry "cn=ipaUniqueID uniqueness,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsSlapdPlugin > extensibleObject >add cn: > sudorule name uniqueness >add nsslapd-pluginDescription: > Enforce unique attribute values >add nsslapd-pluginPath: > libattr-unique-plugin >add nsslapd-pluginInitfunc: > NSUniqueAttr_Init >add nsslapd-pluginType: > preoperation >add nsslapd-pluginEnabled: > on >add 
nsslapd-pluginarg0: > cn >add nsslapd-pluginarg1: > cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add nsslapd-plugin-depends-on-type: > database >add nsslapd-pluginId: > NSUniqueAttr >add nsslapd-pluginVersion: > 1.1.0 >add nsslapd-pluginVendor: > Fedora Project >adding new entry "cn=sudorule name uniqueness,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [10/38]: configuring uuid plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/uuid-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpMME2bX >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > IPA UUID >add nsslapd-pluginpath: > libipa_uuid >add nsslapd-plugininitfunc: > ipauuid_init >add nsslapd-plugintype: > preoperation >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipauuid_version >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > Red Hat, Inc. 
>add nsslapd-plugindescription: > IPA UUID plugin >add nsslapd-plugin-depends-on-type: > database >adding new entry "cn=IPA UUID,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmptqGL7S -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpKrjZnM >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > extensibleObject >add cn: > IPA Unique IDs >add ipaUuidAttr: > ipaUniqueID >add ipaUuidMagicRegen: > autogenerate >add ipaUuidFilter: > (|(objectclass=ipaObject)(objectclass=ipaAssociation)) >add ipaUuidScope: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add ipaUuidEnforce: > TRUE >adding new entry "cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [11/38]: configuring modrdn plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/modrdn-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpiX_2pw >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > IPA MODRDN >add nsslapd-pluginpath: > libipa_modrdn >add nsslapd-plugininitfunc: > ipamodrdn_init >add nsslapd-plugintype: > betxnpostoperation >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipamodrdn_version >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > Red 
Hat, Inc. >add nsslapd-plugindescription: > IPA MODRDN plugin >add nsslapd-plugin-depends-on-type: > database >add nsslapd-pluginPrecedence: > 60 >adding new entry "cn=IPA MODRDN,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpZxvNx3 -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpOtDBjL >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > extensibleObject >add cn: > Kerberos Principal Name >add ipaModRDNsourceAttr: > uid >add ipaModRDNtargetAttr: > krbPrincipalName >add ipaModRDNsuffix: > @DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >add ipaModRDNfilter: > (&(objectclass=posixaccount)(objectclass=krbPrincipalAux)) >add ipaModRDNscope: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [12/38]: configuring DNS plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/ipa-dns-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpRx_6de >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > nsslapdPlugin > extensibleObject >add cn: > IPA DNS >add nsslapd-plugindescription: > IPA DNS support plugin >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipa_dns >add nsslapd-plugininitfunc: > 
ipadns_init >add nsslapd-pluginpath: > libipa_dns.so >add nsslapd-plugintype: > preoperation >add nsslapd-pluginvendor: > Red Hat, Inc. >add nsslapd-pluginversion: > 1.0 >add nsslapd-plugin-depends-on-type: > database >adding new entry "cn=IPA DNS,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [13/38]: enabling entryUSN plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/entryusn.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmp3bw9_O >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=replace nsslapd-entryusn-global: > on >modifying entry "cn=config" >modify complete > >replace nsslapd-entryusn-import-initval: > next >modifying entry "cn=config" >modify complete > >replace nsslapd-pluginenabled: > on >modifying entry "cn=USN,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [14/38]: configuring lockout plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/lockout-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpsMt3_D >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > IPA Lockout >add nsslapd-pluginpath: > libipa_lockout >add nsslapd-plugininitfunc: > ipalockout_init >add nsslapd-plugintype: > object >add nsslapd-pluginenabled: > on >add 
nsslapd-pluginid: > ipalockout_version >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > Red Hat, Inc. >add nsslapd-plugindescription: > IPA Lockout plugin >add nsslapd-plugin-depends-on-type: > database >adding new entry "cn=IPA Lockout,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [15/38]: creating indices >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/indices.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmps47Hdv >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectClass: > top > nsIndex >add cn: > krbPrincipalName >add nsSystemIndex: > false >add nsIndexType: > eq > sub >adding new entry "cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsIndex >add cn: > ou >add nsSystemIndex: > false >add nsIndexType: > eq > sub >adding new entry "cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsIndex >add cn: > carLicense >add nsSystemIndex: > false >add nsIndexType: > eq > sub >adding new entry "cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsIndex >add cn: > title >add nsSystemIndex: > false >add nsIndexType: > eq > sub >adding new entry "cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsIndex >add cn: > manager >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > 
top > nsIndex >add cn: > secretary >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsIndex >add cn: > displayname >add nsSystemIndex: > false >add nsIndexType: > eq > sub >adding new entry "cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add nsIndexType: > sub >modifying entry "cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsIndex >add cn: > uidnumber >add nsSystemIndex: > false >add nsIndexType: > eq >add nsMatchingRule: > integerOrderingMatch >adding new entry "cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsIndex >add cn: > gidnumber >add nsSystemIndex: > false >add nsIndexType: > eq >add nsMatchingRule: > integerOrderingMatch >adding new entry "cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >replace nsIndexType: > eq,pres >modifying entry "cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >replace nsIndexType: > eq,pres >modifying entry "cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add ObjectClass: > top > nsIndex >add cn: > fqdn >add nsSystemIndex: > false >add nsIndexType: > eq > pres >adding new entry "cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add ObjectClass: > top > nsIndex >add cn: > macAddress >add nsSystemIndex: > false >add nsIndexType: > eq > pres >adding new entry "cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > memberHost >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=memberHost,cn=index,cn=userRoot,cn=ldbm 
database,cn=plugins,cn=config" >modify complete > >add cn: > memberUser >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > sourcehost >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > memberservice >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > managedby >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > memberallowcmd >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > memberdenycmd >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > ipasudorunas >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > ipasudorunasgroup >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq > pres > sub >adding new entry "cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > automountkey >add ObjectClass: > top > nsIndex 
>add nsSystemIndex: > false >add nsIndexType: > eq >adding new entry "cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > ipakrbprincipalalias >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq >adding new entry "cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add cn: > ipauniqueid >add ObjectClass: > top > nsIndex >add nsSystemIndex: > false >add nsIndexType: > eq >adding new entry "cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [16/38]: enabling referential integrity plugin >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/referint-conf.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmp3miX0n >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=replace nsslapd-pluginenabled: > on >add nsslapd-pluginArg7: > manager >add nsslapd-pluginArg8: > secretary >add nsslapd-pluginArg9: > memberuser >add nsslapd-pluginArg10: > memberhost >add nsslapd-pluginArg11: > sourcehost >add nsslapd-pluginArg12: > memberservice >add nsslapd-pluginArg13: > managedby >add nsslapd-pluginArg14: > memberallowcmd >add nsslapd-pluginArg15: > memberdenycmd >add nsslapd-pluginArg16: > ipasudorunas >add nsslapd-pluginArg17: > ipasudorunasgroup >modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z 
DEBUG [17/38]: configuring certmap.conf >2013-12-13T13:14:00Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [18/38]: configure autobind for root >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/root-autobind.ldif -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmp7UIK1p >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add objectClass: > extensibleObject > top >add cn: > root-autobind >add uidNumber: > 0 >add gidNumber: > 0 >adding new entry "cn=root-autobind,cn=config" >modify complete > >replace nsslapd-ldapiautobind: > on >modifying entry "cn=config" >modify complete > >replace nsslapd-ldapimaptoentries: > on >modifying entry "cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [19/38]: configure new location for managed entries >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpH9JbTz -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpjDb6V6 >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=add nsslapd-pluginConfigArea: > cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >modifying entry "cn=Managed Entries,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [20/38]: configure dirsrv ccache 
>2013-12-13T13:14:00Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv' >2013-12-13T13:14:00Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout= >2013-12-13T13:14:00Z DEBUG stderr= >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/sbin/restorecon /etc/sysconfig/dirsrv >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout= >2013-12-13T13:14:00Z DEBUG stderr= >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [21/38]: enable SASL mapping fallback >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpMt1CNq -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpWVbdoA >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout=replace nsslapd-sasl-mapping-fallback: > on >modifying entry "cn=config" >modify complete > > >2013-12-13T13:14:00Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:00Z DEBUG duration: 0 seconds >2013-12-13T13:14:00Z DEBUG [22/38]: restarting directory server >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/bin/systemctl --system daemon-reload >2013-12-13T13:14:00Z DEBUG Process finished, return code=0 >2013-12-13T13:14:00Z DEBUG stdout= >2013-12-13T13:14:00Z DEBUG stderr= >2013-12-13T13:14:00Z DEBUG Starting external process >2013-12-13T13:14:00Z DEBUG args=/bin/systemctl restart dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:14:01Z DEBUG Process finished, return code=0 >2013-12-13T13:14:01Z DEBUG stdout= 
>2013-12-13T13:14:01Z DEBUG stderr= >2013-12-13T13:14:01Z DEBUG Starting external process >2013-12-13T13:14:01Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:14:01Z DEBUG Process finished, return code=0 >2013-12-13T13:14:01Z DEBUG stdout=active > >2013-12-13T13:14:01Z DEBUG stderr= >2013-12-13T13:14:01Z DEBUG wait_for_open_ports: localhost [389] timeout 120 >2013-12-13T13:14:02Z DEBUG Starting external process >2013-12-13T13:14:02Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:14:02Z DEBUG Process finished, return code=0 >2013-12-13T13:14:02Z DEBUG stdout=active > >2013-12-13T13:14:02Z DEBUG stderr= >2013-12-13T13:14:02Z DEBUG duration: 1 seconds >2013-12-13T13:14:02Z DEBUG [23/38]: adding default layout >2013-12-13T13:14:02Z DEBUG Starting external process >2013-12-13T13:14:02Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpASJaMS -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpWPFQL9 >2013-12-13T13:14:05Z DEBUG Process finished, return code=0 >2013-12-13T13:14:05Z DEBUG stdout=add objectClass: > top > nsContainer >add cn: > accounts >adding new entry "cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > users >adding new entry "cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > groups >adding new entry "cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > services >adding new entry "cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > computers >adding new entry 
"cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > hostgroups >adding new entry "cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer >add cn: > alt >adding new entry "cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer >add cn: > ng >adding new entry "cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer >add cn: > automount >adding new entry "cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer >add cn: > default >adding new entry "cn=default,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > automountMap >add automountMapName: > auto.master >adding new entry "automountmapname=auto.master,cn=default,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > automountMap >add automountMapName: > auto.direct >adding new entry "automountmapname=auto.direct,cn=default,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > automount >add automountKey: > /- >add automountInformation: > auto.direct >add description: > /- auto.direct >adding new entry "description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > hbac >adding new entry "cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > hbacservices 
>adding new entry "cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > hbacservicegroups >adding new entry "cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > sudo >adding new entry "cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > sudocmds >adding new entry "cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > sudocmdgroups >adding new entry "cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > sudorules >adding new entry "cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > etc >adding new entry "cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > sysaccounts >adding new entry "cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > ipa >adding new entry "cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > masters >adding new entry "cn=masters,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > replicas >adding new entry "cn=replicas,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: 
> nsContainer > top >add cn: > dna >adding new entry "cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > posix-ids >adding new entry "cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > ca_renewal >adding new entry "cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > s4u2proxy >adding new entry "cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > ipaKrb5DelegationACL > groupOfPrincipals > top >add cn: > ipa-http-delegation >add memberPrincipal: > HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >add ipaAllowedTarget: > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > groupOfPrincipals > top >add cn: > ipa-ldap-delegation-targets >add memberPrincipal: > ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >adding new entry "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > groupOfPrincipals > top >add cn: > ipa-cifs-delegation-targets >adding new entry "cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add 
objectClass: > top > person > posixaccount > krbprincipalaux > krbticketpolicyaux > inetuser > ipaobject > ipasshuser >add uid: > admin >add krbPrincipalName: > admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >add cn: > Administrator >add sn: > Administrator >add uidNumber: > 346000000 >add gidNumber: > 346000000 >add homeDirectory: > /home/admin >add loginShell: > /bin/bash >add gecos: > Administrator >add nsAccountLock: > FALSE >add ipaUniqueID: > autogenerate >adding new entry "uid=admin,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > posixgroup > ipausergroup > ipaobject >add cn: > admins >add description: > Account administrators group >add gidNumber: > 346000000 >add member: > uid=admin,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add nsAccountLock: > FALSE >add ipaUniqueID: > autogenerate >adding new entry "cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup > ipausergroup > ipaobject >add description: > Default group for all users >add cn: > ipausers >add ipaUniqueID: > autogenerate >adding new entry "cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > posixgroup > ipausergroup > ipaobject >add gidNumber: > 346000002 >add description: > Limited admins who can edit other users >add cn: > editors >add ipaUniqueID: > autogenerate >adding new entry "cn=editors,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > sshd >add description: > sshd >add ipauniqueid: > autogenerate >adding new entry 
"cn=sshd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > ftp >add description: > ftp >add ipauniqueid: > autogenerate >adding new entry "cn=ftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > su >add description: > su >add ipauniqueid: > autogenerate >adding new entry "cn=su,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > login >add description: > login >add ipauniqueid: > autogenerate >adding new entry "cn=login,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > su-l >add description: > su with login shell >add ipauniqueid: > autogenerate >adding new entry "cn=su-l,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > sudo >add description: > sudo >add ipauniqueid: > autogenerate >adding new entry "cn=sudo,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > sudo-i >add description: > sudo-i >add ipauniqueid: > autogenerate >adding new entry "cn=sudo-i,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > gdm >add description: > gdm >add ipauniqueid: > autogenerate >adding new entry "cn=gdm,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject 
>add cn: > gdm-password >add description: > gdm-password >add ipauniqueid: > autogenerate >adding new entry "cn=gdm-password,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > ipahbacservice > ipaobject >add cn: > kdm >add description: > kdm >add ipauniqueid: > autogenerate >adding new entry "cn=kdm,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > ipaobject > ipahbacservicegroup > nestedGroup > groupOfNames > top >add cn: > Sudo >add ipauniqueid: > autogenerate >add description: > Default group of Sudo related services >add member: > cn=sudo,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=sudo-i,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top > ipaGuiConfig > ipaConfigObject >add ipaUserSearchFields: > uid,givenname,sn,telephonenumber,ou,title >add ipaGroupSearchFields: > cn,description >add ipaSearchTimeLimit: > 2 >add ipaSearchRecordsLimit: > 100 >add ipaHomesRootDir: > /home >add ipaDefaultLoginShell: > /bin/sh >add ipaDefaultPrimaryGroup: > ipausers >add ipaMaxUsernameLength: > 32 >add ipaPwdExpAdvNotify: > 4 >add ipaGroupObjectClasses: > top > groupofnames > nestedgroup > ipausergroup > ipaobject >add ipaUserObjectClasses: > top > person > organizationalperson > inetorgperson > inetuser > posixaccount > krbprincipalaux > krbticketpolicyaux > ipaobject > ipasshuser >add ipaDefaultEmailDomain: > dom227.jenkinsad.idm.lab.eng.brq.redhat.com >add ipaMigrationEnabled: > FALSE >add ipaConfigString: > AllowNThash >add ipaSELinuxUserMapOrder: > guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 >add 
ipaSELinuxUserMapDefault: > unconfined_u:s0-s0:c0.c1023 >adding new entry "cn=ipaConfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > top > nsContainer >add cn: > cosTemplates >adding new entry "cn=cosTemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add description: > Password Policy based on group membership >add objectClass: > top > ldapsubentry > cosSuperDefinition > cosClassicDefinition >add cosTemplateDn: > cn=cosTemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add cosAttribute: > krbPwdPolicyReference override >add cosSpecifier: > memberOf >adding new entry "cn=Password Policy,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > selinux >adding new entry "cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > usermap >adding new entry "cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > ranges >adding new entry "cn=ranges,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > ipaIDrange > ipaDomainIDRange >add cn: > DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range >add ipaBaseID: > 346000000 >add ipaIDRangeSize: > 200000 >add ipaRangeType: > ipa-local >adding new entry "cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range,cn=ranges,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:05Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:05Z DEBUG duration: 3 seconds >2013-12-13T13:14:05Z DEBUG 
[24/38]: adding delegation layout >2013-12-13T13:14:05Z DEBUG Starting external process >2013-12-13T13:14:05Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpFdbELL -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpQSBuMU >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectClass: > top > nsContainer >add cn: > roles >adding new entry "cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > pbac >adding new entry "cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > privileges >adding new entry "cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > permissions >adding new entry "cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > helpdesk >add description: > Helpdesk >adding new entry "cn=helpdesk,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > User Administrators >add description: > User Administrators >adding new entry "cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Group Administrators >add description: > Group Administrators >adding new entry "cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Host Administrators >add description: > 
Host Administrators >adding new entry "cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Host Group Administrators >add description: > Host Group Administrators >adding new entry "cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Delegation Administrator >add description: > Role administration >adding new entry "cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Service Administrators >add description: > Service Administrators >adding new entry "cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Automount Administrators >add description: > Automount Administrators >adding new entry "cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Netgroups Administrators >add description: > Netgroups Administrators >adding new entry "cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Certificate Administrators >add description: > Certificate Administrators >adding new entry "cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Replication 
Administrators >add description: > Replication Administrators >add member: > cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > Host Enrollment >add description: > Host Enrollment >adding new entry "cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Users >add member: > cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Change a user password >add member: > cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add user to default group >add member: > cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > top > groupofnames > ipapermission >add cn: > Unlock user accounts >add member: > cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > 
cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Users >add member: > cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Users >add member: > cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Manage User SSH Public Keys >add member: > cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Groups >add member: > cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Groups >add member: > cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove 
Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Groups >add member: > cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Group membership >add member: > cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Hosts >add member: > cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Hosts >add member: > cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Hosts >add member: > cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Manage Host SSH Public Keys 
>add member: > cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Hostgroups >add member: > cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Hostgroups >add member: > cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Hostgroups >add member: > cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Hostgroup membership >add member: > cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Services >add member: > cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding 
new entry "cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Services >add member: > cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Services >add member: > cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Roles >add member: > cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Roles >add member: > cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Roles >add member: > cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > 
Modify Role membership >add member: > cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify privilege membership >add member: > cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Automount maps >add member: > cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Automount maps >add member: > cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Automount maps >add member: > cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add Automount keys >add member: > cn=Automount 
Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Automount keys >add member: > cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Automount keys >add member: > cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add netgroups >add member: > cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove netgroups >add member: > cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify netgroups >add member: > cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify netgroup membership >add member: > cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Manage host keytab >add member: > cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Manage service keytab >add member: > cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Enroll a host >add member: > cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Add 
Replication Agreements >add ipapermissiontype: > SYSTEM >add member: > cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify Replication Agreements >add ipapermissiontype: > SYSTEM >add member: > cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Remove Replication Agreements >add ipapermissiontype: > SYSTEM >add member: > cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Modify DNA Range >add ipapermissiontype: > SYSTEM >add member: > cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetfilter = 
"(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify 
Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "usercertificate")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetfilter = 
"(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "memberhost || externalhost || memberuser || member")(target = 
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > virtual operations >adding new entry "cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > retrieve certificate >adding new entry "cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Retrieve Certificates from the CA >add member: > cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > request certificate >adding new entry "cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Request Certificate >add member: > cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > request certificate different host >adding new entry "cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Request Certificates from a different host >add member: > cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > certificate status >adding new entry "cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Get Certificates status from the CA >add member: > cn=Certificate 
Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > revoke certificate >adding new entry "cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Revoke Certificate >add member: > cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer >add cn: > certificate remove hold >adding new entry "cn=certificate remove 
hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Certificate Remove Hold >add member: > cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 8 seconds >2013-12-13T13:14:14Z DEBUG [25/38]: creating container for managed entries >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpRWOMT0 -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpYCpxHW >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectClass: > nsContainer > top >add cn: > Managed Entries >adding new entry "cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > nsContainer > top >add cn: > Templates >adding new entry "cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add 
objectClass: > nsContainer > top >add cn: > Definitions >adding new entry "cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 0 seconds >2013-12-13T13:14:14Z DEBUG [26/38]: configuring user private groups >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpeBkFD4 -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmp_TAGYh >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectclass: > mepTemplateEntry >add cn: > UPG Template >add mepRDNAttr: > cn >add mepStaticAttr: > objectclass: posixgroup > objectclass: ipaobject > ipaUniqueId: autogenerate >add mepMappedAttr: > cn: $uid > gidNumber: $uidNumber > description: User private group for $uid >adding new entry "cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > extensibleObject >add cn: > UPG Definition >add originScope: > cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add originFilter: > (&(objectclass=posixAccount)(!(description=__no_upg__))) >add managedBase: > cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add managedTemplate: > cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( 
ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 0 seconds >2013-12-13T13:14:14Z DEBUG [27/38]: configuring netgroups from hostgroups >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpmFamTQ -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpb7RaMB >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectclass: > mepTemplateEntry >add cn: > NGP HGP Template >add mepRDNAttr: > cn >add mepStaticAttr: > ipaUniqueId: autogenerate > objectclass: ipanisnetgroup > objectclass: ipaobject > nisDomainName: dom227.jenkinsad.idm.lab.eng.brq.redhat.com >add mepMappedAttr: > cn: $cn > memberHost: $dn > description: ipaNetgroup $cn >adding new entry "cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > extensibleObject >add cn: > NGP Definition >add originScope: > cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add originFilter: > objectclass=ipahostgroup >add managedBase: > cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add managedTemplate: > cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 0 seconds >2013-12-13T13:14:14Z DEBUG [28/38]: creating default Sudo bind user >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG 
args=/usr/bin/ldapmodify -v -f /tmp/tmpQQQA95 -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpeFV3oK >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectclass: > account > simplesecurityobject >add uid: > sudo >add userPassword: > XXXXXXXX >add passwordExpirationTime: > 20380119031407Z >add nsIdleTimeout: > 0 >adding new entry "uid=sudo,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 0 seconds >2013-12-13T13:14:14Z DEBUG [29/38]: creating default Auto Member layout >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmp0J3vBv -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmp3pQrRR >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add nsslapd-pluginConfigArea: > cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config" >modify complete > >add objectClass: > top > nsContainer >add cn: > automember >adding new entry "cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > autoMemberDefinition >add cn: > Hostgroup >add autoMemberScope: > cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add autoMemberFilter: > objectclass=ipaHost >add autoMemberGroupingAttr: > member:dn >adding new entry "cn=Hostgroup,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectclass: > autoMemberDefinition >add cn: > Group 
>add autoMemberScope: > cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add autoMemberFilter: > objectclass=posixAccount >add autoMemberGroupingAttr: > member:dn >adding new entry "cn=Group,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 0 seconds >2013-12-13T13:14:14Z DEBUG [30/38]: adding range check plugin >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpjUYCSe -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpsUe6Qg >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > IPA Range-Check >add nsslapd-pluginpath: > libipa_range_check >add nsslapd-plugininitfunc: > ipa_range_check_init >add nsslapd-plugintype: > preoperation >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipa_range_check_version >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > Red Hat, Inc. 
>add nsslapd-plugindescription: > IPA Range-Check plugin >add nsslapd-plugin-depends-on-type: > database >add nsslapd-basedn: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=IPA Range-Check,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 0 seconds >2013-12-13T13:14:14Z DEBUG [31/38]: creating default HBAC rule allow_all >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpkczfO2 -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpJj4MPI >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectclass: > ipaassociation > ipahbacrule >add cn: > allow_all >add accessruletype: > allow >add usercategory: > all >add hostcategory: > all >add sourcehostcategory: > all >add servicecategory: > all >add ipaenabledflag: > TRUE >add description: > Allow all users to access any host from any host >add ipauniqueid: > autogenerate >adding new entry "ipauniqueid=autogenerate,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG duration: 0 seconds >2013-12-13T13:14:14Z DEBUG [32/38]: initializing group membership >2013-12-13T13:14:14Z DEBUG Starting external process >2013-12-13T13:14:14Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpdxZ4ml -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpAf9364 >2013-12-13T13:14:14Z DEBUG Process finished, return code=0 >2013-12-13T13:14:14Z DEBUG stdout=add objectClass: > top > extensibleObject >add cn: > IPA install >add basedn: > 
dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add filter: > (objectclass=*) >add ttl: > 10 >adding new entry "cn=IPA install 1386940430, cn=memberof task, cn=tasks, cn=config" >modify complete > > >2013-12-13T13:14:14Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:14Z DEBUG Waiting for memberof task to complete. >2013-12-13T13:14:14Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:14:14Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x1ed0bd8> >2013-12-13T13:14:15Z DEBUG duration: 1 seconds >2013-12-13T13:14:15Z DEBUG [33/38]: adding master entry >2013-12-13T13:14:15Z DEBUG Starting external process >2013-12-13T13:14:15Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpx2KJRy -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpnNVRx7 >2013-12-13T13:14:15Z DEBUG Process finished, return code=0 >2013-12-13T13:14:15Z DEBUG stdout=add objectclass: > top > nsContainer >add cn: > vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >adding new entry "cn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:14:15Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:15Z DEBUG duration: 0 seconds >2013-12-13T13:14:15Z DEBUG [34/38]: configuring Posix uid/gid generation >2013-12-13T13:14:15Z DEBUG Starting external process >2013-12-13T13:14:15Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpfGSAjn -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpg6Ctxo >2013-12-13T13:14:15Z DEBUG Process finished, return code=0 
>2013-12-13T13:14:15Z DEBUG stdout=add objectclass: > top > extensibleObject >add cn: > Posix IDs >add dnaType: > uidNumber > gidNumber >add dnaNextValue: > 346000000 >add dnaMaxValue: > 346199999 >add dnaMagicRegen: > -1 >add dnaFilter: > (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) >add dnaScope: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add dnaThreshold: > 500 >add dnaSharedCfgDN: > cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:14:15Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:15Z DEBUG duration: 0 seconds >2013-12-13T13:14:15Z DEBUG [35/38]: adding replication acis >2013-12-13T13:14:15Z DEBUG Starting external process >2013-12-13T13:14:15Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpX0RI2d -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpSKyxMv >2013-12-13T13:14:16Z DEBUG Process finished, return code=0 >2013-12-13T13:14:16Z DEBUG stdout=add aci: > (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=config" >modify complete > >add aci: > (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn="dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com",cn=mapping tree,cn=config" >modify complete > >add aci: > 
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn="dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com",cn=mapping tree,cn=config" >modify complete > >add aci: > (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn="dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com",cn=mapping tree,cn=config" >modify complete > >add aci: > (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" >modify complete > >add aci: > (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=userRoot,cn=ldbm database,cn=plugins,cn=config" >modify complete > >add aci: > (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) 
>modifying entry "cn=tasks,cn=config" >modify complete > > >2013-12-13T13:14:16Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:16Z DEBUG duration: 0 seconds >2013-12-13T13:14:16Z DEBUG [36/38]: enabling compatibility plugin >2013-12-13T13:14:46Z INFO Parsing update file '/usr/share/ipa/schema_compat.uldif' >2013-12-13T13:14:46Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:14:46Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3560488> >2013-12-13T13:14:46Z INFO New entry: cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Initial value >2013-12-13T13:14:46Z DEBUG dn: cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:14:46Z DEBUG on >2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG Schema Compatibility >2013-12-13T13:14:46Z DEBUG objectclass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG nsSlapdPlugin >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG nsslapd-plugindescription: >2013-12-13T13:14:46Z DEBUG Schema Compatibility Plugin >2013-12-13T13:14:46Z DEBUG nsslapd-pluginenabled: >2013-12-13T13:14:46Z DEBUG on >2013-12-13T13:14:46Z DEBUG nsslapd-pluginid: >2013-12-13T13:14:46Z DEBUG schema-compat-plugin >2013-12-13T13:14:46Z DEBUG nsslapd-pluginversion: >2013-12-13T13:14:46Z DEBUG 0.8 >2013-12-13T13:14:46Z DEBUG nsslapd-pluginpath: >2013-12-13T13:14:46Z DEBUG /usr/lib64/dirsrv/plugins/schemacompat-plugin.so >2013-12-13T13:14:46Z DEBUG nsslapd-plugininitfunc: >2013-12-13T13:14:46Z DEBUG schema_compat_plugin_init >2013-12-13T13:14:46Z DEBUG nsslapd-plugintype: >2013-12-13T13:14:46Z DEBUG object >2013-12-13T13:14:46Z DEBUG 
nsslapd-pluginvendor: >2013-12-13T13:14:46Z DEBUG redhat.com >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Final value after applying updates >2013-12-13T13:14:46Z DEBUG dn: cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:14:46Z DEBUG on >2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG Schema Compatibility >2013-12-13T13:14:46Z DEBUG objectclass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG nsSlapdPlugin >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG nsslapd-plugindescription: >2013-12-13T13:14:46Z DEBUG Schema Compatibility Plugin >2013-12-13T13:14:46Z DEBUG nsslapd-pluginenabled: >2013-12-13T13:14:46Z DEBUG on >2013-12-13T13:14:46Z DEBUG nsslapd-pluginid: >2013-12-13T13:14:46Z DEBUG schema-compat-plugin >2013-12-13T13:14:46Z DEBUG nsslapd-pluginversion: >2013-12-13T13:14:46Z DEBUG 0.8 >2013-12-13T13:14:46Z DEBUG nsslapd-pluginpath: >2013-12-13T13:14:46Z DEBUG /usr/lib64/dirsrv/plugins/schemacompat-plugin.so >2013-12-13T13:14:46Z DEBUG nsslapd-plugininitfunc: >2013-12-13T13:14:46Z DEBUG schema_compat_plugin_init >2013-12-13T13:14:46Z DEBUG nsslapd-plugintype: >2013-12-13T13:14:46Z DEBUG object >2013-12-13T13:14:46Z DEBUG nsslapd-pluginvendor: >2013-12-13T13:14:46Z DEBUG redhat.com >2013-12-13T13:14:46Z INFO Updating existing entry: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Initial value >2013-12-13T13:14:46Z DEBUG dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >2013-12-13T13:14:46Z DEBUG objectClass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG directoryServerFeature >2013-12-13T13:14:46Z DEBUG aci: >2013-12-13T13:14:46Z DEBUG (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";) 
>2013-12-13T13:14:46Z DEBUG oid:
>2013-12-13T13:14:46Z DEBUG 2.16.840.1.113730.3.4.9
>2013-12-13T13:14:46Z DEBUG cn:
>2013-12-13T13:14:46Z DEBUG VLV Request Control
>2013-12-13T13:14:46Z DEBUG only: set aci to '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )', current value [u'(targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)']
>2013-12-13T13:14:46Z DEBUG only: updated value [u'(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )']
>2013-12-13T13:14:46Z DEBUG ---------------------------------------------
>2013-12-13T13:14:46Z DEBUG Final value after applying updates
>2013-12-13T13:14:46Z DEBUG dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
>2013-12-13T13:14:46Z DEBUG objectClass:
>2013-12-13T13:14:46Z DEBUG top
>2013-12-13T13:14:46Z DEBUG directoryServerFeature
>2013-12-13T13:14:46Z DEBUG aci:
>2013-12-13T13:14:46Z DEBUG (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
>2013-12-13T13:14:46Z DEBUG oid:
>2013-12-13T13:14:46Z DEBUG 2.16.840.1.113730.3.4.9
>2013-12-13T13:14:46Z DEBUG cn:
>2013-12-13T13:14:46Z DEBUG VLV Request Control
>2013-12-13T13:14:46Z DEBUG [(0, u'aci', ['(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )']), (1, u'aci', ['(targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)'])]
>2013-12-13T13:14:46Z DEBUG Live 1, updated 1
>2013-12-13T13:14:46Z INFO Done
>2013-12-13T13:14:46Z INFO New entry: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>2013-12-13T13:14:46Z DEBUG ---------------------------------------------
>2013-12-13T13:14:46Z DEBUG Initial value
>2013-12-13T13:14:46Z DEBUG dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>2013-12-13T13:14:46Z DEBUG cn:
>2013-12-13T13:14:46Z DEBUG users
>2013-12-13T13:14:46Z DEBUG objectClass:
>2013-12-13T13:14:46Z DEBUG top
>2013-12-13T13:14:46Z DEBUG extensibleObject
>2013-12-13T13:14:46Z DEBUG schema-compat-container-group:
>2013-12-13T13:14:46Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>2013-12-13T13:14:46Z DEBUG schema-compat-search-filter:
>2013-12-13T13:14:46Z DEBUG objectclass=posixAccount
>2013-12-13T13:14:46Z DEBUG schema-compat-container-rdn:
>2013-12-13T13:14:46Z DEBUG cn=users
>2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn:
>2013-12-13T13:14:46Z DEBUG uid=%{uid}
>2013-12-13T13:14:46Z DEBUG schema-compat-search-base:
>2013-12-13T13:14:46Z DEBUG cn=users, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>2013-12-13T13:14:46Z DEBUG schema-compat-entry-attribute:
>2013-12-13T13:14:46Z DEBUG objectclass=posixAccount
>2013-12-13T13:14:46Z DEBUG gecos=%{cn}
>2013-12-13T13:14:46Z DEBUG cn=%{cn}
>2013-12-13T13:14:46Z DEBUG uidNumber=%{uidNumber}
>2013-12-13T13:14:46Z DEBUG gidNumber=%{gidNumber}
>2013-12-13T13:14:46Z DEBUG loginShell=%{loginShell}
>2013-12-13T13:14:46Z DEBUG homeDirectory=%{homeDirectory}
>2013-12-13T13:14:46Z DEBUG ---------------------------------------------
>2013-12-13T13:14:46Z DEBUG Final value after applying updates
>2013-12-13T13:14:46Z DEBUG dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>2013-12-13T13:14:46Z DEBUG cn:
>2013-12-13T13:14:46Z DEBUG users
>2013-12-13T13:14:46Z DEBUG objectClass:
>2013-12-13T13:14:46Z DEBUG top
>2013-12-13T13:14:46Z DEBUG extensibleObject
>2013-12-13T13:14:46Z DEBUG schema-compat-container-group:
>2013-12-13T13:14:46Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>2013-12-13T13:14:46Z DEBUG schema-compat-search-filter:
>2013-12-13T13:14:46Z DEBUG objectclass=posixAccount
>2013-12-13T13:14:46Z DEBUG schema-compat-container-rdn:
>2013-12-13T13:14:46Z DEBUG cn=users
>2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn:
>2013-12-13T13:14:46Z DEBUG uid=%{uid}
>2013-12-13T13:14:46Z DEBUG schema-compat-search-base:
>2013-12-13T13:14:46Z DEBUG cn=users, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>2013-12-13T13:14:46Z DEBUG schema-compat-entry-attribute:
>2013-12-13T13:14:46Z DEBUG objectclass=posixAccount
>2013-12-13T13:14:46Z DEBUG gecos=%{cn}
>2013-12-13T13:14:46Z DEBUG cn=%{cn}
>2013-12-13T13:14:46Z DEBUG uidNumber=%{uidNumber}
>2013-12-13T13:14:46Z DEBUG gidNumber=%{gidNumber}
>2013-12-13T13:14:46Z DEBUG loginShell=%{loginShell}
>2013-12-13T13:14:46Z DEBUG homeDirectory=%{homeDirectory}
>2013-12-13T13:14:46Z INFO New entry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>2013-12-13T13:14:46Z DEBUG ---------------------------------------------
>2013-12-13T13:14:46Z DEBUG Initial value
>2013-12-13T13:14:46Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>2013-12-13T13:14:46Z DEBUG add: 'top' to objectClass, current value []
>2013-12-13T13:14:46Z DEBUG add: updated value [u'top']
>2013-12-13T13:14:46Z DEBUG add: 'extensibleObject' to objectClass, current value [u'top']
>2013-12-13T13:14:46Z DEBUG add: updated value [u'top', u'extensibleObject']
>2013-12-13T13:14:46Z DEBUG add: 'sudoers' to cn, current value []
>2013-12-13T13:14:46Z DEBUG add: updated value [u'sudoers']
>2013-12-13T13:14:46Z DEBUG add: 'ou=SUDOers, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to schema-compat-container-group, current value []
>2013-12-13T13:14:46Z DEBUG add: updated value [u'ou=SUDOers, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com']
>2013-12-13T13:14:46Z DEBUG add: 'cn=sudorules, cn=sudo, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to schema-compat-search-base, current value []
>2013-12-13T13:14:46Z DEBUG add: updated value [u'cn=sudorules, cn=sudo,
dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:14:46Z DEBUG add: '(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))' to schema-compat-search-filter, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))'] >2013-12-13T13:14:46Z DEBUG add: '%ifeq("ipaEnabledFlag"' to schema-compat-entry-rdn, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'%ifeq("ipaEnabledFlag"'] >2013-12-13T13:14:46Z DEBUG add: 'FALSE' to schema-compat-entry-rdn, current value [u'%ifeq("ipaEnabledFlag"'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'%ifeq("ipaEnabledFlag"', u'FALSE'] >2013-12-13T13:14:46Z DEBUG add: 'DISABLED' to schema-compat-entry-rdn, current value [u'%ifeq("ipaEnabledFlag"', u'FALSE'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'%ifeq("ipaEnabledFlag"', u'FALSE', u'DISABLED'] >2013-12-13T13:14:46Z DEBUG add: 'cn=%{cn})' to schema-compat-entry-rdn, current value [u'%ifeq("ipaEnabledFlag"', u'FALSE', u'DISABLED'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'%ifeq("ipaEnabledFlag"', u'FALSE', u'DISABLED', u'cn=%{cn})'] >2013-12-13T13:14:46Z DEBUG add: 'objectclass=sudoRole' to schema-compat-entry-attribute, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole'] >2013-12-13T13:14:46Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'] 
>2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', 
u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")'] 
>2013-12-13T13:14:46Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 
u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 
u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")'] >2013-12-13T13:14:46Z DEBUG add: 
'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")'] >2013-12-13T13:14:46Z 
DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 
u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")'] >2013-12-13T13:14:46Z DEBUG add: 
'sudoCommand=!%deref("memberDenyCmd","sudoCmd")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 
u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 
u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}'] >2013-12-13T13:14:46Z DEBUG add: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 
u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 
u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 
u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")', u'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 
u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")', u'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 
u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")', u'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'] >2013-12-13T13:14:46Z DEBUG add: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 
u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")', u'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 
u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")', u'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}', u'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'] >2013-12-13T13:14:46Z DEBUG add: 'sudoOption=%{ipaSudoOpt}' to schema-compat-entry-attribute, current value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 
u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")', u'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}', u'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=sudoRole', u'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 
u'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', u'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', u'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', u'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', u'sudoRunAsUser=%{ipaSudoRunAsExtUser}', u'sudoRunAsUser=%deref("ipaSudoRunAs","uid")', u'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', u'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}', u'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")', u'sudoOption=%{ipaSudoOpt}'] >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Final value after applying updates >2013-12-13T13:14:46Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:14:46Z DEBUG objectclass=sudoRole >2013-12-13T13:14:46Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") >2013-12-13T13:14:46Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") >2013-12-13T13:14:46Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") >2013-12-13T13:14:46Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") >2013-12-13T13:14:46Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") >2013-12-13T13:14:46Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") >2013-12-13T13:14:46Z DEBUG 
sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") >2013-12-13T13:14:46Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") >2013-12-13T13:14:46Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") >2013-12-13T13:14:46Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") >2013-12-13T13:14:46Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") >2013-12-13T13:14:46Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") >2013-12-13T13:14:46Z DEBUG sudoCommand=!%deref("memberDenyCmd","sudoCmd") >2013-12-13T13:14:46Z DEBUG sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") >2013-12-13T13:14:46Z DEBUG sudoRunAsUser=%{ipaSudoRunAsExtUser} >2013-12-13T13:14:46Z DEBUG sudoRunAsUser=%deref("ipaSudoRunAs","uid") >2013-12-13T13:14:46Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") >2013-12-13T13:14:46Z DEBUG sudoRunAsGroup=%{ipaSudoRunAsExtGroup} >2013-12-13T13:14:46Z DEBUG sudoRunAsGroup=%deref("ipaSudoRunAs","cn") >2013-12-13T13:14:46Z DEBUG sudoOption=%{ipaSudoOpt} >2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG sudoers >2013-12-13T13:14:46Z DEBUG objectClass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG schema-compat-search-filter: >2013-12-13T13:14:46Z DEBUG (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) >2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:14:46Z DEBUG %ifeq("ipaEnabledFlag" 
>2013-12-13T13:14:46Z DEBUG FALSE >2013-12-13T13:14:46Z DEBUG DISABLED >2013-12-13T13:14:46Z DEBUG cn=%{cn}) >2013-12-13T13:14:46Z DEBUG schema-compat-search-base: >2013-12-13T13:14:46Z DEBUG cn=sudorules, cn=sudo, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-container-group: >2013-12-13T13:14:46Z DEBUG ou=SUDOers, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z INFO New entry: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Initial value >2013-12-13T13:14:46Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG computers >2013-12-13T13:14:46Z DEBUG objectClass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG schema-compat-container-group: >2013-12-13T13:14:46Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-search-filter: >2013-12-13T13:14:46Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:14:46Z DEBUG schema-compat-container-rdn: >2013-12-13T13:14:46Z DEBUG cn=computers >2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:14:46Z DEBUG cn=%first("%{fqdn}") >2013-12-13T13:14:46Z DEBUG schema-compat-search-base: >2013-12-13T13:14:46Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:14:46Z DEBUG objectclass=device >2013-12-13T13:14:46Z DEBUG objectclass=ieee802Device >2013-12-13T13:14:46Z DEBUG cn=%{fqdn} >2013-12-13T13:14:46Z DEBUG macAddress=%{macAddress} >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Final value after applying 
updates >2013-12-13T13:14:46Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG computers >2013-12-13T13:14:46Z DEBUG objectClass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG schema-compat-container-group: >2013-12-13T13:14:46Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-search-filter: >2013-12-13T13:14:46Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:14:46Z DEBUG schema-compat-container-rdn: >2013-12-13T13:14:46Z DEBUG cn=computers >2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:14:46Z DEBUG cn=%first("%{fqdn}") >2013-12-13T13:14:46Z DEBUG schema-compat-search-base: >2013-12-13T13:14:46Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:14:46Z DEBUG objectclass=device >2013-12-13T13:14:46Z DEBUG objectclass=ieee802Device >2013-12-13T13:14:46Z DEBUG cn=%{fqdn} >2013-12-13T13:14:46Z DEBUG macAddress=%{macAddress} >2013-12-13T13:14:46Z INFO New entry: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Initial value >2013-12-13T13:14:46Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG add: 'top' to objectClass, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'top'] >2013-12-13T13:14:46Z DEBUG add: 'extensibleObject' to objectClass, current value [u'top'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'top', u'extensibleObject'] >2013-12-13T13:14:46Z DEBUG add: 'ng' to cn, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'ng'] >2013-12-13T13:14:46Z DEBUG add: 'cn=compat, 
dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to schema-compat-container-group, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:14:46Z DEBUG add: 'cn=ng' to schema-compat-container-rdn, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'cn=ng'] >2013-12-13T13:14:46Z DEBUG add: 'yes' to schema-compat-check-access, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'yes'] >2013-12-13T13:14:46Z DEBUG add: 'cn=ng, cn=alt, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to schema-compat-search-base, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'cn=ng, cn=alt, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:14:46Z DEBUG add: '(objectclass=ipaNisNetgroup)' to schema-compat-search-filter, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'(objectclass=ipaNisNetgroup)'] >2013-12-13T13:14:46Z DEBUG add: 'cn=%{cn}' to schema-compat-entry-rdn, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'cn=%{cn}'] >2013-12-13T13:14:46Z DEBUG add: 'objectclass=nisNetgroup' to schema-compat-entry-attribute, current value [] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=nisNetgroup'] >2013-12-13T13:14:46Z DEBUG add: 'memberNisNetgroup=%deref_r("member","cn")' to schema-compat-entry-attribute, current value [u'objectclass=nisNetgroup'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=nisNetgroup', u'memberNisNetgroup=%deref_r("member","cn")'] >2013-12-13T13:14:46Z DEBUG add: 
'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' to schema-compat-entry-attribute, current value [u'objectclass=nisNetgroup', u'memberNisNetgroup=%deref_r("member","cn")'] >2013-12-13T13:14:46Z DEBUG add: updated value [u'objectclass=nisNetgroup', u'memberNisNetgroup=%deref_r("member","cn")', u'nisNetgroupTriple=(%link("%ifeq(\\"hostCategory\\",\\"all\\",\\"\\",\\"%collect(\\\\\\"%{externalHost}\\\\\\",\\\\\\"%deref(\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\")\\")","-",",","%ifeq(\\"userCategory\\",\\"all\\",\\"\\",\\"%collect(\\\\\\"%deref(\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\")\\")","-"),%{nisDomainName:-})'] >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Final value after applying updates >2013-12-13T13:14:46Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG 
schema-compat-entry-attribute: >2013-12-13T13:14:46Z DEBUG objectclass=nisNetgroup >2013-12-13T13:14:46Z DEBUG memberNisNetgroup=%deref_r("member","cn") >2013-12-13T13:14:46Z DEBUG nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) >2013-12-13T13:14:46Z DEBUG schema-compat-check-access: >2013-12-13T13:14:46Z DEBUG yes >2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG ng >2013-12-13T13:14:46Z DEBUG objectClass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG schema-compat-search-filter: >2013-12-13T13:14:46Z DEBUG (objectclass=ipaNisNetgroup) >2013-12-13T13:14:46Z DEBUG schema-compat-container-rdn: >2013-12-13T13:14:46Z DEBUG cn=ng >2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:14:46Z DEBUG cn=%{cn} >2013-12-13T13:14:46Z DEBUG schema-compat-search-base: >2013-12-13T13:14:46Z DEBUG cn=ng, cn=alt, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-container-group: >2013-12-13T13:14:46Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z INFO New entry: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Initial value >2013-12-13T13:14:46Z DEBUG dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config 
>2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG groups >2013-12-13T13:14:46Z DEBUG objectClass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG schema-compat-container-group: >2013-12-13T13:14:46Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-search-filter: >2013-12-13T13:14:46Z DEBUG objectclass=posixGroup >2013-12-13T13:14:46Z DEBUG schema-compat-container-rdn: >2013-12-13T13:14:46Z DEBUG cn=groups >2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:14:46Z DEBUG cn=%{cn} >2013-12-13T13:14:46Z DEBUG schema-compat-search-base: >2013-12-13T13:14:46Z DEBUG cn=groups, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:14:46Z DEBUG objectclass=posixGroup >2013-12-13T13:14:46Z DEBUG gidNumber=%{gidNumber} >2013-12-13T13:14:46Z DEBUG memberUid=%{memberUid} >2013-12-13T13:14:46Z DEBUG memberUid=%deref_r("member","uid") >2013-12-13T13:14:46Z DEBUG --------------------------------------------- >2013-12-13T13:14:46Z DEBUG Final value after applying updates >2013-12-13T13:14:46Z DEBUG dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:14:46Z DEBUG cn: >2013-12-13T13:14:46Z DEBUG groups >2013-12-13T13:14:46Z DEBUG objectClass: >2013-12-13T13:14:46Z DEBUG top >2013-12-13T13:14:46Z DEBUG extensibleObject >2013-12-13T13:14:46Z DEBUG schema-compat-container-group: >2013-12-13T13:14:46Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-search-filter: >2013-12-13T13:14:46Z DEBUG objectclass=posixGroup >2013-12-13T13:14:46Z DEBUG schema-compat-container-rdn: >2013-12-13T13:14:46Z DEBUG cn=groups >2013-12-13T13:14:46Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:14:46Z DEBUG cn=%{cn} >2013-12-13T13:14:46Z DEBUG 
schema-compat-search-base: >2013-12-13T13:14:46Z DEBUG cn=groups, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:14:46Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:14:46Z DEBUG objectclass=posixGroup >2013-12-13T13:14:46Z DEBUG gidNumber=%{gidNumber} >2013-12-13T13:14:46Z DEBUG memberUid=%{memberUid} >2013-12-13T13:14:46Z DEBUG memberUid=%deref_r("member","uid") >2013-12-13T13:14:46Z DEBUG duration: 30 seconds >2013-12-13T13:14:46Z DEBUG [37/38]: tuning directory server >2013-12-13T13:14:46Z DEBUG Starting external process >2013-12-13T13:14:46Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:14:46Z DEBUG Process finished, return code=0 >2013-12-13T13:14:46Z DEBUG stdout= >2013-12-13T13:14:46Z DEBUG stderr= >2013-12-13T13:14:46Z DEBUG Starting external process >2013-12-13T13:14:46Z DEBUG args=/usr/sbin/restorecon /etc/sysconfig/dirsrv.systemd >2013-12-13T13:14:46Z DEBUG Process finished, return code=0 >2013-12-13T13:14:46Z DEBUG stdout= >2013-12-13T13:14:46Z DEBUG stderr= >2013-12-13T13:14:46Z DEBUG Starting external process >2013-12-13T13:14:46Z DEBUG args=/bin/systemctl --system daemon-reload >2013-12-13T13:14:46Z DEBUG Process finished, return code=0 >2013-12-13T13:14:46Z DEBUG stdout= >2013-12-13T13:14:46Z DEBUG stderr= >2013-12-13T13:14:46Z DEBUG Starting external process >2013-12-13T13:14:46Z DEBUG args=/bin/systemctl --system daemon-reload >2013-12-13T13:14:46Z DEBUG Process finished, return code=0 >2013-12-13T13:14:46Z DEBUG stdout= >2013-12-13T13:14:46Z DEBUG stderr= >2013-12-13T13:14:46Z DEBUG Starting external process >2013-12-13T13:14:46Z DEBUG args=/bin/systemctl restart dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:14:49Z DEBUG Process finished, return code=0 >2013-12-13T13:14:49Z DEBUG stdout= >2013-12-13T13:14:49Z DEBUG stderr= >2013-12-13T13:14:49Z DEBUG Starting external process >2013-12-13T13:14:49Z DEBUG args=/bin/systemctl is-active 
dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:14:49Z DEBUG Process finished, return code=0 >2013-12-13T13:14:49Z DEBUG stdout=active > >2013-12-13T13:14:49Z DEBUG stderr= >2013-12-13T13:14:49Z DEBUG wait_for_open_ports: localhost [389] timeout 120 >2013-12-13T13:14:50Z DEBUG Starting external process >2013-12-13T13:14:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:14:50Z DEBUG Process finished, return code=0 >2013-12-13T13:14:50Z DEBUG stdout=active > >2013-12-13T13:14:50Z DEBUG stderr= >2013-12-13T13:14:50Z DEBUG Starting external process >2013-12-13T13:14:50Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpuOhiE1 -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpJNhkRc >2013-12-13T13:14:50Z DEBUG Process finished, return code=0 >2013-12-13T13:14:50Z DEBUG stdout=replace nsslapd-maxdescriptors: > 8192 >replace nsslapd-reservedescriptors: > 64 >modifying entry "cn=config" >modify complete > > >2013-12-13T13:14:50Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:14:50Z DEBUG duration: 3 seconds >2013-12-13T13:14:50Z DEBUG [38/38]: configuring directory to start on boot >2013-12-13T13:14:50Z DEBUG Starting external process >2013-12-13T13:14:50Z DEBUG args=/bin/systemctl is-enabled dirsrv.target >2013-12-13T13:14:50Z DEBUG Process finished, return code=1 >2013-12-13T13:14:50Z DEBUG stdout=disabled > >2013-12-13T13:14:50Z DEBUG stderr= >2013-12-13T13:14:50Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:14:50Z DEBUG Starting external process >2013-12-13T13:14:50Z DEBUG args=/bin/systemctl disable dirsrv.target >2013-12-13T13:14:50Z DEBUG Process finished, return code=0 >2013-12-13T13:14:50Z DEBUG stdout= >2013-12-13T13:14:50Z DEBUG stderr= >2013-12-13T13:14:50Z DEBUG duration: 0 seconds >2013-12-13T13:14:50Z DEBUG Done 
configuring directory server (dirsrv). >2013-12-13T13:14:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:14:50Z DEBUG Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds >2013-12-13T13:14:50Z DEBUG [1/22]: creating certificate server user >2013-12-13T13:14:50Z DEBUG adding ca user pkiuser >2013-12-13T13:14:50Z DEBUG Starting external process >2013-12-13T13:14:50Z DEBUG args=/usr/sbin/useradd -c CA System User -d /var/lib -s /sbin/nologin -M -r pkiuser >2013-12-13T13:14:50Z DEBUG Process finished, return code=0 >2013-12-13T13:14:50Z DEBUG stdout= >2013-12-13T13:14:50Z DEBUG stderr= >2013-12-13T13:14:50Z DEBUG done adding user >2013-12-13T13:14:50Z DEBUG duration: 0 seconds >2013-12-13T13:14:50Z DEBUG [2/22]: configuring certificate server instance >2013-12-13T13:14:50Z DEBUG Contents of pkispawn configuration file (/tmp/tmpIMxUsM): >[CA] >pki_security_domain_name = IPA >pki_enable_proxy = True >pki_restart_configured_instance = False >pki_backup_keys = True >pki_backup_password = XXXXXXXX >pki_client_database_dir = /tmp/tmp-Wu5lth >pki_client_database_password = XXXXXXXX >pki_client_database_purge = False >pki_client_pkcs12_password = XXXXXXXX >pki_admin_name = admin >pki_admin_uid = admin >pki_admin_email = root@localhost >pki_admin_password = XXXXXXXX >pki_admin_nickname = ipa-ca-agent >pki_admin_subject_dn = cn=ipa-ca-agent,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >pki_client_admin_cert_p12 = /root/ca-agent.p12 >pki_ds_ldap_port = 389 >pki_ds_password = XXXXXXXX >pki_ds_base_dn = o=ipaca >pki_ds_database = ipaca >pki_subsystem_subject_dn = cn=CA Subsystem,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >pki_ssl_server_subject_dn = cn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >pki_audit_signing_subject_dn = cn=CA 
Audit,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >pki_ca_signing_subject_dn = cn=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >pki_subsystem_nickname = subsystemCert cert-pki-ca >pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca >pki_ssl_server_nickname = Server-Cert cert-pki-ca >pki_audit_signing_nickname = auditSigningCert cert-pki-ca >pki_ca_signing_nickname = caSigningCert cert-pki-ca > > >2013-12-13T13:14:50Z DEBUG Starting external process >2013-12-13T13:14:50Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpIMxUsM >2013-12-13T13:16:09Z DEBUG Process finished, return code=0 >2013-12-13T13:16:09Z DEBUG stdout=Loading deployment configuration from /tmp/tmpIMxUsM. >Installing CA into /var/lib/pki/pki-tomcat. >Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. > > ========================================================================== > INSTALLATION SUMMARY > ========================================================================== > > Administrator's username: admin > Administrator's PKCS #12 file: > /root/ca-agent.p12 > > Administrator's certificate nickname: > ipa-ca-agent > Administrator's certificate database: > /tmp/tmp-Wu5lth > > To check the status of the subsystem: > systemctl status pki-tomcatd@pki-tomcat.service > To restart the subsystem: > systemctl restart pki-tomcatd@pki-tomcat.service > The URL for the subsystem is: > https://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443/ca > > ========================================================================== > > >2013-12-13T13:16:09Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. 
> >2013-12-13T13:16:09Z DEBUG completed creating ca instance >2013-12-13T13:16:09Z DEBUG duration: 78 seconds >2013-12-13T13:16:09Z DEBUG [3/22]: stopping certificate server instance to update CS.cfg >2013-12-13T13:16:09Z DEBUG Starting external process >2013-12-13T13:16:09Z DEBUG args=/bin/systemctl stop pki-tomcatd.target >2013-12-13T13:16:10Z DEBUG Process finished, return code=0 >2013-12-13T13:16:10Z DEBUG stdout= >2013-12-13T13:16:10Z DEBUG stderr= >2013-12-13T13:16:10Z DEBUG duration: 1 seconds >2013-12-13T13:16:10Z DEBUG [4/22]: disabling nonces >2013-12-13T13:16:10Z DEBUG duration: 0 seconds >2013-12-13T13:16:10Z DEBUG [5/22]: set up CRL publishing >2013-12-13T13:16:10Z DEBUG Starting external process >2013-12-13T13:16:10Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:16:10Z DEBUG Process finished, return code=0 >2013-12-13T13:16:10Z DEBUG stdout= >2013-12-13T13:16:10Z DEBUG stderr= >2013-12-13T13:16:10Z DEBUG Starting external process >2013-12-13T13:16:10Z DEBUG args=/usr/sbin/restorecon /var/lib/ipa/pki-ca/publish >2013-12-13T13:16:10Z DEBUG Process finished, return code=0 >2013-12-13T13:16:10Z DEBUG stdout= >2013-12-13T13:16:10Z DEBUG stderr= >2013-12-13T13:16:10Z DEBUG duration: 0 seconds >2013-12-13T13:16:10Z DEBUG [6/22]: starting certificate server instance >2013-12-13T13:16:10Z DEBUG Starting external process >2013-12-13T13:16:10Z DEBUG args=/bin/systemctl start pki-tomcatd.target >2013-12-13T13:16:10Z DEBUG Process finished, return code=0 >2013-12-13T13:16:10Z DEBUG stdout= >2013-12-13T13:16:10Z DEBUG stderr= >2013-12-13T13:16:10Z DEBUG Starting external process >2013-12-13T13:16:10Z DEBUG args=/bin/systemctl is-active pki-tomcatd.target >2013-12-13T13:16:10Z DEBUG Process finished, return code=0 >2013-12-13T13:16:10Z DEBUG stdout=active > >2013-12-13T13:16:10Z DEBUG stderr= >2013-12-13T13:16:10Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 120 >2013-12-13T13:16:13Z DEBUG The httpd proxy is not installed, wait on local port 
>2013-12-13T13:16:13Z DEBUG Waiting until the CA is running >2013-12-13T13:16:13Z DEBUG request 'https://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443/ca/admin/ca/getStatus' >2013-12-13T13:16:13Z DEBUG request body '' >2013-12-13T13:16:24Z DEBUG request status 200 >2013-12-13T13:16:24Z DEBUG request reason_phrase u'OK' >2013-12-13T13:16:24Z DEBUG request headers {'date': 'Fri, 13 Dec 2013 13:16:24 GMT', 'content-length': '168', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} >2013-12-13T13:16:24Z DEBUG request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.1.0-1.fc20</Version></XMLResponse>' >2013-12-13T13:16:24Z DEBUG The CA status is: running >2013-12-13T13:16:24Z DEBUG duration: 13 seconds >2013-12-13T13:16:24Z DEBUG [7/22]: creating RA agent certificate database >2013-12-13T13:16:24Z DEBUG Starting external process >2013-12-13T13:16:24Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -N >2013-12-13T13:16:24Z DEBUG Process finished, return code=0 >2013-12-13T13:16:24Z DEBUG stdout= >2013-12-13T13:16:24Z DEBUG stderr= >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [8/22]: importing CA chain to RA certificate database >2013-12-13T13:16:24Z DEBUG Starting external process >2013-12-13T13:16:24Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs >2013-12-13T13:16:24Z DEBUG Process finished, return code=0 >2013-12-13T13:16:24Z DEBUG stdout=subject=/O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority >issuer=/O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
> > >2013-12-13T13:16:24Z DEBUG stderr= >2013-12-13T13:16:24Z DEBUG Starting external process >2013-12-13T13:16:24Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t CT,C,C -n DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a -i /tmp/tmpPoLvvE >2013-12-13T13:16:24Z DEBUG Process finished, return code=0 >2013-12-13T13:16:24Z DEBUG stdout= >2013-12-13T13:16:24Z DEBUG stderr= >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [9/22]: fixing RA database permissions >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [10/22]: setting up signing cert profile >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [11/22]: set certificate subject base >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [12/22]: enabling Subject
Key Identifier >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [13/22]: enabling CRL and OCSP extensions for certificates >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [14/22]: setting audit signing renewal to 2 years >2013-12-13T13:16:24Z DEBUG caSignedLogCert.cfg profile validity range is 720 >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [15/22]: configuring certificate server to start on boot >2013-12-13T13:16:24Z DEBUG Starting external process >2013-12-13T13:16:24Z DEBUG args=/bin/systemctl is-enabled pki-tomcatd.target >2013-12-13T13:16:24Z DEBUG Process finished, return code=1 >2013-12-13T13:16:24Z DEBUG stdout=disabled > >2013-12-13T13:16:24Z DEBUG stderr= >2013-12-13T13:16:24Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:16:24Z DEBUG duration: 0 seconds >2013-12-13T13:16:24Z DEBUG [16/22]: restarting certificate server >2013-12-13T13:16:24Z DEBUG Starting external process >2013-12-13T13:16:24Z DEBUG args=/bin/systemctl restart pki-tomcatd@pki-tomcat.service >2013-12-13T13:16:26Z DEBUG Process finished, return code=0 >2013-12-13T13:16:26Z DEBUG stdout= >2013-12-13T13:16:26Z DEBUG stderr= >2013-12-13T13:16:26Z DEBUG Starting external process >2013-12-13T13:16:26Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service >2013-12-13T13:16:26Z DEBUG Process finished, return code=0 >2013-12-13T13:16:26Z DEBUG stdout=active > >2013-12-13T13:16:26Z DEBUG stderr= >2013-12-13T13:16:26Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 120 >2013-12-13T13:16:29Z DEBUG The httpd proxy is not installed, wait on local port >2013-12-13T13:16:29Z DEBUG Waiting until the CA is running >2013-12-13T13:16:29Z DEBUG request 'https://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443/ca/admin/ca/getStatus' >2013-12-13T13:16:29Z DEBUG request body '' >2013-12-13T13:16:39Z DEBUG request status 200 >2013-12-13T13:16:39Z DEBUG request 
reason_phrase u'OK' >2013-12-13T13:16:39Z DEBUG request headers {'date': 'Fri, 13 Dec 2013 13:16:39 GMT', 'content-length': '168', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} >2013-12-13T13:16:39Z DEBUG request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.1.0-1.fc20</Version></XMLResponse>' >2013-12-13T13:16:39Z DEBUG The CA status is: running >2013-12-13T13:16:39Z DEBUG duration: 14 seconds >2013-12-13T13:16:39Z DEBUG [17/22]: requesting RA certificate from CA >2013-12-13T13:16:39Z DEBUG Starting external process >2013-12-13T13:16:39Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -z /tmp/tmpGNrN_L -a >2013-12-13T13:16:40Z DEBUG Process finished, return code=0 >2013-12-13T13:16:40Z DEBUG stdout= >Certificate request generated by Netscape certutil >Phone: (not specified) > >Common Name: IPA RA >Email: (not specified) >Organization: DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >State: (not specified) >Country: (not specified)
> >2013-12-13T13:16:40Z DEBUG stderr= > >Generating key. This may take a few moments... > > >2013-12-13T13:16:41Z DEBUG duration: 1 seconds >2013-12-13T13:16:41Z DEBUG [18/22]: issuing RA agent certificate >2013-12-13T13:16:41Z DEBUG Starting external process >2013-12-13T13:16:41Z DEBUG args=/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-Wu5lth -r /ca/agent/ca/profileReview?requestId=7 vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443 >2013-12-13T13:16:41Z DEBUG Process finished, return code=0 >2013-12-13T13:16:41Z DEBUG stdout=HTTP/1.1 200 OK >Server: Apache-Coyote/1.1 >Content-Type: text/html;charset=UTF-8 >Date: Fri, 13 Dec 2013 13:16:41 GMT >Connection: close > ><!-- --- BEGIN COPYRIGHT BLOCK --- > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by > the Free Software Foundation; version 2 of the License. > > This program is distributed in the hope that it will be useful, > but WITHOUT ANY WARRANTY; without even the implied warranty of > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > GNU General Public License for more details. > > You should have received a copy of the GNU General Public License along > with this program; if not, write to the Free Software Foundation, Inc., > 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. > > Copyright (C) 2007 Red Hat, Inc. > All rights reserved.
> --- END COPYRIGHT BLOCK --- --> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> ><html> ><script type="text/javascript"> >requestNotes=""; >requestType="enrollment"; >recordSet = new Array; >record = new Object; >record.conDesc="This constraint accepts the subject name that matches .*CN=.*"; >record.policyId="1"; >record.defListSet = new Array; >defList = new Object; >defList.defId="name"; >defList.defConstraint="null"; >defList.defName="Subject Name"; >defList.defSyntax="string"; >defList.defVal="CN=IPA RA,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM"; >record.defListSet[0] = defList; >record.defDesc="This default populates a User-Supplied Certificate Subject Name to the request."; >recordSet[0] = record; >record = new Object; >record.conDesc="This constraint rejects the validity that is not between 720 days."; >record.policyId="2"; >record.defListSet = new Array; >defList = new Object; >defList.defId="notBefore"; >defList.defConstraint="null"; >defList.defName="Not Before"; >defList.defSyntax="string"; >defList.defVal="2013-12-13 14:16:40"; >record.defListSet[0] = defList; >defList = new Object; >defList.defId="notAfter"; >defList.defConstraint="null"; >defList.defName="Not After"; >defList.defSyntax="string"; >defList.defVal="2015-12-03 14:16:40"; >record.defListSet[1] = defList; >record.defDesc="This default populates a Certificate Validity to the request. 
The default values are Range=720 in days"; >recordSet[1] = record; >record = new Object; >record.conDesc="This constraint accepts the key only if Key Type=-, Key Parameters =1024,2048,3072,4096,nistp256,nistp384,nistp521"; >record.policyId="3"; >record.defListSet = new Array; >defList = new Object; >defList.defId="TYPE"; >defList.defConstraint="readonly"; >defList.defName="Key Type"; >defList.defSyntax="string"; >defList.defVal="RSA - 1.2.840.113549.1.1.1"; >record.defListSet[0] = defList; >defList = new Object; >defList.defId="LEN"; >defList.defConstraint="readonly"; >defList.defName="Key Length"; >defList.defSyntax="string"; >defList.defVal="2048"; >record.defListSet[1] = defList; >defList = new Object; >defList.defId="KEY"; >defList.defConstraint="readonly"; >defList.defName="Key"; >defList.defSyntax="string"; >record.defListSet[2] = defList; >record.defDesc="This default populates a User-Supplied Certificate Key to the request."; >recordSet[2] = record; >record = new Object; >record.conDesc="No Constraint"; >record.policyId="4"; >record.defListSet = new Array; >defList = new Object; >defList.defId="critical";
>defList.defConstraint="readonly"; >defList.defName="Criticality"; >defList.defSyntax="string"; >defList.defVal="false"; >record.defListSet[0] = defList; >defList = new Object; >defList.defId="keyid"; >defList.defConstraint="readonly"; >defList.defName="Key ID"; >defList.defSyntax="string"; >defList.defVal="67:52:CC:0A:9D:80:C4:CD:C7:DE:4E:CF:C5:00:79:8F:\nFF:84:4D:12\n"; >record.defListSet[1] = defList; >record.defDesc="This default populates an Authority Key Identifier Extension (2.5.29.35) to the request."; >recordSet[3] = record; >record = new Object; >record.conDesc="No Constraint"; >record.policyId="5"; >record.defListSet = new Array; >defList = new Object; >defList.defId="authInfoAccessCritical"; >defList.defConstraint="null"; >defList.defName="Criticality"; >defList.defSyntax="boolean"; >defList.defVal="false"; >record.defListSet[0] = defList; >defList = new Object; >defList.defId="authInfoAccessGeneralNames"; >defList.defConstraint="null"; >defList.defName="General Names"; >defList.defSyntax="string_list"; >defList.defVal="Record #0\r\nMethod:1.3.6.1.5.5.7.48.1\r\nLocation Type:URIName\r\nLocation:http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp\r\nEnable:true\r\n\r\n"; >record.defListSet[1] = defList; >record.defDesc="This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. 
The default values are Criticality=false, Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true}"; >recordSet[4] = record; >record = new Object; >record.conDesc="This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false"; >record.policyId="6"; >record.defListSet = new Array; >defList = new Object; >defList.defId="keyUsageCritical"; >defList.defConstraint="null"; >defList.defName="Criticality"; >defList.defSyntax="boolean"; >defList.defVal="true"; >record.defListSet[0] = defList; >defList = new Object; >defList.defId="keyUsageDigitalSignature"; >defList.defConstraint="null"; >defList.defName="Digital Signature"; >defList.defSyntax="boolean"; >defList.defVal="true"; >record.defListSet[1] = defList; >defList = new Object; >defList.defId="keyUsageNonRepudiation"; >defList.defConstraint="null"; >defList.defName="Non-Repudiation"; >defList.defSyntax="boolean"; >defList.defVal="true"; >record.defListSet[2] = defList; >defList = new Object; >defList.defId="keyUsageKeyEncipherment"; >defList.defConstraint="null"; >defList.defName="Key Encipherment"; >defList.defSyntax="boolean"; >defList.defVal="true"; >record.defListSet[3] = defList; >defList = new Object; >defList.defId="keyUsageDataEncipherment"; >defList.defConstraint="null"; >defList.defName="Data Encipherment"; >defList.defSyntax="boolean"; >defList.defVal="true"; >record.defListSet[4] = defList; >defList = new Object; >defList.defId="keyUsageKeyAgreement"; >defList.defConstraint="null"; >defList.defName="Key Agreement"; >defList.defSyntax="boolean"; >defList.defVal="false"; >record.defListSet[5] = defList; >defList = new Object; >defList.defId="keyUsageKeyCertSign"; >defList.defConstraint="null"; >defList.defName="Key CertSign"; >defList.defSyntax="boolean"; 
>defList.defVal="false"; >record.defListSet[6] = defList; >defList = new Object; >defList.defId="keyUsageCrlSign"; >defList.defConstraint="null"; >defList.defName="CRL Sign"; >defList.defSyntax="boolean"; >defList.defVal="false"; >record.defListSet[7] = defList; >defList = new Object; >defList.defId="keyUsageEncipherOnly"; >defList.defConstraint="null"; >defList.defName="Encipher Only"; >defList.defSyntax="boolean"; >defList.defVal="false"; >record.defListSet[8] = defList; >defList = new Object; >defList.defId="keyUsageDecipherOnly"; >defList.defConstraint="null"; >defList.defName="Decipher Only"; >defList.defSyntax="boolean"; >defList.defVal="false"; >record.defListSet[9] = defList; >record.defDesc="This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false"; >recordSet[5] = record; >record = new Object; >record.conDesc="No Constraint"; >record.policyId="7"; >record.defListSet = new Array; >defList = new Object; >defList.defId="exKeyUsageCritical"; >defList.defConstraint="null"; >defList.defName="Criticality"; >defList.defSyntax="boolean"; >defList.defVal="false"; >record.defListSet[0] = defList; >defList = new Object; >defList.defId="exKeyUsageOIDs"; >defList.defConstraint="null"; >defList.defName="Comma-Separated list of Object Identifiers"; >defList.defSyntax="string_list"; >defList.defVal="1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"; >record.defListSet[1] = defList; >record.defDesc="This default populates an Extended Key Usage Extension () to the request. 
The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"; >recordSet[6] = record; >record = new Object; >record.conDesc="This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"; >record.policyId="8"; >record.defListSet = new Array; >defList = new Object; >defList.defId="signingAlg"; >defList.defConstraint="SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA"; >defList.defName="Signing Algorithm"; >defList.defSyntax="choice"; >defList.defVal="SHA256withRSA"; >record.defListSet[0] = defList; >record.defDesc="This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA256withRSA"; >recordSet[7] = record; >profileDesc="This certificate profile is for enrolling server certificates."; >inputListSet = new Array; >inputList = new Object; >inputList.inputId="cert_request_type"; >inputList.inputName="Certificate Request Type"; >inputList.inputVal="pkcs10"; >inputList.inputSyntax="cert_request_type"; >inputList.inputConstraint="null"; >inputListSet[0] = inputList; >inputList = new Object; >inputList.inputId="cert_request"; >inputList.inputName="Certificate Request"; 
>inputList.inputSyntax="cert_request"; >inputList.inputConstraint="null"; >inputListSet[1] = inputList; >inputList = new Object; >inputList.inputId="requestor_name"; >inputList.inputName="Requestor Name"; >inputList.inputVal="IPA Installer"; >inputList.inputSyntax="string"; >inputList.inputConstraint="null"; >inputListSet[2] = inputList; >inputList = new Object; >inputList.inputId="requestor_email"; >inputList.inputName="Requestor Email"; >inputList.inputVal="null"; >inputList.inputSyntax="string"; >inputList.inputConstraint="null"; >inputListSet[3] = inputList; >inputList = new Object; >inputList.inputId="requestor_phone"; >inputList.inputName="Requestor Phone"; >inputList.inputVal="null"; >inputList.inputSyntax="string"; >inputList.inputConstraint="null"; >inputListSet[4] = inputList; >errorCode="0"; >requestModificationTime="Fri Dec 13 14:16:41 CET 2013"; >profileRemoteAddr="null"; >profileName="Manual Server Certificate Enrollment"; >profileApprovedBy="admin"; >requestOwner=""; >profileId="caServerCert"; 
>profileRemoteHost="null"; >profileIsVisible="true"; >requestId="7"; >errorReason=""; >requestStatus="pending"; >requestCreationTime="Fri Dec 13 14:16:40 CET 2013"; >outputListSet = new Array; >outputList = new Object; >outputList.outputId="pretty_cert"; >outputList.outputSyntax="pretty_print"; >outputList.outputVal="null"; >outputList.outputName="Certificate Pretty Print"; >outputList.outputConstraint="null"; >outputListSet[0] = outputList; >outputList = new Object; >outputList.outputId="b64_cert"; >outputList.outputSyntax="pretty_print"; >outputList.outputVal="null"; >outputList.outputName="Certificate Base-64 Encoded"; >outputList.outputConstraint="null"; >outputListSet[1] = outputList; >profileSetId="serverCertSet"; ></script> ><style> >TABLE { border-spacing: 0 0; } ></style> > ><script type="text/javascript"> >function escapeValue(value) >{ > return value.replace(/"/g,'&quot;'); >} > >function addEscapes(str) >{ > var outStr = str.replace(/</g, "&lt;"); > outStr = outStr.replace(/>/g, "&gt;"); > return outStr; >} > >document.writeln('<font size="+1" face="PrimaSans BT, Verdana, sans-serif">Request '); >document.writeln(requestId); >document.writeln('<br></font>'); ></script> ><font size="-1" face="PrimaSans BT, Verdana, sans-serif"></font> ><table border="0" cellspacing="0" cellpadding="0" background="/pki/images/hr.gif" >width="100%"> > <tr> > <td> </td> > </tr> ></table> ><p> ><script type="text/javascript"> >if (requestStatus == 'pending') { > document.writeln('<form method=post action="profileProcess">'); > document.writeln('<input type=hidden name=requestId value=' + requestId + '>'); >} >document.writeln('<p>'); >document.writeln('<TABLE width=100%><TR><TD valign="top" align="left" colspan="3" bgcolor="#e5e5e5"><FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">Request Information</FONT></TD></TR></TABLE>'); >document.writeln('<table border=1 width=100%>'); >document.writeln('<tr>'); >document.writeln('<td width=20%>'); >document.writeln('<FONT size="-1" 
face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Request ID:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestId); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Request Type:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestType); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Request Status:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestStatus); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Requestor Host:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(profileRemoteHost); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Assigned To:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); 
>document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestOwner); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Creation Time:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestCreationTime); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Modification Time:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestModificationTime); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('</table>'); >document.writeln('<p>'); >document.writeln('<TABLE width=100%><TR><TD valign="top" align="left" colspan="3" bgcolor="#e5e5e5"><FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">Certificate Profile Information</FONT></TD></TR></TABLE>'); >document.writeln('<table border=1 width=100%>'); >document.writeln('<tr>'); >document.writeln('<td width=20%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Certificate Profile Id:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(profileId); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); 
>document.writeln('<tr>'); >document.writeln('<td width=20%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Approved By:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(profileApprovedBy); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Certificate Profile Name:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(profileName); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Certificate Profile Description:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(profileDesc); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('</table>'); >document.writeln('<p>'); >if (requestStatus != 'pending') { > document.writeln('<TABLE width=100%><TR><TD valign="top" align="left" colspan="3" bgcolor="#e5e5e5"><FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">Additional Notes</FONT></TD></TR></TABLE>'); > document.writeln('<table width=100% border=1>'); > document.writeln('<tr>'); > document.writeln('<td>'); > document.writeln(requestNotes); > document.writeln('</td>'); > document.writeln('</tr>'); > document.writeln('</table>'); > document.writeln('<p>'); >} >if 
(profileIsVisible == 'true') { >document.writeln('<TABLE width=100%><TR><TD valign="top" align="left" colspan="3" bgcolor="#e5e5e5"><FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">Certificate Profile Inputs</FONT></TD></TR></TABLE>'); >document.writeln('<table border=1 width=100%>'); >document.writeln('<tr>'); >document.writeln('<td width=20%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Id</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td width=40%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Input Names</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Input Values</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >for (var i = 0; i < inputListSet.length; i++) { > document.writeln('<tr>'); > document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(inputListSet[i].inputId); >document.writeln('</FONT>'); > document.writeln('</td>'); > document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(inputListSet[i].inputName); >document.writeln('</FONT>'); > document.writeln('</td>'); > document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(addEscapes(inputListSet[i].inputVal)); >document.writeln('</FONT>'); > document.writeln('</td>'); > document.writeln('</tr>'); >} >document.writeln('</table>'); >document.writeln('<p>'); >} >if (requestStatus == 'complete') { >document.writeln('<TABLE width=100%><TR><TD valign="top" align="left" colspan="3" bgcolor="#e5e5e5"><FONT size="-1" face="PrimaSans BT, Verdana, 
sans-serif">Certificate Profile Outputs</FONT></TD></TR></TABLE>'); >for (var i = 0; i < outputListSet.length; i++) { > document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">' >); > document.writeln('<li>'); > document.writeln(outputListSet[i].outputName); > document.writeln('</FONT>'); > document.writeln('<p>'); > if (outputListSet[i].outputSyntax == 'string') { > document.writeln(outputListSet[i].outputVal); > } else if (outputListSet[i].outputSyntax == 'pretty_print') { > document.writeln('<pre>'); > document.writeln(outputListSet[i].outputVal); > document.writeln('</pre>'); > } else if (outputListSet[i].outputSyntax == 'der_b64') { > document.writeln('<pre>'); > document.writeln('-----BEGIN CERTIFICATE-----'); > document.writeln(outputListSet[i].outputVal); > document.writeln('-----END CERTIFICATE-----'); > document.writeln('</pre>'); > } > document.writeln('</p>'); >} >} >if (requestStatus == 'pending') { >document.writeln('<TABLE width=100%><TR><TD valign="top" align="left" colspan="3" bgcolor="#e5e5e5"><FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">Policy Information</FONT></TD></TR></TABLE>'); >document.writeln('<table>'); >document.writeln('<tr>'); >document.writeln('<td width=20%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Certificate Profile Set Id:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(profileSetId); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >document.writeln('</table>'); >document.writeln('<table border=1 width=100%>'); >document.writeln('<tr>'); >document.writeln('<td width=10%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>#</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); 
>document.writeln('<td width=45%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Extensions / Fields</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td width=45%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Constraints</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >for (var i = 0; i < recordSet.length; i++) { > document.writeln('<tr valign=top>'); > document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(recordSet[i].policyId); >document.writeln('</FONT>'); > document.writeln('</td>'); > document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(recordSet[i].defDesc); >document.writeln('</FONT>'); > document.writeln('<p>'); > document.writeln('<table width=100%>'); > for (var j = 0; j < recordSet[i].defListSet.length; j++) { > document.writeln('<tr valign=top>'); > if (typeof(recordSet[i].defListSet[j].defName) != 'undefined') { > document.writeln('<td width=30%><i>'); > document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(recordSet[i].defListSet[j].defName + ':'); > document.writeln('</FONT>'); > document.writeln('</i></td>'); > document.writeln('<td width=70%>'); > if (recordSet[i].defListSet[j].defConstraint == 'readonly') { > document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(recordSet[i].defListSet[j].defVal); > document.writeln('</FONT>'); > } else { > if (recordSet[i].defListSet[j].defSyntax == 'string') { > document.writeln('<input size=32 type=text name="' + recordSet[i].defListSet[j].defId + '" value="' + escapeValue(recordSet[i].defListSet[j].defVal) + '">'); > } else if (recordSet[i].defListSet[j].defSyntax == 'string_list') { > 
document.writeln('<textarea cols=40 rows=5 name="' + recordSet[i].defListSet[j].defId + '">' + recordSet[i].defListSet[j].defVal + '</textarea>'); > } else if (recordSet[i].defListSet[j].defSyntax == 'integer') { > document.writeln('<input size=6 type=text name="' + recordSet[i].defListSet[j].defId + '" value="' + recordSet[i].defListSet[j].defVal + '">'); > } else if (recordSet[i].defListSet[j].defSyntax == 'image_url') { > document.writeln('<img border=0 src="' + recordSet[i].defListSet[j].defVal + '">'); > document.writeln('<input type=hidden name="' + recordSet[i].defListSet[j].defId + '" value="' + recordSet[i].defListSet[j].defVal + '">'); > } else if (recordSet[i].defListSet[j].defSyntax == 'choice') { > document.writeln('<select name="' + recordSet[i].defListSet[j].defId + '">'); > var c = recordSet[i].defListSet[j].defConstraint.split(','); > for(var k = 0; k < c.length; k++) { > if (recordSet[i].defListSet[j].defVal == c[k]) { > document.writeln('<option selected value=' + c[k] + '>'); > } else { > document.writeln('<option value=' + c[k] + '>'); > } > document.writeln(c[k]); > document.writeln('</option>'); > } > > document.writeln('</select>'); > } else if (recordSet[i].defListSet[j].defSyntax == 'boolean') { > document.writeln('<select name="' + recordSet[i].defListSet[j].defId + '">'); > if (recordSet[i].defListSet[j].defVal == 'true') { > document.writeln('<option selected value=true>true</option>'); > document.writeln('<option value=false>false</option>'); > } else { > document.writeln('<option value=true>true</option>'); > document.writeln('<option selected value=false>false</option>'); > } > document.writeln('</select>'); > } > } > document.writeln('</td>'); > } > document.writeln('</tr>'); > } > document.writeln('</table>'); > document.writeln('</td>'); > document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); > document.writeln(recordSet[i].conDesc); >document.writeln('</FONT>'); > 
document.writeln('</td>'); > document.writeln('</tr>'); >} // for >document.writeln('</table>'); >document.writeln('<p>'); >document.writeln('<TABLE width=100%><TR><TD valign="top" align="left" colspan="3" bgcolor="#e5e5e5"><FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">Additional Notes</FONT></TD></TR></TABLE>'); >document.writeln('<textarea cols=40 rows=5 name="requestNotes">' + requestNotes + '</textarea>'); >document.writeln('<p>'); > document.writeln('<SELECT NAME="op">'); > document.writeln('<OPTION VALUE="update">Update request</OPTION>'); > document.writeln('<OPTION VALUE="validate">Validate request</OPTION>'); > document.writeln('<OPTION SELECTED VALUE="approve">Approve request</OPTION>'); > document.writeln('<OPTION VALUE="reject">Reject request</OPTION>'); > document.writeln('<OPTION VALUE="cancel">Cancel request</OPTION>'); > document.writeln('<OPTION VALUE="assign">Assign request</OPTION>'); > document.writeln('<OPTION VALUE="unassign">Unassign request</OPTION>'); > document.writeln('</SELECT>'); >if (typeof(nonce) != "undefined") { > document.writeln("<INPUT TYPE=hidden name=nonce value=\"" + nonce +"\">"); >} >document.writeln('<input type=submit name=submit value=submit>'); >document.writeln('</form>'); >} // if ></script> ></html> > >Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >Issuer : CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1 >Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >Issuer : CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > >2013-12-13T13:16:41Z DEBUG stderr=GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0 > >port: 8443 >addr='vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com' >family='2' >IP='10.34.47.227' >PR_Write wrote 55 bytes from bigBuf >bytes: [GET 
/ca/agent/ca/profileReview?requestId=7 HTTP/1.0 > >] >do_writes shutting down send socket >do_writes exiting with (failure = 0) >Called mygetclientauthdata - nickname = ipa-ca-agent > mygetclientauthdata - cert = 203c810 > mygetclientauthdata - privkey = 207f800 >connection 1 read 1 bytes (1 total). >these bytes read: >connection 1 read 8999 bytes (9000 total). >these bytes read: >connection 1 read 1 bytes (9001 total). >these bytes read: >connection 1 read 8999 bytes (18000 total). >these bytes read: >connection 1 read 1 bytes (18001 total). >these bytes read: >connection 1 read 8999 bytes (27000 total). >these bytes read: >connection 1 read 1 bytes (27001 total). >these bytes read: >connection 1 read 2777 bytes (29778 total). >these bytes read: >connection 1 read 29778 bytes total. ----------------------------- >Done with possible addresses - exiting. > >2013-12-13T13:16:41Z DEBUG Starting external process >2013-12-13T13:16:41Z DEBUG args=/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-Wu5lth -e exKeyUsageCritical=false&keyUsageEncipherOnly=false&keyUsageNonRepudiation=true&keyUsageDataEncipherment=true&notBefore=2013-12-13+14%3A16%3A40&keyUsageCritical=true&submit=submit&notAfter=2015-12-03+14%3A16%3A40&requestId=7&signingAlg=SHA256withRSA&keyUsageDigitalSignature=true&authInfoAccessGeneralNames=Record+%230%0D%0AMethod%3A1.3.6.1.5.5.7.48.1%0D%0ALocation+Type%3AURIName%0D%0ALocation%3Ahttp%3A%2F%2Fvm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com%3A80%2Fca%2Focsp%0D%0AEnable%3Atrue%0D%0A%0D%0A&keyUsageKeyEncipherment=true&authInfoAccessCritical=false&name=CN%3DIPA+RA%2CO%3DDOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM&requestNotes=&keyUsageCrlSign=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1%2C1.3.6.1.5.5.7.3.2&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageDecipherOnly=false&op=approve -r /ca/agent/ca/profileProcess vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443 >2013-12-13T13:16:42Z DEBUG Process finished, return code=0 
>2013-12-13T13:16:42Z DEBUG stdout=HTTP/1.1 200 OK >Server: Apache-Coyote/1.1 >Content-Type: text/html;charset=UTF-8 >Date: Fri, 13 Dec 2013 13:16:41 GMT >Connection: close > ><!-- --- BEGIN COPYRIGHT BLOCK --- > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by > the Free Software Foundation; version 2 of the License. > > This program is distributed in the hope that it will be useful, > but WITHOUT ANY WARRANTY; without even the implied warranty of > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > GNU General Public License for more details. > > You should have received a copy of the GNU General Public License along > with this program; if not, write to the Free Software Foundation, Inc., > 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. > > Copyright (C) 2007 Red Hat, Inc. > All rights reserved. > --- END COPYRIGHT BLOCK --- --> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> ><html> ><script type="text/javascript"> >outputListSet = new Array; >outputList = new Object; >outputList.outputId="pretty_cert"; >outputList.outputSyntax="pretty_print"; >outputList.outputVal=" Certificate: \n Data: \n Version: v3\n Serial Number: 0x7\n Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11\n Issuer: CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM\n Validity: \n Not Before: Friday, December 13, 2013 2:16:40 PM CET Europe/Prague\n Not After: Thursday, December 3, 2015 2:16:40 PM CET Europe/Prague\n Subject: CN=IPA RA,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM\n Subject Public Key Info: \n Algorithm: RSA - 1.2.840.113549.1.1.1\n Public Key: \n Exponent: 65537\n Public Key Modulus: (2048 bits) :\n Extensions: \n Identifier: Authority Key Identifier - 2.5.29.35\n Critical: no \n Key Identifier: \n 67:52:CC:0A:9D:80:C4:CD:C7:DE:4E:CF:C5:00:79:8F:\n FF:84:4D:12\n Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1\n Critical: no \n Access Description: \n Method #0: ocsp\n Location #0: URIName: http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp\n Identifier: Key Usage: - 2.5.29.15\n Critical: yes \n Key Usage: \n Digital Signature \n Non Repudiation \n Key Encipherment \n Data Encipherment \n Identifier: Extended Key Usage: - 2.5.29.37\n Critical: no \n Extended Key Usage: \n 1.3.6.1.5.5.7.3.1\n 1.3.6.1.5.5.7.3.2\n Signature: \n Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11\n"; >outputList.outputName="Certificate Pretty Print"; >outputList.outputConstraint="null"; >outputListSet[0] = outputList; >outputList = new Object; >outputList.outputId="b64_cert"; >outputList.outputSyntax="pretty_print"; >outputList.outputName="Certificate Base-64 Encoded"; >outputList.outputConstraint="null"; >outputListSet[1] = outputList; >errorReason=""; >requestType="enrollment"; >profileId="caServerCert"; >requestId="7"; >errorCode="0"; >requestStatus="complete"; >op="approve"; ></script> > ><script type="text/javascript"> >function addEscapes(str) >{ > var outStr = str.replace(/</g, "&lt;"); > outStr = outStr.replace(/>/g, "&gt;"); > return outStr; >} > >document.writeln('<font size="+1" face="PrimaSans BT, Verdana, sans-serif">Request '); >if (typeof(requestId) != "undefined") { > document.writeln(requestId); >} >document.writeln('<br></font>'); ></script> ><font size="-1" face="PrimaSans BT, Verdana, sans-serif"></font> ><table border="0" cellspacing="0" cellpadding="0" background="/pki/images/hr.gif" width="100%"> > <tr> > <td> </td> > </tr> ></table> ><p> > ><script type="text/javascript"> >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Request Information:</b>'); >document.writeln('</FONT>'); >document.writeln('<table border=1 width=100%>'); >if (typeof(requestId) != "undefined") { >document.writeln('<tr>'); >document.writeln('<td width=30%>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Request ID:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<a href="profileReview?requestId=' + requestId + '">'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); 
>document.writeln(requestId); >document.writeln('</FONT>'); >document.writeln('</a>'); >document.writeln('</td>'); >document.writeln('</tr>'); >} >if (typeof(requestType) != "undefined") { >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Request Type:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestType); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >} >if (typeof(requestStatus) != "undefined") { >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Request Status:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(requestStatus); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >} >if (typeof(profileId) != "undefined") { >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Certificate Profile Id:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(profileId); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >} >if (typeof(op) != "undefined") { >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Operation Requested:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); 
>document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(op); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >} >if (typeof(errorCode) != "undefined") { >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Error Code:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(errorCode); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >} >if (typeof(errorReason) != "undefined") { >document.writeln('<tr>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln('<b>Error Reason:</b>'); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('<td>'); >document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">'); >document.writeln(errorReason); >document.writeln('</FONT>'); >document.writeln('</td>'); >document.writeln('</tr>'); >} >document.writeln('</table>'); >document.writeln('<p>'); >document.writeln('</table>'); >if (typeof(requestStatus) != "undefined" && requestStatus == 'complete') { > document.writeln('<table width=100%>'); >for (var i = 0; i < outputListSet.length; i++) { > document.writeln('<tr valign=top>'); > document.writeln('<td>'); > document.writeln('<FONT size="-1" face="PrimaSans BT, Verdana, sans-serif">' >); > document.writeln('<li>'); > document.writeln(outputListSet[i].outputName); > document.writeln('</FONT>'); > document.writeln('</td>'); > document.writeln('<tr valign=top>'); > document.writeln('</tr>'); > document.writeln('<td>'); > if (outputListSet[i].outputSyntax == 'string') { > document.writeln(addEscapes(outputListSet[i].outputVal)); > } else if (outputListSet[i].outputSyntax == 
'pretty_print') { > document.writeln('<pre>'); > document.writeln(addEscapes(outputListSet[i].outputVal)); > document.writeln('</pre>'); > } > document.writeln('</td>'); > document.writeln('</tr>'); >} > document.writeln('</table>'); >} ></script> ></html> > >Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >Issuer : CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1 >Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >Issuer : CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > >2013-12-13T13:16:42Z DEBUG stderr=POST /ca/agent/ca/profileProcess HTTP/1.0 >Content-Length: 813 >Content-Type: application/x-www-form-urlencoded > >exKeyUsageCritical=false&keyUsageEncipherOnly=false&keyUsageNonRepudiation=true&keyUsageDataEncipherment=true&notBefore=2013-12-13+14%3A16%3A40&keyUsageCritical=true&submit=submit&notAfter=2015-12-03+14%3A16%3A40&requestId=7&signingAlg=SHA256withRSA&keyUsageDigitalSignature=true&authInfoAccessGeneralNames=Record+%230%0D%0AMethod%3A1.3.6.1.5.5.7.48.1%0D%0ALocation+Type%3AURIName%0D%0ALocation%3Ahttp%3A%2F%2Fvm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com%3A80%2Fca%2Focsp%0D%0AEnable%3Atrue%0D%0A%0D%0A&keyUsageKeyEncipherment=true&authInfoAccessCritical=false&name=CN%3DIPA+RA%2CO%3DDOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM&requestNotes=&keyUsageCrlSign=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1%2C1.3.6.1.5.5.7.3.2&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageDecipherOnly=false&op=approveport: 8443 >addr='vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com' >family='2' >IP='10.34.47.227' >PR_Write wrote 928 bytes from bigBuf >bytes: [POST /ca/agent/ca/profileProcess HTTP/1.0 >Content-Length: 813 >Content-Type: application/x-www-form-urlencoded > 
>exKeyUsageCritical=false&keyUsageEncipherOnly=false&keyUsageNonRepudiation=true&keyUsageDataEncipherment=true&notBefore=2013-12-13+14%3A16%3A40&keyUsageCritical=true&submit=submit&notAfter=2015-12-03+14%3A16%3A40&requestId=7&signingAlg=SHA256withRSA&keyUsageDigitalSignature=true&authInfoAccessGeneralNames=Record+%230%0D%0AMethod%3A1.3.6.1.5.5.7.48.1%0D%0ALocation+Type%3AURIName%0D%0ALocation%3Ahttp%3A%2F%2Fvm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com%3A80%2Fca%2Focsp%0D%0AEnable%3Atrue%0D%0A%0D%0A&keyUsageKeyEncipherment=true&authInfoAccessCritical=false&name=CN%3DIPA+RA%2CO%3DDOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM&requestNotes=&keyUsageCrlSign=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1%2C1.3.6.1.5.5.7.3.2&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageDecipherOnly=false&op=approve] >do_writes shutting down send socket >do_writes exiting with (failure = 0) >Called mygetclientauthdata - nickname = ipa-ca-agent > mygetclientauthdata - cert = 1458b80 > mygetclientauthdata - privkey = 149bb70 >connection 1 read 1 bytes (1 total). >these bytes read: >connection 1 read 8999 bytes (9000 total). >these bytes read: >connection 1 read 1 bytes (9001 total). >these bytes read: >connection 1 read 4591 bytes (13592 total). >these bytes read: >connection 1 read 13592 bytes total. ----------------------------- >Done with possible addresses - exiting. > >2013-12-13T13:16:42Z DEBUG Starting external process >2013-12-13T13:16:42Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t u,u,u -n ipaCert -a -i /tmp/tmp93d7bn >2013-12-13T13:16:42Z DEBUG Process finished, return code=0 >2013-12-13T13:16:42Z DEBUG stdout= >2013-12-13T13:16:42Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. 
> >2013-12-13T13:16:42Z DEBUG duration: 1 seconds >2013-12-13T13:16:42Z DEBUG [19/22]: adding RA agent as a trusted user >2013-12-13T13:16:43Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:16:43Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x32cd7a0> >2013-12-13T13:16:43Z DEBUG duration: 1 seconds >2013-12-13T13:16:43Z DEBUG [20/22]: configure certificate renewals >2013-12-13T13:16:43Z DEBUG Starting external process >2013-12-13T13:16:43Z DEBUG args=/bin/systemctl enable certmonger.service >2013-12-13T13:16:43Z DEBUG Process finished, return code=0 >2013-12-13T13:16:43Z DEBUG stdout= >2013-12-13T13:16:43Z DEBUG stderr=ln -s '/usr/lib/systemd/system/certmonger.service' '/etc/systemd/system/multi-user.target.wants/certmonger.service' > >2013-12-13T13:16:43Z DEBUG Starting external process >2013-12-13T13:16:43Z DEBUG args=/bin/systemctl start messagebus.service >2013-12-13T13:16:43Z DEBUG Process finished, return code=0 >2013-12-13T13:16:43Z DEBUG stdout= >2013-12-13T13:16:43Z DEBUG stderr= >2013-12-13T13:16:43Z DEBUG Starting external process >2013-12-13T13:16:43Z DEBUG args=/bin/systemctl is-active messagebus.service >2013-12-13T13:16:43Z DEBUG Process finished, return code=0 >2013-12-13T13:16:43Z DEBUG stdout=active > >2013-12-13T13:16:43Z DEBUG stderr= >2013-12-13T13:16:43Z DEBUG Starting external process >2013-12-13T13:16:43Z DEBUG args=/bin/systemctl start certmonger.service >2013-12-13T13:16:44Z DEBUG Process finished, return code=0 >2013-12-13T13:16:44Z DEBUG stdout= >2013-12-13T13:16:44Z DEBUG stderr= >2013-12-13T13:16:44Z DEBUG Starting external process >2013-12-13T13:16:44Z DEBUG args=/bin/systemctl is-active certmonger.service >2013-12-13T13:16:44Z DEBUG Process finished, return code=0 >2013-12-13T13:16:44Z DEBUG stdout=active > >2013-12-13T13:16:44Z DEBUG stderr= 
>2013-12-13T13:16:44Z DEBUG Starting external process >2013-12-13T13:16:44Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/pki-tomcat/alias -n auditSigningCert cert-pki-ca >2013-12-13T13:16:44Z DEBUG Process finished, return code=0 >2013-12-13T13:16:44Z DEBUG stdout=Certificate: > Data: > Version: 3 (0x2) > Serial Number: 5 (0x5) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: "CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ. > REDHAT.COM" > Validity: > Not Before: Fri Dec 13 13:16:06 2013 > Not After : Thu Dec 03 13:16:06 2015 > Subject: "CN=CA Audit,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: 65537 (0x10001) > Signed Extensions: > Name: Certificate Authority Key Identifier > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > > Name: Certificate Key Usage > Critical: True > Usages: Digital Signature > Non-Repudiation > > Name: Authority Information Access > Method: PKIX Online Certificate Status Protocol > Location: > URI: "http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om:80/ca/ocsp" 
> > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > CC:84:F8:39:24:44:EF:E5:80:A0:7C:37:2B:82:60:E9 > Fingerprint (SHA1): > 2E:1B:6E:08:E0:01:34:45:26:B8:B2:2B:A8:3C:C9:22:21:35:F3:2C > > Certificate Trust Flags: > SSL Flags: > User > Email Flags: > User > Object Signing Flags: > Terminal Record > Trusted > User > > >2013-12-13T13:16:44Z DEBUG stderr= >2013-12-13T13:16:44Z DEBUG Starting external process >2013-12-13T13:16:44Z DEBUG args=/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX >2013-12-13T13:16:44Z DEBUG Process finished, return code=0 >2013-12-13T13:16:44Z DEBUG stdout=New tracking request "20131213131644" added. 
> >2013-12-13T13:16:44Z DEBUG stderr= >2013-12-13T13:16:44Z DEBUG Starting external process >2013-12-13T13:16:44Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/pki-tomcat/alias -n ocspSigningCert cert-pki-ca >2013-12-13T13:16:44Z DEBUG Process finished, return code=0 >2013-12-13T13:16:44Z DEBUG stdout=Certificate: > Data: > Version: 3 (0x2) > Serial Number: 2 (0x2) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: "CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ. > REDHAT.COM" > Validity: > Not Before: Fri Dec 13 13:16:03 2013 > Not After : Thu Dec 03 13:16:03 2015 > Subject: "CN=OCSP Subsystem,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT > .COM" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: 65537 (0x10001) > Signed Extensions: > Name: Certificate Authority Key Identifier > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > > Name: Certificate Key Usage > Critical: True > Usages: Digital Signature > Non-Repudiation > Certificate Signing > CRL Signing > > Name: Authority Information Access > Method: PKIX Online Certificate Status Protocol > Location: 
> URI: "http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om:80/ca/ocsp" > > Name: Extended Key Usage > OCSP Responder Certificate > > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 25:E4:1B:45:30:C9:1A:67:95:92:95:30:A9:69:88:83 > Fingerprint (SHA1): > 1E:74:24:9C:4D:D8:5D:21:1A:1E:F1:E8:FD:D8:5D:31:32:50:19:CC > > Certificate Trust Flags: > SSL Flags: > User > Email Flags: > User > Object Signing Flags: > User > > >2013-12-13T13:16:44Z DEBUG stderr= >2013-12-13T13:16:44Z DEBUG Starting external process >2013-12-13T13:16:44Z DEBUG args=/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n ocspSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" -P XXXXXXXX >2013-12-13T13:16:45Z DEBUG Process finished, return code=0 >2013-12-13T13:16:45Z DEBUG stdout=New tracking request "20131213131645" added. 
> >2013-12-13T13:16:45Z DEBUG stderr= >2013-12-13T13:16:45Z DEBUG Starting external process >2013-12-13T13:16:45Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/pki-tomcat/alias -n subsystemCert cert-pki-ca >2013-12-13T13:16:45Z DEBUG Process finished, return code=0 >2013-12-13T13:16:45Z DEBUG stdout=Certificate: > Data: > Version: 3 (0x2) > Serial Number: 4 (0x4) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: "CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ. > REDHAT.COM" > Validity: > Not Before: Fri Dec 13 13:16:05 2013 > Not After : Thu Dec 03 13:16:05 2015 > Subject: "CN=CA Subsystem,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.C > OM" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: 65537 (0x10001) > Signed Extensions: > Name: Certificate Authority Key Identifier > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > > Name: Authority Information Access > Method: PKIX Online Certificate Status Protocol > Location: > URI: "http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om:80/ca/ocsp" > > Name: Certificate Key Usage > Critical: True > 
Usages: Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > TLS Web Server Authentication Certificate > TLS Web Client Authentication Certificate > > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 01:09:70:85:8B:A4:A8:37:94:17:3E:EE:65:56:25:90 > Fingerprint (SHA1): > 20:6A:30:91:5C:ED:8B:5D:86:82:61:8B:44:2B:05:DE:62:93:4E:D6 > > Certificate Trust Flags: > SSL Flags: > User > Email Flags: > User > Object Signing Flags: > User > > >2013-12-13T13:16:45Z DEBUG stderr= >2013-12-13T13:16:45Z DEBUG Starting external process >2013-12-13T13:16:45Z DEBUG args=/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n subsystemCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" -P XXXXXXXX >2013-12-13T13:16:46Z DEBUG Process finished, return code=0 >2013-12-13T13:16:46Z DEBUG stdout=New tracking request "20131213131646" added. 
> >2013-12-13T13:16:46Z DEBUG stderr= >2013-12-13T13:16:46Z DEBUG Starting external process >2013-12-13T13:16:46Z DEBUG args=/usr/bin/certutil -L -d /etc/httpd/alias -n ipaCert >2013-12-13T13:16:46Z DEBUG Process finished, return code=0 >2013-12-13T13:16:46Z DEBUG stdout=Certificate: > Data: > Version: 3 (0x2) > Serial Number: 7 (0x7) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: "CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ. > REDHAT.COM" > Validity: > Not Before: Fri Dec 13 13:16:40 2013 > Not After : Thu Dec 03 13:16:40 2015 > Subject: "CN=IPA RA,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: 65537 (0x10001) > Signed Extensions: > Name: Certificate Authority Key Identifier > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > > Name: Authority Information Access > Method: PKIX Online Certificate Status Protocol > Location: > URI: "http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om:80/ca/ocsp" > > Name: Certificate Key Usage > Critical: True > Usages: Digital Signature > 
Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > TLS Web Server Authentication Certificate > TLS Web Client Authentication Certificate > > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > FC:A9:DE:17:2F:E9:EB:77:C6:14:9A:44:B4:53:B6:9A > Fingerprint (SHA1): > 96:31:A6:1F:B3:35:83:39:F4:DB:90:D5:EF:C5:0A:3D:4B:18:F1:7D > > Certificate Trust Flags: > SSL Flags: > User > Email Flags: > User > Object Signing Flags: > User > > >2013-12-13T13:16:46Z DEBUG stderr= >2013-12-13T13:16:46Z DEBUG Starting external process >2013-12-13T13:16:46Z DEBUG args=/usr/bin/getcert start-tracking -d /etc/httpd/alias -n ipaCert -c dogtag-ipa-renew-agent -C /usr/lib64/ipa/certmonger/renew_ra_cert -p /etc/httpd/alias/pwdfile.txt >2013-12-13T13:16:47Z DEBUG Process finished, return code=0 >2013-12-13T13:16:47Z DEBUG stdout=New tracking request "20131213131647" added. 
> >2013-12-13T13:16:47Z DEBUG stderr= >2013-12-13T13:16:47Z DEBUG duration: 3 seconds >2013-12-13T13:16:47Z DEBUG [21/22]: configure Server-Cert certificate renewal >2013-12-13T13:16:47Z DEBUG Starting external process >2013-12-13T13:16:47Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/pki-tomcat/alias -n Server-Cert cert-pki-ca >2013-12-13T13:16:47Z DEBUG Process finished, return code=0 >2013-12-13T13:16:47Z DEBUG stdout=Certificate: > Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: "CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ. > REDHAT.COM" > Validity: > Not Before: Fri Dec 13 13:16:04 2013 > Not After : Thu Dec 03 13:16:04 2015 > Subject: "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM > 227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: 65537 (0x10001) > Signed Extensions: > Name: Certificate Authority Key Identifier > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > > Name: Authority Information Access > Method: PKIX Online Certificate 
Status Protocol > Location: > URI: "http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om:80/ca/ocsp" > > Name: Certificate Key Usage > Critical: True > Usages: Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > TLS Web Server Authentication Certificate > > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 28:59:BE:BA:D9:E0:6D:58:9E:E0:DA:44:7B:06:AD:93 > Fingerprint (SHA1): > 3A:81:C2:72:67:A7:4B:98:1D:7B:39:30:58:44:47:14:9C:84:A2:9A > > Certificate Trust Flags: > SSL Flags: > User > Email Flags: > User > Object Signing Flags: > User > > >2013-12-13T13:16:47Z DEBUG stderr= >2013-12-13T13:16:47Z DEBUG Starting external process >2013-12-13T13:16:47Z DEBUG args=/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n Server-Cert cert-pki-ca -c dogtag-ipa-renew-agent -P XXXXXXXX >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout=New tracking request "20131213131648" added. 
> >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG duration: 1 seconds >2013-12-13T13:16:48Z DEBUG [22/22]: Configure HTTP to proxy connections >2013-12-13T13:16:48Z DEBUG duration: 0 seconds >2013-12-13T13:16:48Z DEBUG Done configuring certificate server (pki-tomcatd). >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -L -n DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout=-----BEGIN CERTIFICATE----- 
>-----END CERTIFICATE----- > >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:16:48Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -O -n ipaCert >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout="DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA" [CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM] > > "ipaCert" [CN=IPA RA,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM] > > >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout=-----BEGIN CERTIFICATE----- 
>-----END CERTIFICATE----- > >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n ipaCert -a >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout=-----BEGIN CERTIFICATE----- 
>-----END CERTIFICATE----- > >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L -n DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a >2013-12-13T13:16:48Z DEBUG Process finished, return code=255 >2013-12-13T13:16:48Z DEBUG stdout= >2013-12-13T13:16:48Z DEBUG stderr=certutil: Could not find cert: DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA >: PR_FILE_NOT_FOUND_ERROR: File not found > >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -N -f /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout= >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -A -n DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -t CT,,C -a >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout= >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -A -n CN=IPA RA,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -t CT,,C -a >2013-12-13T13:16:48Z DEBUG Process finished, return code=0 >2013-12-13T13:16:48Z DEBUG stdout= >2013-12-13T13:16:48Z DEBUG stderr= >2013-12-13T13:16:48Z DEBUG Starting external process >2013-12-13T13:16:48Z DEBUG args=/usr/bin/certutil -d 
/etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -R -s CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -o /var/lib/ipa/ipa-k6AvFa/tmpcertreq -k rsa -g 2048 -z /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM//noise.txt -f /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt -a >2013-12-13T13:16:49Z DEBUG Process finished, return code=0 >2013-12-13T13:16:49Z DEBUG stdout= >2013-12-13T13:16:49Z DEBUG stderr= > >Generating key. This may take a few moments... > > >2013-12-13T13:16:49Z DEBUG request 'https://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient' >2013-12-13T13:16:49Z DEBUG request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICuDCCAaACAQAwczE0MDIGA1UEChMrRE9NMjI3LkpFTktJTlNBRC5JRE0uTEFC%0D%0ALkVORy5CUlEuUkVESEFULkNPTTE7MDkGA1UEAxMydm0tMjI3LmRvbTIyNy5qZW5r%0D%0AaW5zYWQuaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb20wggEiMA0GCSqGSIb3DQEB%0D%0AAQUAA4IBDwAwggEKAoIBAQColqyFpD%2FMQlPbrh%2FdR906t%2BK7ANAExDu%2B%2BV6fktv%2B%0D%0A1iKXUQY7GrfGeSgoFiFwlBa5rwTosZXJKrVa82%2Bo%2FMsHWyJe%2FYMS%2BSN7Km6M9aX3%0D%0AAlWsPsq7buE%2FY2B2NBe69aFnQQrTDHkwv4C9gsWfEgQJJFIJe%2FdWfjZ8CN00WJUb%0D%0AsOVkfagkojx2hWwbbRkPpXWlsMZohYQTKN2fUWZIWgYkji2DUNTdC41DxyYWRfFm%0D%0ARq9TNXQLjisTdiNCwY2MWF%2FtK%2BQ82VB1FInPWPh1ZdYvCPldXC7Fm7No4en3Xib2%0D%0ANwd07ELqoj9mZNNI%2FiSDrP7nxH3jN64v9qt7qdWzcfTNAgMBAAGgADANBgkqhkiG%0D%0A9w0BAQUFAAOCAQEALf6Znu7oP%2FO%2BqJPi9Iv6%2Bk4ESmheBX4ZAF7jlg0wwrJvQHCd%0D%0AaITQgQy83Jxsb3qlyx2OGO6mC7aYz2t0naiZkFwdP%2FJhux4XTc1pFz2z5afyDbH8%0D%0AB6PxXt%2BnET4lvqE3VdMd%2Fm12AuDe%2FJNMrfaVYQZgnFWvMnRzlqziDGvnqxwwWFLB%0D%0Ag4ZjpVNmx1hIu9N1PSslObuizpGH3zGbwncLPDVancmkNvWs%2FKMdkUy1ujxJKqTu%0D%0AmVkW7EJydxBFQNvrRyz%2BQfD3ggIJ5tjfiySrNigXt7mYsiObwWPtZ7dnShVXRyjP%0D%0AK8lTMeuv62IbbXWSYPmrw5Om0ybgeKMSSx%2FWDw%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true' >2013-12-13T13:16:49Z DEBUG NSSConnection init 
vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:16:49Z DEBUG Connecting: 10.34.47.227:0 >2013-12-13T13:16:49Z DEBUG auth_certificate_callback: check_sig=True is_server=False >Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Validity: > Not Before: Fri Dec 13 13:16:04 2013 UTC > Not After: Thu Dec 03 13:16:04 2015 UTC > Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Subject Public Key Info: > Public Key Algorithm: > Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: > 65537 (0x10001) > Signed Extensions: (4) > Name: Certificate Authority Key Identifier > Critical: False > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > Serial Number: None > General Names: [0 total] > > Name: Authority Information Access > Critical: False > Authority Information Access: [1 total] > Info [1]: > Method: PKIX Online Certificate Status Protocol > Location: URI:
http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp > > Name: Certificate Key Usage > Critical: True > Usages: > Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > Critical: False > Usages: > TLS Web Server Authentication Certificate > > Signature: > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 28:59:be:ba:d9:e0:6d:58:9e:e0:da:44:7b:06:ad:93 > Fingerprint (SHA1): > 3a:81:c2:72:67:a7:4b:98:1d:7b:39:30:58:44:47:14: > 9c:84:a2:9a >2013-12-13T13:16:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server >2013-12-13T13:16:49Z DEBUG cert valid True for "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" >2013-12-13T13:16:49Z DEBUG handshake complete, peer = 10.34.47.227:8443 >2013-12-13T13:16:49Z DEBUG auth_certificate_callback: check_sig=True is_server=False >Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Validity: > Not
Before: Fri Dec 13 13:16:04 2013 UTC > Not After: Thu Dec 03 13:16:04 2015 UTC > Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Subject Public Key Info: > Public Key Algorithm: > Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: > 65537 (0x10001) > Signed Extensions: (4) > Name: Certificate Authority Key Identifier > Critical: False > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > Serial Number: None > General Names: [0 total] > > Name: Authority Information Access > Critical: False > Authority Information Access: [1 total] > Info [1]: > Method: PKIX Online Certificate Status Protocol > Location: URI: http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp > > Name: Certificate Key Usage > Critical: True > Usages: > Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > Critical: False > Usages: > TLS Web Server Authentication Certificate > > Signature: > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature:
> Fingerprint (MD5): > 28:59:be:ba:d9:e0:6d:58:9e:e0:da:44:7b:06:ad:93 > Fingerprint (SHA1): > 3a:81:c2:72:67:a7:4b:98:1d:7b:39:30:58:44:47:14: > 9c:84:a2:9a >2013-12-13T13:16:49Z DEBUG approved_usage = SSL Server intended_usage = SSL Server >2013-12-13T13:16:49Z DEBUG cert valid True for "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" >2013-12-13T13:16:49Z DEBUG handshake complete, peer = 10.34.47.227:8443 >2013-12-13T13:16:51Z DEBUG request status 200 >2013-12-13T13:16:51Z DEBUG request reason_phrase u'OK' >2013-12-13T13:16:51Z DEBUG request headers {'date': 'Fri, 13 Dec 2013 13:16:51 GMT', 'content-length': '1916', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} >2013-12-13T13:16:51Z DEBUG request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><Requests><Request><Id>8</Id><SubjectDN>CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM</SubjectDN><serialno>8</serialno><b64></b64></Request></Requests></XMLResponse>' >2013-12-13T13:16:51Z DEBUG Starting external process >2013-12-13T13:16:51Z DEBUG
args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-k6AvFa/tmpcert.der -f /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM//pwdfile.txt >2013-12-13T13:16:51Z DEBUG Process finished, return code=0 >2013-12-13T13:16:51Z DEBUG stdout= >2013-12-13T13:16:51Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. > >2013-12-13T13:16:51Z DEBUG Starting external process >2013-12-13T13:16:51Z DEBUG args=/bin/systemctl enable certmonger.service >2013-12-13T13:16:51Z DEBUG Process finished, return code=0 >2013-12-13T13:16:51Z DEBUG stdout= >2013-12-13T13:16:51Z DEBUG stderr= >2013-12-13T13:16:51Z DEBUG Starting external process >2013-12-13T13:16:51Z DEBUG args=/bin/systemctl start messagebus.service >2013-12-13T13:16:51Z DEBUG Process finished, return code=0 >2013-12-13T13:16:51Z DEBUG stdout= >2013-12-13T13:16:51Z DEBUG stderr= >2013-12-13T13:16:51Z DEBUG Starting external process >2013-12-13T13:16:51Z DEBUG args=/bin/systemctl is-active messagebus.service >2013-12-13T13:16:51Z DEBUG Process finished, return code=0 >2013-12-13T13:16:51Z DEBUG stdout=active > >2013-12-13T13:16:51Z DEBUG stderr= >2013-12-13T13:16:51Z DEBUG Starting external process >2013-12-13T13:16:51Z DEBUG args=/bin/systemctl start certmonger.service >2013-12-13T13:16:51Z DEBUG Process finished, return code=0 >2013-12-13T13:16:51Z DEBUG stdout= >2013-12-13T13:16:51Z DEBUG stderr= >2013-12-13T13:16:51Z DEBUG Starting external process >2013-12-13T13:16:51Z DEBUG args=/bin/systemctl is-active certmonger.service >2013-12-13T13:16:51Z DEBUG Process finished, return code=0 >2013-12-13T13:16:51Z DEBUG stdout=active > >2013-12-13T13:16:51Z DEBUG stderr= >2013-12-13T13:16:51Z DEBUG Starting external process >2013-12-13T13:16:52Z DEBUG args=/usr/bin/certutil -L -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM -n Server-Cert >2013-12-13T13:16:52Z DEBUG Process finished, return 
code=0 >2013-12-13T13:16:52Z DEBUG stdout=Certificate: > Data: > Version: 3 (0x2) > Serial Number: 8 (0x8) > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: "CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ. > REDHAT.COM" > Validity: > Not Before: Fri Dec 13 13:16:50 2013 > Not After : Mon Dec 14 13:16:50 2015 > Subject: "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM > 227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: 65537 (0x10001) > Signed Extensions: > Name: Certificate Authority Key Identifier > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > > Name: Authority Information Access > Method: PKIX Online Certificate Status Protocol > Location: > URI: "http://ipa-ca.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om/ca/ocsp" > > Name: Certificate Key Usage > Critical: True > Usages: Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > TLS Web Server Authentication Certificate > TLS Web Client Authentication Certificate > > Name: CRL
Distribution Points > Distribution point: > URI: "http://ipa-ca.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om/ipa/crl/MasterCRL.bin" > CRL issuer: > Directory Name: "CN=Certificate Authority,O=ipaca" > > Name: Certificate Subject Key ID > Data: > 5d:32:54:f3:ad:3c:58:37:6a:59:2f:06:97:7c:77:7c: > 65:0a:e1:13 > > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 87:B1:24:2C:E9:99:8B:24:52:C5:95:74:E0:7D:5E:12 > Fingerprint (SHA1): > A8:D8:66:C8:AE:C8:3C:50:38:31:90:2C:E7:E8:DA:56:BF:88:B9:A9 > > Certificate Trust Flags: > SSL Flags: > User > Email Flags: > User > Object Signing Flags: > User > > >2013-12-13T13:16:52Z DEBUG stderr= >2013-12-13T13:16:52Z DEBUG Starting external process >2013-12-13T13:16:52Z DEBUG args=/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM -n Server-Cert -p /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:16:52Z DEBUG Process finished, return code=0 >2013-12-13T13:16:52Z DEBUG stdout=New tracking request "20131213131652"
added. > >2013-12-13T13:16:52Z DEBUG stderr= >2013-12-13T13:16:52Z DEBUG Starting external process >2013-12-13T13:16:52Z DEBUG args=/bin/systemctl stop certmonger.service >2013-12-13T13:16:52Z DEBUG Process finished, return code=0 >2013-12-13T13:16:52Z DEBUG stdout= >2013-12-13T13:16:52Z DEBUG stderr= >2013-12-13T13:16:52Z DEBUG Starting external process >2013-12-13T13:16:52Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L -n Server-Cert -a >2013-12-13T13:16:52Z DEBUG Process finished, return code=0 >2013-12-13T13:16:52Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>-----END CERTIFICATE----- > >2013-12-13T13:16:52Z DEBUG stderr= >2013-12-13T13:17:14Z DEBUG Starting external process >2013-12-13T13:17:14Z DEBUG args=/bin/systemctl start certmonger.service >2013-12-13T13:17:14Z DEBUG Process finished, return code=0 >2013-12-13T13:17:14Z DEBUG stdout= >2013-12-13T13:17:14Z DEBUG stderr= >2013-12-13T13:17:14Z DEBUG Starting external process >2013-12-13T13:17:14Z DEBUG args=/bin/systemctl is-active certmonger.service >2013-12-13T13:17:14Z DEBUG Process finished, return code=0 >2013-12-13T13:17:14Z DEBUG stdout=active > >2013-12-13T13:17:14Z DEBUG stderr= >2013-12-13T13:17:14Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:17:14Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x16fdc20> >2013-12-13T13:17:14Z DEBUG Starting external process >2013-12-13T13:17:14Z DEBUG args=/bin/systemctl restart dirsrv.target >2013-12-13T13:17:16Z DEBUG Process finished, return code=0 >2013-12-13T13:17:16Z DEBUG stdout= >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service
>2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > 
>2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process 
>2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active 
dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, return code=3 >2013-12-13T13:17:16Z DEBUG stdout=activating > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG Starting external process >2013-12-13T13:17:16Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:16Z DEBUG Process finished, 
return code=0 >2013-12-13T13:17:16Z DEBUG stdout=active > >2013-12-13T13:17:16Z DEBUG stderr= >2013-12-13T13:17:16Z DEBUG wait_for_open_ports: localhost [389] timeout 120 >2013-12-13T13:17:17Z DEBUG Starting external process >2013-12-13T13:17:17Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:17:17Z DEBUG Process finished, return code=0 >2013-12-13T13:17:17Z DEBUG stdout=active > >2013-12-13T13:17:17Z DEBUG stderr= >2013-12-13T13:17:17Z DEBUG Starting external process >2013-12-13T13:17:17Z DEBUG args=/bin/systemctl disable pki-tomcatd.target >2013-12-13T13:17:17Z DEBUG Process finished, return code=0 >2013-12-13T13:17:17Z DEBUG stdout= >2013-12-13T13:17:17Z DEBUG stderr= >2013-12-13T13:17:17Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:17:17Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x32df908> >2013-12-13T13:17:18Z DEBUG Ensuring that service pki_tomcatd@pki-tomcat is not running while the next set of commands is being executed. >2013-12-13T13:17:18Z DEBUG Starting external process >2013-12-13T13:17:18Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service >2013-12-13T13:17:18Z DEBUG Process finished, return code=0 >2013-12-13T13:17:18Z DEBUG stdout=active > >2013-12-13T13:17:18Z DEBUG stderr= >2013-12-13T13:17:18Z DEBUG Stopping pki_tomcatd@pki-tomcat. >2013-12-13T13:17:18Z DEBUG Starting external process >2013-12-13T13:17:18Z DEBUG args=/bin/systemctl stop pki-tomcatd@pki-tomcat.service >2013-12-13T13:17:19Z DEBUG Process finished, return code=0 >2013-12-13T13:17:19Z DEBUG stdout= >2013-12-13T13:17:19Z DEBUG stderr= >2013-12-13T13:17:19Z DEBUG Starting pki_tomcatd@pki-tomcat. 
>2013-12-13T13:17:19Z DEBUG Starting external process >2013-12-13T13:17:19Z DEBUG args=/bin/systemctl start pki-tomcatd@pki-tomcat.service >2013-12-13T13:17:19Z DEBUG Process finished, return code=0 >2013-12-13T13:17:19Z DEBUG stdout= >2013-12-13T13:17:19Z DEBUG stderr= >2013-12-13T13:17:19Z DEBUG Starting external process >2013-12-13T13:17:19Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service >2013-12-13T13:17:19Z DEBUG Process finished, return code=0 >2013-12-13T13:17:19Z DEBUG stdout=active > >2013-12-13T13:17:19Z DEBUG stderr= >2013-12-13T13:17:19Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 120 >2013-12-13T13:17:22Z DEBUG The httpd proxy is not installed, wait on local port >2013-12-13T13:17:22Z DEBUG Waiting until the CA is running >2013-12-13T13:17:22Z DEBUG request 'https://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443/ca/admin/ca/getStatus' >2013-12-13T13:17:22Z DEBUG request body '' >2013-12-13T13:17:36Z DEBUG request status 200 >2013-12-13T13:17:36Z DEBUG request reason_phrase u'OK' >2013-12-13T13:17:36Z DEBUG request headers {'date': 'Fri, 13 Dec 2013 13:17:36 GMT', 'content-length': '168', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} >2013-12-13T13:17:36Z DEBUG request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.1.0-1.fc20</Version></XMLResponse>' >2013-12-13T13:17:36Z DEBUG The CA status is: running >2013-12-13T13:17:36Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:17:36Z DEBUG Starting external process >2013-12-13T13:17:36Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L -n DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a >2013-12-13T13:17:36Z DEBUG Process finished, return code=0 >2013-12-13T13:17:36Z DEBUG stdout=-----BEGIN CERTIFICATE----- 
>-----END CERTIFICATE----- > >2013-12-13T13:17:36Z DEBUG stderr= >2013-12-13T13:17:36Z DEBUG Starting external process >2013-12-13T13:17:36Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpqdgllm -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpg5etEE >2013-12-13T13:17:36Z DEBUG Process finished, return code=0 >2013-12-13T13:17:36Z DEBUG stdout=add objectClass: > nsContainer > pkiCA >add cn: > CAcert >add cACertificate;binary: > NOT ASCII (1010 bytes) >adding new entry
"cn=CAcert,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:17:36Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:17:36Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:17:36Z DEBUG Starting external process >2013-12-13T13:17:36Z DEBUG args=keyctl get_persistent @s 0 >2013-12-13T13:17:36Z DEBUG Process finished, return code=0 >2013-12-13T13:17:36Z DEBUG stdout=946187946 > >2013-12-13T13:17:36Z DEBUG stderr= >2013-12-13T13:17:36Z DEBUG Enabling persistent keyring CCACHE >2013-12-13T13:17:36Z DEBUG Starting external process >2013-12-13T13:17:36Z DEBUG args=/bin/systemctl is-active krb5kdc.service >2013-12-13T13:17:36Z DEBUG Process finished, return code=3 >2013-12-13T13:17:36Z DEBUG stdout=unknown > >2013-12-13T13:17:36Z DEBUG stderr= >2013-12-13T13:17:36Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:17:36Z DEBUG Starting external process >2013-12-13T13:17:36Z DEBUG args=/bin/systemctl stop krb5kdc.service >2013-12-13T13:17:36Z DEBUG Process finished, return code=0 >2013-12-13T13:17:36Z DEBUG stdout= >2013-12-13T13:17:36Z DEBUG stderr= >2013-12-13T13:17:36Z DEBUG Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds >2013-12-13T13:17:36Z DEBUG [1/10]: adding sasl mappings to the directory >2013-12-13T13:17:36Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:17:36Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3dbeea8> >2013-12-13T13:17:37Z DEBUG duration: 0 seconds >2013-12-13T13:17:37Z DEBUG [2/10]: adding kerberos container to the directory >2013-12-13T13:17:37Z DEBUG Starting external process >2013-12-13T13:17:37Z DEBUG 
args=/usr/bin/ldapmodify -v -f /tmp/tmpwsrmOq -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -x -D cn=Directory Manager -y /tmp/tmp0cRpbC >2013-12-13T13:17:37Z DEBUG Process finished, return code=0 >2013-12-13T13:17:37Z DEBUG stdout=add objectClass: > krbContainer > top >add cn: > kerberos >adding new entry "cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add cn: > DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >add objectClass: > top > krbrealmcontainer > krbticketpolicyaux >add krbSubTrees: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add krbSearchScope: > 2 >add krbSupportedEncSaltTypes: > aes256-cts:normal > aes256-cts:special > aes128-cts:normal > aes128-cts:special > des3-hmac-sha1:normal > des3-hmac-sha1:special > arcfour-hmac:normal > arcfour-hmac:special > camellia128-cts-cmac:normal > camellia128-cts-cmac:special > camellia256-cts-cmac:normal > camellia256-cts-cmac:special >add krbMaxTicketLife: > 86400 >add krbMaxRenewableAge: > 604800 >add krbDefaultEncSaltTypes: > aes256-cts:special > aes128-cts:special > des3-hmac-sha1:special > arcfour-hmac:special >adding new entry "cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > nsContainer > krbPwdPolicy >add krbMinPwdLife: > 3600 >add krbPwdMinDiffChars: > 0 >add krbPwdMinLength: > 8 >add krbPwdHistoryLength: > 0 >add krbMaxPwdLife: > 7776000 >add krbPwdMaxFailure: > 6 >add krbPwdFailureCountInterval: > 60 >add krbPwdLockoutDuration: > 600 >adding new entry "cn=global_policy,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:17:37Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) > 
>2013-12-13T13:17:37Z DEBUG duration: 0 seconds >2013-12-13T13:17:37Z DEBUG [3/10]: configuring KDC >2013-12-13T13:17:37Z DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/kdc.conf' >2013-12-13T13:17:37Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:17:37Z DEBUG Backing up system configuration file '/etc/krb5.conf' >2013-12-13T13:17:37Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:17:37Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb5.ini' >2013-12-13T13:17:37Z DEBUG -> Not backing up - '/usr/share/ipa/html/krb5.ini' doesn't exist >2013-12-13T13:17:37Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb.con' >2013-12-13T13:17:37Z DEBUG -> Not backing up - '/usr/share/ipa/html/krb.con' doesn't exist >2013-12-13T13:17:37Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krbrealm.con' >2013-12-13T13:17:37Z DEBUG -> Not backing up - '/usr/share/ipa/html/krbrealm.con' doesn't exist >2013-12-13T13:17:37Z DEBUG Starting external process >2013-12-13T13:17:37Z DEBUG args=klist -V >2013-12-13T13:17:37Z DEBUG Process finished, return code=0 >2013-12-13T13:17:37Z DEBUG stdout=Kerberos 5 version 1.11.3 > >2013-12-13T13:17:37Z DEBUG stderr= >2013-12-13T13:17:37Z DEBUG Backing up system configuration file '/etc/sysconfig/krb5kdc' >2013-12-13T13:17:37Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:17:37Z DEBUG Starting external process >2013-12-13T13:17:37Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:17:37Z DEBUG Process finished, return code=0 >2013-12-13T13:17:37Z DEBUG stdout= >2013-12-13T13:17:37Z DEBUG stderr= >2013-12-13T13:17:37Z DEBUG Starting external process >2013-12-13T13:17:37Z DEBUG args=/usr/sbin/restorecon /etc/sysconfig/krb5kdc >2013-12-13T13:17:37Z DEBUG Process finished, return code=0 >2013-12-13T13:17:37Z DEBUG stdout= >2013-12-13T13:17:37Z DEBUG stderr= 
>2013-12-13T13:17:37Z DEBUG duration: 0 seconds >2013-12-13T13:17:37Z DEBUG [4/10]: initialize kerberos container >2013-12-13T13:17:37Z DEBUG Starting external process >2013-12-13T13:17:37Z DEBUG args=kdb5_util create -s -r DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:19:34Z DEBUG Process finished, return code=0 >2013-12-13T13:19:34Z DEBUG stdout=Loading random data >Initializing database '/var/kerberos/krb5kdc/principal' for realm 'DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM', >master key name 'K/M@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM' >You will be prompted for the database Master Password. >It is important that you NOT FORGET this password. >Enter KDC database master key: >Re-enter KDC database master key to verify: > >2013-12-13T13:19:34Z DEBUG stderr= >2013-12-13T13:19:34Z DEBUG duration: 116 seconds >2013-12-13T13:19:34Z DEBUG [5/10]: adding default ACIs >2013-12-13T13:19:34Z DEBUG Starting external process >2013-12-13T13:19:34Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmp8ykjuN -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -x -D cn=Directory Manager -y /tmp/tmpRLU_72 >2013-12-13T13:19:34Z DEBUG Process finished, return code=0 >2013-12-13T13:19:34Z DEBUG stdout=add aci: > (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) > (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) > 
(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) > (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell 
|| gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) > (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetfilter = "(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry 
"cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage service Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) >modifying entry "cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) > (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";) >modifying entry "cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) > (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) >modifying entry "cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";) >modifying entry "cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) >modifying entry "cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) >modifying entry "cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = 
"ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) > (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";) > (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:19:34Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) > >2013-12-13T13:19:34Z DEBUG duration: 0 seconds >2013-12-13T13:19:34Z DEBUG [6/10]: creating a keytab for the directory >2013-12-13T13:19:34Z DEBUG Starting external process >2013-12-13T13:19:34Z DEBUG args=kadmin.local -q addprinc -randkey ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:19:34Z DEBUG Process finished, return code=0 >2013-12-13T13:19:34Z DEBUG stdout=Authenticating as principal 
root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Principal "ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" created. > >2013-12-13T13:19:34Z DEBUG stderr=WARNING: no policy specified for ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM; defaulting to no policy > >2013-12-13T13:19:34Z DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab' >2013-12-13T13:19:34Z DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist >2013-12-13T13:19:34Z DEBUG Starting external process >2013-12-13T13:19:34Z DEBUG args=kadmin.local -q ktadd -k /etc/dirsrv/ds.keytab ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:19:36Z DEBUG Process finished, return code=0 >2013-12-13T13:19:36Z DEBUG stdout=Authenticating as principal root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Entry for principal ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/dirsrv/ds.keytab. >Entry for principal ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/dirsrv/ds.keytab. >Entry for principal ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/dirsrv/ds.keytab. >Entry for principal ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/dirsrv/ds.keytab. 
> >2013-12-13T13:19:36Z DEBUG stderr= >2013-12-13T13:19:36Z DEBUG duration: 1 seconds >2013-12-13T13:19:36Z DEBUG [7/10]: creating a keytab for the machine >2013-12-13T13:19:36Z DEBUG Starting external process >2013-12-13T13:19:36Z DEBUG args=kadmin.local -q addprinc -randkey host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:19:36Z DEBUG Process finished, return code=0 >2013-12-13T13:19:36Z DEBUG stdout=Authenticating as principal root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Principal "host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" created. > >2013-12-13T13:19:36Z DEBUG stderr=WARNING: no policy specified for host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM; defaulting to no policy > >2013-12-13T13:19:36Z DEBUG Backing up system configuration file '/etc/krb5.keytab' >2013-12-13T13:19:36Z DEBUG -> Not backing up - '/etc/krb5.keytab' doesn't exist >2013-12-13T13:19:36Z DEBUG Starting external process >2013-12-13T13:19:36Z DEBUG args=kadmin.local -q ktadd -k /etc/krb5.keytab host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:19:36Z DEBUG Process finished, return code=0 >2013-12-13T13:19:36Z DEBUG stdout=Authenticating as principal root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Entry for principal host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. >Entry for principal host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. 
>Entry for principal host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab. >Entry for principal host/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab. > >2013-12-13T13:19:36Z DEBUG stderr= >2013-12-13T13:19:36Z DEBUG duration: 0 seconds >2013-12-13T13:19:36Z DEBUG [8/10]: adding the password extension to the directory >2013-12-13T13:19:36Z DEBUG Starting external process >2013-12-13T13:19:36Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmp08fVUr -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -x -D cn=Directory Manager -y /tmp/tmpSJSBl3 >2013-12-13T13:19:36Z DEBUG Process finished, return code=0 >2013-12-13T13:19:36Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > ipa_pwd_extop >add nsslapd-pluginpath: > libipa_pwd_extop >add nsslapd-plugininitfunc: > ipapwd_init >add nsslapd-plugintype: > extendedop >add nsslapd-pluginbetxn: > on >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipa_pwd_extop >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > RedHat >add nsslapd-plugindescription: > Support saving passwords in multiple formats for different consumers (krb5, samba, freeradius, etc.) 
>add nsslapd-plugin-depends-on-type: > database >add nsslapd-realmTree: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=ipa_pwd_extop,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:19:36Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) > >2013-12-13T13:19:36Z DEBUG duration: 0 seconds >2013-12-13T13:19:36Z DEBUG [9/10]: starting the KDC >2013-12-13T13:19:36Z DEBUG Starting external process >2013-12-13T13:19:36Z DEBUG args=/bin/systemctl start krb5kdc.service >2013-12-13T13:19:36Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout= >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl is-active krb5kdc.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout=active > >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG duration: 0 seconds >2013-12-13T13:19:37Z DEBUG [10/10]: configuring KDC to start on boot >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl is-enabled krb5kdc.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=1 >2013-12-13T13:19:37Z DEBUG stdout=disabled > >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl disable krb5kdc.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout= >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG duration: 0 seconds >2013-12-13T13:19:37Z DEBUG Done configuring Kerberos KDC (krb5kdc). 
>2013-12-13T13:19:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:37Z DEBUG Configuring kadmin >2013-12-13T13:19:37Z DEBUG [1/2]: starting kadmin >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl is-active kadmin.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=3 >2013-12-13T13:19:37Z DEBUG stdout=unknown > >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl restart kadmin.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout= >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl is-active kadmin.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout=active > >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG duration: 0 seconds >2013-12-13T13:19:37Z DEBUG [2/2]: configuring kadmin to start on boot >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl enable kadmin.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout= >2013-12-13T13:19:37Z DEBUG stderr=ln -s '/usr/lib/systemd/system/kadmin.service' '/etc/systemd/system/multi-user.target.wants/kadmin.service' > >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z DEBUG args=/bin/systemctl is-enabled kadmin.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout=enabled > >2013-12-13T13:19:37Z DEBUG stderr= >2013-12-13T13:19:37Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:37Z DEBUG Starting external process >2013-12-13T13:19:37Z 
DEBUG args=/bin/systemctl disable kadmin.service >2013-12-13T13:19:37Z DEBUG Process finished, return code=0 >2013-12-13T13:19:37Z DEBUG stdout= >2013-12-13T13:19:37Z DEBUG stderr=rm '/etc/systemd/system/multi-user.target.wants/kadmin.service' > >2013-12-13T13:19:37Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:19:37Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x32d9ea8> >2013-12-13T13:19:38Z DEBUG duration: 0 seconds >2013-12-13T13:19:38Z DEBUG Done configuring kadmin. >2013-12-13T13:19:38Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:19:38Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x1f74680> >2013-12-13T13:19:38Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:38Z DEBUG Configuring ipa_memcached >2013-12-13T13:19:38Z DEBUG [1/2]: starting ipa_memcached >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl is-active ipa_memcached.service >2013-12-13T13:19:38Z DEBUG Process finished, return code=3 >2013-12-13T13:19:38Z DEBUG stdout=unknown > >2013-12-13T13:19:38Z DEBUG stderr= >2013-12-13T13:19:38Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl restart ipa_memcached.service >2013-12-13T13:19:38Z DEBUG Process finished, return code=0 >2013-12-13T13:19:38Z DEBUG stdout= >2013-12-13T13:19:38Z DEBUG stderr= >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl is-active ipa_memcached.service >2013-12-13T13:19:38Z DEBUG 
Process finished, return code=0 >2013-12-13T13:19:38Z DEBUG stdout=active > >2013-12-13T13:19:38Z DEBUG stderr= >2013-12-13T13:19:38Z DEBUG duration: 0 seconds >2013-12-13T13:19:38Z DEBUG [2/2]: configuring ipa_memcached to start on boot >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl enable ipa_memcached.service >2013-12-13T13:19:38Z DEBUG Process finished, return code=0 >2013-12-13T13:19:38Z DEBUG stdout= >2013-12-13T13:19:38Z DEBUG stderr=ln -s '/usr/lib/systemd/system/ipa_memcached.service' '/etc/systemd/system/multi-user.target.wants/ipa_memcached.service' > >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl is-enabled ipa_memcached.service >2013-12-13T13:19:38Z DEBUG Process finished, return code=0 >2013-12-13T13:19:38Z DEBUG stdout=enabled > >2013-12-13T13:19:38Z DEBUG stderr= >2013-12-13T13:19:38Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl disable ipa_memcached.service >2013-12-13T13:19:38Z DEBUG Process finished, return code=0 >2013-12-13T13:19:38Z DEBUG stdout= >2013-12-13T13:19:38Z DEBUG stderr=rm '/etc/systemd/system/multi-user.target.wants/ipa_memcached.service' > >2013-12-13T13:19:38Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:19:38Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x32d8fc8> >2013-12-13T13:19:38Z DEBUG duration: 0 seconds >2013-12-13T13:19:38Z DEBUG Done configuring ipa_memcached. 
>2013-12-13T13:19:38Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:38Z DEBUG Configuring ipa-otpd >2013-12-13T13:19:38Z DEBUG [1/2]: starting ipa-otpd >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl is-active ipa-otpd.socket >2013-12-13T13:19:38Z DEBUG Process finished, return code=3 >2013-12-13T13:19:38Z DEBUG stdout=unknown > >2013-12-13T13:19:38Z DEBUG stderr= >2013-12-13T13:19:38Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl restart ipa-otpd.socket >2013-12-13T13:19:38Z DEBUG Process finished, return code=0 >2013-12-13T13:19:38Z DEBUG stdout= >2013-12-13T13:19:38Z DEBUG stderr= >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl is-active ipa-otpd.socket >2013-12-13T13:19:38Z DEBUG Process finished, return code=0 >2013-12-13T13:19:38Z DEBUG stdout=active > >2013-12-13T13:19:38Z DEBUG stderr= >2013-12-13T13:19:38Z DEBUG duration: 0 seconds >2013-12-13T13:19:38Z DEBUG [2/2]: configuring ipa-otpd to start on boot >2013-12-13T13:19:38Z DEBUG Starting external process >2013-12-13T13:19:38Z DEBUG args=/bin/systemctl enable ipa-otpd.socket >2013-12-13T13:19:39Z DEBUG Process finished, return code=0 >2013-12-13T13:19:39Z DEBUG stdout= >2013-12-13T13:19:39Z DEBUG stderr=ln -s '/usr/lib/systemd/system/ipa-otpd.socket' '/etc/systemd/system/krb5kdc.service.wants/ipa-otpd.socket' > >2013-12-13T13:19:39Z DEBUG Starting external process >2013-12-13T13:19:39Z DEBUG args=/bin/systemctl is-enabled ipa-otpd.socket >2013-12-13T13:19:39Z DEBUG Process finished, return code=0 >2013-12-13T13:19:39Z DEBUG stdout=enabled > >2013-12-13T13:19:39Z DEBUG stderr= >2013-12-13T13:19:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:39Z DEBUG Starting external process 
>2013-12-13T13:19:39Z DEBUG args=/bin/systemctl disable ipa-otpd.socket >2013-12-13T13:19:39Z DEBUG Process finished, return code=0 >2013-12-13T13:19:39Z DEBUG stdout= >2013-12-13T13:19:39Z DEBUG stderr=rm '/etc/systemd/system/krb5kdc.service.wants/ipa-otpd.socket' > >2013-12-13T13:19:39Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:19:39Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x42aca70> >2013-12-13T13:19:39Z DEBUG duration: 0 seconds >2013-12-13T13:19:39Z DEBUG Done configuring ipa-otpd. >2013-12-13T13:19:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:19:39Z DEBUG Configuring the web interface (httpd): Estimated time 1 minute >2013-12-13T13:19:39Z DEBUG [1/14]: setting mod_nss port to 443 >2013-12-13T13:19:39Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/nss.conf' >2013-12-13T13:19:39Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:19:39Z DEBUG duration: 0 seconds >2013-12-13T13:19:39Z DEBUG [2/14]: setting mod_nss password file >2013-12-13T13:19:39Z DEBUG duration: 0 seconds >2013-12-13T13:19:39Z DEBUG [3/14]: enabling mod_nss renegotiate >2013-12-13T13:19:39Z DEBUG duration: 0 seconds >2013-12-13T13:19:39Z DEBUG [4/14]: adding URL rewriting rules >2013-12-13T13:19:39Z DEBUG duration: 0 seconds >2013-12-13T13:19:39Z DEBUG [5/14]: configuring httpd >2013-12-13T13:19:39Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa.conf' >2013-12-13T13:19:39Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist >2013-12-13T13:19:39Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf' >2013-12-13T13:19:39Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist >2013-12-13T13:19:39Z DEBUG duration: 0 seconds 
>2013-12-13T13:19:39Z DEBUG [6/14]: setting up ssl >2013-12-13T13:19:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:19:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:19:39Z DEBUG Starting external process >2013-12-13T13:19:39Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -R -s CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -o /var/lib/ipa/ipa-j8oEeH/tmpcertreq -k rsa -g 2048 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt -a >2013-12-13T13:19:40Z DEBUG Process finished, return code=0 >2013-12-13T13:19:40Z DEBUG stdout= >2013-12-13T13:19:40Z DEBUG stderr= > >Generating key. This may take a few moments... > > >2013-12-13T13:19:40Z DEBUG request 'https://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient' >2013-12-13T13:19:40Z DEBUG request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=&cert_request_type=pkcs10&xmlOutput=true' >2013-12-13T13:19:40Z DEBUG NSSConnection init vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:19:40Z DEBUG Connecting: 10.34.47.227:0
>2013-12-13T13:19:40Z DEBUG auth_certificate_callback: check_sig=True is_server=False >Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Validity: > Not Before: Fri Dec 13 13:16:04 2013 UTC > Not After: Thu Dec 03 13:16:04 2015 UTC > Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Subject Public Key Info: > Public Key Algorithm: > Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: > 65537 (0x10001) > Signed Extensions: (4) > Name: Certificate Authority Key Identifier > Critical: False > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > Serial Number: None > General Names: [0 total] > > Name: Authority Information Access >
Critical: False > Authority Information Access: [1 total] > Info [1]: > Method: PKIX Online Certificate Status Protocol > Location: URI: http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp > > Name: Certificate Key Usage > Critical: True > Usages: > Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > Critical: False > Usages: > TLS Web Server Authentication Certificate > > Signature: > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 28:59:be:ba:d9:e0:6d:58:9e:e0:da:44:7b:06:ad:93 > Fingerprint (SHA1): > 3a:81:c2:72:67:a7:4b:98:1d:7b:39:30:58:44:47:14: > 9c:84:a2:9a >2013-12-13T13:19:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server >2013-12-13T13:19:40Z DEBUG cert valid True for "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" >2013-12-13T13:19:40Z DEBUG handshake complete, peer = 10.34.47.227:8443 >2013-12-13T13:19:40Z DEBUG auth_certificate_callback: check_sig=True is_server=False >Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: > Algorithm: 
PKCS #1 SHA-256 With RSA Encryption > Issuer: CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Validity: > Not Before: Fri Dec 13 13:16:04 2013 UTC > Not After: Thu Dec 03 13:16:04 2015 UTC > Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Subject Public Key Info: > Public Key Algorithm: > Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: > 65537 (0x10001) > Signed Extensions: (4) > Name: Certificate Authority Key Identifier > Critical: False > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > Serial Number: None > General Names: [0 total] > > Name: Authority Information Access > Critical: False > Authority Information Access: [1 total] > Info [1]: > Method: PKIX Online Certificate Status Protocol > Location: URI: http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp > > Name: Certificate Key Usage > Critical: True > Usages: > Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > Critical: False > Usages: > TLS Web Server Authentication Certificate > > Signature: > 
Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 28:59:be:ba:d9:e0:6d:58:9e:e0:da:44:7b:06:ad:93 > Fingerprint (SHA1): > 3a:81:c2:72:67:a7:4b:98:1d:7b:39:30:58:44:47:14: > 9c:84:a2:9a >2013-12-13T13:19:40Z DEBUG approved_usage = SSL Server intended_usage = SSL Server >2013-12-13T13:19:40Z DEBUG cert valid True for "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" >2013-12-13T13:19:40Z DEBUG handshake complete, peer = 10.34.47.227:8443 >2013-12-13T13:19:40Z DEBUG request status 200 >2013-12-13T13:19:40Z DEBUG request reason_phrase u'OK' >2013-12-13T13:19:40Z DEBUG request headers {'date': 'Fri, 13 Dec 2013 13:19:40 GMT', 'content-length': '1916', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} >2013-12-13T13:19:40Z DEBUG request body '<?xml version="1.0" encoding="UTF-8" 
standalone="no"?><XMLResponse><Status>0</Status><Requests><Request><Id>9</Id><SubjectDN>CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM</SubjectDN><serialno>9</serialno><b64></b64></Request></Requests></XMLResponse>' >2013-12-13T13:19:40Z DEBUG Starting external process >2013-12-13T13:19:40Z DEBUG args=/usr/bin/certutil -d 
/etc/httpd/alias -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-j8oEeH/tmpcert.der -f /etc/httpd/alias/pwdfile.txt >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout= >2013-12-13T13:19:41Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. > >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/bin/systemctl enable certmonger.service >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout= >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/bin/systemctl start messagebus.service >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout= >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/bin/systemctl is-active messagebus.service >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout=active > >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/bin/systemctl start certmonger.service >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout= >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/bin/systemctl is-active certmonger.service >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout=active > >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/usr/bin/certutil -L -d /etc/httpd/alias -n Server-Cert >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout=Certificate: > Data: > Version: 3 (0x2) > Serial Number: 9 (0x9) > Signature Algorithm: PKCS #1 SHA-256 With RSA 
Encryption > Issuer: "CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ. > REDHAT.COM" > Validity: > Not Before: Fri Dec 13 13:19:40 2013 > Not After : Mon Dec 14 13:19:40 2015 > Subject: "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM > 227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: 65537 (0x10001) > Signed Extensions: > Name: Certificate Authority Key Identifier > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > > Name: Authority Information Access > Method: PKIX Online Certificate Status Protocol > Location: > URI: "http://ipa-ca.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om/ca/ocsp" > > Name: Certificate Key Usage > Critical: True > Usages: Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > TLS Web Server Authentication Certificate > TLS Web Client Authentication Certificate > > Name: CRL Distribution Points > Distribution point: > URI: "http://ipa-ca.dom227.jenkinsad.idm.lab.eng.brq.redhat.c > om/ipa/crl/MasterCRL.bin" > CRL issuer: > Directory Name: 
"CN=Certificate Authority,O=ipaca" > > Name: Certificate Subject Key ID > Data: > 66:6d:a1:33:eb:68:66:ef:8b:e9:f1:65:fb:3a:ed:83: > 4c:bf:b0:5e > > Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 03:81:10:47:C0:0A:21:48:AC:E4:0A:60:D0:0A:6C:7D > Fingerprint (SHA1): > 98:21:0D:1D:AD:69:E0:91:08:5D:94:23:9A:B0:D6:3C:0D:CA:E7:EE > > Certificate Trust Flags: > SSL Flags: > User > Email Flags: > User > Object Signing Flags: > User > > >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/usr/bin/ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout=New tracking request "20131213131941" added. 
> >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/bin/systemctl stop certmonger.service >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout= >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:19:41Z DEBUG Starting external process >2013-12-13T13:19:41Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n Server-Cert -a >2013-12-13T13:19:41Z DEBUG Process finished, return code=0 >2013-12-13T13:19:41Z DEBUG stdout= > >2013-12-13T13:19:41Z DEBUG stderr= >2013-12-13T13:20:05Z DEBUG Starting external process >2013-12-13T13:20:05Z DEBUG args=/bin/systemctl start certmonger.service >2013-12-13T13:20:05Z DEBUG Process finished, return code=0 >2013-12-13T13:20:05Z DEBUG stdout= >2013-12-13T13:20:05Z DEBUG stderr= >2013-12-13T13:20:05Z DEBUG Starting external process >2013-12-13T13:20:05Z DEBUG args=/bin/systemctl is-active certmonger.service >2013-12-13T13:20:05Z DEBUG Process finished, return code=0 >2013-12-13T13:20:05Z DEBUG stdout=active > >2013-12-13T13:20:05Z DEBUG stderr= >2013-12-13T13:20:05Z DEBUG Starting external process >2013-12-13T13:20:05Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -R -s CN=Object Signing Cert,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -o /var/lib/ipa/ipa-j8oEeH/tmpcertreq -k rsa -g 2048 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt -a >2013-12-13T13:20:06Z DEBUG Process finished, return code=0 >2013-12-13T13:20:06Z DEBUG stdout= >2013-12-13T13:20:06Z DEBUG stderr= > >Generating key. This may take a few moments... 
> > >2013-12-13T13:20:06Z DEBUG request 'https://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient' >2013-12-13T13:20:06Z DEBUG request body 'profileId=caJarSigningCert&requestor_name=IPA+Installer&cert_request=&cert_request_type=pkcs10&xmlOutput=true' >2013-12-13T13:20:06Z DEBUG NSSConnection init vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:20:06Z DEBUG Connecting: 10.34.47.227:0 >2013-12-13T13:20:06Z DEBUG auth_certificate_callback: check_sig=True is_server=False >Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Validity: > Not Before: Fri Dec 13 13:16:04 2013 UTC > Not After: Thu Dec 03 13:16:04 2015 UTC > Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Subject Public Key Info: > Public Key Algorithm: 
> Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: > 65537 (0x10001) > Signed Extensions: (4) > Name: Certificate Authority Key Identifier > Critical: False > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > Serial Number: None > General Names: [0 total] > > Name: Authority Information Access > Critical: False > Authority Information Access: [1 total] > Info [1]: > Method: PKIX Online Certificate Status Protocol > Location: URI: http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp > > Name: Certificate Key Usage > Critical: True > Usages: > Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > Critical: False > Usages: > TLS Web Server Authentication Certificate > > Signature: > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 28:59:be:ba:d9:e0:6d:58:9e:e0:da:44:7b:06:ad:93 > Fingerprint (SHA1): > 3a:81:c2:72:67:a7:4b:98:1d:7b:39:30:58:44:47:14: > 9c:84:a2:9a
>2013-12-13T13:20:06Z DEBUG approved_usage = SSL Server intended_usage = SSL Server >2013-12-13T13:20:06Z DEBUG cert valid True for "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" >2013-12-13T13:20:06Z DEBUG handshake complete, peer = 10.34.47.227:8443 >2013-12-13T13:20:06Z DEBUG auth_certificate_callback: check_sig=True is_server=False >Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Issuer: CN=Certificate Authority,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Validity: > Not Before: Fri Dec 13 13:16:04 2013 UTC > Not After: Thu Dec 03 13:16:04 2015 UTC > Subject: CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM > Subject Public Key Info: > Public Key Algorithm: > Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > Exponent: > 65537 (0x10001) > Signed Extensions: (4) > Name: Certificate Authority Key Identifier > Critical: False > Key ID: > 67:52:cc:0a:9d:80:c4:cd:c7:de:4e:cf:c5:00:79:8f: > ff:84:4d:12 > Serial Number: None > General Names: [0 total] > > Name: Authority Information Access > Critical: False > Authority Information Access: [1 total] > Info [1]: > Method: PKIX Online Certificate Status Protocol > Location: URI: http://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:80/ca/ocsp > > Name: Certificate Key Usage > Critical: True > Usages: > Digital Signature > Non-Repudiation > Key Encipherment > Data Encipherment > > Name: Extended Key Usage > Critical: False > Usages: > TLS Web Server Authentication Certificate > > Signature: > Signature Algorithm: > Algorithm: PKCS #1 SHA-256 With RSA Encryption > Signature: > Fingerprint (MD5): > 28:59:be:ba:d9:e0:6d:58:9e:e0:da:44:7b:06:ad:93 > Fingerprint (SHA1): > 3a:81:c2:72:67:a7:4b:98:1d:7b:39:30:58:44:47:14: > 9c:84:a2:9a
>2013-12-13T13:20:06Z DEBUG approved_usage = SSL Server intended_usage = SSL Server >2013-12-13T13:20:06Z DEBUG cert valid True for "CN=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" >2013-12-13T13:20:06Z DEBUG handshake complete, peer = 10.34.47.227:8443 >2013-12-13T13:20:07Z DEBUG request status 200 >2013-12-13T13:20:07Z DEBUG request reason_phrase u'OK' >2013-12-13T13:20:07Z DEBUG request headers {'date': 'Fri, 13 Dec 2013 13:20:07 GMT', 'content-length': '1402', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'} >2013-12-13T13:20:07Z DEBUG request body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><Requests><Request><Id>10</Id><SubjectDN>CN=Object Signing Cert,O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM</SubjectDN><serialno>a</serialno><b64></b64></Request></Requests></XMLResponse>' >2013-12-13T13:20:07Z DEBUG Starting external process >2013-12-13T13:20:07Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -A -n Signing-Cert -t u,u,u -i /var/lib/ipa/ipa-j8oEeH/tmpcert.der -f /etc/httpd/alias/pwdfile.txt >2013-12-13T13:20:07Z DEBUG Process finished, return code=0 >2013-12-13T13:20:07Z DEBUG stdout= >2013-12-13T13:20:07Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. 
> >2013-12-13T13:20:07Z DEBUG Starting external process >2013-12-13T13:20:07Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:20:07Z DEBUG Process finished, return code=0 >2013-12-13T13:20:07Z DEBUG stdout= >2013-12-13T13:20:07Z DEBUG stderr= >2013-12-13T13:20:07Z DEBUG Starting external process >2013-12-13T13:20:07Z DEBUG args=/usr/sbin/restorecon /etc/httpd/alias/cert8.db >2013-12-13T13:20:07Z DEBUG Process finished, return code=0 >2013-12-13T13:20:07Z DEBUG stdout= >2013-12-13T13:20:07Z DEBUG stderr= >2013-12-13T13:20:07Z DEBUG Starting external process >2013-12-13T13:20:07Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:20:07Z DEBUG Process finished, return code=0 >2013-12-13T13:20:07Z DEBUG stdout= >2013-12-13T13:20:07Z DEBUG stderr= >2013-12-13T13:20:07Z DEBUG Starting external process >2013-12-13T13:20:07Z DEBUG args=/usr/sbin/restorecon /etc/httpd/alias/key3.db >2013-12-13T13:20:07Z DEBUG Process finished, return code=0 >2013-12-13T13:20:07Z DEBUG stdout= >2013-12-13T13:20:07Z DEBUG stderr= >2013-12-13T13:20:07Z DEBUG duration: 28 seconds >2013-12-13T13:20:07Z DEBUG [7/14]: setting up browser autoconfig >2013-12-13T13:20:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:20:07Z DEBUG Starting external process >2013-12-13T13:20:07Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L >2013-12-13T13:20:08Z DEBUG Process finished, return code=0 >2013-12-13T13:20:08Z DEBUG stdout= >Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > >DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA CT,C,C >ipaCert u,u,u >Server-Cert u,u,u >Signing-Cert u,u,u > >2013-12-13T13:20:08Z DEBUG stderr= >2013-12-13T13:20:08Z DEBUG Starting external process >2013-12-13T13:20:08Z DEBUG args=/usr/bin/signtool -d /etc/httpd/alias -p f5b182ea1c5443fae42e -k Signing-Cert -Z /usr/share/ipa/html/configure.jar -e .html -p f5b182ea1c5443fae42e /tmp/tmp-KbAG04 >2013-12-13T13:20:08Z DEBUG Process finished, return code=0 
>2013-12-13T13:20:08Z DEBUG stdout=Generating /tmp/tmp-KbAG04/META-INF/manifest.mf file.. >--> preferences.html >adding /tmp/tmp-KbAG04/preferences.html to /usr/share/ipa/html/configure.jar...(deflated 57%) >Generating zigbert.sf file.. >adding /tmp/tmp-KbAG04/META-INF/manifest.mf to /usr/share/ipa/html/configure.jar...(deflated 16%) >adding /tmp/tmp-KbAG04/META-INF/zigbert.sf to /usr/share/ipa/html/configure.jar...(deflated 27%) >adding /tmp/tmp-KbAG04/META-INF/zigbert.rsa to /usr/share/ipa/html/configure.jar...(deflated 15%) >tree "/tmp/tmp-KbAG04" signed successfully > >2013-12-13T13:20:08Z DEBUG stderr=warning: password (-p) option specified more than once. >Only last specification will be used. > >2013-12-13T13:20:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:20:08Z DEBUG Starting external process >2013-12-13T13:20:08Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L >2013-12-13T13:20:08Z DEBUG Process finished, return code=0 >2013-12-13T13:20:08Z DEBUG stdout= >Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > >DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA CT,C,C >ipaCert u,u,u >Server-Cert u,u,u >Signing-Cert u,u,u > >2013-12-13T13:20:08Z DEBUG stderr= >2013-12-13T13:20:08Z DEBUG Starting external process >2013-12-13T13:20:08Z DEBUG args=/usr/bin/signtool -d /etc/httpd/alias -p f5b182ea1c5443fae42e -k Signing-Cert -p f5b182ea1c5443fae42e -X -Z /usr/share/ipa/html/kerberosauth.xpi /tmp/tmp-ET0n_h/ext >2013-12-13T13:20:08Z DEBUG Process finished, return code=0 >2013-12-13T13:20:08Z DEBUG stdout=Generating /tmp/tmp-ET0n_h/ext/META-INF/manifest.mf file.. >--> bootstrap.js >--> locale/en-US/kerberosauth.properties >--> install.rdf >--> chrome.manifest >--> chrome/content/kerberosauth_overlay.xul >--> chrome/content/kerberosauth.js >Generating zigbert.sf file.. 
>Creating XPI Compatible Archive >adding /tmp/tmp-ET0n_h/ext/META-INF/zigbert.rsa to /usr/share/ipa/html/kerberosauth.xpi...(deflated 15%) >--> bootstrap.js >adding /tmp/tmp-ET0n_h/ext/bootstrap.js to /usr/share/ipa/html/kerberosauth.xpi...(deflated 67%) >--> locale/en-US/kerberosauth.properties >adding /tmp/tmp-ET0n_h/ext/locale/en-US/kerberosauth.properties to /usr/share/ipa/html/kerberosauth.xpi...(deflated 36%) >--> install.rdf >adding /tmp/tmp-ET0n_h/ext/install.rdf to /usr/share/ipa/html/kerberosauth.xpi...(deflated 55%) >--> chrome.manifest >adding /tmp/tmp-ET0n_h/ext/chrome.manifest to /usr/share/ipa/html/kerberosauth.xpi...(deflated 51%) >--> chrome/content/kerberosauth_overlay.xul >adding /tmp/tmp-ET0n_h/ext/chrome/content/kerberosauth_overlay.xul to /usr/share/ipa/html/kerberosauth.xpi...(deflated 34%) >--> chrome/content/kerberosauth.js >adding /tmp/tmp-ET0n_h/ext/chrome/content/kerberosauth.js to /usr/share/ipa/html/kerberosauth.xpi...(deflated 65%) >adding /tmp/tmp-ET0n_h/ext/META-INF/manifest.mf to /usr/share/ipa/html/kerberosauth.xpi...(deflated 46%) >adding /tmp/tmp-ET0n_h/ext/META-INF/zigbert.sf to /usr/share/ipa/html/kerberosauth.xpi...(deflated 47%) >tree "/tmp/tmp-ET0n_h/ext" signed successfully > >2013-12-13T13:20:08Z DEBUG stderr=warning: password (-p) option specified more than once. >Only last specification will be used. 
> >2013-12-13T13:20:08Z DEBUG duration: 0 seconds >2013-12-13T13:20:08Z DEBUG [8/14]: publish CA cert >2013-12-13T13:20:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:20:08Z DEBUG duration: 0 seconds >2013-12-13T13:20:08Z DEBUG [9/14]: creating a keytab for httpd >2013-12-13T13:20:08Z DEBUG Starting external process >2013-12-13T13:20:08Z DEBUG args=kadmin.local -q addprinc -randkey HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:20:08Z DEBUG Process finished, return code=0 >2013-12-13T13:20:08Z DEBUG stdout=Authenticating as principal root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Principal "HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" created. > >2013-12-13T13:20:08Z DEBUG stderr=WARNING: no policy specified for HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM; defaulting to no policy > >2013-12-13T13:20:08Z DEBUG Starting external process >2013-12-13T13:20:08Z DEBUG args=kadmin.local -q ktadd -k /etc/httpd/conf/ipa.keytab HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:20:09Z DEBUG Process finished, return code=0 >2013-12-13T13:20:09Z DEBUG stdout=Authenticating as principal root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Entry for principal HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/httpd/conf/ipa.keytab. >Entry for principal HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/httpd/conf/ipa.keytab. 
>Entry for principal HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/httpd/conf/ipa.keytab. >Entry for principal HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/httpd/conf/ipa.keytab. > >2013-12-13T13:20:09Z DEBUG stderr= >2013-12-13T13:20:09Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:20:09Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4527950> >2013-12-13T13:20:09Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:20:09Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3eb23b0> >2013-12-13T13:20:10Z DEBUG duration: 1 seconds >2013-12-13T13:20:10Z DEBUG [10/14]: clean up any existing httpd ccache >2013-12-13T13:20:10Z DEBUG duration: 0 seconds >2013-12-13T13:20:10Z DEBUG [11/14]: configuring SELinux for httpd >2013-12-13T13:20:10Z DEBUG Starting external process >2013-12-13T13:20:10Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:20:10Z DEBUG Process finished, return code=0 >2013-12-13T13:20:10Z DEBUG stdout= >2013-12-13T13:20:10Z DEBUG stderr= >2013-12-13T13:20:10Z DEBUG Starting external process >2013-12-13T13:20:10Z DEBUG args=/usr/sbin/getsebool httpd_can_network_connect >2013-12-13T13:20:10Z DEBUG Process finished, return code=0 >2013-12-13T13:20:10Z DEBUG stdout=httpd_can_network_connect --> off > >2013-12-13T13:20:10Z DEBUG stderr= >2013-12-13T13:20:10Z DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:20:10Z DEBUG Starting external process >2013-12-13T13:20:10Z DEBUG args=/usr/sbin/getsebool httpd_manage_ipa >2013-12-13T13:20:10Z DEBUG Process finished, return code=0 >2013-12-13T13:20:10Z DEBUG stdout=httpd_manage_ipa --> off > >2013-12-13T13:20:10Z DEBUG stderr= >2013-12-13T13:20:10Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:20:10Z DEBUG Starting external process >2013-12-13T13:20:10Z DEBUG args=/usr/sbin/setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on >2013-12-13T13:20:28Z DEBUG Process finished, return code=0 >2013-12-13T13:20:28Z DEBUG stdout= >2013-12-13T13:20:28Z DEBUG stderr= >2013-12-13T13:20:28Z DEBUG duration: 18 seconds >2013-12-13T13:20:28Z DEBUG [12/14]: configure httpd ccache >2013-12-13T13:20:28Z DEBUG Backing up system configuration file '/etc/sysconfig/httpd' >2013-12-13T13:20:28Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:20:28Z DEBUG Starting external process >2013-12-13T13:20:28Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:20:28Z DEBUG Process finished, return code=0 >2013-12-13T13:20:28Z DEBUG stdout= >2013-12-13T13:20:28Z DEBUG stderr= >2013-12-13T13:20:28Z DEBUG Starting external process >2013-12-13T13:20:28Z DEBUG args=/usr/sbin/restorecon /etc/sysconfig/httpd >2013-12-13T13:20:28Z DEBUG Process finished, return code=0 >2013-12-13T13:20:28Z DEBUG stdout= >2013-12-13T13:20:28Z DEBUG stderr= >2013-12-13T13:20:28Z DEBUG duration: 0 seconds >2013-12-13T13:20:28Z DEBUG [13/14]: restarting httpd >2013-12-13T13:20:28Z DEBUG Starting external process >2013-12-13T13:20:28Z DEBUG args=/bin/systemctl is-active httpd.service >2013-12-13T13:20:28Z DEBUG Process finished, return code=3 >2013-12-13T13:20:28Z DEBUG stdout=unknown > >2013-12-13T13:20:28Z DEBUG stderr= >2013-12-13T13:20:28Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:20:28Z DEBUG Starting 
external process >2013-12-13T13:20:28Z DEBUG args=/bin/systemctl restart httpd.service >2013-12-13T13:20:29Z DEBUG Process finished, return code=0 >2013-12-13T13:20:29Z DEBUG stdout= >2013-12-13T13:20:29Z DEBUG stderr= >2013-12-13T13:20:29Z DEBUG Starting external process >2013-12-13T13:20:29Z DEBUG args=/bin/systemctl is-active httpd.service >2013-12-13T13:20:29Z DEBUG Process finished, return code=0 >2013-12-13T13:20:29Z DEBUG stdout=active > >2013-12-13T13:20:29Z DEBUG stderr= >2013-12-13T13:20:29Z DEBUG duration: 0 seconds >2013-12-13T13:20:29Z DEBUG [14/14]: configuring httpd to start on boot >2013-12-13T13:20:29Z DEBUG Starting external process >2013-12-13T13:20:29Z DEBUG args=/bin/systemctl is-active httpd.service >2013-12-13T13:20:29Z DEBUG Process finished, return code=0 >2013-12-13T13:20:29Z DEBUG stdout=active > >2013-12-13T13:20:29Z DEBUG stderr= >2013-12-13T13:20:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:20:29Z DEBUG Starting external process >2013-12-13T13:20:29Z DEBUG args=/bin/systemctl disable httpd.service >2013-12-13T13:20:29Z DEBUG Process finished, return code=0 >2013-12-13T13:20:29Z DEBUG stdout= >2013-12-13T13:20:29Z DEBUG stderr= >2013-12-13T13:20:29Z DEBUG duration: 0 seconds >2013-12-13T13:20:29Z DEBUG Done configuring the web interface (httpd). 
>2013-12-13T13:20:29Z DEBUG Starting external process >2013-12-13T13:20:29Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:20:29Z DEBUG Process finished, return code=0 >2013-12-13T13:20:29Z DEBUG stdout= >2013-12-13T13:20:29Z DEBUG stderr= >2013-12-13T13:20:29Z DEBUG Starting external process >2013-12-13T13:20:29Z DEBUG args=/usr/sbin/restorecon /var/cache/ipa/sessions >2013-12-13T13:20:29Z DEBUG Process finished, return code=255 >2013-12-13T13:20:29Z DEBUG stdout= >2013-12-13T13:20:29Z DEBUG stderr=/usr/sbin/restorecon: lstat(/var/cache/ipa/sessions) failed: No such file or directory > >2013-12-13T13:20:30Z DEBUG Created connection context.ldap2_65757136 >2013-12-13T13:20:30Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:20:30Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3eb2998> >2013-12-13T13:20:31Z DEBUG Destroyed connection context.ldap2_65757136 >2013-12-13T13:20:31Z DEBUG Applying LDAP updates >2013-12-13T13:20:31Z INFO PRE_UPDATE >2013-12-13T13:20:31Z DEBUG Created connection context.ldap2 >2013-12-13T13:20:31Z DEBUG raw: update_managed_post_first >2013-12-13T13:20:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:20:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x48f2488> >2013-12-13T13:20:31Z DEBUG raw: update_replica_attribute_lists >2013-12-13T13:20:31Z DEBUG Start replication agreement exclude list update task >2013-12-13T13:20:31Z DEBUG Found 0 agreement(s) >2013-12-13T13:20:31Z DEBUG Done updating agreements >2013-12-13T13:20:31Z DEBUG Destroyed connection context.ldap2 >2013-12-13T13:20:31Z INFO Parsing update file 
'/usr/share/ipa/updates/10-config.update' >2013-12-13T13:20:31Z INFO Parsing update file '/usr/share/ipa/updates/10-enable-betxn.update' >2013-12-13T13:20:31Z INFO Parsing update file '/usr/share/ipa/updates/10-schema_compat.update' >2013-12-13T13:20:31Z INFO Parsing update file '/usr/share/ipa/updates/10-selinuxusermap.update' >2013-12-13T13:20:31Z INFO Parsing update file '/usr/share/ipa/updates/10-uniqueness.update' >2013-12-13T13:20:31Z INFO Parsing update file '/usr/share/ipa/updates/19-managed-entries.update' >2013-12-13T13:20:31Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:20:31Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x48ddb00> >2013-12-13T13:20:32Z INFO Updating existing entry: cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-ldapimaptoentries: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationsynchour: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-port: >2013-12-13T13:20:32Z DEBUG 389 >2013-12-13T13:20:32Z DEBUG nsslapd-betype: >2013-12-13T13:20:32Z DEBUG ldbm database >2013-12-13T13:20:32Z DEBUG nsslapd-nagle: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-list: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-entryusn-global: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-referralmode: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logminfreediskspace: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationsynchour: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-reservedescriptors: >2013-12-13T13:20:32Z DEBUG 64 
>2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logmaxdiskspace: >2013-12-13T13:20:32Z DEBUG 500 >2013-12-13T13:20:32Z DEBUG passwordMinAlphas: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-sasl-max-buffer-size: >2013-12-13T13:20:32Z DEBUG 65536 >2013-12-13T13:20:32Z DEBUG nsslapd-enquote-sup-oc: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-readonly: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-syntaxcheck: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logbuffering: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring-logging-critical: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordMinDigits: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG passwordMinUppers: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin: >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=telephoneNumberMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=octetStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Boolean Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Numeric String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=OID Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Guide Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreIA5Match,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Delivery Method Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Name And Optional UID Syntax,cn=plugins,cn=config 
>2013-12-13T13:20:32Z DEBUG cn=Enhanced Guide Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Integer Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=uniqueMemberMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Bit String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Postal Address Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=integerFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=integerOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactIA5Match,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Octet String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=booleanMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Case Ignore String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=generalizedTimeOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=objectIdentifierFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreListMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=octetStringMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=distinguishedNameMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Fax Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Generalized Time Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Internationalization Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Country String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=telephoneNumberSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=bitStringMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Distinguished Name Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=numericStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=generalizedTimeMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Telephone Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=objectIdentifierMatch,cn=plugins,cn=config 
>2013-12-13T13:20:32Z DEBUG cn=numericStringSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreListSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Printable String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Telex Number Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Binary Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=JPEG Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=directoryStringFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=integerMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Bitwise Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Case Exact String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=numericStringMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-dn-validate-strict: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-ndn-cache-max-size: >2013-12-13T13:20:32Z DEBUG 20971520 >2013-12-13T13:20:32Z DEBUG nsslapd-timelimit: >2013-12-13T13:20:32Z DEBUG 3600 >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-rundir: >2013-12-13T13:20:32Z DEBUG /var/run/dirsrv >2013-12-13T13:20:32Z DEBUG passwordMinTokenLength: >2013-12-13T13:20:32Z DEBUG 3 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationsync-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordMinAge: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationtime: >2013-12-13T13:20:32Z 
DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logmaxdiskspace: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring-grace-period: >2013-12-13T13:20:32Z DEBUG 60 >2013-12-13T13:20:32Z DEBUG nsslapd-maxdescriptors: >2013-12-13T13:20:32Z DEBUG 8192 >2013-12-13T13:20:32Z DEBUG passwordInHistory: >2013-12-13T13:20:32Z DEBUG 6 >2013-12-13T13:20:32Z DEBUG nsslapd-ssl-check-hostname: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-conntablesize: >2013-12-13T13:20:32Z DEBUG 8192 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logging-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationsync-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logexpirationtimeunit: >2013-12-13T13:20:32Z DEBUG month >2013-12-13T13:20:32Z DEBUG nsslapd-saslpath: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG passwordMaxAge: >2013-12-13T13:20:32Z DEBUG 8640000 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapiautobind: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-maxthreadsperconn: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationsyncmin: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapigidnumbertype: >2013-12-13T13:20:32Z DEBUG gidNumber >2013-12-13T13:20:32Z DEBUG nsslapd-connection-buffer: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationtimeunit: >2013-12-13T13:20:32Z DEBUG day >2013-12-13T13:20:32Z DEBUG nsslapd-tmpdir: >2013-12-13T13:20:32Z DEBUG /tmp >2013-12-13T13:20:32Z DEBUG passwordResetFailureCount: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-counters: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-svrtab: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-allowed-sasl-mechanisms: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-secureport: >2013-12-13T13:20:32Z 
DEBUG 636 >2013-12-13T13:20:32Z DEBUG nsslapd-minssf: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-maxlogsize: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-localuser: >2013-12-13T13:20:32Z DEBUG dirsrv >2013-12-13T13:20:32Z DEBUG nsslapd-security: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG passwordChange: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-force-sasl-external: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-requiresrestart: >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogmaxage >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-plugin >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-maxdescriptors >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-idlistscanlimit >2013-12-13T13:20:32Z DEBUG cn=encryption,cn=config:nsssl2 >2013-12-13T13:20:32Z DEBUG cn=encryption,cn=config:nsssl3 >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-parentcheck >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogsuffix >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-sslclientauth >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-schema-ignore-trailing-spaces >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-dbcachesize >2013-12-13T13:20:32Z DEBUG cn=encryption,cn=config:nssslsessiontimeout >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-cachesize >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-db-locks >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-secureport >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogmaxentries >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-allowed-sasl-mechanisms >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-ldapilisten >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-plugin >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-ldapifilepath >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogdir >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-workingdir >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-port >2013-12-13T13:20:32Z 
DEBUG cn=encryption,cn=config:nssslclientauth >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-return-exact-case >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-dbncache >2013-12-13T13:20:32Z DEBUG passwordMaxFailure: >2013-12-13T13:20:32Z DEBUG 3 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationsync-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logging-enabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationsyncmin: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-pagedsizelimit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logexpirationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-listen-backlog-size: >2013-12-13T13:20:32Z DEBUG 128 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/access >2013-12-13T13:20:32Z DEBUG nsslapd-certmap-basedn: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-logging: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-anonlimitsdn: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-ldifdir: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ldif >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-maxbersize: >2013-12-13T13:20:32Z DEBUG 209715200 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logging-enabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-hash-filters: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordMustChange: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordExp: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-list: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-ldapilisten: >2013-12-13T13:20:32Z DEBUG on 
>2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logminfreediskspace: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG nsslapd-schema-ignore-trailing-spaces: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG aci: >2013-12-13T13:20:32Z DEBUG (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";) >2013-12-13T13:20:32Z DEBUG (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:20:32Z DEBUG nsslapd-listenhost: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logexpirationtimeunit: >2013-12-13T13:20:32Z DEBUG month >2013-12-13T13:20:32Z DEBUG nsslapd-outbound-ldap-io-timeout: >2013-12-13T13:20:32Z DEBUG 300000 >2013-12-13T13:20:32Z DEBUG passwordMinLength: >2013-12-13T13:20:32Z DEBUG 8 >2013-12-13T13:20:32Z DEBUG nsslapd-require-secure-binds: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-groupevalnestlevel: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-rootdn: >2013-12-13T13:20:32Z DEBUG cn=Directory Manager >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationtimeunit: >2013-12-13T13:20:32Z DEBUG day >2013-12-13T13:20:32Z DEBUG nsslapd-snmp-index: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG config >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapdConfig >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationtimeunit: >2013-12-13T13:20:32Z DEBUG week >2013-12-13T13:20:32Z DEBUG nsslapd-entryusn-import-initval: >2013-12-13T13:20:32Z DEBUG next >2013-12-13T13:20:32Z DEBUG nsslapd-ignore-time-skew: >2013-12-13T13:20:32Z DEBUG off 
>2013-12-13T13:20:32Z DEBUG nsslapd-allow-unauthenticated-binds: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logging-hide-unhashed-pw: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-maxlogsperdir: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logmaxdiskspace: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/errors >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring-threshold: >2013-12-13T13:20:32Z DEBUG 2097152 >2013-12-13T13:20:32Z DEBUG nsslapd-sasl-mapping-fallback: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG passwordlegacypolicy: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-ldapifilepath: >2013-12-13T13:20:32Z DEBUG /var/run/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket >2013-12-13T13:20:32Z DEBUG passwordCheckSyntax: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordGraceLimit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG passwordWarning: >2013-12-13T13:20:32Z DEBUG 86400 >2013-12-13T13:20:32Z DEBUG nsslapd-instancedir: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/scripts-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-config: >2013-12-13T13:20:32Z DEBUG cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-level: >2013-12-13T13:20:32Z DEBUG 256 >2013-12-13T13:20:32Z DEBUG nsslapd-return-exact-case: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-maxsasliosize: >2013-12-13T13:20:32Z DEBUG 2097152 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logexpirationtimeunit: >2013-12-13T13:20:32Z DEBUG month >2013-12-13T13:20:32Z DEBUG nsslapd-rootpwstoragescheme: >2013-12-13T13:20:32Z DEBUG SSHA >2013-12-13T13:20:32Z DEBUG 
nsslapd-plugin-binddn-tracking: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logexpirationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG passwordLockout: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-lockdir: >2013-12-13T13:20:32Z DEBUG /var/lock/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-certdir: >2013-12-13T13:20:32Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-allow-anonymous-access: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-maxlogsperdir: >2013-12-13T13:20:32Z DEBUG 10 >2013-12-13T13:20:32Z DEBUG nsslapd-backendconfig: >2013-12-13T13:20:32Z DEBUG cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-threadnumber: >2013-12-13T13:20:32Z DEBUG 30 >2013-12-13T13:20:32Z DEBUG nsslapd-schemamod: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-search-return-original-type-switch: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-localhost: >2013-12-13T13:20:32Z DEBUG vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:20:32Z DEBUG nsslapd-bakdir: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/bak >2013-12-13T13:20:32Z DEBUG passwordMin8bit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapiuidnumbertype: >2013-12-13T13:20:32Z DEBUG uidNumber >2013-12-13T13:20:32Z DEBUG nsslapd-validate-cert: >2013-12-13T13:20:32Z DEBUG warn >2013-12-13T13:20:32Z DEBUG passwordMinCategories: >2013-12-13T13:20:32Z DEBUG 3 >2013-12-13T13:20:32Z DEBUG passwordMinLowers: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG passwordAdminDN: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-versionstring: 
>2013-12-13T13:20:32Z DEBUG 389-Directory/1.3.2.7 >2013-12-13T13:20:32Z DEBUG passwordMinSpecials: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-rewrite-rfc1274: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-lastmod: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-max-filter-nest-level: >2013-12-13T13:20:32Z DEBUG 40 >2013-12-13T13:20:32Z DEBUG passwordMaxRepeats: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-result-tweak: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-syntaxlogging: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordUnlock: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-schemacheck: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG passwordTrackUpdateTime: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-maxlogsize: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapientrysearchbase: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logexpirationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-localssf: >2013-12-13T13:20:32Z DEBUG 71 >2013-12-13T13:20:32Z DEBUG passwordisglobalpolicy: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-sizelimit: >2013-12-13T13:20:32Z DEBUG 2000 >2013-12-13T13:20:32Z DEBUG nsslapd-minssf-exclude-rootdse: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationsyncmin: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ignore-virtual-attrs: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-ndn-cache-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-defaultnamingcontext: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG 
nsslapd-errorlog-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-pwpolicy-local: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-schemadir: >2013-12-13T13:20:32Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/schema >2013-12-13T13:20:32Z DEBUG passwordLockoutDuration: >2013-12-13T13:20:32Z DEBUG 3600 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-list: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-csnlogging: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-maxlogsize: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-privatenamespaces: >2013-12-13T13:20:32Z DEBUG cn=schema >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG cn=config >2013-12-13T13:20:32Z DEBUG cn=monitor >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-maxlogsperdir: >2013-12-13T13:20:32Z DEBUG 2 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/audit >2013-12-13T13:20:32Z DEBUG nsslapd-ldapimaprootdn: >2013-12-13T13:20:32Z DEBUG cn=Directory Manager >2013-12-13T13:20:32Z DEBUG nsslapd-rootpw: >2013-12-13T13:20:32Z DEBUG {SSHA}v/YbIvfLZBnzzDiaMPKT2iAZwiDpB6XjDHgWVQ== >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationsynchour: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ds4-compatible-schema: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-workingdir: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-unhashed-pw-switch: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-accesscontrol: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-schemareplace: >2013-12-13T13:20:32Z DEBUG replication-only >2013-12-13T13:20:32Z DEBUG nsslapd-enable-turbo-mode: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG 
nsslapd-errorlog-level: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-securelistenhost: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-ioblocktimeout: >2013-12-13T13:20:32Z DEBUG 1800000 >2013-12-13T13:20:32Z DEBUG nsslapd-sslclientauth: >2013-12-13T13:20:32Z DEBUG allowed >2013-12-13T13:20:32Z DEBUG nsslapd-attribute-name-exceptions: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-idletimeout: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-allowed-to-delete-attrs: >2013-12-13T13:20:32Z DEBUG nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logminfreediskspace: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG passwordStorageScheme: >2013-12-13T13:20:32Z DEBUG SSHA >2013-12-13T13:20:32Z DEBUG nsslapd-connection-nocanon: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG only: set nsslapd-ssl-check-hostname to 'on', current value [u'on'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'on'] >2013-12-13T13:20:32Z DEBUG only: set nsslapd-anonlimitsdn to 'cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com', current value [u''] >2013-12-13T13:20:32Z DEBUG only: updated value [u'cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:20:32Z DEBUG add: 'dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to nsslapd-defaultNamingContext, current value [u'dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:20:32Z DEBUG add: updated value [u'dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:20:32Z DEBUG only: set nsslapd-minssf-exclude-rootdse to 'on', current value [u'off'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'on'] 
>2013-12-13T13:20:32Z DEBUG only: set nsslapd-sasl-mapping-fallback to 'on', current value [u'on'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'on'] >2013-12-13T13:20:32Z DEBUG only: set nsslapd-sasl-max-buffer-size to '2097152', current value [u'65536'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'2097152'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-ldapimaptoentries: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationsynchour: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-port: >2013-12-13T13:20:32Z DEBUG 389 >2013-12-13T13:20:32Z DEBUG nsslapd-betype: >2013-12-13T13:20:32Z DEBUG ldbm database >2013-12-13T13:20:32Z DEBUG nsslapd-nagle: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-list: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-entryusn-global: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-referralmode: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logminfreediskspace: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationsynchour: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-reservedescriptors: >2013-12-13T13:20:32Z DEBUG 64 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logmaxdiskspace: >2013-12-13T13:20:32Z DEBUG 500 >2013-12-13T13:20:32Z DEBUG passwordMinAlphas: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-sasl-max-buffer-size: >2013-12-13T13:20:32Z DEBUG 2097152 >2013-12-13T13:20:32Z DEBUG nsslapd-enquote-sup-oc: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-readonly: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-syntaxcheck: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG 
nsslapd-accesslog-logbuffering: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring-logging-critical: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordMinDigits: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG passwordMinUppers: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin: >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=telephoneNumberMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=octetStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Boolean Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseExactMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Numeric String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=OID Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Guide Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreIA5Match,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Delivery Method Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Name And Optional UID Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Enhanced Guide Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Integer Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=uniqueMemberMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Bit String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Postal Address Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=integerFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=integerOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG 
cn=caseExactIA5Match,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Octet String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=booleanMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Case Ignore String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=generalizedTimeOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=objectIdentifierFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreListMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=octetStringMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=distinguishedNameMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Fax Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Generalized Time Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Internationalization Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Country String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=telephoneNumberSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=bitStringMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Distinguished Name Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=numericStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=generalizedTimeMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Telephone Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=objectIdentifierMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=numericStringSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreListSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Printable String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Telex Number Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Teletex Terminal Identifier 
Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Binary Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=JPEG Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=directoryStringFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=integerMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Bitwise Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=Case Exact String Syntax,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=caseIgnoreMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=numericStringMatch,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-dn-validate-strict: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-ndn-cache-max-size: >2013-12-13T13:20:32Z DEBUG 20971520 >2013-12-13T13:20:32Z DEBUG nsslapd-timelimit: >2013-12-13T13:20:32Z DEBUG 3600 >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-rundir: >2013-12-13T13:20:32Z DEBUG /var/run/dirsrv >2013-12-13T13:20:32Z DEBUG passwordMinTokenLength: >2013-12-13T13:20:32Z DEBUG 3 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationsync-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordMinAge: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logmaxdiskspace: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring-grace-period: >2013-12-13T13:20:32Z DEBUG 60 >2013-12-13T13:20:32Z DEBUG nsslapd-maxdescriptors: >2013-12-13T13:20:32Z DEBUG 8192 >2013-12-13T13:20:32Z DEBUG passwordInHistory: >2013-12-13T13:20:32Z DEBUG 6 >2013-12-13T13:20:32Z DEBUG nsslapd-ssl-check-hostname: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-conntablesize: >2013-12-13T13:20:32Z DEBUG 8192 
>2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logging-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationsync-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logexpirationtimeunit: >2013-12-13T13:20:32Z DEBUG month >2013-12-13T13:20:32Z DEBUG nsslapd-saslpath: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG passwordMaxAge: >2013-12-13T13:20:32Z DEBUG 8640000 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapiautobind: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-maxthreadsperconn: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationsyncmin: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapigidnumbertype: >2013-12-13T13:20:32Z DEBUG gidNumber >2013-12-13T13:20:32Z DEBUG nsslapd-connection-buffer: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logrotationtimeunit: >2013-12-13T13:20:32Z DEBUG day >2013-12-13T13:20:32Z DEBUG nsslapd-tmpdir: >2013-12-13T13:20:32Z DEBUG /tmp >2013-12-13T13:20:32Z DEBUG passwordResetFailureCount: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-counters: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-svrtab: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-allowed-sasl-mechanisms: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-secureport: >2013-12-13T13:20:32Z DEBUG 636 >2013-12-13T13:20:32Z DEBUG nsslapd-minssf: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-maxlogsize: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-localuser: >2013-12-13T13:20:32Z DEBUG dirsrv >2013-12-13T13:20:32Z DEBUG nsslapd-security: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG passwordChange: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-force-sasl-external: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG 
nsslapd-requiresrestart: >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogmaxage >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-plugin >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-maxdescriptors >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-idlistscanlimit >2013-12-13T13:20:32Z DEBUG cn=encryption,cn=config:nsssl2 >2013-12-13T13:20:32Z DEBUG cn=encryption,cn=config:nsssl3 >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-parentcheck >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogsuffix >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-sslclientauth >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-schema-ignore-trailing-spaces >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-dbcachesize >2013-12-13T13:20:32Z DEBUG cn=encryption,cn=config:nssslsessiontimeout >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-cachesize >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-db-locks >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-secureport >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogmaxentries >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-allowed-sasl-mechanisms >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-ldapilisten >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-plugin >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-ldapifilepath >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-changelogdir >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-workingdir >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-port >2013-12-13T13:20:32Z DEBUG cn=encryption,cn=config:nssslclientauth >2013-12-13T13:20:32Z DEBUG cn=config:nsslapd-return-exact-case >2013-12-13T13:20:32Z DEBUG cn=config,cn=ldbm:nsslapd-dbncache >2013-12-13T13:20:32Z DEBUG passwordMaxFailure: >2013-12-13T13:20:32Z DEBUG 3 >2013-12-13T13:20:32Z DEBUG nsslapd-defaultNamingContext: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationsync-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z 
DEBUG nsslapd-accesslog-logging-enabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationsyncmin: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-pagedsizelimit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logexpirationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-listen-backlog-size: >2013-12-13T13:20:32Z DEBUG 128 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/access >2013-12-13T13:20:32Z DEBUG nsslapd-certmap-basedn: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-logging: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-anonlimitsdn: >2013-12-13T13:20:32Z DEBUG cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-ldifdir: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ldif >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-maxbersize: >2013-12-13T13:20:32Z DEBUG 209715200 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logging-enabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-hash-filters: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordMustChange: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordExp: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-list: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-ldapilisten: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logminfreediskspace: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG nsslapd-schema-ignore-trailing-spaces: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG aci: >2013-12-13T13:20:32Z DEBUG (targetattr != 
aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";) >2013-12-13T13:20:32Z DEBUG (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:20:32Z DEBUG nsslapd-listenhost: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logexpirationtimeunit: >2013-12-13T13:20:32Z DEBUG month >2013-12-13T13:20:32Z DEBUG nsslapd-outbound-ldap-io-timeout: >2013-12-13T13:20:32Z DEBUG 300000 >2013-12-13T13:20:32Z DEBUG passwordMinLength: >2013-12-13T13:20:32Z DEBUG 8 >2013-12-13T13:20:32Z DEBUG nsslapd-require-secure-binds: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-groupevalnestlevel: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-rootdn: >2013-12-13T13:20:32Z DEBUG cn=Directory Manager >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationtimeunit: >2013-12-13T13:20:32Z DEBUG day >2013-12-13T13:20:32Z DEBUG nsslapd-snmp-index: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG config >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapdConfig >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationtimeunit: >2013-12-13T13:20:32Z DEBUG week >2013-12-13T13:20:32Z DEBUG nsslapd-entryusn-import-initval: >2013-12-13T13:20:32Z DEBUG next >2013-12-13T13:20:32Z DEBUG nsslapd-ignore-time-skew: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-allow-unauthenticated-binds: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logging-hide-unhashed-pw: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-maxlogsperdir: >2013-12-13T13:20:32Z DEBUG 1 
>2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logmaxdiskspace: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/errors >2013-12-13T13:20:32Z DEBUG nsslapd-disk-monitoring-threshold: >2013-12-13T13:20:32Z DEBUG 2097152 >2013-12-13T13:20:32Z DEBUG nsslapd-sasl-mapping-fallback: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG passwordlegacypolicy: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-ldapifilepath: >2013-12-13T13:20:32Z DEBUG /var/run/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket >2013-12-13T13:20:32Z DEBUG passwordCheckSyntax: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordGraceLimit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG passwordWarning: >2013-12-13T13:20:32Z DEBUG 86400 >2013-12-13T13:20:32Z DEBUG nsslapd-instancedir: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/scripts-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-config: >2013-12-13T13:20:32Z DEBUG cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-level: >2013-12-13T13:20:32Z DEBUG 256 >2013-12-13T13:20:32Z DEBUG nsslapd-return-exact-case: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-maxsasliosize: >2013-12-13T13:20:32Z DEBUG 2097152 >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logexpirationtimeunit: >2013-12-13T13:20:32Z DEBUG month >2013-12-13T13:20:32Z DEBUG nsslapd-rootpwstoragescheme: >2013-12-13T13:20:32Z DEBUG SSHA >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-binddn-tracking: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logexpirationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG passwordLockout: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-lockdir: >2013-12-13T13:20:32Z DEBUG 
/var/lock/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-certdir: >2013-12-13T13:20:32Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-allow-anonymous-access: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-maxlogsperdir: >2013-12-13T13:20:32Z DEBUG 10 >2013-12-13T13:20:32Z DEBUG nsslapd-backendconfig: >2013-12-13T13:20:32Z DEBUG cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-threadnumber: >2013-12-13T13:20:32Z DEBUG 30 >2013-12-13T13:20:32Z DEBUG nsslapd-schemamod: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-search-return-original-type-switch: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-localhost: >2013-12-13T13:20:32Z DEBUG vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:20:32Z DEBUG nsslapd-bakdir: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/bak >2013-12-13T13:20:32Z DEBUG passwordMin8bit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapiuidnumbertype: >2013-12-13T13:20:32Z DEBUG uidNumber >2013-12-13T13:20:32Z DEBUG nsslapd-validate-cert: >2013-12-13T13:20:32Z DEBUG warn >2013-12-13T13:20:32Z DEBUG passwordMinCategories: >2013-12-13T13:20:32Z DEBUG 3 >2013-12-13T13:20:32Z DEBUG passwordMinLowers: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG passwordAdminDN: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-versionstring: >2013-12-13T13:20:32Z DEBUG 389-Directory/1.3.2.7 >2013-12-13T13:20:32Z DEBUG passwordMinSpecials: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-rewrite-rfc1274: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-lastmod: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG 
nsslapd-max-filter-nest-level: >2013-12-13T13:20:32Z DEBUG 40 >2013-12-13T13:20:32Z DEBUG passwordMaxRepeats: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-result-tweak: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-syntaxlogging: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG passwordUnlock: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-schemacheck: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG passwordTrackUpdateTime: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-maxlogsize: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-ldapientrysearchbase: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logexpirationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-localssf: >2013-12-13T13:20:32Z DEBUG 71 >2013-12-13T13:20:32Z DEBUG passwordisglobalpolicy: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-sizelimit: >2013-12-13T13:20:32Z DEBUG 2000 >2013-12-13T13:20:32Z DEBUG nsslapd-minssf-exclude-rootdse: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationsyncmin: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ignore-virtual-attrs: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-ndn-cache-enabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-pwpolicy-local: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-schemadir: >2013-12-13T13:20:32Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/schema >2013-12-13T13:20:32Z DEBUG passwordLockoutDuration: >2013-12-13T13:20:32Z DEBUG 3600 >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-list: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG 
nsslapd-csnlogging: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-maxlogsize: >2013-12-13T13:20:32Z DEBUG 100 >2013-12-13T13:20:32Z DEBUG nsslapd-privatenamespaces: >2013-12-13T13:20:32Z DEBUG cn=schema >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG cn=config >2013-12-13T13:20:32Z DEBUG cn=monitor >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-maxlogsperdir: >2013-12-13T13:20:32Z DEBUG 2 >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/audit >2013-12-13T13:20:32Z DEBUG nsslapd-ldapimaprootdn: >2013-12-13T13:20:32Z DEBUG cn=Directory Manager >2013-12-13T13:20:32Z DEBUG nsslapd-rootpw: >2013-12-13T13:20:32Z DEBUG {SSHA}v/YbIvfLZBnzzDiaMPKT2iAZwiDpB6XjDHgWVQ== >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-logrotationsynchour: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-ds4-compatible-schema: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-workingdir: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:20:32Z DEBUG nsslapd-unhashed-pw-switch: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-accesscontrol: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-schemareplace: >2013-12-13T13:20:32Z DEBUG replication-only >2013-12-13T13:20:32Z DEBUG nsslapd-enable-turbo-mode: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-errorlog-level: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-securelistenhost: >2013-12-13T13:20:32Z DEBUG >2013-12-13T13:20:32Z DEBUG nsslapd-auditlog-logrotationtime: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-ioblocktimeout: >2013-12-13T13:20:32Z DEBUG 1800000 >2013-12-13T13:20:32Z DEBUG nsslapd-sslclientauth: >2013-12-13T13:20:32Z DEBUG allowed >2013-12-13T13:20:32Z DEBUG nsslapd-attribute-name-exceptions: >2013-12-13T13:20:32Z DEBUG 
off >2013-12-13T13:20:32Z DEBUG nsslapd-idletimeout: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-allowed-to-delete-attrs: >2013-12-13T13:20:32Z DEBUG nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext >2013-12-13T13:20:32Z DEBUG nsslapd-accesslog-logminfreediskspace: >2013-12-13T13:20:32Z DEBUG 5 >2013-12-13T13:20:32Z DEBUG passwordStorageScheme: >2013-12-13T13:20:32Z DEBUG SSHA >2013-12-13T13:20:32Z DEBUG nsslapd-connection-nocanon: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG [(2, u'nsslapd-sasl-max-buffer-size', ['2097152']), (2, u'nsslapd-anonlimitsdn', ['cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com']), (2, u'nsslapd-minssf-exclude-rootdse', ['on'])] >2013-12-13T13:20:32Z DEBUG Live 1, updated 1 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=Linked Attributes,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=Linked Attributes,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG Linked Attributes >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Linked Attributes >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG nsContainer >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Linked Attributes plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG liblinkedattrs-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z 
DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG linked_attrs_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpreoperation', current value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=Linked Attributes,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG Linked Attributes >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Linked Attributes >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG nsContainer >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Linked Attributes plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG liblinkedattrs-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG linked_attrs_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=7-bit check,cn=plugins,cn=config 
>2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=7-bit check,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG NS7bitAttr >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG 7-bit check >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Enforce 7-bit clean attribute values >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG uid >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libattr-unique-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG mail >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg3: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:20:32Z DEBUG , >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG NS7bitAttr_Init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpreoperation', current value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z 
DEBUG dn: cn=7-bit check,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG NS7bitAttr >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG 7-bit check >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Enforce 7-bit clean attribute values >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG uid >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libattr-unique-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG mail >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg3: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:20:32Z DEBUG , >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG NS7bitAttr_Init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=PAM Pass Through Auth,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=PAM Pass Through Auth,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG PAM Pass Through Auth 
>2013-12-13T13:20:32Z DEBUG pamExcludeSuffix: >2013-12-13T13:20:32Z DEBUG cn=config >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG pamConfig >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libpam-passthru-plugin >2013-12-13T13:20:32Z DEBUG pamService: >2013-12-13T13:20:32Z DEBUG ldapserver >2013-12-13T13:20:32Z DEBUG pamSecure: >2013-12-13T13:20:32Z DEBUG TRUE >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG pamIDMapMethod: >2013-12-13T13:20:32Z DEBUG RDN >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG pam_passthruauth_init >2013-12-13T13:20:32Z DEBUG pamFallback: >2013-12-13T13:20:32Z DEBUG FALSE >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG pamMissingSuffix: >2013-12-13T13:20:32Z DEBUG ALLOW >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG pamIDAttr: >2013-12-13T13:20:32Z DEBUG notUsedWithRDNMethod >2013-12-13T13:20:32Z DEBUG nsslapd-pluginloadglobal: >2013-12-13T13:20:32Z DEBUG true >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpreoperation', current value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z 
DEBUG dn: cn=PAM Pass Through Auth,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG PAM Pass Through Auth >2013-12-13T13:20:32Z DEBUG pamExcludeSuffix: >2013-12-13T13:20:32Z DEBUG cn=config >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG pamConfig >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libpam-passthru-plugin >2013-12-13T13:20:32Z DEBUG pamService: >2013-12-13T13:20:32Z DEBUG ldapserver >2013-12-13T13:20:32Z DEBUG pamSecure: >2013-12-13T13:20:32Z DEBUG TRUE >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG pamIDMapMethod: >2013-12-13T13:20:32Z DEBUG RDN >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG pam_passthruauth_init >2013-12-13T13:20:32Z DEBUG pamFallback: >2013-12-13T13:20:32Z DEBUG FALSE >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG pamMissingSuffix: >2013-12-13T13:20:32Z DEBUG ALLOW >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG pamIDAttr: >2013-12-13T13:20:32Z DEBUG notUsedWithRDNMethod >2013-12-13T13:20:32Z DEBUG nsslapd-pluginloadglobal: >2013-12-13T13:20:32Z DEBUG true >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=attribute uniqueness,cn=plugins,cn=config 
>2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=attribute uniqueness,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG attribute uniqueness >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG uid >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libattr-unique-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG NSUniqueAttr_Init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpreoperation', current value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=attribute uniqueness,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z 
DEBUG attribute uniqueness >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG uid >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG off >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libattr-unique-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG none >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG NSUniqueAttr_Init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Schema Compatibility >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Schema Compatibility Plugin >2013-12-13T13:20:32Z DEBUG 
nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG schema-compat-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 0.50 (betxn support not available) >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG /usr/lib64/dirsrv/plugins/schemacompat-plugin.so >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG redhat.com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG schema_compat_plugin_init >2013-12-13T13:20:32Z DEBUG onlyifexist: 'on' to nsslapd-pluginbetxn, current value [u'on'] >2013-12-13T13:20:32Z DEBUG onlyifexist: set nsslapd-pluginbetxn to [u'on'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Schema Compatibility >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Schema Compatibility Plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG schema-compat-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 0.50 (betxn support not available) >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG /usr/lib64/dirsrv/plugins/schemacompat-plugin.so >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG redhat.com 
>2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG schema_compat_plugin_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO New entry: cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG onlyifexist: 'on' to nsslapd-pluginbetxn, current value [] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:20:32Z INFO Updating existing entry: cn=Roles Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=Roles Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Roles Plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-named: >2013-12-13T13:20:32Z DEBUG State Change Plugin >2013-12-13T13:20:32Z DEBUG Views >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG roles plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG roles >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG 
libroles-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG roles_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginbetxn to 'on', current value [u'on'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'on'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=Roles Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Roles Plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-named: >2013-12-13T13:20:32Z DEBUG State Change Plugin >2013-12-13T13:20:32Z DEBUG Views >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG roles plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG roles >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libroles-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG roles_init 
>2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=Managed Entries,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=Managed Entries,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG Managed Entries >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Managed Entries >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG nsContainer >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Managed Entries plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libmanagedentries-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginConfigArea: >2013-12-13T13:20:32Z DEBUG cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG mep_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpreoperation', current value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginConfigArea to 'cn=Definitions,cn=Managed 
Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com', current value [ipapython.dn.DN('cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:20:32Z DEBUG only: updated value [ipapython.dn.DN('cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=Managed Entries,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG Managed Entries >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Managed Entries >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG nsContainer >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Managed Entries plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libmanagedentries-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginConfigArea: >2013-12-13T13:20:32Z DEBUG cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG mep_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 
>2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=ipa-winsync,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=ipa-winsync,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG ipa-winsync >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG ipawinsynchomedirattr: >2013-12-13T13:20:32Z DEBUG ipaHomesRootDir >2013-12-13T13:20:32Z DEBUG ipawinsyncnewuserocattr: >2013-12-13T13:20:32Z DEBUG ipauserobjectclasses >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libipa_winsync >2013-12-13T13:20:32Z DEBUG ipawinsyncuserflatten: >2013-12-13T13:20:32Z DEBUG true >2013-12-13T13:20:32Z DEBUG ipawinsyncnewentryfilter: >2013-12-13T13:20:32Z DEBUG (cn=ipaConfig) >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG FreeIPA project >2013-12-13T13:20:32Z DEBUG ipawinsyncdefaultgroupattr: >2013-12-13T13:20:32Z DEBUG ipaDefaultPrimaryGroup >2013-12-13T13:20:32Z DEBUG ipawinsyncrealmfilter: >2013-12-13T13:20:32Z DEBUG (objectclass=krbRealmContainer) >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG preoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG ipa_winsync_plugin_init >2013-12-13T13:20:32Z DEBUG ipawinsyncforcesync: >2013-12-13T13:20:32Z DEBUG true >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG FreeIPA/1.0 >2013-12-13T13:20:32Z DEBUG ipawinsyncrealmattr: >2013-12-13T13:20:32Z DEBUG cn >2013-12-13T13:20:32Z DEBUG ipawinsyncloginshellattr: >2013-12-13T13:20:32Z DEBUG ipaDefaultLoginShell >2013-12-13T13:20:32Z DEBUG 
nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG ipa-winsync-plugin >2013-12-13T13:20:32Z DEBUG ipawinsyncuserattr: >2013-12-13T13:20:32Z DEBUG uidNumber -1 >2013-12-13T13:20:32Z DEBUG gidNumber -1 >2013-12-13T13:20:32Z DEBUG ipawinsyncdefaultgroupfilter: >2013-12-13T13:20:32Z DEBUG (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) >2013-12-13T13:20:32Z DEBUG ipawinsyncacctdisable: >2013-12-13T13:20:32Z DEBUG both >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG ipa winsync plugin >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginPrecedence to '60', current value [] >2013-12-13T13:20:32Z DEBUG only: updated value [u'60'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=ipa-winsync,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG ipa-winsync >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG ipawinsynchomedirattr: >2013-12-13T13:20:32Z DEBUG ipaHomesRootDir >2013-12-13T13:20:32Z DEBUG ipawinsyncnewuserocattr: >2013-12-13T13:20:32Z DEBUG ipauserobjectclasses >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libipa_winsync >2013-12-13T13:20:32Z DEBUG ipawinsyncuserflatten: >2013-12-13T13:20:32Z DEBUG true >2013-12-13T13:20:32Z DEBUG ipawinsyncnewentryfilter: >2013-12-13T13:20:32Z DEBUG (cn=ipaConfig) >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG FreeIPA project >2013-12-13T13:20:32Z DEBUG ipawinsyncdefaultgroupattr: >2013-12-13T13:20:32Z DEBUG ipaDefaultPrimaryGroup >2013-12-13T13:20:32Z DEBUG 
ipawinsyncrealmfilter: >2013-12-13T13:20:32Z DEBUG (objectclass=krbRealmContainer) >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG preoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG ipa_winsync_plugin_init >2013-12-13T13:20:32Z DEBUG ipawinsyncforcesync: >2013-12-13T13:20:32Z DEBUG true >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG FreeIPA/1.0 >2013-12-13T13:20:32Z DEBUG ipawinsyncrealmattr: >2013-12-13T13:20:32Z DEBUG cn >2013-12-13T13:20:32Z DEBUG ipawinsyncloginshellattr: >2013-12-13T13:20:32Z DEBUG ipaDefaultLoginShell >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG ipa-winsync-plugin >2013-12-13T13:20:32Z DEBUG ipawinsyncuserattr: >2013-12-13T13:20:32Z DEBUG uidNumber -1 >2013-12-13T13:20:32Z DEBUG gidNumber -1 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPrecedence: >2013-12-13T13:20:32Z DEBUG 60 >2013-12-13T13:20:32Z DEBUG ipawinsyncdefaultgroupfilter: >2013-12-13T13:20:32Z DEBUG (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) >2013-12-13T13:20:32Z DEBUG ipawinsyncacctdisable: >2013-12-13T13:20:32Z DEBUG both >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG ipa winsync plugin >2013-12-13T13:20:32Z DEBUG [(0, u'nsslapd-pluginPrecedence', ['60'])] >2013-12-13T13:20:32Z DEBUG Live 1, updated 1 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=USN,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=USN,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG USN >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top 
>2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG USN (Update Sequence Number) plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG USN >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libusn-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG usn_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginbetxn to 'on', current value [u'on'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'on'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=USN,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG USN >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG USN (Update Sequence Number) plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG USN >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG 
libusn-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG usn_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=Multimaster Replication Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Multimaster Replication Plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-named: >2013-12-13T13:20:32Z DEBUG Class of Service >2013-12-13T13:20:32Z DEBUG DES >2013-12-13T13:20:32Z DEBUG ldbm database >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Multi-master Replication Plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libreplication-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG replication-multimaster >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG replication_multimaster_plugin_init >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object 
>2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginbetxn to 'on', current value [u'on'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'on'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Multimaster Replication Plugin >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-named: >2013-12-13T13:20:32Z DEBUG Class of Service >2013-12-13T13:20:32Z DEBUG DES >2013-12-13T13:20:32Z DEBUG ldbm database >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Multi-master Replication Plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libreplication-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG replication-multimaster >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG replication_multimaster_plugin_init >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG object >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=sudorule name uniqueness,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG 
--------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=sudorule name uniqueness,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG NSUniqueAttr >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG sudorule name uniqueness >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Enforce unique attribute values >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG cn >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libattr-unique-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG preoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG NSUniqueAttr_Init >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=sudorule name uniqueness,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG NSUniqueAttr >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG sudorule name uniqueness >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG 
nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Enforce unique attribute values >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG cn >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libattr-unique-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG preoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG NSUniqueAttr_Init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=State Change Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=State Change Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG statechange >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG State Change Plugin >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG state change notification service plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on 
>2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libstatechange-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG statechange_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpostoperation', current value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=State Change Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG statechange >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG State Change Plugin >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG state change notification service plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libstatechange-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG statechange_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done 
>2013-12-13T13:20:32Z INFO Updating existing entry: cn=Auto Membership Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=Auto Membership Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG Auto Membership >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Auto Membership Plugin >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Auto Membership plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libautomember-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginConfigArea: >2013-12-13T13:20:32Z DEBUG cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG automember_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpreoperation', current value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpreoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=Auto Membership Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: 
>2013-12-13T13:20:32Z DEBUG Auto Membership >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG Auto Membership Plugin >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Auto Membership plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libautomember-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginConfigArea: >2013-12-13T13:20:32Z DEBUG cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpreoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG automember_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=referential integrity postoperation,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG referential integrity postoperation >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg16: >2013-12-13T13:20:32Z DEBUG ipasudorunas 
>2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libreferint-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg10: >2013-12-13T13:20:32Z DEBUG memberhost >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg13: >2013-12-13T13:20:32Z DEBUG managedby >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg12: >2013-12-13T13:20:32Z DEBUG memberservice >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg17: >2013-12-13T13:20:32Z DEBUG ipasudorunasgroup >2013-12-13T13:20:32Z DEBUG nsslapd-pluginprecedence: >2013-12-13T13:20:32Z DEBUG 40 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG referint_postop_init >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg11: >2013-12-13T13:20:32Z DEBUG sourcehost >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG referint >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG referential integrity plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg5: >2013-12-13T13:20:32Z DEBUG owner >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg4: >2013-12-13T13:20:32Z DEBUG uniquemember >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg7: >2013-12-13T13:20:32Z DEBUG manager >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg6: >2013-12-13T13:20:32Z DEBUG seeAlso >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/referint >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg3: 
>2013-12-13T13:20:32Z DEBUG member >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg15: >2013-12-13T13:20:32Z DEBUG memberdenycmd >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg9: >2013-12-13T13:20:32Z DEBUG memberuser >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg8: >2013-12-13T13:20:32Z DEBUG secretary >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg14: >2013-12-13T13:20:32Z DEBUG memberallowcmd >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpostoperation', current value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=referential integrity postoperation,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG referential integrity postoperation >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg16: >2013-12-13T13:20:32Z DEBUG ipasudorunas >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libreferint-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg10: >2013-12-13T13:20:32Z DEBUG memberhost >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg13: >2013-12-13T13:20:32Z DEBUG managedby >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg12: >2013-12-13T13:20:32Z DEBUG memberservice >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg17: >2013-12-13T13:20:32Z DEBUG ipasudorunasgroup >2013-12-13T13:20:32Z DEBUG nsslapd-pluginprecedence: >2013-12-13T13:20:32Z DEBUG 40 >2013-12-13T13:20:32Z DEBUG 
nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG referint_postop_init >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg11: >2013-12-13T13:20:32Z DEBUG sourcehost >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG referint >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG referential integrity plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg5: >2013-12-13T13:20:32Z DEBUG owner >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg4: >2013-12-13T13:20:32Z DEBUG uniquemember >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg7: >2013-12-13T13:20:32Z DEBUG manager >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg6: >2013-12-13T13:20:32Z DEBUG seeAlso >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:32Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/referint >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg3: >2013-12-13T13:20:32Z DEBUG member >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg15: >2013-12-13T13:20:32Z DEBUG memberdenycmd >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg9: >2013-12-13T13:20:32Z DEBUG memberuser >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg8: >2013-12-13T13:20:32Z DEBUG secretary >2013-12-13T13:20:32Z DEBUG nsslapd-pluginarg14: >2013-12-13T13:20:32Z DEBUG memberallowcmd >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=ipa_pwd_extop,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z 
DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=ipa_pwd_extop,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG ipa_pwd_extop >2013-12-13T13:20:32Z DEBUG nsslapd-realmtree: >2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Support saving passwords in multiple formats for different consumers (krb5, samba, freeradius, etc.) >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG ipa_pwd_extop >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.0 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libipa_pwd_extop >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG RedHat >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG extendedop >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG ipapwd_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginbetxn to 'on', current value [u'on'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'on'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=ipa_pwd_extop,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginbetxn: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG ipa_pwd_extop >2013-12-13T13:20:32Z DEBUG nsslapd-realmtree: 
>2013-12-13T13:20:32Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG Support saving passwords in multiple formats for different consumers (krb5, samba, freeradius, etc.) >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG ipa_pwd_extop >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.0 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libipa_pwd_extop >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG RedHat >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG extendedop >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG ipapwd_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=IPA MODRDN,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=IPA MODRDN,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG IPA MODRDN >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG IPA MODRDN >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG IPA MODRDN plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: 
>2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libipa_modrdn >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.0 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG Red Hat, Inc. >2013-12-13T13:20:32Z DEBUG nsslapd-pluginprecedence: >2013-12-13T13:20:32Z DEBUG 60 >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG ipamodrdn_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginPrecedence to '60', current value [u'60'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'60'] >2013-12-13T13:20:32Z DEBUG only: set nsslapd-plugintype to 'betxnpostoperation', current value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=IPA MODRDN,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG IPA MODRDN >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG IPA MODRDN >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG IPA MODRDN plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libipa_modrdn >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.0 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database 
>2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG Red Hat, Inc. >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPrecedence: >2013-12-13T13:20:32Z DEBUG 60 >2013-12-13T13:20:32Z DEBUG nsslapd-plugintype: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG ipamodrdn_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=MemberOf Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=MemberOf Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG memberof >2013-12-13T13:20:32Z DEBUG memberofgroupattr: >2013-12-13T13:20:32Z DEBUG member >2013-12-13T13:20:32Z DEBUG memberUser >2013-12-13T13:20:32Z DEBUG memberHost >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG MemberOf Plugin >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG memberof plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libmemberof-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG memberofattr: >2013-12-13T13:20:32Z DEBUG memberOf >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG 
nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG memberof_postop_init >2013-12-13T13:20:32Z DEBUG only: set nsslapd-pluginType to 'betxnpostoperation', current value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'betxnpostoperation'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=MemberOf Plugin,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:32Z DEBUG memberof >2013-12-13T13:20:32Z DEBUG memberofgroupattr: >2013-12-13T13:20:32Z DEBUG member >2013-12-13T13:20:32Z DEBUG memberUser >2013-12-13T13:20:32Z DEBUG memberHost >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG MemberOf Plugin >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG nsSlapdPlugin >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:32Z DEBUG memberof plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:32Z DEBUG libmemberof-plugin >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:32Z DEBUG 1.3.2.7 >2013-12-13T13:20:32Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:32Z DEBUG database >2013-12-13T13:20:32Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:32Z DEBUG 389 Project >2013-12-13T13:20:32Z DEBUG memberofattr: >2013-12-13T13:20:32Z DEBUG memberOf >2013-12-13T13:20:32Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:32Z DEBUG betxnpostoperation >2013-12-13T13:20:32Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:32Z DEBUG memberof_postop_init >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config 
>2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:20:32Z DEBUG memberNisNetgroup=%deref_r("member","cn") >2013-12-13T13:20:32Z DEBUG objectclass=nisNetgroup >2013-12-13T13:20:32Z DEBUG nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) >2013-12-13T13:20:32Z DEBUG schema-compat-check-access: >2013-12-13T13:20:32Z DEBUG yes >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG ng >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG schema-compat-search-filter: >2013-12-13T13:20:32Z DEBUG (objectclass=ipaNisNetgroup) >2013-12-13T13:20:32Z DEBUG schema-compat-container-rdn: >2013-12-13T13:20:32Z DEBUG cn=ng >2013-12-13T13:20:32Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:20:32Z DEBUG cn=%{cn} >2013-12-13T13:20:32Z DEBUG schema-compat-search-base: >2013-12-13T13:20:32Z DEBUG cn=ng, cn=alt, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG schema-compat-container-group: >2013-12-13T13:20:32Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG --------------------------------------------- 
>2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:20:32Z DEBUG memberNisNetgroup=%deref_r("member","cn") >2013-12-13T13:20:32Z DEBUG objectclass=nisNetgroup >2013-12-13T13:20:32Z DEBUG nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) >2013-12-13T13:20:32Z DEBUG schema-compat-check-access: >2013-12-13T13:20:32Z DEBUG yes >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG ng >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG schema-compat-search-filter: >2013-12-13T13:20:32Z DEBUG (objectclass=ipaNisNetgroup) >2013-12-13T13:20:32Z DEBUG schema-compat-container-rdn: >2013-12-13T13:20:32Z DEBUG cn=ng >2013-12-13T13:20:32Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:20:32Z DEBUG cn=%{cn} >2013-12-13T13:20:32Z DEBUG schema-compat-search-base: >2013-12-13T13:20:32Z DEBUG cn=ng, cn=alt, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG schema-compat-container-group: >2013-12-13T13:20:32Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z 
INFO Updating existing entry: cn=config,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=config,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-directory: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/db >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG config >2013-12-13T13:20:32Z DEBUG nsslapd-db-transaction-batch-val: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-rangelookthroughlimit: >2013-12-13T13:20:32Z DEBUG 5000 >2013-12-13T13:20:32Z DEBUG nsslapd-dbcachesize: >2013-12-13T13:20:32Z DEBUG 10000000 >2013-12-13T13:20:32Z DEBUG nsslapd-exclude-from-export: >2013-12-13T13:20:32Z DEBUG entrydn entryid dncomp parentid numSubordinates tombstonenumsubordinates entryusn >2013-12-13T13:20:32Z DEBUG nsslapd-db-logbuf-size: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-import-cache-autosize: >2013-12-13T13:20:32Z DEBUG -1 >2013-12-13T13:20:32Z DEBUG nsslapd-lookthroughlimit: >2013-12-13T13:20:32Z DEBUG 5000 >2013-12-13T13:20:32Z DEBUG nsslapd-db-deadlock-policy: >2013-12-13T13:20:32Z DEBUG 9 >2013-12-13T13:20:32Z DEBUG nsslapd-db-transaction-batch-min-wait: >2013-12-13T13:20:32Z DEBUG 50 >2013-12-13T13:20:32Z DEBUG nsslapd-search-use-vlv-index: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pagedidlistscanlimit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-idlistscanlimit: >2013-12-13T13:20:32Z DEBUG 4000 >2013-12-13T13:20:32Z DEBUG nsslapd-serial-lock: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-search-bypass-filter-test: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pagedlookthroughlimit: 
>2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-subtree-rename-switch: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-backend-opt-level: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-db-compactdb-interval: >2013-12-13T13:20:32Z DEBUG 2592000 >2013-12-13T13:20:32Z DEBUG nsslapd-db-transaction-batch-max-wait: >2013-12-13T13:20:32Z DEBUG 50 >2013-12-13T13:20:32Z DEBUG nsslapd-idl-switch: >2013-12-13T13:20:32Z DEBUG new >2013-12-13T13:20:32Z DEBUG nsslapd-db-durable-transaction: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-db-logdirectory: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/db >2013-12-13T13:20:32Z DEBUG nsslapd-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-import-cachesize: >2013-12-13T13:20:32Z DEBUG 20000000 >2013-12-13T13:20:32Z DEBUG nsslapd-db-checkpoint-interval: >2013-12-13T13:20:32Z DEBUG 60 >2013-12-13T13:20:32Z DEBUG nsslapd-db-private-import-mem: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=config,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG nsslapd-directory: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/db >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG config >2013-12-13T13:20:32Z DEBUG nsslapd-db-transaction-batch-val: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG nsslapd-rangelookthroughlimit: >2013-12-13T13:20:32Z DEBUG 5000 >2013-12-13T13:20:32Z DEBUG nsslapd-dbcachesize: >2013-12-13T13:20:32Z DEBUG 10000000 >2013-12-13T13:20:32Z DEBUG nsslapd-exclude-from-export: >2013-12-13T13:20:32Z DEBUG entrydn entryid dncomp parentid 
numSubordinates tombstonenumsubordinates entryusn >2013-12-13T13:20:32Z DEBUG nsslapd-db-logbuf-size: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-import-cache-autosize: >2013-12-13T13:20:32Z DEBUG -1 >2013-12-13T13:20:32Z DEBUG nsslapd-lookthroughlimit: >2013-12-13T13:20:32Z DEBUG 5000 >2013-12-13T13:20:32Z DEBUG nsslapd-db-deadlock-policy: >2013-12-13T13:20:32Z DEBUG 9 >2013-12-13T13:20:32Z DEBUG nsslapd-db-transaction-batch-min-wait: >2013-12-13T13:20:32Z DEBUG 50 >2013-12-13T13:20:32Z DEBUG nsslapd-search-use-vlv-index: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pagedidlistscanlimit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-idlistscanlimit: >2013-12-13T13:20:32Z DEBUG 4000 >2013-12-13T13:20:32Z DEBUG nsslapd-serial-lock: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-search-bypass-filter-test: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-pagedlookthroughlimit: >2013-12-13T13:20:32Z DEBUG 0 >2013-12-13T13:20:32Z DEBUG nsslapd-subtree-rename-switch: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-backend-opt-level: >2013-12-13T13:20:32Z DEBUG 1 >2013-12-13T13:20:32Z DEBUG nsslapd-db-compactdb-interval: >2013-12-13T13:20:32Z DEBUG 2592000 >2013-12-13T13:20:32Z DEBUG nsslapd-db-transaction-batch-max-wait: >2013-12-13T13:20:32Z DEBUG 50 >2013-12-13T13:20:32Z DEBUG nsslapd-idl-switch: >2013-12-13T13:20:32Z DEBUG new >2013-12-13T13:20:32Z DEBUG nsslapd-db-durable-transaction: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG nsslapd-db-logdirectory: >2013-12-13T13:20:32Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/db >2013-12-13T13:20:32Z DEBUG nsslapd-mode: >2013-12-13T13:20:32Z DEBUG 600 >2013-12-13T13:20:32Z DEBUG nsslapd-import-cachesize: >2013-12-13T13:20:32Z DEBUG 20000000 >2013-12-13T13:20:32Z DEBUG nsslapd-db-checkpoint-interval: >2013-12-13T13:20:32Z DEBUG 60 >2013-12-13T13:20:32Z DEBUG 
nsslapd-db-private-import-mem: >2013-12-13T13:20:32Z DEBUG on >2013-12-13T13:20:32Z DEBUG [] >2013-12-13T13:20:32Z DEBUG Live 1, updated 0 >2013-12-13T13:20:32Z INFO Done >2013-12-13T13:20:32Z INFO Updating existing entry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Initial value >2013-12-13T13:20:32Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") >2013-12-13T13:20:32Z DEBUG sudoRunAsUser=%deref("ipaSudoRunAs","uid") >2013-12-13T13:20:32Z DEBUG objectclass=sudoRole >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") >2013-12-13T13:20:32Z DEBUG sudoRunAsUser=%{ipaSudoRunAsExtUser} >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG sudoOption=%{ipaSudoOpt} >2013-12-13T13:20:32Z DEBUG sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") >2013-12-13T13:20:32Z DEBUG 
sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") >2013-12-13T13:20:32Z DEBUG sudoCommand=!%deref("memberDenyCmd","sudoCmd") >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") >2013-12-13T13:20:32Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") >2013-12-13T13:20:32Z DEBUG sudoRunAsGroup=%{ipaSudoRunAsExtGroup} >2013-12-13T13:20:32Z DEBUG sudoRunAsGroup=%deref("ipaSudoRunAs","cn") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") >2013-12-13T13:20:32Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG sudoers >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:20:32Z DEBUG DISABLED >2013-12-13T13:20:32Z DEBUG FALSE >2013-12-13T13:20:32Z DEBUG cn=%{cn}) >2013-12-13T13:20:32Z DEBUG %ifeq("ipaEnabledFlag" >2013-12-13T13:20:32Z DEBUG schema-compat-search-base: >2013-12-13T13:20:32Z DEBUG cn=sudorules, cn=sudo, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG schema-compat-container-group: >2013-12-13T13:20:32Z DEBUG ou=SUDOers, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG schema-compat-search-filter: >2013-12-13T13:20:32Z DEBUG (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) >2013-12-13T13:20:32Z DEBUG 
only: set schema-compat-entry-rdn to '%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")', current value [u'DISABLED', u'FALSE', u'cn=%{cn})', u'%ifeq("ipaEnabledFlag"'] >2013-12-13T13:20:32Z DEBUG only: updated value [u'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'] >2013-12-13T13:20:32Z DEBUG --------------------------------------------- >2013-12-13T13:20:32Z DEBUG Final value after applying updates >2013-12-13T13:20:32Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:32Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") >2013-12-13T13:20:32Z DEBUG sudoRunAsUser=%deref("ipaSudoRunAs","uid") >2013-12-13T13:20:32Z DEBUG objectclass=sudoRole >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") >2013-12-13T13:20:32Z DEBUG sudoRunAsUser=%{ipaSudoRunAsExtUser} >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG sudoOption=%{ipaSudoOpt} >2013-12-13T13:20:32Z DEBUG sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") >2013-12-13T13:20:32Z DEBUG 
sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") >2013-12-13T13:20:32Z DEBUG sudoCommand=!%deref("memberDenyCmd","sudoCmd") >2013-12-13T13:20:32Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") >2013-12-13T13:20:32Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") >2013-12-13T13:20:32Z DEBUG sudoRunAsGroup=%{ipaSudoRunAsExtGroup} >2013-12-13T13:20:32Z DEBUG sudoRunAsGroup=%deref("ipaSudoRunAs","cn") >2013-12-13T13:20:32Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") >2013-12-13T13:20:32Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") >2013-12-13T13:20:32Z DEBUG cn: >2013-12-13T13:20:32Z DEBUG sudoers >2013-12-13T13:20:32Z DEBUG objectClass: >2013-12-13T13:20:32Z DEBUG top >2013-12-13T13:20:32Z DEBUG extensibleObject >2013-12-13T13:20:32Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:20:32Z DEBUG %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") >2013-12-13T13:20:32Z DEBUG schema-compat-search-base: >2013-12-13T13:20:32Z DEBUG cn=sudorules, cn=sudo, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG schema-compat-container-group: >2013-12-13T13:20:32Z DEBUG ou=SUDOers, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:32Z DEBUG schema-compat-search-filter: >2013-12-13T13:20:32Z DEBUG (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) >2013-12-13T13:20:32Z DEBUG [(0, u'schema-compat-entry-rdn', ['%ifeq("ipaEnabledFlag", "FALSE", 
"DISABLED", "cn=%{cn}")']), (1, u'schema-compat-entry-rdn', ['DISABLED', 'FALSE', 'cn=%{cn})', '%ifeq("ipaEnabledFlag"'])] >2013-12-13T13:20:32Z DEBUG Live 1, updated 1 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=Name Only,cn=mapping,cn=sasl,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Name Only,cn=mapping,cn=sasl,cn=config >2013-12-13T13:20:33Z DEBUG nsSaslMapPriority: >2013-12-13T13:20:33Z DEBUG 10 >2013-12-13T13:20:33Z DEBUG nsSaslMapRegexString: >2013-12-13T13:20:33Z DEBUG ^[^:@]+$ >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Name Only >2013-12-13T13:20:33Z DEBUG nsSaslMapBaseDNTemplate: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSaslMapping >2013-12-13T13:20:33Z DEBUG nsSaslMapFilterTemplate: >2013-12-13T13:20:33Z DEBUG (krbPrincipalName=&@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM) >2013-12-13T13:20:33Z DEBUG addifnew: '10' to nsSaslMapPriority, current value [u'10'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Name Only,cn=mapping,cn=sasl,cn=config >2013-12-13T13:20:33Z DEBUG nsSaslMapPriority: >2013-12-13T13:20:33Z DEBUG 10 >2013-12-13T13:20:33Z DEBUG nsSaslMapRegexString: >2013-12-13T13:20:33Z DEBUG ^[^:@]+$ >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Name Only >2013-12-13T13:20:33Z DEBUG nsSaslMapBaseDNTemplate: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSaslMapping >2013-12-13T13:20:33Z DEBUG nsSaslMapFilterTemplate: 
>2013-12-13T13:20:33Z DEBUG (krbPrincipalName=&@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM) >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=Full Principal,cn=mapping,cn=sasl,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config >2013-12-13T13:20:33Z DEBUG nsSaslMapPriority: >2013-12-13T13:20:33Z DEBUG 10 >2013-12-13T13:20:33Z DEBUG nsSaslMapRegexString: >2013-12-13T13:20:33Z DEBUG \(.*\)@\(.*\) >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Full Principal >2013-12-13T13:20:33Z DEBUG nsSaslMapBaseDNTemplate: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSaslMapping >2013-12-13T13:20:33Z DEBUG nsSaslMapFilterTemplate: >2013-12-13T13:20:33Z DEBUG (krbPrincipalName=\1@\2) >2013-12-13T13:20:33Z DEBUG addifnew: '10' to nsSaslMapPriority, current value [u'10'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config >2013-12-13T13:20:33Z DEBUG nsSaslMapPriority: >2013-12-13T13:20:33Z DEBUG 10 >2013-12-13T13:20:33Z DEBUG nsSaslMapRegexString: >2013-12-13T13:20:33Z DEBUG \(.*\)@\(.*\) >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Full Principal >2013-12-13T13:20:33Z DEBUG nsSaslMapBaseDNTemplate: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSaslMapping >2013-12-13T13:20:33Z DEBUG nsSaslMapFilterTemplate: >2013-12-13T13:20:33Z 
DEBUG (krbPrincipalName=\1@\2) >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG computers >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG schema-compat-container-group: >2013-12-13T13:20:33Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG schema-compat-search-filter: >2013-12-13T13:20:33Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:20:33Z DEBUG schema-compat-container-rdn: >2013-12-13T13:20:33Z DEBUG cn=computers >2013-12-13T13:20:33Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:20:33Z DEBUG cn=%first("%{fqdn}") >2013-12-13T13:20:33Z DEBUG schema-compat-search-base: >2013-12-13T13:20:33Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:20:33Z DEBUG objectclass=device >2013-12-13T13:20:33Z DEBUG cn=%{fqdn} >2013-12-13T13:20:33Z DEBUG macAddress=%{macAddress} >2013-12-13T13:20:33Z DEBUG objectclass=ieee802Device >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG computers >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG extensibleObject 
>2013-12-13T13:20:33Z DEBUG schema-compat-container-group: >2013-12-13T13:20:33Z DEBUG cn=compat, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG schema-compat-search-filter: >2013-12-13T13:20:33Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:20:33Z DEBUG schema-compat-container-rdn: >2013-12-13T13:20:33Z DEBUG cn=computers >2013-12-13T13:20:33Z DEBUG schema-compat-entry-rdn: >2013-12-13T13:20:33Z DEBUG cn=%first("%{fqdn}") >2013-12-13T13:20:33Z DEBUG schema-compat-search-base: >2013-12-13T13:20:33Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG schema-compat-entry-attribute: >2013-12-13T13:20:33Z DEBUG objectclass=device >2013-12-13T13:20:33Z DEBUG cn=%{fqdn} >2013-12-13T13:20:33Z DEBUG macAddress=%{macAddress} >2013-12-13T13:20:33Z DEBUG objectclass=ieee802Device >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG ipamodrdnsuffix: >2013-12-13T13:20:33Z DEBUG @DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Kerberos Principal Name >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG ipamodrdnsourceattr: >2013-12-13T13:20:33Z DEBUG uid >2013-12-13T13:20:33Z DEBUG ipamodrdntargetattr: >2013-12-13T13:20:33Z DEBUG krbPrincipalName >2013-12-13T13:20:33Z DEBUG ipamodrdnscope: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:20:33Z DEBUG ipamodrdnfilter: >2013-12-13T13:20:33Z DEBUG (&(objectclass=posixaccount)(objectclass=krbPrincipalAux)) >2013-12-13T13:20:33Z DEBUG remove: '60' from nsslapd-pluginPrecedence, current value [] >2013-12-13T13:20:33Z WARNING remove: '60' not in nsslapd-pluginPrecedence >2013-12-13T13:20:33Z DEBUG remove: updated value [] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG ipamodrdnsuffix: >2013-12-13T13:20:33Z DEBUG @DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Kerberos Principal Name >2013-12-13T13:20:33Z DEBUG nsslapd-pluginPrecedence: >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG ipamodrdnsourceattr: >2013-12-13T13:20:33Z DEBUG uid >2013-12-13T13:20:33Z DEBUG ipamodrdntargetattr: >2013-12-13T13:20:33Z DEBUG krbPrincipalName >2013-12-13T13:20:33Z DEBUG ipamodrdnscope: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG ipamodrdnfilter: >2013-12-13T13:20:33Z DEBUG (&(objectclass=posixaccount)(objectclass=krbPrincipalAux)) >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top 
>2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG selinux >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG selinux >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG usermap >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG usermap >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO New entry: cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: 
cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectclass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSizeLimit: >2013-12-13T13:20:33Z DEBUG 5000 >2013-12-13T13:20:33Z DEBUG nsLookThroughLimit: >2013-12-13T13:20:33Z DEBUG 5000 >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG anonymous-limits >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectclass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSizeLimit: >2013-12-13T13:20:33Z DEBUG 5000 >2013-12-13T13:20:33Z DEBUG nsLookThroughLimit: >2013-12-13T13:20:33Z DEBUG 5000 >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG anonymous-limits >2013-12-13T13:20:33Z INFO Updating existing entry: cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Managed Entries >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG 
top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Managed Entries >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Definitions >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Definitions >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Templates >2013-12-13T13:20:33Z DEBUG 
--------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Templates >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-aci.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-dna.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-host_nis_groups.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-indices.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-nss_ldap.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-replication.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-user_private_groups.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/20-winsync_index.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/21-ca_renewal_container.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/21-replicas_container.update' >2013-12-13T13:20:33Z INFO Parsing update file '/usr/share/ipa/updates/25-referint.update' >2013-12-13T13:20:33Z INFO Updating existing entry: cn=ipa-winsync,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=ipa-winsync,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG ipa-winsync >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top 
>2013-12-13T13:20:33Z DEBUG nsSlapdPlugin >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG ipawinsynchomedirattr: >2013-12-13T13:20:33Z DEBUG ipaHomesRootDir >2013-12-13T13:20:33Z DEBUG ipawinsyncnewuserocattr: >2013-12-13T13:20:33Z DEBUG ipauserobjectclasses >2013-12-13T13:20:33Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:33Z DEBUG libipa_winsync >2013-12-13T13:20:33Z DEBUG ipawinsyncuserflatten: >2013-12-13T13:20:33Z DEBUG true >2013-12-13T13:20:33Z DEBUG ipawinsyncnewentryfilter: >2013-12-13T13:20:33Z DEBUG (cn=ipaConfig) >2013-12-13T13:20:33Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:33Z DEBUG database >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:33Z DEBUG FreeIPA project >2013-12-13T13:20:33Z DEBUG nsslapd-pluginprecedence: >2013-12-13T13:20:33Z DEBUG 60 >2013-12-13T13:20:33Z DEBUG ipawinsyncdefaultgroupattr: >2013-12-13T13:20:33Z DEBUG ipaDefaultPrimaryGroup >2013-12-13T13:20:33Z DEBUG ipawinsyncrealmfilter: >2013-12-13T13:20:33Z DEBUG (objectclass=krbRealmContainer) >2013-12-13T13:20:33Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:33Z DEBUG preoperation >2013-12-13T13:20:33Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:33Z DEBUG ipa_winsync_plugin_init >2013-12-13T13:20:33Z DEBUG ipawinsyncforcesync: >2013-12-13T13:20:33Z DEBUG true >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:33Z DEBUG FreeIPA/1.0 >2013-12-13T13:20:33Z DEBUG ipawinsyncrealmattr: >2013-12-13T13:20:33Z DEBUG cn >2013-12-13T13:20:33Z DEBUG ipawinsyncloginshellattr: >2013-12-13T13:20:33Z DEBUG ipaDefaultLoginShell >2013-12-13T13:20:33Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:33Z DEBUG on >2013-12-13T13:20:33Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:33Z DEBUG ipa-winsync-plugin >2013-12-13T13:20:33Z DEBUG ipawinsyncuserattr: >2013-12-13T13:20:33Z DEBUG uidNumber -1 >2013-12-13T13:20:33Z DEBUG gidNumber -1 >2013-12-13T13:20:33Z DEBUG ipawinsyncdefaultgroupfilter: >2013-12-13T13:20:33Z DEBUG 
(gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) >2013-12-13T13:20:33Z DEBUG ipawinsyncacctdisable: >2013-12-13T13:20:33Z DEBUG both >2013-12-13T13:20:33Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:33Z DEBUG ipa winsync plugin >2013-12-13T13:20:33Z DEBUG remove: 'uidNumber 999' from ipaWinSyncUserAttr, current value [u'uidNumber -1', u'gidNumber -1'] >2013-12-13T13:20:33Z WARNING remove: 'uidNumber 999' not in ipaWinSyncUserAttr >2013-12-13T13:20:33Z DEBUG remove: updated value [u'uidNumber -1', u'gidNumber -1'] >2013-12-13T13:20:33Z DEBUG remove: 'gidNumber 999' from ipaWinSyncUserAttr, current value [u'uidNumber -1', u'gidNumber -1'] >2013-12-13T13:20:33Z WARNING remove: 'gidNumber 999' not in ipaWinSyncUserAttr >2013-12-13T13:20:33Z DEBUG remove: updated value [u'uidNumber -1', u'gidNumber -1'] >2013-12-13T13:20:33Z DEBUG add: 'uidNumber -1' to ipaWinSyncUserAttr, current value [u'uidNumber -1', u'gidNumber -1'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'gidNumber -1', u'uidNumber -1'] >2013-12-13T13:20:33Z DEBUG add: 'gidNumber -1' to ipaWinSyncUserAttr, current value [u'gidNumber -1', u'uidNumber -1'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'uidNumber -1', u'gidNumber -1'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=ipa-winsync,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG ipa-winsync >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSlapdPlugin >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG ipawinsynchomedirattr: >2013-12-13T13:20:33Z DEBUG ipaHomesRootDir >2013-12-13T13:20:33Z DEBUG ipawinsyncnewuserocattr: >2013-12-13T13:20:33Z DEBUG ipauserobjectclasses >2013-12-13T13:20:33Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:33Z DEBUG libipa_winsync >2013-12-13T13:20:33Z DEBUG 
ipawinsyncuserflatten: >2013-12-13T13:20:33Z DEBUG true >2013-12-13T13:20:33Z DEBUG ipawinsyncnewentryfilter: >2013-12-13T13:20:33Z DEBUG (cn=ipaConfig) >2013-12-13T13:20:33Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:33Z DEBUG database >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:33Z DEBUG FreeIPA project >2013-12-13T13:20:33Z DEBUG nsslapd-pluginprecedence: >2013-12-13T13:20:33Z DEBUG 60 >2013-12-13T13:20:33Z DEBUG ipawinsyncdefaultgroupattr: >2013-12-13T13:20:33Z DEBUG ipaDefaultPrimaryGroup >2013-12-13T13:20:33Z DEBUG ipawinsyncrealmfilter: >2013-12-13T13:20:33Z DEBUG (objectclass=krbRealmContainer) >2013-12-13T13:20:33Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:33Z DEBUG preoperation >2013-12-13T13:20:33Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:33Z DEBUG ipa_winsync_plugin_init >2013-12-13T13:20:33Z DEBUG ipawinsyncforcesync: >2013-12-13T13:20:33Z DEBUG true >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:33Z DEBUG FreeIPA/1.0 >2013-12-13T13:20:33Z DEBUG ipawinsyncrealmattr: >2013-12-13T13:20:33Z DEBUG cn >2013-12-13T13:20:33Z DEBUG ipawinsyncloginshellattr: >2013-12-13T13:20:33Z DEBUG ipaDefaultLoginShell >2013-12-13T13:20:33Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:33Z DEBUG on >2013-12-13T13:20:33Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:33Z DEBUG ipa-winsync-plugin >2013-12-13T13:20:33Z DEBUG ipaWinSyncUserAttr: >2013-12-13T13:20:33Z DEBUG uidNumber -1 >2013-12-13T13:20:33Z DEBUG gidNumber -1 >2013-12-13T13:20:33Z DEBUG ipawinsyncdefaultgroupfilter: >2013-12-13T13:20:33Z DEBUG (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) >2013-12-13T13:20:33Z DEBUG ipawinsyncacctdisable: >2013-12-13T13:20:33Z DEBUG both >2013-12-13T13:20:33Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:33Z DEBUG ipa winsync plugin >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: 
cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Distributed Numeric Assignment Plugin >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSlapdPlugin >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:33Z DEBUG off >2013-12-13T13:20:33Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:33Z DEBUG libdna-plugin >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:33Z DEBUG database >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:33Z DEBUG bepreoperation >2013-12-13T13:20:33Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:33Z DEBUG dna_init >2013-12-13T13:20:33Z DEBUG only: set nsslapd-pluginEnabled to 'on', current value [u'off'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'on'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Distributed Numeric Assignment Plugin >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG nsContainer 
>2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSlapdPlugin >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:33Z DEBUG on >2013-12-13T13:20:33Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:33Z DEBUG libdna-plugin >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:33Z DEBUG database >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:33Z DEBUG none >2013-12-13T13:20:33Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:33Z DEBUG bepreoperation >2013-12-13T13:20:33Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:33Z DEBUG dna_init >2013-12-13T13:20:33Z DEBUG [(2, u'nsslapd-pluginEnabled', ['on'])] >2013-12-13T13:20:33Z DEBUG Live 1, updated 1 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=referential integrity postoperation,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG referential integrity postoperation >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSlapdPlugin >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg16: >2013-12-13T13:20:33Z DEBUG ipasudorunas >2013-12-13T13:20:33Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:33Z DEBUG libreferint-plugin >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg10: >2013-12-13T13:20:33Z DEBUG memberhost >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg13: >2013-12-13T13:20:33Z DEBUG managedby >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg12: >2013-12-13T13:20:33Z DEBUG memberservice 
>2013-12-13T13:20:33Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:33Z DEBUG database >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:33Z DEBUG 389 Project >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg17: >2013-12-13T13:20:33Z DEBUG ipasudorunasgroup >2013-12-13T13:20:33Z DEBUG nsslapd-pluginprecedence: >2013-12-13T13:20:33Z DEBUG 40 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:33Z DEBUG betxnpostoperation >2013-12-13T13:20:33Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:33Z DEBUG referint_postop_init >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg11: >2013-12-13T13:20:33Z DEBUG sourcehost >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:33Z DEBUG 1.3.2.7 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:33Z DEBUG referint >2013-12-13T13:20:33Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:33Z DEBUG referential integrity plugin >2013-12-13T13:20:33Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:33Z DEBUG on >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg5: >2013-12-13T13:20:33Z DEBUG owner >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg4: >2013-12-13T13:20:33Z DEBUG uniquemember >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg7: >2013-12-13T13:20:33Z DEBUG manager >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg6: >2013-12-13T13:20:33Z DEBUG seeAlso >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:33Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/referint >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:33Z DEBUG 0 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg3: >2013-12-13T13:20:33Z DEBUG member >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:20:33Z DEBUG 0 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg15: >2013-12-13T13:20:33Z DEBUG memberdenycmd >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg9: >2013-12-13T13:20:33Z DEBUG memberuser >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg8: >2013-12-13T13:20:33Z DEBUG 
secretary >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg14: >2013-12-13T13:20:33Z DEBUG memberallowcmd >2013-12-13T13:20:33Z DEBUG add: 'memberuser' to nsslapd-pluginArg9, current value [u'memberuser'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'memberuser'] >2013-12-13T13:20:33Z DEBUG add: 'memberhost' to nsslapd-pluginArg10, current value [u'memberhost'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'memberhost'] >2013-12-13T13:20:33Z DEBUG add: 'sourcehost' to nsslapd-pluginArg11, current value [u'sourcehost'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'sourcehost'] >2013-12-13T13:20:33Z DEBUG add: 'memberservice' to nsslapd-pluginArg12, current value [u'memberservice'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'memberservice'] >2013-12-13T13:20:33Z DEBUG add: 'managedby' to nsslapd-pluginArg13, current value [u'managedby'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'managedby'] >2013-12-13T13:20:33Z DEBUG add: 'memberallowcmd' to nsslapd-pluginArg14, current value [u'memberallowcmd'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'memberallowcmd'] >2013-12-13T13:20:33Z DEBUG add: 'memberdenycmd' to nsslapd-pluginArg15, current value [u'memberdenycmd'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'memberdenycmd'] >2013-12-13T13:20:33Z DEBUG add: 'ipasudorunas' to nsslapd-pluginArg16, current value [u'ipasudorunas'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'ipasudorunas'] >2013-12-13T13:20:33Z DEBUG add: 'ipasudorunasgroup' to nsslapd-pluginArg17, current value [u'ipasudorunasgroup'] >2013-12-13T13:20:33Z DEBUG add: updated value [u'ipasudorunasgroup'] >2013-12-13T13:20:33Z DEBUG add: 'ipatokenradiusconfiglink' to nsslapd-pluginArg18, current value [] >2013-12-13T13:20:33Z DEBUG add: updated value [u'ipatokenradiusconfiglink'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=referential integrity 
postoperation,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG referential integrity postoperation >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsSlapdPlugin >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg16: >2013-12-13T13:20:33Z DEBUG ipasudorunas >2013-12-13T13:20:33Z DEBUG nsslapd-pluginPath: >2013-12-13T13:20:33Z DEBUG libreferint-plugin >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg17: >2013-12-13T13:20:33Z DEBUG ipasudorunasgroup >2013-12-13T13:20:33Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:20:33Z DEBUG database >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:20:33Z DEBUG 389 Project >2013-12-13T13:20:33Z DEBUG nsslapd-pluginprecedence: >2013-12-13T13:20:33Z DEBUG 40 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg18: >2013-12-13T13:20:33Z DEBUG ipatokenradiusconfiglink >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg9: >2013-12-13T13:20:33Z DEBUG memberuser >2013-12-13T13:20:33Z DEBUG nsslapd-pluginType: >2013-12-13T13:20:33Z DEBUG betxnpostoperation >2013-12-13T13:20:33Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:20:33Z DEBUG referint_postop_init >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg11: >2013-12-13T13:20:33Z DEBUG sourcehost >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg10: >2013-12-13T13:20:33Z DEBUG memberhost >2013-12-13T13:20:33Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:20:33Z DEBUG 1.3.2.7 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginId: >2013-12-13T13:20:33Z DEBUG referint >2013-12-13T13:20:33Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:20:33Z DEBUG referential integrity plugin >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg13: >2013-12-13T13:20:33Z DEBUG managedby >2013-12-13T13:20:33Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:20:33Z DEBUG on >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg5: >2013-12-13T13:20:33Z DEBUG owner >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg4: 
>2013-12-13T13:20:33Z DEBUG uniquemember >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg7: >2013-12-13T13:20:33Z DEBUG manager >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg6: >2013-12-13T13:20:33Z DEBUG seeAlso >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:20:33Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/referint >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:20:33Z DEBUG 0 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg3: >2013-12-13T13:20:33Z DEBUG member >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:20:33Z DEBUG 0 >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg15: >2013-12-13T13:20:33Z DEBUG memberdenycmd >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg12: >2013-12-13T13:20:33Z DEBUG memberservice >2013-12-13T13:20:33Z DEBUG nsslapd-pluginarg8: >2013-12-13T13:20:33Z DEBUG secretary >2013-12-13T13:20:33Z DEBUG nsslapd-pluginArg14: >2013-12-13T13:20:33Z DEBUG memberallowcmd >2013-12-13T13:20:33Z DEBUG [(0, u'nsslapd-pluginArg18', ['ipatokenradiusconfiglink'])] >2013-12-13T13:20:33Z DEBUG Live 1, updated 1 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG dnaScope: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG dnaThreshold: >2013-12-13T13:20:33Z DEBUG 500 >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Posix IDs >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG aci: >2013-12-13T13:20:33Z DEBUG (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 
3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:20:33Z DEBUG dnaNextValue: >2013-12-13T13:20:33Z DEBUG 346000000 >2013-12-13T13:20:33Z DEBUG dnaMagicRegen: >2013-12-13T13:20:33Z DEBUG -1 >2013-12-13T13:20:33Z DEBUG dnaFilter: >2013-12-13T13:20:33Z DEBUG (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) >2013-12-13T13:20:33Z DEBUG dnaType: >2013-12-13T13:20:33Z DEBUG gidNumber >2013-12-13T13:20:33Z DEBUG uidNumber >2013-12-13T13:20:33Z DEBUG dnaMaxValue: >2013-12-13T13:20:33Z DEBUG 346199999 >2013-12-13T13:20:33Z DEBUG dnaSharedCfgDN: >2013-12-13T13:20:33Z DEBUG cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG only: set dnaMagicRegen to '-1', current value [u'-1'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'-1'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG dnaScope: >2013-12-13T13:20:33Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG dnaThreshold: >2013-12-13T13:20:33Z DEBUG 500 >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG Posix IDs >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG extensibleObject >2013-12-13T13:20:33Z DEBUG aci: >2013-12-13T13:20:33Z DEBUG (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:20:33Z DEBUG dnaNextValue: 
>2013-12-13T13:20:33Z DEBUG 346000000 >2013-12-13T13:20:33Z DEBUG dnaMagicRegen: >2013-12-13T13:20:33Z DEBUG -1 >2013-12-13T13:20:33Z DEBUG dnaFilter: >2013-12-13T13:20:33Z DEBUG (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) >2013-12-13T13:20:33Z DEBUG dnaType: >2013-12-13T13:20:33Z DEBUG gidNumber >2013-12-13T13:20:33Z DEBUG uidNumber >2013-12-13T13:20:33Z DEBUG dnaMaxValue: >2013-12-13T13:20:33Z DEBUG 346199999 >2013-12-13T13:20:33Z DEBUG dnaSharedCfgDN: >2013-12-13T13:20:33Z DEBUG cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG automountkey >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG automountkey >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false 
>2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG sub >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG ipasudorunas >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG sub >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG ipasudorunas >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG [] 
>2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG fqdn >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG fqdn >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq 
>2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG macAddress >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG macAddress >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO Updating existing entry: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG sub >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG manager >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'sub', current 
value [u'eq', u'pres'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG objectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG sub >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG manager >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG [] >2013-12-13T13:20:33Z DEBUG Live 1, updated 0 >2013-12-13T13:20:33Z INFO Done >2013-12-13T13:20:33Z INFO New entry: cn=ipatokenradiusconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG --------------------------------------------- >2013-12-13T13:20:33Z DEBUG Initial value >2013-12-13T13:20:33Z DEBUG dn: cn=ipatokenradiusconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG ObjectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG ipatokenradiusconfiglink >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'eq', current value [] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:33Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:20:33Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:20:33Z DEBUG --------------------------------------------- 
>2013-12-13T13:20:33Z DEBUG Final value after applying updates >2013-12-13T13:20:33Z DEBUG dn: cn=ipatokenradiusconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:33Z DEBUG ObjectClass: >2013-12-13T13:20:33Z DEBUG top >2013-12-13T13:20:33Z DEBUG nsIndex >2013-12-13T13:20:33Z DEBUG nsIndexType: >2013-12-13T13:20:33Z DEBUG eq >2013-12-13T13:20:33Z DEBUG pres >2013-12-13T13:20:33Z DEBUG sub >2013-12-13T13:20:33Z DEBUG cn: >2013-12-13T13:20:33Z DEBUG ipatokenradiusconfiglink >2013-12-13T13:20:33Z DEBUG nsSystemIndex: >2013-12-13T13:20:33Z DEBUG false >2013-12-13T13:20:38Z INFO Creating task to index attribute: ipatokenradiusconfiglink >2013-12-13T13:20:38Z DEBUG Task id: cn=indextask_ipatokenradiusconfiglink_136062336384096570_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:20:41Z INFO Indexing finished >2013-12-13T13:20:41Z INFO Updating existing entry: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:41Z DEBUG --------------------------------------------- >2013-12-13T13:20:41Z DEBUG Initial value >2013-12-13T13:20:41Z DEBUG dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:41Z DEBUG objectClass: >2013-12-13T13:20:41Z DEBUG top >2013-12-13T13:20:41Z DEBUG nsIndex >2013-12-13T13:20:41Z DEBUG nsIndexType: >2013-12-13T13:20:41Z DEBUG eq,pres >2013-12-13T13:20:41Z DEBUG cn: >2013-12-13T13:20:41Z DEBUG ntUniqueId >2013-12-13T13:20:41Z DEBUG nsSystemIndex: >2013-12-13T13:20:41Z DEBUG false >2013-12-13T13:20:41Z DEBUG only: set nsIndexType to 'eq', current value [u'eq,pres'] >2013-12-13T13:20:41Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:41Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:41Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:41Z DEBUG --------------------------------------------- >2013-12-13T13:20:41Z DEBUG Final value after applying updates >2013-12-13T13:20:41Z DEBUG dn: 
cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:41Z DEBUG objectClass: >2013-12-13T13:20:41Z DEBUG top >2013-12-13T13:20:41Z DEBUG nsIndex >2013-12-13T13:20:41Z DEBUG nsIndexType: >2013-12-13T13:20:41Z DEBUG eq >2013-12-13T13:20:41Z DEBUG pres >2013-12-13T13:20:41Z DEBUG cn: >2013-12-13T13:20:41Z DEBUG ntUniqueId >2013-12-13T13:20:41Z DEBUG nsSystemIndex: >2013-12-13T13:20:41Z DEBUG false >2013-12-13T13:20:41Z DEBUG [(0, u'nsIndexType', ['eq', 'pres']), (1, u'nsIndexType', ['eq,pres'])] >2013-12-13T13:20:41Z DEBUG Live 1, updated 1 >2013-12-13T13:20:41Z INFO Done >2013-12-13T13:20:46Z INFO Creating task to index attribute: ntUniqueId >2013-12-13T13:20:46Z DEBUG Task id: cn=indextask_ntUniqueId_136062336464518240_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:20:48Z INFO Indexing finished >2013-12-13T13:20:48Z INFO Updating existing entry: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Initial value >2013-12-13T13:20:48Z DEBUG dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberHost >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:20:48Z 
DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Final value after applying updates >2013-12-13T13:20:48Z DEBUG dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberHost >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG [] >2013-12-13T13:20:48Z DEBUG Live 1, updated 0 >2013-12-13T13:20:48Z INFO Done >2013-12-13T13:20:48Z INFO Updating existing entry: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Initial value >2013-12-13T13:20:48Z DEBUG dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG ipasudorunasgroup >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value 
[u'eq', u'pres', u'sub'] >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Final value after applying updates >2013-12-13T13:20:48Z DEBUG dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG ipasudorunasgroup >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG [] >2013-12-13T13:20:48Z DEBUG Live 1, updated 0 >2013-12-13T13:20:48Z INFO Done >2013-12-13T13:20:48Z INFO Updating existing entry: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Initial value >2013-12-13T13:20:48Z DEBUG dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberservice >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres', u'sub'] 
>2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Final value after applying updates >2013-12-13T13:20:48Z DEBUG dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberservice >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG [] >2013-12-13T13:20:48Z DEBUG Live 1, updated 0 >2013-12-13T13:20:48Z INFO Done >2013-12-13T13:20:48Z INFO Updating existing entry: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Initial value >2013-12-13T13:20:48Z DEBUG dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG managedby >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:20:48Z DEBUG 
--------------------------------------------- >2013-12-13T13:20:48Z DEBUG Final value after applying updates >2013-12-13T13:20:48Z DEBUG dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG managedby >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG [] >2013-12-13T13:20:48Z DEBUG Live 1, updated 0 >2013-12-13T13:20:48Z INFO Done >2013-12-13T13:20:48Z INFO Updating existing entry: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Initial value >2013-12-13T13:20:48Z DEBUG dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberOf >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Final value after applying updates >2013-12-13T13:20:48Z DEBUG dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberOf >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG [] 
>2013-12-13T13:20:48Z DEBUG Live 1, updated 0 >2013-12-13T13:20:48Z INFO Done >2013-12-13T13:20:48Z INFO Updating existing entry: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Initial value >2013-12-13T13:20:48Z DEBUG dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberdenycmd >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Final value after applying updates >2013-12-13T13:20:48Z DEBUG dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG pres >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG memberdenycmd >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG [] >2013-12-13T13:20:48Z DEBUG Live 
1, updated 0 >2013-12-13T13:20:48Z INFO Done >2013-12-13T13:20:48Z INFO Updating existing entry: cn=seeAlso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Initial value >2013-12-13T13:20:48Z DEBUG dn: cn=seeAlso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG seeAlso >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'eq', current value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: set nsIndexType to 'sub', current value [u'eq'] >2013-12-13T13:20:48Z DEBUG only: updated value [u'eq', u'sub'] >2013-12-13T13:20:48Z DEBUG --------------------------------------------- >2013-12-13T13:20:48Z DEBUG Final value after applying updates >2013-12-13T13:20:48Z DEBUG dn: cn=seeAlso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:48Z DEBUG objectClass: >2013-12-13T13:20:48Z DEBUG top >2013-12-13T13:20:48Z DEBUG nsIndex >2013-12-13T13:20:48Z DEBUG nsIndexType: >2013-12-13T13:20:48Z DEBUG eq >2013-12-13T13:20:48Z DEBUG sub >2013-12-13T13:20:48Z DEBUG cn: >2013-12-13T13:20:48Z DEBUG seeAlso >2013-12-13T13:20:48Z DEBUG nsSystemIndex: >2013-12-13T13:20:48Z DEBUG false >2013-12-13T13:20:48Z DEBUG [(0, u'nsIndexType', ['sub'])] >2013-12-13T13:20:48Z DEBUG Live 1, updated 1 >2013-12-13T13:20:48Z INFO Done >2013-12-13T13:20:53Z INFO Creating task to index attribute: seeAlso >2013-12-13T13:20:53Z DEBUG Task id: cn=indextask_seeAlso_136062336535205700_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:20:56Z INFO Indexing finished >2013-12-13T13:20:56Z INFO Updating existing 
entry: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG --------------------------------------------- >2013-12-13T13:20:56Z DEBUG Initial value >2013-12-13T13:20:56Z DEBUG dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG objectClass: >2013-12-13T13:20:56Z DEBUG top >2013-12-13T13:20:56Z DEBUG nsIndex >2013-12-13T13:20:56Z DEBUG nsIndexType: >2013-12-13T13:20:56Z DEBUG eq >2013-12-13T13:20:56Z DEBUG cn: >2013-12-13T13:20:56Z DEBUG ipauniqueid >2013-12-13T13:20:56Z DEBUG nsSystemIndex: >2013-12-13T13:20:56Z DEBUG false >2013-12-13T13:20:56Z DEBUG --------------------------------------------- >2013-12-13T13:20:56Z DEBUG Final value after applying updates >2013-12-13T13:20:56Z DEBUG dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG objectClass: >2013-12-13T13:20:56Z DEBUG top >2013-12-13T13:20:56Z DEBUG nsIndex >2013-12-13T13:20:56Z DEBUG nsIndexType: >2013-12-13T13:20:56Z DEBUG eq >2013-12-13T13:20:56Z DEBUG cn: >2013-12-13T13:20:56Z DEBUG ipauniqueid >2013-12-13T13:20:56Z DEBUG nsSystemIndex: >2013-12-13T13:20:56Z DEBUG false >2013-12-13T13:20:56Z DEBUG [] >2013-12-13T13:20:56Z DEBUG Live 1, updated 0 >2013-12-13T13:20:56Z INFO Done >2013-12-13T13:20:56Z INFO Updating existing entry: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG --------------------------------------------- >2013-12-13T13:20:56Z DEBUG Initial value >2013-12-13T13:20:56Z DEBUG dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG objectClass: >2013-12-13T13:20:56Z DEBUG top >2013-12-13T13:20:56Z DEBUG nsIndex >2013-12-13T13:20:56Z DEBUG nsIndexType: >2013-12-13T13:20:56Z DEBUG eq >2013-12-13T13:20:56Z DEBUG cn: >2013-12-13T13:20:56Z DEBUG ipakrbprincipalalias >2013-12-13T13:20:56Z DEBUG nsSystemIndex: 
>2013-12-13T13:20:56Z DEBUG false >2013-12-13T13:20:56Z DEBUG --------------------------------------------- >2013-12-13T13:20:56Z DEBUG Final value after applying updates >2013-12-13T13:20:56Z DEBUG dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG objectClass: >2013-12-13T13:20:56Z DEBUG top >2013-12-13T13:20:56Z DEBUG nsIndex >2013-12-13T13:20:56Z DEBUG nsIndexType: >2013-12-13T13:20:56Z DEBUG eq >2013-12-13T13:20:56Z DEBUG cn: >2013-12-13T13:20:56Z DEBUG ipakrbprincipalalias >2013-12-13T13:20:56Z DEBUG nsSystemIndex: >2013-12-13T13:20:56Z DEBUG false >2013-12-13T13:20:56Z DEBUG [] >2013-12-13T13:20:56Z DEBUG Live 1, updated 0 >2013-12-13T13:20:56Z INFO Done >2013-12-13T13:20:56Z INFO Updating existing entry: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG --------------------------------------------- >2013-12-13T13:20:56Z DEBUG Initial value >2013-12-13T13:20:56Z DEBUG dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG objectClass: >2013-12-13T13:20:56Z DEBUG top >2013-12-13T13:20:56Z DEBUG nsIndex >2013-12-13T13:20:56Z DEBUG nsIndexType: >2013-12-13T13:20:56Z DEBUG eq,pres >2013-12-13T13:20:56Z DEBUG cn: >2013-12-13T13:20:56Z DEBUG ntUserDomainId >2013-12-13T13:20:56Z DEBUG nsSystemIndex: >2013-12-13T13:20:56Z DEBUG false >2013-12-13T13:20:56Z DEBUG only: set nsIndexType to 'eq', current value [u'eq,pres'] >2013-12-13T13:20:56Z DEBUG only: updated value [u'eq'] >2013-12-13T13:20:56Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:20:56Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:20:56Z DEBUG --------------------------------------------- >2013-12-13T13:20:56Z DEBUG Final value after applying updates >2013-12-13T13:20:56Z DEBUG dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:20:56Z DEBUG 
objectClass: >2013-12-13T13:20:56Z DEBUG top >2013-12-13T13:20:56Z DEBUG nsIndex >2013-12-13T13:20:56Z DEBUG nsIndexType: >2013-12-13T13:20:56Z DEBUG eq >2013-12-13T13:20:56Z DEBUG pres >2013-12-13T13:20:56Z DEBUG cn: >2013-12-13T13:20:56Z DEBUG ntUserDomainId >2013-12-13T13:20:56Z DEBUG nsSystemIndex: >2013-12-13T13:20:56Z DEBUG false >2013-12-13T13:20:56Z DEBUG [(0, u'nsIndexType', ['eq', 'pres']), (1, u'nsIndexType', ['eq,pres'])] >2013-12-13T13:20:56Z DEBUG Live 1, updated 1 >2013-12-13T13:20:56Z INFO Done >2013-12-13T13:21:01Z INFO Creating task to index attribute: ntUserDomainId >2013-12-13T13:21:01Z DEBUG Task id: cn=indextask_ntUserDomainId_136062336615735180_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:21:03Z INFO Indexing finished >2013-12-13T13:21:03Z INFO Updating existing entry: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:03Z DEBUG --------------------------------------------- >2013-12-13T13:21:03Z DEBUG Initial value >2013-12-13T13:21:03Z DEBUG dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:03Z DEBUG objectClass: >2013-12-13T13:21:03Z DEBUG top >2013-12-13T13:21:03Z DEBUG nsIndex >2013-12-13T13:21:03Z DEBUG nsIndexType: >2013-12-13T13:21:03Z DEBUG eq >2013-12-13T13:21:03Z DEBUG sub >2013-12-13T13:21:03Z DEBUG pres >2013-12-13T13:21:03Z DEBUG cn: >2013-12-13T13:21:03Z DEBUG memberUser >2013-12-13T13:21:03Z DEBUG nsSystemIndex: >2013-12-13T13:21:03Z DEBUG false >2013-12-13T13:21:03Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:21:03Z DEBUG only: updated value [u'eq'] >2013-12-13T13:21:03Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:21:03Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:21:03Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:21:03Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:21:03Z DEBUG 
--------------------------------------------- >2013-12-13T13:21:03Z DEBUG Final value after applying updates >2013-12-13T13:21:03Z DEBUG dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:03Z DEBUG objectClass: >2013-12-13T13:21:03Z DEBUG top >2013-12-13T13:21:03Z DEBUG nsIndex >2013-12-13T13:21:03Z DEBUG nsIndexType: >2013-12-13T13:21:03Z DEBUG eq >2013-12-13T13:21:03Z DEBUG pres >2013-12-13T13:21:03Z DEBUG sub >2013-12-13T13:21:03Z DEBUG cn: >2013-12-13T13:21:03Z DEBUG memberUser >2013-12-13T13:21:03Z DEBUG nsSystemIndex: >2013-12-13T13:21:03Z DEBUG false >2013-12-13T13:21:03Z DEBUG [] >2013-12-13T13:21:03Z DEBUG Live 1, updated 0 >2013-12-13T13:21:03Z INFO Done >2013-12-13T13:21:03Z INFO New entry: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:03Z DEBUG --------------------------------------------- >2013-12-13T13:21:03Z DEBUG Initial value >2013-12-13T13:21:03Z DEBUG dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:03Z DEBUG ObjectClass: >2013-12-13T13:21:03Z DEBUG top >2013-12-13T13:21:03Z DEBUG nsIndex >2013-12-13T13:21:03Z DEBUG nsIndexType: >2013-12-13T13:21:03Z DEBUG eq,pres >2013-12-13T13:21:03Z DEBUG cn: >2013-12-13T13:21:03Z DEBUG memberuid >2013-12-13T13:21:03Z DEBUG nsSystemIndex: >2013-12-13T13:21:03Z DEBUG false >2013-12-13T13:21:03Z DEBUG --------------------------------------------- >2013-12-13T13:21:03Z DEBUG Final value after applying updates >2013-12-13T13:21:03Z DEBUG dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:03Z DEBUG ObjectClass: >2013-12-13T13:21:03Z DEBUG top >2013-12-13T13:21:03Z DEBUG nsIndex >2013-12-13T13:21:03Z DEBUG nsIndexType: >2013-12-13T13:21:03Z DEBUG eq,pres >2013-12-13T13:21:03Z DEBUG cn: >2013-12-13T13:21:03Z DEBUG memberuid >2013-12-13T13:21:03Z DEBUG nsSystemIndex: >2013-12-13T13:21:03Z DEBUG false >2013-12-13T13:21:08Z INFO Creating task to 
index attribute: memberuid >2013-12-13T13:21:08Z DEBUG Task id: cn=indextask_memberuid_136062336686178290_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:21:10Z INFO Indexing finished >2013-12-13T13:21:10Z INFO Updating existing entry: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:10Z DEBUG --------------------------------------------- >2013-12-13T13:21:10Z DEBUG Initial value >2013-12-13T13:21:10Z DEBUG dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:10Z DEBUG objectClass: >2013-12-13T13:21:10Z DEBUG top >2013-12-13T13:21:10Z DEBUG nsIndex >2013-12-13T13:21:10Z DEBUG nsIndexType: >2013-12-13T13:21:10Z DEBUG eq >2013-12-13T13:21:10Z DEBUG sub >2013-12-13T13:21:10Z DEBUG pres >2013-12-13T13:21:10Z DEBUG cn: >2013-12-13T13:21:10Z DEBUG secretary >2013-12-13T13:21:10Z DEBUG nsSystemIndex: >2013-12-13T13:21:10Z DEBUG false >2013-12-13T13:21:10Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:21:10Z DEBUG only: updated value [u'eq'] >2013-12-13T13:21:10Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:21:10Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:21:10Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:21:10Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:21:10Z DEBUG --------------------------------------------- >2013-12-13T13:21:10Z DEBUG Final value after applying updates >2013-12-13T13:21:10Z DEBUG dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:10Z DEBUG objectClass: >2013-12-13T13:21:10Z DEBUG top >2013-12-13T13:21:10Z DEBUG nsIndex >2013-12-13T13:21:10Z DEBUG nsIndexType: >2013-12-13T13:21:10Z DEBUG eq >2013-12-13T13:21:10Z DEBUG pres >2013-12-13T13:21:10Z DEBUG sub >2013-12-13T13:21:10Z DEBUG cn: >2013-12-13T13:21:10Z DEBUG secretary >2013-12-13T13:21:10Z DEBUG nsSystemIndex: 
>2013-12-13T13:21:10Z DEBUG false >2013-12-13T13:21:10Z DEBUG [] >2013-12-13T13:21:10Z DEBUG Live 1, updated 0 >2013-12-13T13:21:10Z INFO Done >2013-12-13T13:21:10Z INFO Updating existing entry: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:10Z DEBUG --------------------------------------------- >2013-12-13T13:21:10Z DEBUG Initial value >2013-12-13T13:21:10Z DEBUG dn: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:10Z DEBUG objectClass: >2013-12-13T13:21:10Z DEBUG top >2013-12-13T13:21:10Z DEBUG nsIndex >2013-12-13T13:21:10Z DEBUG nsIndexType: >2013-12-13T13:21:10Z DEBUG eq >2013-12-13T13:21:10Z DEBUG cn: >2013-12-13T13:21:10Z DEBUG uniquemember >2013-12-13T13:21:10Z DEBUG nsSystemIndex: >2013-12-13T13:21:10Z DEBUG false >2013-12-13T13:21:10Z DEBUG only: set nsIndexType to 'eq', current value [u'eq'] >2013-12-13T13:21:10Z DEBUG only: updated value [u'eq'] >2013-12-13T13:21:10Z DEBUG only: set nsIndexType to 'sub', current value [u'eq'] >2013-12-13T13:21:10Z DEBUG only: updated value [u'eq', u'sub'] >2013-12-13T13:21:10Z DEBUG --------------------------------------------- >2013-12-13T13:21:10Z DEBUG Final value after applying updates >2013-12-13T13:21:10Z DEBUG dn: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:10Z DEBUG objectClass: >2013-12-13T13:21:10Z DEBUG top >2013-12-13T13:21:10Z DEBUG nsIndex >2013-12-13T13:21:10Z DEBUG nsIndexType: >2013-12-13T13:21:10Z DEBUG eq >2013-12-13T13:21:10Z DEBUG sub >2013-12-13T13:21:10Z DEBUG cn: >2013-12-13T13:21:10Z DEBUG uniquemember >2013-12-13T13:21:10Z DEBUG nsSystemIndex: >2013-12-13T13:21:10Z DEBUG false >2013-12-13T13:21:10Z DEBUG [(0, u'nsIndexType', ['sub'])] >2013-12-13T13:21:10Z DEBUG Live 1, updated 1 >2013-12-13T13:21:10Z INFO Done >2013-12-13T13:21:15Z INFO Creating task to index attribute: uniquemember >2013-12-13T13:21:15Z DEBUG Task id: 
cn=indextask_uniquemember_136062336756619340_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:21:16Z INFO Indexing finished >2013-12-13T13:21:16Z INFO Updating existing entry: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:16Z DEBUG --------------------------------------------- >2013-12-13T13:21:16Z DEBUG Initial value >2013-12-13T13:21:16Z DEBUG dn: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:16Z DEBUG objectClass: >2013-12-13T13:21:16Z DEBUG top >2013-12-13T13:21:16Z DEBUG nsIndex >2013-12-13T13:21:16Z DEBUG nsIndexType: >2013-12-13T13:21:16Z DEBUG eq >2013-12-13T13:21:16Z DEBUG cn: >2013-12-13T13:21:16Z DEBUG owner >2013-12-13T13:21:16Z DEBUG nsSystemIndex: >2013-12-13T13:21:16Z DEBUG false >2013-12-13T13:21:16Z DEBUG only: set nsIndexType to 'eq', current value [u'eq'] >2013-12-13T13:21:16Z DEBUG only: updated value [u'eq'] >2013-12-13T13:21:16Z DEBUG only: set nsIndexType to 'sub', current value [u'eq'] >2013-12-13T13:21:16Z DEBUG only: updated value [u'eq', u'sub'] >2013-12-13T13:21:16Z DEBUG --------------------------------------------- >2013-12-13T13:21:16Z DEBUG Final value after applying updates >2013-12-13T13:21:16Z DEBUG dn: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:16Z DEBUG objectClass: >2013-12-13T13:21:16Z DEBUG top >2013-12-13T13:21:16Z DEBUG nsIndex >2013-12-13T13:21:16Z DEBUG nsIndexType: >2013-12-13T13:21:16Z DEBUG eq >2013-12-13T13:21:16Z DEBUG sub >2013-12-13T13:21:16Z DEBUG cn: >2013-12-13T13:21:16Z DEBUG owner >2013-12-13T13:21:16Z DEBUG nsSystemIndex: >2013-12-13T13:21:16Z DEBUG false >2013-12-13T13:21:16Z DEBUG [(0, u'nsIndexType', ['sub'])] >2013-12-13T13:21:16Z DEBUG Live 1, updated 1 >2013-12-13T13:21:16Z INFO Done >2013-12-13T13:21:21Z INFO Creating task to index attribute: owner >2013-12-13T13:21:21Z DEBUG Task id: cn=indextask_owner_136062336817023440_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:21:23Z INFO 
Indexing finished >2013-12-13T13:21:23Z INFO Updating existing entry: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:23Z DEBUG --------------------------------------------- >2013-12-13T13:21:23Z DEBUG Initial value >2013-12-13T13:21:23Z DEBUG dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:23Z DEBUG objectClass: >2013-12-13T13:21:23Z DEBUG top >2013-12-13T13:21:23Z DEBUG nsIndex >2013-12-13T13:21:23Z DEBUG nsIndexType: >2013-12-13T13:21:23Z DEBUG eq >2013-12-13T13:21:23Z DEBUG sub >2013-12-13T13:21:23Z DEBUG pres >2013-12-13T13:21:23Z DEBUG cn: >2013-12-13T13:21:23Z DEBUG sourcehost >2013-12-13T13:21:23Z DEBUG nsSystemIndex: >2013-12-13T13:21:23Z DEBUG false >2013-12-13T13:21:23Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:21:23Z DEBUG only: updated value [u'eq'] >2013-12-13T13:21:23Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:21:23Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:21:23Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:21:23Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:21:23Z DEBUG --------------------------------------------- >2013-12-13T13:21:23Z DEBUG Final value after applying updates >2013-12-13T13:21:23Z DEBUG dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:23Z DEBUG objectClass: >2013-12-13T13:21:23Z DEBUG top >2013-12-13T13:21:23Z DEBUG nsIndex >2013-12-13T13:21:23Z DEBUG nsIndexType: >2013-12-13T13:21:23Z DEBUG eq >2013-12-13T13:21:23Z DEBUG pres >2013-12-13T13:21:23Z DEBUG sub >2013-12-13T13:21:23Z DEBUG cn: >2013-12-13T13:21:23Z DEBUG sourcehost >2013-12-13T13:21:23Z DEBUG nsSystemIndex: >2013-12-13T13:21:23Z DEBUG false >2013-12-13T13:21:23Z DEBUG [] >2013-12-13T13:21:23Z DEBUG Live 1, updated 0 >2013-12-13T13:21:23Z INFO Done >2013-12-13T13:21:23Z INFO 
Updating existing entry: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:23Z DEBUG --------------------------------------------- >2013-12-13T13:21:23Z DEBUG Initial value >2013-12-13T13:21:23Z DEBUG dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:23Z DEBUG objectClass: >2013-12-13T13:21:23Z DEBUG top >2013-12-13T13:21:23Z DEBUG nsIndex >2013-12-13T13:21:23Z DEBUG nsIndexType: >2013-12-13T13:21:23Z DEBUG eq >2013-12-13T13:21:23Z DEBUG cn: >2013-12-13T13:21:23Z DEBUG member >2013-12-13T13:21:23Z DEBUG nsSystemIndex: >2013-12-13T13:21:23Z DEBUG false >2013-12-13T13:21:23Z DEBUG only: set nsIndexType to 'eq', current value [u'eq'] >2013-12-13T13:21:23Z DEBUG only: updated value [u'eq'] >2013-12-13T13:21:23Z DEBUG only: set nsIndexType to 'sub', current value [u'eq'] >2013-12-13T13:21:23Z DEBUG only: updated value [u'eq', u'sub'] >2013-12-13T13:21:23Z DEBUG --------------------------------------------- >2013-12-13T13:21:23Z DEBUG Final value after applying updates >2013-12-13T13:21:23Z DEBUG dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:23Z DEBUG objectClass: >2013-12-13T13:21:23Z DEBUG top >2013-12-13T13:21:23Z DEBUG nsIndex >2013-12-13T13:21:23Z DEBUG nsIndexType: >2013-12-13T13:21:23Z DEBUG eq >2013-12-13T13:21:23Z DEBUG sub >2013-12-13T13:21:23Z DEBUG cn: >2013-12-13T13:21:23Z DEBUG member >2013-12-13T13:21:23Z DEBUG nsSystemIndex: >2013-12-13T13:21:23Z DEBUG false >2013-12-13T13:21:23Z DEBUG [(0, u'nsIndexType', ['sub'])] >2013-12-13T13:21:23Z DEBUG Live 1, updated 1 >2013-12-13T13:21:23Z INFO Done >2013-12-13T13:21:28Z INFO Creating task to index attribute: member >2013-12-13T13:21:28Z DEBUG Task id: cn=indextask_member_136062336887443680_6525,cn=index,cn=tasks,cn=config >2013-12-13T13:21:32Z INFO Indexing finished >2013-12-13T13:21:32Z INFO Updating existing entry: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm 
database,cn=plugins,cn=config >2013-12-13T13:21:32Z DEBUG --------------------------------------------- >2013-12-13T13:21:32Z DEBUG Initial value >2013-12-13T13:21:32Z DEBUG dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:32Z DEBUG objectClass: >2013-12-13T13:21:32Z DEBUG top >2013-12-13T13:21:32Z DEBUG nsIndex >2013-12-13T13:21:32Z DEBUG nsIndexType: >2013-12-13T13:21:32Z DEBUG eq >2013-12-13T13:21:32Z DEBUG sub >2013-12-13T13:21:32Z DEBUG pres >2013-12-13T13:21:32Z DEBUG cn: >2013-12-13T13:21:32Z DEBUG memberallowcmd >2013-12-13T13:21:32Z DEBUG nsSystemIndex: >2013-12-13T13:21:32Z DEBUG false >2013-12-13T13:21:32Z DEBUG only: set nsIndexType to 'eq', current value [u'eq', u'sub', u'pres'] >2013-12-13T13:21:32Z DEBUG only: updated value [u'eq'] >2013-12-13T13:21:32Z DEBUG only: set nsIndexType to 'pres', current value [u'eq'] >2013-12-13T13:21:32Z DEBUG only: updated value [u'eq', u'pres'] >2013-12-13T13:21:32Z DEBUG only: set nsIndexType to 'sub', current value [u'eq', u'pres'] >2013-12-13T13:21:32Z DEBUG only: updated value [u'eq', u'pres', u'sub'] >2013-12-13T13:21:32Z DEBUG --------------------------------------------- >2013-12-13T13:21:32Z DEBUG Final value after applying updates >2013-12-13T13:21:32Z DEBUG dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:32Z DEBUG objectClass: >2013-12-13T13:21:32Z DEBUG top >2013-12-13T13:21:32Z DEBUG nsIndex >2013-12-13T13:21:32Z DEBUG nsIndexType: >2013-12-13T13:21:32Z DEBUG eq >2013-12-13T13:21:32Z DEBUG pres >2013-12-13T13:21:32Z DEBUG sub >2013-12-13T13:21:32Z DEBUG cn: >2013-12-13T13:21:32Z DEBUG memberallowcmd >2013-12-13T13:21:32Z DEBUG nsSystemIndex: >2013-12-13T13:21:32Z DEBUG false >2013-12-13T13:21:32Z DEBUG [] >2013-12-13T13:21:32Z DEBUG Live 1, updated 0 >2013-12-13T13:21:32Z INFO Done >2013-12-13T13:21:32Z INFO Updating existing entry: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:21:32Z DEBUG --------------------------------------------- >2013-12-13T13:21:32Z DEBUG Initial value >2013-12-13T13:21:32Z DEBUG dn: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:32Z DEBUG objectClass: >2013-12-13T13:21:32Z DEBUG top >2013-12-13T13:21:32Z DEBUG pilotObject >2013-12-13T13:21:32Z DEBUG domain >2013-12-13T13:21:32Z DEBUG info: >2013-12-13T13:21:32Z DEBUG IPA V2.0 >2013-12-13T13:21:32Z DEBUG aci: >2013-12-13T13:21:32Z DEBUG (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) 
>2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:32Z DEBUG (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z 
DEBUG (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:32Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny 
(read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:32Z DEBUG (targetattr = "*")(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:32Z DEBUG (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = 
"(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG dc: >2013-12-13T13:21:32Z DEBUG dom227 >2013-12-13T13:21:32Z DEBUG add: '(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || 
krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount 
maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:32Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) 
groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup 
membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)'] >2013-12-13T13:21:32Z DEBUG add: 'domain' to objectClass, current value [u'top', u'pilotObject', u'domain'] >2013-12-13T13:21:32Z DEBUG add: updated value [u'top', u'pilotObject', u'domain'] >2013-12-13T13:21:32Z DEBUG add: 'domainRelatedObject' to objectClass, current value [u'top', u'pilotObject', u'domain'] >2013-12-13T13:21:32Z DEBUG add: updated value [u'top', u'pilotObject', u'domain', u'domainRelatedObject'] >2013-12-13T13:21:32Z DEBUG add: 'nisDomainObject' to objectClass, current value [u'top', u'pilotObject', u'domain', u'domainRelatedObject'] >2013-12-13T13:21:32Z DEBUG add: updated value [u'top', u'pilotObject', u'domain', u'domainRelatedObject', u'nisDomainObject'] >2013-12-13T13:21:32Z DEBUG add: 'dom227.jenkinsad.idm.lab.eng.brq.redhat.com' to associatedDomain, current value [] >2013-12-13T13:21:32Z DEBUG add: updated value [u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com'] >2013-12-13T13:21:32Z DEBUG add: 'dom227.jenkinsad.idm.lab.eng.brq.redhat.com' to nisDomain, current value [] >2013-12-13T13:21:32Z DEBUG add: updated value [u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com'] >2013-12-13T13:21:32Z DEBUG --------------------------------------------- >2013-12-13T13:21:32Z DEBUG Final value after applying updates >2013-12-13T13:21:32Z DEBUG dn: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:32Z DEBUG info: >2013-12-13T13:21:32Z DEBUG IPA V2.0 >2013-12-13T13:21:32Z DEBUG objectClass: >2013-12-13T13:21:32Z DEBUG top >2013-12-13T13:21:32Z DEBUG pilotObject 
>2013-12-13T13:21:32Z DEBUG domain >2013-12-13T13:21:32Z DEBUG domainRelatedObject >2013-12-13T13:21:32Z DEBUG nisDomainObject >2013-12-13T13:21:32Z DEBUG aci: >2013-12-13T13:21:32Z DEBUG (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) >2013-12-13T13:21:32Z DEBUG (targetfilter = 
"(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke 
Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:32Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) 
>2013-12-13T13:21:32Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:32Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:32Z DEBUG (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove 
Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, 
compare) userdn = "ldap:///anyone";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can 
add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:32Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:32Z DEBUG (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:32Z DEBUG dc: >2013-12-13T13:21:32Z DEBUG dom227 >2013-12-13T13:21:32Z DEBUG nisDomain: >2013-12-13T13:21:32Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:32Z DEBUG associatedDomain: >2013-12-13T13:21:32Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:32Z DEBUG [(0, u'objectClass', ['domainRelatedObject', 'nisDomainObject']), (0, u'nisDomain', ['dom227.jenkinsad.idm.lab.eng.brq.redhat.com']), (0, u'associatedDomain', ['dom227.jenkinsad.idm.lab.eng.brq.redhat.com'])] >2013-12-13T13:21:32Z DEBUG Live 1, updated 1 >2013-12-13T13:21:32Z INFO Done >2013-12-13T13:21:32Z INFO New entry: ou=profile,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:32Z DEBUG --------------------------------------------- >2013-12-13T13:21:32Z DEBUG Initial value >2013-12-13T13:21:32Z DEBUG dn: 
ou=profile,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:32Z DEBUG add: 'top' to objectClass, current value [] >2013-12-13T13:21:32Z DEBUG add: updated value [u'top'] >2013-12-13T13:21:32Z DEBUG add: 'organizationalUnit' to objectClass, current value [u'top'] >2013-12-13T13:21:32Z DEBUG add: updated value [u'top', u'organizationalUnit'] >2013-12-13T13:21:32Z DEBUG add: 'profiles' to ou, current value [] >2013-12-13T13:21:32Z DEBUG add: updated value [u'profiles'] >2013-12-13T13:21:32Z DEBUG --------------------------------------------- >2013-12-13T13:21:32Z DEBUG Final value after applying updates >2013-12-13T13:21:32Z DEBUG dn: ou=profile,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:32Z DEBUG objectClass: >2013-12-13T13:21:32Z DEBUG top >2013-12-13T13:21:32Z DEBUG organizationalUnit >2013-12-13T13:21:32Z DEBUG ou: >2013-12-13T13:21:32Z DEBUG profiles >2013-12-13T13:21:34Z INFO Updating existing entry: cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) 
groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG accounts >2013-12-13T13:21:34Z DEBUG add: '(targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)' to aci, current value [u'(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)'] 
>2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG accounts >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ng >2013-12-13T13:21:34Z DEBUG add: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups 
cannot be modified"; deny (write) userdn = "ldap:///all";)' to aci, current value [] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";) >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ng >2013-12-13T13:21:34Z DEBUG [(0, u'aci', ['(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'])] >2013-12-13T13:21:34Z DEBUG Live 1, updated 1 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO New entry: cn=replication,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=replication,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectclass: >2013-12-13T13:21:34Z DEBUG nsDS5Replica >2013-12-13T13:21:34Z DEBUG nsDS5ReplicaId: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG nsDS5ReplicaRoot: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z 
DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=replication,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectclass: >2013-12-13T13:21:34Z DEBUG nsDS5Replica >2013-12-13T13:21:34Z DEBUG nsDS5ReplicaId: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG nsDS5ReplicaRoot: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z INFO New entry: cn=default,ou=profile,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=default,ou=profile,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG defaultServerList: >2013-12-13T13:21:34Z DEBUG vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG defaultSearchBase: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG ObjectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG DUAConfigProfile >2013-12-13T13:21:34Z DEBUG serviceSearchDescriptor: >2013-12-13T13:21:34Z DEBUG passwd:cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG group:cn=groups,cn=compat,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG searchTimeLimit: >2013-12-13T13:21:34Z DEBUG 15 >2013-12-13T13:21:34Z DEBUG followReferrals: >2013-12-13T13:21:34Z DEBUG TRUE >2013-12-13T13:21:34Z DEBUG objectClassMap: >2013-12-13T13:21:34Z DEBUG shadow:shadowAccount=posixAccount >2013-12-13T13:21:34Z DEBUG bindTimeLimit: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG authenticationMethod: >2013-12-13T13:21:34Z DEBUG none >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG default 
>2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=default,ou=profile,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG defaultServerList: >2013-12-13T13:21:34Z DEBUG vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG defaultSearchBase: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG ObjectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG DUAConfigProfile >2013-12-13T13:21:34Z DEBUG serviceSearchDescriptor: >2013-12-13T13:21:34Z DEBUG passwd:cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG group:cn=groups,cn=compat,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG searchTimeLimit: >2013-12-13T13:21:34Z DEBUG 15 >2013-12-13T13:21:34Z DEBUG followReferrals: >2013-12-13T13:21:34Z DEBUG TRUE >2013-12-13T13:21:34Z DEBUG objectClassMap: >2013-12-13T13:21:34Z DEBUG shadow:shadowAccount=posixAccount >2013-12-13T13:21:34Z DEBUG bindTimeLimit: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG authenticationMethod: >2013-12-13T13:21:34Z DEBUG none >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG default >2013-12-13T13:21:34Z INFO Updating existing entry: cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG 
(targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) >2013-12-13T13:21:34Z DEBUG (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG computers >2013-12-13T13:21:34Z DEBUG add: '(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)' to aci, current value [u'(targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)', u'(targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage 
host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)', u'(targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)' to aci, current value [u'(targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs 
and keytabs"; allow(write) userdn = "ldap:///self";)', u'(targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)', u'(targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)', u'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = 
"parent[0,1].managedby#USERDN";)'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) >2013-12-13T13:21:34Z DEBUG (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG computers >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG 
--------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ca_renewal >2013-12-13T13:21:34Z DEBUG add: 'top' to objectClass, current value [u'nsContainer', u'top'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'nsContainer', u'top'] >2013-12-13T13:21:34Z DEBUG add: 'nsContainer' to objectClass, current value [u'nsContainer', u'top'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'top', u'nsContainer'] >2013-12-13T13:21:34Z DEBUG add: 'ca_renewal' to cn, current value [u'ca_renewal'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'ca_renewal'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ca_renewal >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=replicas,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=replicas,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z 
DEBUG replicas >2013-12-13T13:21:34Z DEBUG add: 'top' to objectClass, current value [u'nsContainer', u'top'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'nsContainer', u'top'] >2013-12-13T13:21:34Z DEBUG add: 'nsContainer' to objectClass, current value [u'nsContainer', u'top'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'top', u'nsContainer'] >2013-12-13T13:21:34Z DEBUG add: 'replicas' to cn, current value [u'replicas'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'replicas'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=replicas,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG replicas >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG originfilter: >2013-12-13T13:21:34Z DEBUG objectclass=ipahostgroup >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG NGP Definition >2013-12-13T13:21:34Z DEBUG managedbase: >2013-12-13T13:21:34Z DEBUG cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG originscope: 
>2013-12-13T13:21:34Z DEBUG cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG managedtemplate: >2013-12-13T13:21:34Z DEBUG cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG only: set cn to 'NGP Definition', current value [u'NGP Definition'] >2013-12-13T13:21:34Z DEBUG only: updated value [u'NGP Definition'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG originfilter: >2013-12-13T13:21:34Z DEBUG objectclass=ipahostgroup >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG NGP Definition >2013-12-13T13:21:34Z DEBUG managedbase: >2013-12-13T13:21:34Z DEBUG cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG originscope: >2013-12-13T13:21:34Z DEBUG cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG managedtemplate: >2013-12-13T13:21:34Z DEBUG cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value 
>2013-12-13T13:21:34Z DEBUG dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG originfilter: >2013-12-13T13:21:34Z DEBUG (&(objectclass=posixAccount)(!(description=__no_upg__))) >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG UPG Definition >2013-12-13T13:21:34Z DEBUG managedbase: >2013-12-13T13:21:34Z DEBUG cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG originscope: >2013-12-13T13:21:34Z DEBUG cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG managedtemplate: >2013-12-13T13:21:34Z DEBUG cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG originfilter: >2013-12-13T13:21:34Z DEBUG (&(objectclass=posixAccount)(!(description=__no_upg__))) >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG UPG Definition >2013-12-13T13:21:34Z DEBUG managedbase: >2013-12-13T13:21:34Z DEBUG cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG originscope: >2013-12-13T13:21:34Z DEBUG cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG managedtemplate: >2013-12-13T13:21:34Z DEBUG 
cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG mepTemplateEntry >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG mepMappedAttr: >2013-12-13T13:21:34Z DEBUG cn: $uid >2013-12-13T13:21:34Z DEBUG gidNumber: $uidNumber >2013-12-13T13:21:34Z DEBUG description: User private group for $uid >2013-12-13T13:21:34Z DEBUG mepStaticAttr: >2013-12-13T13:21:34Z DEBUG objectclass: posixgroup >2013-12-13T13:21:34Z DEBUG ipaUniqueId: autogenerate >2013-12-13T13:21:34Z DEBUG objectclass: ipaobject >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG UPG Template >2013-12-13T13:21:34Z DEBUG mepRDNAttr: >2013-12-13T13:21:34Z DEBUG cn >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG mepTemplateEntry >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG mepMappedAttr: >2013-12-13T13:21:34Z DEBUG cn: $uid >2013-12-13T13:21:34Z DEBUG gidNumber: $uidNumber >2013-12-13T13:21:34Z DEBUG description: User private group for $uid >2013-12-13T13:21:34Z DEBUG mepStaticAttr: 
>2013-12-13T13:21:34Z DEBUG objectclass: posixgroup >2013-12-13T13:21:34Z DEBUG ipaUniqueId: autogenerate >2013-12-13T13:21:34Z DEBUG objectclass: ipaobject >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG UPG Template >2013-12-13T13:21:34Z DEBUG mepRDNAttr: >2013-12-13T13:21:34Z DEBUG cn >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG mepTemplateEntry >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG mepMappedAttr: >2013-12-13T13:21:34Z DEBUG cn: $cn >2013-12-13T13:21:34Z DEBUG description: ipaNetgroup $cn >2013-12-13T13:21:34Z DEBUG memberHost: $dn >2013-12-13T13:21:34Z DEBUG mepStaticAttr: >2013-12-13T13:21:34Z DEBUG ipaUniqueId: autogenerate >2013-12-13T13:21:34Z DEBUG objectclass: ipanisnetgroup >2013-12-13T13:21:34Z DEBUG objectclass: ipaobject >2013-12-13T13:21:34Z DEBUG nisDomainName: dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG NGP HGP Template >2013-12-13T13:21:34Z DEBUG mepRDNAttr: >2013-12-13T13:21:34Z DEBUG cn >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG mepTemplateEntry 
>2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG mepMappedAttr: >2013-12-13T13:21:34Z DEBUG cn: $cn >2013-12-13T13:21:34Z DEBUG description: ipaNetgroup $cn >2013-12-13T13:21:34Z DEBUG memberHost: $dn >2013-12-13T13:21:34Z DEBUG mepStaticAttr: >2013-12-13T13:21:34Z DEBUG ipaUniqueId: autogenerate >2013-12-13T13:21:34Z DEBUG objectclass: ipanisnetgroup >2013-12-13T13:21:34Z DEBUG objectclass: ipaobject >2013-12-13T13:21:34Z DEBUG nisDomainName: dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG NGP HGP Template >2013-12-13T13:21:34Z DEBUG mepRDNAttr: >2013-12-13T13:21:34Z DEBUG cn >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/30-s4u2proxy.update' >2013-12-13T13:21:34Z INFO Updating existing entry: cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG s4u2proxy >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG s4u2proxy >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating 
existing entry: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG groupOfPrincipals >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG memberPrincipal: >2013-12-13T13:21:34Z DEBUG ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ipa-ldap-delegation-targets >2013-12-13T13:21:34Z DEBUG add: 'ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM' to memberPrincipal, current value [u'ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG groupOfPrincipals >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG memberPrincipal: >2013-12-13T13:21:34Z DEBUG ldap/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ipa-ldap-delegation-targets >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done 
>2013-12-13T13:21:34Z INFO Updating existing entry: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG groupOfPrincipals >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG ipaKrb5DelegationACL >2013-12-13T13:21:34Z DEBUG memberPrincipal: >2013-12-13T13:21:34Z DEBUG HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:34Z DEBUG ipaAllowedTarget: >2013-12-13T13:21:34Z DEBUG cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ipa-http-delegation >2013-12-13T13:21:34Z DEBUG add: 'HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM' to memberPrincipal, current value [u'HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG groupOfPrincipals >2013-12-13T13:21:34Z 
DEBUG top >2013-12-13T13:21:34Z DEBUG ipaKrb5DelegationACL >2013-12-13T13:21:34Z DEBUG memberPrincipal: >2013-12-13T13:21:34Z DEBUG HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:34Z DEBUG ipaAllowedTarget: >2013-12-13T13:21:34Z DEBUG cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG ipa-http-delegation >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/40-automember.update' >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/40-delegation.update' >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/40-dns.update' >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/40-otp.update' >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/40-realm_domains.update' >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/40-replication.update' >2013-12-13T13:21:34Z INFO Parsing update file '/usr/share/ipa/updates/45-roles.update' >2013-12-13T13:21:34Z INFO Updating existing entry: cn=config >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-ldapimaptoentries: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationsynchour: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-port: >2013-12-13T13:21:34Z DEBUG 389 >2013-12-13T13:21:34Z DEBUG nsslapd-betype: >2013-12-13T13:21:34Z DEBUG ldbm database >2013-12-13T13:21:34Z DEBUG 
nsslapd-nagle: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-list: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-entryusn-global: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-referralmode: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logminfreediskspace: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationsynchour: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-reservedescriptors: >2013-12-13T13:21:34Z DEBUG 64 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logmaxdiskspace: >2013-12-13T13:21:34Z DEBUG 500 >2013-12-13T13:21:34Z DEBUG passwordMinAlphas: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-sasl-max-buffer-size: >2013-12-13T13:21:34Z DEBUG 2097152 >2013-12-13T13:21:34Z DEBUG nsslapd-enquote-sup-oc: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-readonly: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-syntaxcheck: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logbuffering: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring-logging-critical: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordMinDigits: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG passwordMinUppers: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-plugin: >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=telephoneNumberMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=octetStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG 
cn=caseExactSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Boolean Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Numeric String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=OID Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Guide Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreIA5Match,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Delivery Method Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Name And Optional UID Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Enhanced Guide Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Integer Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=uniqueMemberMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Bit String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Postal Address Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=integerFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=integerOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactIA5Match,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Octet String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=booleanMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Case Ignore String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=generalizedTimeOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=objectIdentifierFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreListMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=octetStringMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=distinguishedNameMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Fax Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Generalized Time Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Internationalization 
Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Country String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=telephoneNumberSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=bitStringMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Distinguished Name Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=numericStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=generalizedTimeMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Telephone Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=objectIdentifierMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=numericStringSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreListSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Printable String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Telex Number Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Binary Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=JPEG Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=directoryStringFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=integerMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Bitwise Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Case Exact String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=numericStringMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-dn-validate-strict: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-ndn-cache-max-size: 
>2013-12-13T13:21:34Z DEBUG 20971520 >2013-12-13T13:21:34Z DEBUG nsslapd-timelimit: >2013-12-13T13:21:34Z DEBUG 3600 >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-rundir: >2013-12-13T13:21:34Z DEBUG /var/run/dirsrv >2013-12-13T13:21:34Z DEBUG passwordMinTokenLength: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationsync-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordMinAge: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logmaxdiskspace: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring-grace-period: >2013-12-13T13:21:34Z DEBUG 60 >2013-12-13T13:21:34Z DEBUG nsslapd-maxdescriptors: >2013-12-13T13:21:34Z DEBUG 8192 >2013-12-13T13:21:34Z DEBUG passwordInHistory: >2013-12-13T13:21:34Z DEBUG 6 >2013-12-13T13:21:34Z DEBUG nsslapd-ssl-check-hostname: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-conntablesize: >2013-12-13T13:21:34Z DEBUG 8192 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logging-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationsync-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logexpirationtimeunit: >2013-12-13T13:21:34Z DEBUG month >2013-12-13T13:21:34Z DEBUG nsslapd-saslpath: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG passwordMaxAge: >2013-12-13T13:21:34Z DEBUG 8640000 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapiautobind: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-maxthreadsperconn: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationsyncmin: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapigidnumbertype: >2013-12-13T13:21:34Z DEBUG gidNumber >2013-12-13T13:21:34Z 
DEBUG nsslapd-connection-buffer: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationtimeunit: >2013-12-13T13:21:34Z DEBUG day >2013-12-13T13:21:34Z DEBUG nsslapd-tmpdir: >2013-12-13T13:21:34Z DEBUG /tmp >2013-12-13T13:21:34Z DEBUG passwordResetFailureCount: >2013-12-13T13:21:34Z DEBUG 600 >2013-12-13T13:21:34Z DEBUG nsslapd-counters: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-svrtab: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-allowed-sasl-mechanisms: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-secureport: >2013-12-13T13:21:34Z DEBUG 636 >2013-12-13T13:21:34Z DEBUG nsslapd-minssf: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-maxlogsize: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-localuser: >2013-12-13T13:21:34Z DEBUG dirsrv >2013-12-13T13:21:34Z DEBUG nsslapd-security: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG passwordChange: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-force-sasl-external: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-requiresrestart: >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-changelogmaxage >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-plugin >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-maxdescriptors >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-idlistscanlimit >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nsssl2 >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nsssl3 >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-parentcheck >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-changelogsuffix >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-sslclientauth >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-schema-ignore-trailing-spaces >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-dbcachesize >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nssslsessiontimeout >2013-12-13T13:21:34Z DEBUG 
cn=config,cn=ldbm:nsslapd-cachesize >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-db-locks >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-secureport >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-changelogmaxentries >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-allowed-sasl-mechanisms >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-ldapilisten >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-plugin >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-ldapifilepath >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-changelogdir >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-workingdir >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-port >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nssslclientauth >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-return-exact-case >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-dbncache >2013-12-13T13:21:34Z DEBUG passwordMaxFailure: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationsync-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logging-enabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationsyncmin: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-pagedsizelimit: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logexpirationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-listen-backlog-size: >2013-12-13T13:21:34Z DEBUG 128 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/access >2013-12-13T13:21:34Z DEBUG nsslapd-certmap-basedn: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-logging: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-anonlimitsdn: >2013-12-13T13:21:34Z DEBUG cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-ldifdir: 
>2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ldif >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-mode: >2013-12-13T13:21:34Z DEBUG 600 >2013-12-13T13:21:34Z DEBUG nsslapd-maxbersize: >2013-12-13T13:21:34Z DEBUG 209715200 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logging-enabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-hash-filters: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordMustChange: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordExp: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-list: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-ldapilisten: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logminfreediskspace: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG nsslapd-schema-ignore-trailing-spaces: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";) >2013-12-13T13:21:34Z DEBUG (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG nsslapd-listenhost: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logexpirationtimeunit: >2013-12-13T13:21:34Z DEBUG month >2013-12-13T13:21:34Z DEBUG nsslapd-outbound-ldap-io-timeout: >2013-12-13T13:21:34Z DEBUG 300000 >2013-12-13T13:21:34Z DEBUG passwordMinLength: >2013-12-13T13:21:34Z DEBUG 8 >2013-12-13T13:21:34Z DEBUG nsslapd-require-secure-binds: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-groupevalnestlevel: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG 
nsslapd-rootdn: >2013-12-13T13:21:34Z DEBUG cn=Directory Manager >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationtimeunit: >2013-12-13T13:21:34Z DEBUG day >2013-12-13T13:21:34Z DEBUG nsslapd-snmp-index: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG config >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapdConfig >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationtimeunit: >2013-12-13T13:21:34Z DEBUG week >2013-12-13T13:21:34Z DEBUG nsslapd-entryusn-import-initval: >2013-12-13T13:21:34Z DEBUG next >2013-12-13T13:21:34Z DEBUG nsslapd-ignore-time-skew: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-allow-unauthenticated-binds: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logging-hide-unhashed-pw: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-maxlogsperdir: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logmaxdiskspace: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-mode: >2013-12-13T13:21:34Z DEBUG 600 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/errors >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring-threshold: >2013-12-13T13:21:34Z DEBUG 2097152 >2013-12-13T13:21:34Z DEBUG nsslapd-sasl-mapping-fallback: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG passwordlegacypolicy: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-ldapifilepath: >2013-12-13T13:21:34Z DEBUG /var/run/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket >2013-12-13T13:21:34Z DEBUG passwordCheckSyntax: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordGraceLimit: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG passwordWarning: 
>2013-12-13T13:21:34Z DEBUG 86400 >2013-12-13T13:21:34Z DEBUG nsslapd-instancedir: >2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/scripts-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-config: >2013-12-13T13:21:34Z DEBUG cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-level: >2013-12-13T13:21:34Z DEBUG 256 >2013-12-13T13:21:34Z DEBUG nsslapd-return-exact-case: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-maxsasliosize: >2013-12-13T13:21:34Z DEBUG 2097152 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logexpirationtimeunit: >2013-12-13T13:21:34Z DEBUG month >2013-12-13T13:21:34Z DEBUG nsslapd-rootpwstoragescheme: >2013-12-13T13:21:34Z DEBUG SSHA >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-binddn-tracking: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logexpirationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG passwordLockout: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-lockdir: >2013-12-13T13:21:34Z DEBUG /var/lock/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-certdir: >2013-12-13T13:21:34Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-allow-anonymous-access: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-maxlogsperdir: >2013-12-13T13:21:34Z DEBUG 10 >2013-12-13T13:21:34Z DEBUG nsslapd-backendconfig: >2013-12-13T13:21:34Z DEBUG cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-threadnumber: >2013-12-13T13:21:34Z DEBUG 30 >2013-12-13T13:21:34Z DEBUG nsslapd-schemamod: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-search-return-original-type-switch: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-localhost: >2013-12-13T13:21:34Z DEBUG 
vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG nsslapd-bakdir: >2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/bak >2013-12-13T13:21:34Z DEBUG passwordMin8bit: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapiuidnumbertype: >2013-12-13T13:21:34Z DEBUG uidNumber >2013-12-13T13:21:34Z DEBUG nsslapd-validate-cert: >2013-12-13T13:21:34Z DEBUG warn >2013-12-13T13:21:34Z DEBUG passwordMinCategories: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG passwordMinLowers: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG passwordAdminDN: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-versionstring: >2013-12-13T13:21:34Z DEBUG 389-Directory/1.3.2.7 >2013-12-13T13:21:34Z DEBUG passwordMinSpecials: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-rewrite-rfc1274: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-lastmod: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-max-filter-nest-level: >2013-12-13T13:21:34Z DEBUG 40 >2013-12-13T13:21:34Z DEBUG passwordMaxRepeats: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-result-tweak: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-syntaxlogging: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordUnlock: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-schemacheck: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG passwordTrackUpdateTime: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-maxlogsize: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapientrysearchbase: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logexpirationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-localssf: >2013-12-13T13:21:34Z 
DEBUG 71 >2013-12-13T13:21:34Z DEBUG passwordisglobalpolicy: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-sizelimit: >2013-12-13T13:21:34Z DEBUG 2000 >2013-12-13T13:21:34Z DEBUG nsslapd-minssf-exclude-rootdse: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationsyncmin: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ignore-virtual-attrs: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-ndn-cache-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-defaultnamingcontext: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-mode: >2013-12-13T13:21:34Z DEBUG 600 >2013-12-13T13:21:34Z DEBUG nsslapd-pwpolicy-local: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-schemadir: >2013-12-13T13:21:34Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/schema >2013-12-13T13:21:34Z DEBUG passwordLockoutDuration: >2013-12-13T13:21:34Z DEBUG 3600 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-list: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-csnlogging: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-maxlogsize: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-privatenamespaces: >2013-12-13T13:21:34Z DEBUG cn=schema >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG cn=config >2013-12-13T13:21:34Z DEBUG cn=monitor >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-maxlogsperdir: >2013-12-13T13:21:34Z DEBUG 2 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/audit >2013-12-13T13:21:34Z DEBUG nsslapd-ldapimaprootdn: >2013-12-13T13:21:34Z DEBUG cn=Directory Manager >2013-12-13T13:21:34Z DEBUG nsslapd-rootpw: >2013-12-13T13:21:34Z DEBUG {SSHA}v/YbIvfLZBnzzDiaMPKT2iAZwiDpB6XjDHgWVQ== 
>2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationsynchour: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ds4-compatible-schema: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-workingdir: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-unhashed-pw-switch: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesscontrol: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-schemareplace: >2013-12-13T13:21:34Z DEBUG replication-only >2013-12-13T13:21:34Z DEBUG nsslapd-enable-turbo-mode: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-level: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-securelistenhost: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-ioblocktimeout: >2013-12-13T13:21:34Z DEBUG 1800000 >2013-12-13T13:21:34Z DEBUG nsslapd-sslclientauth: >2013-12-13T13:21:34Z DEBUG allowed >2013-12-13T13:21:34Z DEBUG nsslapd-attribute-name-exceptions: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-idletimeout: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-allowed-to-delete-attrs: >2013-12-13T13:21:34Z DEBUG nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logminfreediskspace: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG passwordStorageScheme: >2013-12-13T13:21:34Z DEBUG SSHA >2013-12-13T13:21:34Z DEBUG nsslapd-connection-nocanon: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership 
Task,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)', u'(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";)', u'(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-ldapimaptoentries: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationsynchour: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-port: >2013-12-13T13:21:34Z DEBUG 389 >2013-12-13T13:21:34Z DEBUG nsslapd-betype: >2013-12-13T13:21:34Z DEBUG ldbm database >2013-12-13T13:21:34Z DEBUG nsslapd-nagle: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-list: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG 
nsslapd-entryusn-global: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-referralmode: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logminfreediskspace: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationsynchour: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-reservedescriptors: >2013-12-13T13:21:34Z DEBUG 64 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logmaxdiskspace: >2013-12-13T13:21:34Z DEBUG 500 >2013-12-13T13:21:34Z DEBUG passwordMinAlphas: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-sasl-max-buffer-size: >2013-12-13T13:21:34Z DEBUG 2097152 >2013-12-13T13:21:34Z DEBUG nsslapd-enquote-sup-oc: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-readonly: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-syntaxcheck: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logbuffering: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring-logging-critical: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordMinDigits: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG passwordMinUppers: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-plugin: >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=telephoneNumberMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactIA5SubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=octetStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Boolean Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactMatch,cn=plugins,cn=config 
>2013-12-13T13:21:34Z DEBUG cn=Numeric String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=OID Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Guide Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreIA5Match,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Delivery Method Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Name And Optional UID Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Enhanced Guide Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Integer Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=uniqueMemberMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Bit String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Postal Address Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=integerFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=integerOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseExactIA5Match,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Octet String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=booleanMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Case Ignore String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=generalizedTimeOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=objectIdentifierFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreListMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=octetStringMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=distinguishedNameMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Fax Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Generalized Time Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Internationalization Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Country String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=telephoneNumberSubstringsMatch,cn=plugins,cn=config 
>2013-12-13T13:21:34Z DEBUG cn=bitStringMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Distinguished Name Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=numericStringOrderingMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=generalizedTimeMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Telephone Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=objectIdentifierMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=numericStringSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreListSubstringsMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Printable String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Telex Number Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Binary Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=JPEG Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=directoryStringFirstComponentMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=integerMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Bitwise Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=Case Exact String Syntax,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=caseIgnoreMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=numericStringMatch,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-dn-validate-strict: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-ndn-cache-max-size: >2013-12-13T13:21:34Z DEBUG 20971520 >2013-12-13T13:21:34Z DEBUG nsslapd-timelimit: >2013-12-13T13:21:34Z DEBUG 3600 >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring: >2013-12-13T13:21:34Z 
DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-rundir: >2013-12-13T13:21:34Z DEBUG /var/run/dirsrv >2013-12-13T13:21:34Z DEBUG passwordMinTokenLength: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationsync-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordMinAge: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logmaxdiskspace: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring-grace-period: >2013-12-13T13:21:34Z DEBUG 60 >2013-12-13T13:21:34Z DEBUG nsslapd-maxdescriptors: >2013-12-13T13:21:34Z DEBUG 8192 >2013-12-13T13:21:34Z DEBUG passwordInHistory: >2013-12-13T13:21:34Z DEBUG 6 >2013-12-13T13:21:34Z DEBUG nsslapd-ssl-check-hostname: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-conntablesize: >2013-12-13T13:21:34Z DEBUG 8192 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logging-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationsync-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logexpirationtimeunit: >2013-12-13T13:21:34Z DEBUG month >2013-12-13T13:21:34Z DEBUG nsslapd-saslpath: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG passwordMaxAge: >2013-12-13T13:21:34Z DEBUG 8640000 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapiautobind: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-maxthreadsperconn: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationsyncmin: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapigidnumbertype: >2013-12-13T13:21:34Z DEBUG gidNumber >2013-12-13T13:21:34Z DEBUG nsslapd-connection-buffer: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logrotationtimeunit: >2013-12-13T13:21:34Z DEBUG day >2013-12-13T13:21:34Z DEBUG 
nsslapd-tmpdir: >2013-12-13T13:21:34Z DEBUG /tmp >2013-12-13T13:21:34Z DEBUG passwordResetFailureCount: >2013-12-13T13:21:34Z DEBUG 600 >2013-12-13T13:21:34Z DEBUG nsslapd-counters: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-svrtab: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-allowed-sasl-mechanisms: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-secureport: >2013-12-13T13:21:34Z DEBUG 636 >2013-12-13T13:21:34Z DEBUG nsslapd-minssf: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-maxlogsize: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-localuser: >2013-12-13T13:21:34Z DEBUG dirsrv >2013-12-13T13:21:34Z DEBUG nsslapd-security: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG passwordChange: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-force-sasl-external: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-requiresrestart: >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-changelogmaxage >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-plugin >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-maxdescriptors >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-idlistscanlimit >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nsssl2 >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nsssl3 >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-parentcheck >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-changelogsuffix >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-sslclientauth >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-schema-ignore-trailing-spaces >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-dbcachesize >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nssslsessiontimeout >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-cachesize >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-db-locks >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-secureport >2013-12-13T13:21:34Z DEBUG 
cn=config:nsslapd-changelogmaxentries >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-allowed-sasl-mechanisms >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-ldapilisten >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-plugin >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-ldapifilepath >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-changelogdir >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-workingdir >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-port >2013-12-13T13:21:34Z DEBUG cn=encryption,cn=config:nssslclientauth >2013-12-13T13:21:34Z DEBUG cn=config:nsslapd-return-exact-case >2013-12-13T13:21:34Z DEBUG cn=config,cn=ldbm:nsslapd-dbncache >2013-12-13T13:21:34Z DEBUG passwordMaxFailure: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationsync-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logging-enabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationsyncmin: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-pagedsizelimit: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logexpirationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-listen-backlog-size: >2013-12-13T13:21:34Z DEBUG 128 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/access >2013-12-13T13:21:34Z DEBUG nsslapd-certmap-basedn: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-logging: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-anonlimitsdn: >2013-12-13T13:21:34Z DEBUG cn=anonymous-limits,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-ldifdir: >2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ldif >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-mode: >2013-12-13T13:21:34Z DEBUG 600 
>2013-12-13T13:21:34Z DEBUG nsslapd-maxbersize: >2013-12-13T13:21:34Z DEBUG 209715200 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logging-enabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-hash-filters: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordMustChange: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordExp: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-list: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-ldapilisten: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logminfreediskspace: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG nsslapd-schema-ignore-trailing-spaces: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou= people,o=ipaca";) >2013-12-13T13:21:34Z DEBUG (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG nsslapd-listenhost: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logexpirationtimeunit: >2013-12-13T13:21:34Z DEBUG month >2013-12-13T13:21:34Z DEBUG nsslapd-outbound-ldap-io-timeout: >2013-12-13T13:21:34Z DEBUG 300000 >2013-12-13T13:21:34Z DEBUG passwordMinLength: >2013-12-13T13:21:34Z DEBUG 8 >2013-12-13T13:21:34Z DEBUG 
nsslapd-require-secure-binds: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-groupevalnestlevel: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-rootdn: >2013-12-13T13:21:34Z DEBUG cn=Directory Manager >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationtimeunit: >2013-12-13T13:21:34Z DEBUG day >2013-12-13T13:21:34Z DEBUG nsslapd-snmp-index: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG config >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapdConfig >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationtimeunit: >2013-12-13T13:21:34Z DEBUG week >2013-12-13T13:21:34Z DEBUG nsslapd-entryusn-import-initval: >2013-12-13T13:21:34Z DEBUG next >2013-12-13T13:21:34Z DEBUG nsslapd-ignore-time-skew: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-allow-unauthenticated-binds: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logging-hide-unhashed-pw: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-maxlogsperdir: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logmaxdiskspace: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-mode: >2013-12-13T13:21:34Z DEBUG 600 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/errors >2013-12-13T13:21:34Z DEBUG nsslapd-disk-monitoring-threshold: >2013-12-13T13:21:34Z DEBUG 2097152 >2013-12-13T13:21:34Z DEBUG nsslapd-sasl-mapping-fallback: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG passwordlegacypolicy: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-ldapifilepath: >2013-12-13T13:21:34Z DEBUG /var/run/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket >2013-12-13T13:21:34Z DEBUG passwordCheckSyntax: 
>2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordGraceLimit: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG passwordWarning: >2013-12-13T13:21:34Z DEBUG 86400 >2013-12-13T13:21:34Z DEBUG nsslapd-instancedir: >2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/scripts-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-config: >2013-12-13T13:21:34Z DEBUG cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-level: >2013-12-13T13:21:34Z DEBUG 256 >2013-12-13T13:21:34Z DEBUG nsslapd-return-exact-case: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-maxsasliosize: >2013-12-13T13:21:34Z DEBUG 2097152 >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logexpirationtimeunit: >2013-12-13T13:21:34Z DEBUG month >2013-12-13T13:21:34Z DEBUG nsslapd-rootpwstoragescheme: >2013-12-13T13:21:34Z DEBUG SSHA >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-binddn-tracking: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logexpirationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG passwordLockout: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-lockdir: >2013-12-13T13:21:34Z DEBUG /var/lock/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-certdir: >2013-12-13T13:21:34Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-allow-anonymous-access: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-maxlogsperdir: >2013-12-13T13:21:34Z DEBUG 10 >2013-12-13T13:21:34Z DEBUG nsslapd-backendconfig: >2013-12-13T13:21:34Z DEBUG cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-threadnumber: >2013-12-13T13:21:34Z DEBUG 30 >2013-12-13T13:21:34Z DEBUG nsslapd-schemamod: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG 
nsslapd-search-return-original-type-switch: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-localhost: >2013-12-13T13:21:34Z DEBUG vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG nsslapd-bakdir: >2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/bak >2013-12-13T13:21:34Z DEBUG passwordMin8bit: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapiuidnumbertype: >2013-12-13T13:21:34Z DEBUG uidNumber >2013-12-13T13:21:34Z DEBUG nsslapd-validate-cert: >2013-12-13T13:21:34Z DEBUG warn >2013-12-13T13:21:34Z DEBUG passwordMinCategories: >2013-12-13T13:21:34Z DEBUG 3 >2013-12-13T13:21:34Z DEBUG passwordMinLowers: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG passwordAdminDN: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-versionstring: >2013-12-13T13:21:34Z DEBUG 389-Directory/1.3.2.7 >2013-12-13T13:21:34Z DEBUG passwordMinSpecials: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-rewrite-rfc1274: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-lastmod: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-max-filter-nest-level: >2013-12-13T13:21:34Z DEBUG 40 >2013-12-13T13:21:34Z DEBUG passwordMaxRepeats: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-result-tweak: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-syntaxlogging: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG passwordUnlock: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-schemacheck: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG passwordTrackUpdateTime: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-maxlogsize: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-ldapientrysearchbase: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logexpirationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-localssf: >2013-12-13T13:21:34Z DEBUG 71 >2013-12-13T13:21:34Z DEBUG passwordisglobalpolicy: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-sizelimit: >2013-12-13T13:21:34Z DEBUG 2000 >2013-12-13T13:21:34Z DEBUG nsslapd-minssf-exclude-rootdse: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationsyncmin: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ignore-virtual-attrs: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-ndn-cache-enabled: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-defaultnamingcontext: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-mode: >2013-12-13T13:21:34Z DEBUG 600 >2013-12-13T13:21:34Z DEBUG nsslapd-pwpolicy-local: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-schemadir: >2013-12-13T13:21:34Z DEBUG /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/schema >2013-12-13T13:21:34Z DEBUG passwordLockoutDuration: >2013-12-13T13:21:34Z DEBUG 3600 >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-list: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-csnlogging: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-maxlogsize: >2013-12-13T13:21:34Z DEBUG 100 >2013-12-13T13:21:34Z DEBUG nsslapd-privatenamespaces: >2013-12-13T13:21:34Z DEBUG cn=schema >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG cn=config >2013-12-13T13:21:34Z DEBUG cn=monitor >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-maxlogsperdir: >2013-12-13T13:21:34Z DEBUG 2 >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/audit >2013-12-13T13:21:34Z DEBUG nsslapd-ldapimaprootdn: 
>2013-12-13T13:21:34Z DEBUG cn=Directory Manager >2013-12-13T13:21:34Z DEBUG nsslapd-rootpw: >2013-12-13T13:21:34Z DEBUG {SSHA}v/YbIvfLZBnzzDiaMPKT2iAZwiDpB6XjDHgWVQ== >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-logrotationsynchour: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-ds4-compatible-schema: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-workingdir: >2013-12-13T13:21:34Z DEBUG /var/log/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM >2013-12-13T13:21:34Z DEBUG nsslapd-unhashed-pw-switch: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-accesscontrol: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-schemareplace: >2013-12-13T13:21:34Z DEBUG replication-only >2013-12-13T13:21:34Z DEBUG nsslapd-enable-turbo-mode: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-errorlog-level: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-securelistenhost: >2013-12-13T13:21:34Z DEBUG >2013-12-13T13:21:34Z DEBUG nsslapd-auditlog-logrotationtime: >2013-12-13T13:21:34Z DEBUG 1 >2013-12-13T13:21:34Z DEBUG nsslapd-ioblocktimeout: >2013-12-13T13:21:34Z DEBUG 1800000 >2013-12-13T13:21:34Z DEBUG nsslapd-sslclientauth: >2013-12-13T13:21:34Z DEBUG allowed >2013-12-13T13:21:34Z DEBUG nsslapd-attribute-name-exceptions: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-idletimeout: >2013-12-13T13:21:34Z DEBUG 0 >2013-12-13T13:21:34Z DEBUG nsslapd-allowed-to-delete-attrs: >2013-12-13T13:21:34Z DEBUG nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext >2013-12-13T13:21:34Z DEBUG nsslapd-accesslog-logminfreediskspace: >2013-12-13T13:21:34Z DEBUG 5 >2013-12-13T13:21:34Z DEBUG passwordStorageScheme: >2013-12-13T13:21:34Z DEBUG SSHA >2013-12-13T13:21:34Z DEBUG nsslapd-connection-nocanon: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG [(0, u'aci', ['(target = "ldap:///cn=automember rebuild 
membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'])] >2013-12-13T13:21:34Z DEBUG Live 1, updated 1 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=IPA DNS,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=IPA DNS,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:34Z DEBUG libipa_dns.so >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG IPA DNS >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsslapdPlugin >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:34Z DEBUG IPA DNS support plugin >2013-12-13T13:21:34Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:34Z DEBUG ipa_dns >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:34Z DEBUG 1.0 >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:34Z DEBUG database >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:34Z DEBUG Red Hat, Inc. 
>2013-12-13T13:21:34Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:34Z DEBUG preoperation >2013-12-13T13:21:34Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:34Z DEBUG ipadns_init >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=IPA DNS,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:34Z DEBUG libipa_dns.so >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG IPA DNS >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsslapdPlugin >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:34Z DEBUG IPA DNS support plugin >2013-12-13T13:21:34Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:34Z DEBUG ipa_dns >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:34Z DEBUG 1.0 >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:34Z DEBUG database >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:34Z DEBUG Red Hat, Inc. 
>2013-12-13T13:21:34Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:34Z DEBUG preoperation >2013-12-13T13:21:34Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:34Z DEBUG ipadns_init >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=Auto Membership Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=Auto Membership Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:34Z DEBUG Auto Membership >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG Auto Membership Plugin >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsSlapdPlugin >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:34Z DEBUG Auto Membership plugin >2013-12-13T13:21:34Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:34Z DEBUG libautomember-plugin >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:34Z DEBUG 1.3.2.7 >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:34Z DEBUG database >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:34Z DEBUG 389 Project >2013-12-13T13:21:34Z DEBUG nsslapd-pluginConfigArea: >2013-12-13T13:21:34Z DEBUG cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:34Z DEBUG betxnpreoperation >2013-12-13T13:21:34Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:34Z DEBUG automember_init >2013-12-13T13:21:34Z DEBUG addifnew: 'cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to nsslapd-pluginConfigArea, 
current value [ipapython.dn.DN('cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=Auto Membership Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:34Z DEBUG Auto Membership >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG Auto Membership Plugin >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsSlapdPlugin >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:34Z DEBUG Auto Membership plugin >2013-12-13T13:21:34Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:34Z DEBUG on >2013-12-13T13:21:34Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:34Z DEBUG libautomember-plugin >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:34Z DEBUG 1.3.2.7 >2013-12-13T13:21:34Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:34Z DEBUG database >2013-12-13T13:21:34Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:34Z DEBUG 389 Project >2013-12-13T13:21:34Z DEBUG nsslapd-pluginConfigArea: >2013-12-13T13:21:34Z DEBUG cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:34Z DEBUG betxnpreoperation >2013-12-13T13:21:34Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:34Z DEBUG automember_init >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=Posix 
IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG dnaScope: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG dnaThreshold: >2013-12-13T13:21:34Z DEBUG 500 >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG Posix IDs >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG dnaNextValue: >2013-12-13T13:21:34Z DEBUG 346000000 >2013-12-13T13:21:34Z DEBUG dnaMagicRegen: >2013-12-13T13:21:34Z DEBUG -1 >2013-12-13T13:21:34Z DEBUG dnaFilter: >2013-12-13T13:21:34Z DEBUG (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) >2013-12-13T13:21:34Z DEBUG dnaType: >2013-12-13T13:21:34Z DEBUG gidNumber >2013-12-13T13:21:34Z DEBUG uidNumber >2013-12-13T13:21:34Z DEBUG dnaMaxValue: >2013-12-13T13:21:34Z DEBUG 346199999 >2013-12-13T13:21:34Z DEBUG dnaSharedCfgDN: >2013-12-13T13:21:34Z DEBUG cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG add: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA 
Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG dnaScope: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG dnaThreshold: >2013-12-13T13:21:34Z DEBUG 500 >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG Posix IDs >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG dnaNextValue: >2013-12-13T13:21:34Z DEBUG 346000000 >2013-12-13T13:21:34Z DEBUG dnaMagicRegen: >2013-12-13T13:21:34Z DEBUG -1 >2013-12-13T13:21:34Z DEBUG dnaFilter: >2013-12-13T13:21:34Z DEBUG (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) >2013-12-13T13:21:34Z DEBUG dnaType: >2013-12-13T13:21:34Z DEBUG gidNumber >2013-12-13T13:21:34Z DEBUG uidNumber >2013-12-13T13:21:34Z DEBUG dnaMaxValue: >2013-12-13T13:21:34Z DEBUG 346199999 >2013-12-13T13:21:34Z DEBUG dnaSharedCfgDN: >2013-12-13T13:21:34Z DEBUG 
cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-directory: >2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/db/userRoot >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG userRoot >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsBackendInstance >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapd-require-index: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG nsslapd-suffix: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-readonly: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-dncachememsize: >2013-12-13T13:21:34Z DEBUG 10485760 >2013-12-13T13:21:34Z DEBUG nsslapd-cachesize: >2013-12-13T13:21:34Z DEBUG -1 >2013-12-13T13:21:34Z DEBUG nsslapd-cachememsize: >2013-12-13T13:21:34Z DEBUG 10485760 >2013-12-13T13:21:34Z DEBUG add: '(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication 
Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >2013-12-13T13:21:34Z DEBUG nsslapd-directory: >2013-12-13T13:21:34Z DEBUG /var/lib/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/db/userRoot >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG userRoot >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nsBackendInstance >2013-12-13T13:21:34Z DEBUG extensibleObject >2013-12-13T13:21:34Z DEBUG nsslapd-require-index: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG nsslapd-suffix: >2013-12-13T13:21:34Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG nsslapd-readonly: >2013-12-13T13:21:34Z DEBUG off >2013-12-13T13:21:34Z DEBUG nsslapd-dncachememsize: >2013-12-13T13:21:34Z DEBUG 10485760 
>2013-12-13T13:21:34Z DEBUG nsslapd-cachesize: >2013-12-13T13:21:34Z DEBUG -1 >2013-12-13T13:21:34Z DEBUG nsslapd-cachememsize: >2013-12-13T13:21:34Z DEBUG 10485760 >2013-12-13T13:21:34Z DEBUG [] >2013-12-13T13:21:34Z DEBUG Live 1, updated 0 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO Updating existing entry: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG info: >2013-12-13T13:21:34Z DEBUG IPA V2.0 >2013-12-13T13:21:34Z DEBUG associatedDomain: >2013-12-13T13:21:34Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG pilotObject >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nisDomainObject >2013-12-13T13:21:34Z DEBUG domain >2013-12-13T13:21:34Z DEBUG domainRelatedObject >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber 
|| street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG 
(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:34Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:34Z DEBUG (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = 
"(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG dc: >2013-12-13T13:21:34Z DEBUG dom227 >2013-12-13T13:21:34Z DEBUG nisDomain: >2013-12-13T13:21:34Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify 
Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup 
membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write 
password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) 
userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) 
groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service 
keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell 
|| ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = 
"krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove 
Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || 
sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different 
host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow 
(write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || 
krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || 
sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) 
groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service 
keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell 
|| ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || 
krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request 
certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount 
maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user 
accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 
3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow 
(read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', 
u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) 
groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || 
description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change 
a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = 
"ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage 
any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request 
Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber 
|| l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) 
groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to 
sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = 
"description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate 
Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn 
|| description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) 
groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || 
krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || 
mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) 
groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || 
krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege 
membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || 
nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || 
ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter 
= "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow 
(write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = 
"ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || 
ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 
3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow 
(write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get 
Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = 
"ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = 
"ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow 
(write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup 
membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || 
ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile 
|| pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = 
"ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = 
"ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || 
ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service 
groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify 
Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl 
"selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup 
membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || 
krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = 
"ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow 
(write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount 
maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) 
groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) 
groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)']
>2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || 
krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || 
enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) 
groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || 
telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = 
"ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = 
"ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || 
ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service 
groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || 
krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" 
)(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || 
homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = 
"ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = 
"ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || 
ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service 
groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify 
Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG remove: '(targetattr = "description")(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' from aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user 
accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 
3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z WARNING remove: '(targetattr = "description")(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' not in aci >2013-12-13T13:21:34Z DEBUG remove: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || 
krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr 
= "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG remove: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' from aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) 
groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user 
accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) 
groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host 
keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove 
Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || 
description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove 
Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z WARNING remove: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' not in aci >2013-12-13T13:21:34Z DEBUG remove: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration 
|| krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount 
maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG remove: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' from aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = 
"ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow 
(write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) 
groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host 
keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove 
Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || 
description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove 
Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z WARNING remove: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' not in aci >2013-12-13T13:21:34Z DEBUG remove: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount 
maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || 
krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)']
>2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy ||
ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = 
"ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || 
street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = 
"ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || 
ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service 
groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify 
Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = 
"krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || 
krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request 
Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || 
nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || 
ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter 
= "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow 
(write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = 
"ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || 
ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || 
ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile 
|| pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = 
"ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = 
"ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || 
ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service 
groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify 
Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = 
"krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify 
Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl 
"selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup 
membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = 
"ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 
3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = 
"ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = 
"ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 
3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup 
membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify 
Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl 
"selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup 
membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || 
krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr 
= "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH 
Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || 
description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn 
= "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from 
the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)']
>2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || 
mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) 
groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow 
(write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || 
krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr 
= "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = 
"krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || 
krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || 
krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl 
"selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) 
groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service 
keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell 
|| ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = 
"ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = 
"ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || 
krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || 
krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || 
ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile 
|| pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = 
"ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = 
"ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || 
passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || 
ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service 
groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify 
Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey 
|| krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = 
"ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow 
(write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request 
Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber 
|| l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) 
groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to 
sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = 
"description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate 
Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn 
|| description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = 
"ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = 
"ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)']
>2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword ||
passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) 
groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow 
(write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || 
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege 
membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || 
nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || 
ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter 
= "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow 
(write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = 
"ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || 
ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command 
group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password 
Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) 
groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) 
groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || 
krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = 
"ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password 
Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || 
objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || 
seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny 
(read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = 
"description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate 
Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn 
|| description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = 
"ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = 
"ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || 
krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || 
mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow 
(delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous 
access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = 
"ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || 
hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates 
from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow 
(write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)']
>2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = 
"krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || 
krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) 
groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service 
keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell 
|| ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = 
"ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = 
"ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || 
krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr 
= "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = 
"ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve 
certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || 
description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change 
a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = 
"ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = 
"ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow 
(delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) 
groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny 
(read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = 
"description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate 
Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn 
|| description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = 
"ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = 
"ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || 
krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || 
description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 
3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own 
password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates 
from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default 
group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service 
groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify 
Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = 
"ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || 
krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" 
)(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || 
homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = 
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = 
"ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member 
information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn 
= "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = 
"(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || 
krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl 
"selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn 
= "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow 
(write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, 
compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove 
Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = 
"description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType 
|| krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = 
"ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke 
certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || 
ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = 
"ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = 
"ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user 
accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || 
nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || 
ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter 
= "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token 
secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy 
costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group 
Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange 
|| krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr 
= "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || 
displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC 
services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = 
"ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = 
"ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user 
accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || 
nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = 
"ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash 
|| ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = 
"(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || 
krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege 
membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl 
"selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC 
services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || 
ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) 
groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password 
Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = 
"ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host 
SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)'] >2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = 
"krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || 
krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) 
groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = 
"ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny 
(read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname 
|| sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC 
services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = 
"ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = 
"ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public 
Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)'] >2013-12-13T13:21:34Z DEBUG add: '(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)' to aci, current value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl 
"Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request 
Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify 
Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = 
"ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl 
"permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag 
|| accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || 
ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)']
>2013-12-13T13:21:34Z DEBUG add: updated value [u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser 
|| member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) 
groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to 
member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) 
groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || 
secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC 
service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = 
"ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = 
"ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || 
ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)'] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG info: >2013-12-13T13:21:34Z DEBUG IPA V2.0 >2013-12-13T13:21:34Z DEBUG associatedDomain: >2013-12-13T13:21:34Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG pilotObject >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG nisDomainObject >2013-12-13T13:21:34Z DEBUG domain >2013-12-13T13:21:34Z DEBUG domainRelatedObject >2013-12-13T13:21:34Z DEBUG aci: >2013-12-13T13:21:34Z DEBUG (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || 
memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || 
street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:34Z DEBUG 
(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:34Z DEBUG (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "givenname || sn || cn || displayname || 
title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group 
membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA 
Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC 
services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) 
>2013-12-13T13:21:34Z DEBUG (targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = 
"krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:34Z DEBUG (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || 
ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:34Z DEBUG dc: >2013-12-13T13:21:34Z DEBUG dom227 >2013-12-13T13:21:34Z DEBUG nisDomain: >2013-12-13T13:21:34Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:34Z DEBUG [(0, u'aci', ['(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC 
rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "member")(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetfilter = "(objectclass=ipasudocmd)")(target = 
"ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy 
costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password 
Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'])] >2013-12-13T13:21:34Z DEBUG Live 1, updated 1 >2013-12-13T13:21:34Z INFO Done >2013-12-13T13:21:34Z INFO New entry: cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value 
>2013-12-13T13:21:34Z DEBUG dn: cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG addifexist: 'idnsConfigObject' to objectClass, current value [] >2013-12-13T13:21:34Z DEBUG addifexist: '(target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)' to aci, current value [] >2013-12-13T13:21:34Z DEBUG addifexist: '(target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)' to aci, current value [] >2013-12-13T13:21:34Z DEBUG addifexist: '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)' to aci, current value [] >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z INFO New entry: 
cn=radiusproxy,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Initial value >2013-12-13T13:21:34Z DEBUG dn: cn=radiusproxy,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG radiusproxy >2013-12-13T13:21:34Z DEBUG --------------------------------------------- >2013-12-13T13:21:34Z DEBUG Final value after applying updates >2013-12-13T13:21:34Z DEBUG dn: cn=radiusproxy,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:34Z DEBUG objectClass: >2013-12-13T13:21:34Z DEBUG nsContainer >2013-12-13T13:21:34Z DEBUG top >2013-12-13T13:21:34Z DEBUG cn: >2013-12-13T13:21:34Z DEBUG radiusproxy >2013-12-13T13:21:35Z INFO New entry: cn=otp,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=otp,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nsContainer >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG otp >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=otp,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nsContainer >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG otp >2013-12-13T13:21:35Z INFO Updating existing entry: 
cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nsContainer >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG automember >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nsContainer >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG automember >2013-12-13T13:21:35Z DEBUG [] >2013-12-13T13:21:35Z DEBUG Live 1, updated 0 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO Updating existing entry: cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nsContainer >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG aci: >2013-12-13T13:21:35Z DEBUG (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG (targetfilter = 
"(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG ipa >2013-12-13T13:21:35Z DEBUG add: '(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = 
"ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:35Z DEBUG add: updated value [u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:35Z DEBUG add: '(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = 
"ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:35Z DEBUG add: updated value [u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nsContainer >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG aci: >2013-12-13T13:21:35Z DEBUG (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) 
userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG (targetfilter = "(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG (target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG (target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG ipa >2013-12-13T13:21:35Z DEBUG [(0, u'aci', ['(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = 
"ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', '(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'])] >2013-12-13T13:21:35Z DEBUG Live 1, updated 1 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO New entry: cn=add dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=add dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG addifexist: 'ipapermission' to objectclass, current value [] >2013-12-13T13:21:35Z DEBUG addifexist: 'cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:35Z DEBUG addifexist: 'cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=add dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z INFO Updating existing entry: cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG 
--------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Modify Automount maps >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Modify Automount maps >2013-12-13T13:21:35Z DEBUG [] >2013-12-13T13:21:35Z DEBUG Live 1, updated 0 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO Updating existing entry: cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top 
>2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=modify hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=remove hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Host Group Administrators >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Host Group Administrators >2013-12-13T13:21:35Z DEBUG add: 'cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:35Z DEBUG add: updated value [ipapython.dn.DN('cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Host Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=modify hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z 
DEBUG cn=remove hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Host Group Administrators >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Host Group Administrators >2013-12-13T13:21:35Z DEBUG [(0, u'member', ['cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:35Z DEBUG Live 1, updated 1 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO New entry: cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Modify SELinux User Maps >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Modify SELinux User Maps >2013-12-13T13:21:35Z INFO New entry: cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Add Sudo command >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Add Sudo command >2013-12-13T13:21:35Z INFO Updating existing entry: 
cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=modify automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=remove automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=remove automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Automount Administrators >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Automount Administrators >2013-12-13T13:21:35Z DEBUG add: 'cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:35Z DEBUG add: updated value [ipapython.dn.DN('cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:35Z DEBUG 
--------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=modify automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=remove automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=remove automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Automount Administrators >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Automount Administrators >2013-12-13T13:21:35Z DEBUG [(0, u'member', ['cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:35Z DEBUG Live 1, updated 1 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO New entry: cn=Manage Sudo command group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Manage Sudo command group membership >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Manage Sudo command group membership >2013-12-13T13:21:35Z INFO Updating existing entry: cn=Group,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Group,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z 
DEBUG top >2013-12-13T13:21:35Z DEBUG autoMemberDefinition >2013-12-13T13:21:35Z DEBUG autoMemberGroupingAttr: >2013-12-13T13:21:35Z DEBUG member:dn >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Group >2013-12-13T13:21:35Z DEBUG autoMemberScope: >2013-12-13T13:21:35Z DEBUG cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG autoMemberFilter: >2013-12-13T13:21:35Z DEBUG objectclass=posixAccount >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Group,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG autoMemberDefinition >2013-12-13T13:21:35Z DEBUG autoMemberGroupingAttr: >2013-12-13T13:21:35Z DEBUG member:dn >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Group >2013-12-13T13:21:35Z DEBUG autoMemberScope: >2013-12-13T13:21:35Z DEBUG cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG autoMemberFilter: >2013-12-13T13:21:35Z DEBUG objectclass=posixAccount >2013-12-13T13:21:35Z DEBUG [] >2013-12-13T13:21:35Z DEBUG Live 1, updated 0 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO Updating existing entry: cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z 
DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=remove services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Service Administrators >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Service Administrators >2013-12-13T13:21:35Z DEBUG add: 'cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:35Z DEBUG add: updated value [ipapython.dn.DN('cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Service Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=remove services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:21:35Z DEBUG cn=modify services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Service Administrators >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Service Administrators >2013-12-13T13:21:35Z DEBUG [(0, u'member', ['cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:35Z DEBUG Live 1, updated 1 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO Updating existing entry: cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Netgroups Administrators 
>2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Netgroups Administrators >2013-12-13T13:21:35Z DEBUG add: 'cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:35Z DEBUG add: updated value [ipapython.dn.DN('cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG memberOf: >2013-12-13T13:21:35Z DEBUG cn=remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn=modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Netgroups Administrators >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Netgroups Administrators >2013-12-13T13:21:35Z DEBUG [(0, u'member', ['cn=IT Security 
Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:35Z DEBUG Live 1, updated 1 >2013-12-13T13:21:35Z INFO Done >2013-12-13T13:21:35Z INFO New entry: cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Sudo Administrator >2013-12-13T13:21:35Z DEBUG description: >2013-12-13T13:21:35Z DEBUG Sudo Administrator >2013-12-13T13:21:35Z DEBUG add: 'cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:35Z DEBUG add: updated value [ipapython.dn.DN('cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG nestedgroup >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Sudo Administrator >2013-12-13T13:21:35Z DEBUG 
description: >2013-12-13T13:21:35Z DEBUG Sudo Administrator >2013-12-13T13:21:35Z INFO New entry: cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z DEBUG dn: cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Delete Group Password Policy costemplate >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Delete Group Password Policy costemplate >2013-12-13T13:21:35Z INFO New entry: cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Initial value >2013-12-13T13:21:35Z 
DEBUG dn: cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Delete HBAC rule >2013-12-13T13:21:35Z DEBUG --------------------------------------------- >2013-12-13T13:21:35Z DEBUG Final value after applying updates >2013-12-13T13:21:35Z DEBUG dn: cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG objectClass: >2013-12-13T13:21:35Z DEBUG groupofnames >2013-12-13T13:21:35Z DEBUG ipapermission >2013-12-13T13:21:35Z DEBUG top >2013-12-13T13:21:35Z DEBUG member: >2013-12-13T13:21:35Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:35Z DEBUG cn: >2013-12-13T13:21:35Z DEBUG Delete HBAC rule >2013-12-13T13:21:36Z INFO New entry: cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Manage HBAC rule membership >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Manage HBAC rule membership >2013-12-13T13:21:36Z INFO New entry: cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Remove SELinux User Maps >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: 
>2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Remove SELinux User Maps >2013-12-13T13:21:36Z INFO New entry: cn=Modify Group membership,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Modify Group membership,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG nestedgroup >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=helpdesk,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Modify Group membership >2013-12-13T13:21:36Z DEBUG description: >2013-12-13T13:21:36Z DEBUG Modify Group membership >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Modify Group membership,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG nestedgroup >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=helpdesk,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Modify Group membership 
>2013-12-13T13:21:36Z DEBUG description: >2013-12-13T13:21:36Z DEBUG Modify Group membership >2013-12-13T13:21:36Z INFO New entry: cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG nestedgroup >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Write IPA Configuration >2013-12-13T13:21:36Z DEBUG description: >2013-12-13T13:21:36Z DEBUG Write IPA Configuration >2013-12-13T13:21:36Z DEBUG add: 'cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:36Z DEBUG add: updated value [ipapython.dn.DN('cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG nestedgroup >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Write IPA Configuration >2013-12-13T13:21:36Z DEBUG description: >2013-12-13T13:21:36Z DEBUG Write IPA Configuration 
>2013-12-13T13:21:36Z INFO New entry: cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Add Sudo command group >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Add Sudo command group >2013-12-13T13:21:36Z INFO New entry: cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: 
>2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Modify Sudo rule >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Modify Sudo rule >2013-12-13T13:21:36Z INFO New entry: cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Modify Sudo command >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value 
after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Modify Sudo command >2013-12-13T13:21:36Z INFO New entry: cn=update dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=update dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG addifexist: 'ipapermission' to objectclass, current value [] >2013-12-13T13:21:36Z DEBUG addifexist: 'cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:36Z DEBUG addifexist: 'cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=update dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z INFO New entry: cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value 
>2013-12-13T13:21:36Z DEBUG dn: cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Add Sudo rule >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Add Sudo rule >2013-12-13T13:21:36Z INFO New entry: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Automember Task 
Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG ipapermissiontype: >2013-12-13T13:21:36Z DEBUG SYSTEM >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Add Automember Rebuild Membership Task >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z DEBUG dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG ipapermission >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG member: >2013-12-13T13:21:36Z DEBUG cn=Automember Task Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG ipapermissiontype: >2013-12-13T13:21:36Z DEBUG SYSTEM >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Add Automember Rebuild Membership Task >2013-12-13T13:21:36Z INFO New entry: cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Initial value >2013-12-13T13:21:36Z DEBUG dn: cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG nestedgroup >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Security Architect >2013-12-13T13:21:36Z DEBUG description: >2013-12-13T13:21:36Z DEBUG Security Architect >2013-12-13T13:21:36Z DEBUG --------------------------------------------- >2013-12-13T13:21:36Z DEBUG Final value after applying updates >2013-12-13T13:21:36Z 
DEBUG dn: cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:36Z DEBUG objectClass: >2013-12-13T13:21:36Z DEBUG groupofnames >2013-12-13T13:21:36Z DEBUG nestedgroup >2013-12-13T13:21:36Z DEBUG top >2013-12-13T13:21:36Z DEBUG cn: >2013-12-13T13:21:36Z DEBUG Security Architect >2013-12-13T13:21:36Z DEBUG description: >2013-12-13T13:21:36Z DEBUG Security Architect >2013-12-13T13:21:37Z INFO New entry: cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Delete Group Password Policy >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z 
DEBUG Delete Group Password Policy >2013-12-13T13:21:37Z INFO Updating existing entry: cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG nestedgroup >2013-12-13T13:21:37Z DEBUG memberOf: >2013-12-13T13:21:37Z DEBUG cn=enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=add hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=remove hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=manage host ssh public keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=modify hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Host Administrators >2013-12-13T13:21:37Z DEBUG description: >2013-12-13T13:21:37Z DEBUG Host Administrators >2013-12-13T13:21:37Z DEBUG add: 'cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:37Z DEBUG add: updated value [ipapython.dn.DN('cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] 
>2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG nestedgroup >2013-12-13T13:21:37Z DEBUG memberOf: >2013-12-13T13:21:37Z DEBUG cn=enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=add hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=remove hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=manage host ssh public keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=modify hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Host Administrators >2013-12-13T13:21:37Z DEBUG description: >2013-12-13T13:21:37Z DEBUG Host Administrators >2013-12-13T13:21:37Z DEBUG [(0, u'member', ['cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:37Z DEBUG Live 1, updated 1 >2013-12-13T13:21:37Z INFO Done >2013-12-13T13:21:37Z INFO Updating existing entry: cn=Revoke 
Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Revoke Certificate >2013-12-13T13:21:37Z DEBUG add: 'cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [ipapython.dn.DN('cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:37Z DEBUG add: updated value [ipapython.dn.DN('cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Certificate 
Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Revoke Certificate >2013-12-13T13:21:37Z DEBUG [(0, u'member', ['cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:37Z DEBUG Live 1, updated 1 >2013-12-13T13:21:37Z INFO Done >2013-12-13T13:21:37Z INFO New entry: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG nestedgroup >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=helpdesk,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Modify Users and Reset passwords >2013-12-13T13:21:37Z DEBUG description: >2013-12-13T13:21:37Z DEBUG Modify Users and Reset passwords >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG nestedgroup >2013-12-13T13:21:37Z DEBUG 
member: >2013-12-13T13:21:37Z DEBUG cn=helpdesk,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Modify Users and Reset passwords >2013-12-13T13:21:37Z DEBUG description: >2013-12-13T13:21:37Z DEBUG Modify Users and Reset passwords >2013-12-13T13:21:37Z INFO Updating existing entry: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Manage User SSH Public Keys >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Manage User SSH Public Keys >2013-12-13T13:21:37Z DEBUG [] >2013-12-13T13:21:37Z DEBUG Live 1, updated 0 
>2013-12-13T13:21:37Z INFO Done >2013-12-13T13:21:37Z INFO New entry: cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Add HBAC service groups >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Add HBAC service groups >2013-12-13T13:21:37Z INFO Updating existing entry: cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Change a user 
password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Change a user password >2013-12-13T13:21:37Z DEBUG add: 'cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [ipapython.dn.DN('cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:37Z DEBUG add: updated value [ipapython.dn.DN('cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG 
Change a user password >2013-12-13T13:21:37Z DEBUG [(0, u'member', ['cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:37Z DEBUG Live 1, updated 1 >2013-12-13T13:21:37Z INFO Done >2013-12-13T13:21:37Z INFO Updating existing entry: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Retrieve Certificates from the CA >2013-12-13T13:21:37Z DEBUG add: 'cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [ipapython.dn.DN('cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:37Z DEBUG add: updated value [ipapython.dn.DN('cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Retrieve Certificates 
from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Certificate Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Retrieve Certificates from the CA >2013-12-13T13:21:37Z DEBUG [(0, u'member', ['cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:37Z DEBUG Live 1, updated 1 >2013-12-13T13:21:37Z INFO Done >2013-12-13T13:21:37Z INFO New entry: cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG nestedgroup >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Password Policy Administrator >2013-12-13T13:21:37Z DEBUG description: >2013-12-13T13:21:37Z DEBUG Password Policy Administrator >2013-12-13T13:21:37Z DEBUG add: 'cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:37Z DEBUG add: updated value [ipapython.dn.DN('cn=Security 
Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG nestedgroup >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Password Policy Administrator >2013-12-13T13:21:37Z DEBUG description: >2013-12-13T13:21:37Z DEBUG Password Policy Administrator >2013-12-13T13:21:37Z INFO New entry: cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Initial value >2013-12-13T13:21:37Z DEBUG dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Write IPA Configuration >2013-12-13T13:21:37Z DEBUG --------------------------------------------- >2013-12-13T13:21:37Z DEBUG Final value after applying updates >2013-12-13T13:21:37Z DEBUG dn: cn=Write IPA 
Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG objectClass: >2013-12-13T13:21:37Z DEBUG top >2013-12-13T13:21:37Z DEBUG groupofnames >2013-12-13T13:21:37Z DEBUG ipapermission >2013-12-13T13:21:37Z DEBUG member: >2013-12-13T13:21:37Z DEBUG cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:37Z DEBUG cn: >2013-12-13T13:21:37Z DEBUG Write IPA Configuration >2013-12-13T13:21:38Z INFO New entry: cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Delete Sudo rule >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: 
>2013-12-13T13:21:38Z DEBUG Delete Sudo rule >2013-12-13T13:21:38Z INFO New entry: cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG IT Security Specialist >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG IT Security Specialist >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG IT Security Specialist >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG IT Security Specialist >2013-12-13T13:21:38Z INFO New entry: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG addifexist: 'ipapermission' to objectclass, current value [] >2013-12-13T13:21:38Z DEBUG --------------------------------------------- 
>2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z INFO Updating existing entry: cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG memberOf: >2013-12-13T13:21:38Z DEBUG cn=add groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=remove groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Group Administrators >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG Group Administrators >2013-12-13T13:21:38Z DEBUG add: 'cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:38Z DEBUG add: updated value [ipapython.dn.DN('cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:38Z DEBUG --------------------------------------------- 
>2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG memberOf: >2013-12-13T13:21:38Z DEBUG cn=add groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=remove groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Group Administrators >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG Group Administrators >2013-12-13T13:21:38Z DEBUG [(0, u'member', ['cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:38Z DEBUG Live 1, updated 1 >2013-12-13T13:21:38Z INFO Done >2013-12-13T13:21:38Z INFO New entry: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z 
DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG SELinux User Map Administrators >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG SELinux User Map Administrators >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG SELinux User Map Administrators >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG SELinux User Map Administrators >2013-12-13T13:21:38Z INFO Updating existing entry: cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG memberOf: >2013-12-13T13:21:38Z DEBUG cn=add roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=remove roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify privilege 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Delegation Administrator >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG Role administration >2013-12-13T13:21:38Z DEBUG add: 'cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:38Z DEBUG add: updated value [ipapython.dn.DN('cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Delegation Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG memberOf: >2013-12-13T13:21:38Z DEBUG cn=add roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=remove roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify role 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Delegation Administrator >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG Role administration >2013-12-13T13:21:38Z DEBUG [(0, u'member', ['cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:38Z DEBUG Live 1, updated 1 >2013-12-13T13:21:38Z INFO Done >2013-12-13T13:21:38Z INFO New entry: cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Delete HBAC services >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: 
>2013-12-13T13:21:38Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Delete HBAC services >2013-12-13T13:21:38Z INFO Updating existing entry: cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Modify Automount keys >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Automount Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Modify Automount keys >2013-12-13T13:21:38Z DEBUG [] >2013-12-13T13:21:38Z DEBUG Live 1, updated 0 >2013-12-13T13:21:38Z INFO Done >2013-12-13T13:21:38Z INFO Updating existing entry: cn=Replication 
Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG memberOf: >2013-12-13T13:21:38Z DEBUG cn=remove replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify dna range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=add replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG Replication Administrators >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Replication Administrators >2013-12-13T13:21:38Z DEBUG add: 'cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:38Z DEBUG add: updated value [ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=Security 
Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG nestedgroup >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG memberOf: >2013-12-13T13:21:38Z DEBUG cn=remove replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=modify dna range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn=add replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG description: >2013-12-13T13:21:38Z DEBUG Replication Administrators >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Replication Administrators >2013-12-13T13:21:38Z DEBUG [(0, u'member', ['cn=Security Architect,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:38Z DEBUG Live 1, updated 1 >2013-12-13T13:21:38Z INFO Done >2013-12-13T13:21:38Z INFO New entry: cn=Add Group Password 
Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Add Group Password Policy >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Add Group Password Policy >2013-12-13T13:21:38Z INFO Updating existing entry: cn=Hostgroup,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Hostgroup,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top 
>2013-12-13T13:21:38Z DEBUG autoMemberDefinition >2013-12-13T13:21:38Z DEBUG autoMemberGroupingAttr: >2013-12-13T13:21:38Z DEBUG member:dn >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Hostgroup >2013-12-13T13:21:38Z DEBUG autoMemberScope: >2013-12-13T13:21:38Z DEBUG cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG autoMemberFilter: >2013-12-13T13:21:38Z DEBUG objectclass=ipaHost >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Hostgroup,cn=automember,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG autoMemberDefinition >2013-12-13T13:21:38Z DEBUG autoMemberGroupingAttr: >2013-12-13T13:21:38Z DEBUG member:dn >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Hostgroup >2013-12-13T13:21:38Z DEBUG autoMemberScope: >2013-12-13T13:21:38Z DEBUG cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG autoMemberFilter: >2013-12-13T13:21:38Z DEBUG objectclass=ipaHost >2013-12-13T13:21:38Z DEBUG [] >2013-12-13T13:21:38Z DEBUG Live 1, updated 0 >2013-12-13T13:21:38Z INFO Done >2013-12-13T13:21:38Z INFO New entry: cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: 
>2013-12-13T13:21:38Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Modify HBAC rule >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Modify HBAC rule >2013-12-13T13:21:38Z INFO New entry: cn=Realm Domains,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Realm Domains,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG domainRelatedObject >2013-12-13T13:21:38Z DEBUG nsContainer >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG associatedDomain: >2013-12-13T13:21:38Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Realm Domains >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Realm Domains,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG domainRelatedObject 
>2013-12-13T13:21:38Z DEBUG nsContainer >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG associatedDomain: >2013-12-13T13:21:38Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Realm Domains >2013-12-13T13:21:38Z INFO New entry: cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Initial value >2013-12-13T13:21:38Z DEBUG dn: cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Modify Group Password Policy costemplate >2013-12-13T13:21:38Z DEBUG --------------------------------------------- >2013-12-13T13:21:38Z DEBUG Final value after applying updates >2013-12-13T13:21:38Z DEBUG dn: cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG objectClass: >2013-12-13T13:21:38Z DEBUG groupofnames >2013-12-13T13:21:38Z DEBUG ipapermission >2013-12-13T13:21:38Z DEBUG top >2013-12-13T13:21:38Z DEBUG member: >2013-12-13T13:21:38Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:38Z DEBUG cn: >2013-12-13T13:21:38Z DEBUG Modify Group Password Policy costemplate >2013-12-13T13:21:39Z INFO New entry: cn=Add HBAC 
services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Add HBAC services >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Add HBAC services >2013-12-13T13:21:39Z INFO Updating existing entry: cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top 
>2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Modify Users >2013-12-13T13:21:39Z DEBUG add: 'cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [ipapython.dn.DN('cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:39Z DEBUG add: updated value [ipapython.dn.DN('cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Modify Users >2013-12-13T13:21:39Z DEBUG [(0, u'member', ['cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:39Z DEBUG Live 1, updated 1 
>2013-12-13T13:21:39Z INFO Done >2013-12-13T13:21:39Z INFO New entry: cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG nestedgroup >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG IT Specialist >2013-12-13T13:21:39Z DEBUG description: >2013-12-13T13:21:39Z DEBUG IT Specialist >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=IT Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG nestedgroup >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG IT Specialist >2013-12-13T13:21:39Z DEBUG description: >2013-12-13T13:21:39Z DEBUG IT Specialist >2013-12-13T13:21:39Z INFO New entry: cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG nestedgroup >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG User Administrator >2013-12-13T13:21:39Z DEBUG 
description: >2013-12-13T13:21:39Z DEBUG Responsible for creating Users and Groups >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG nestedgroup >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG User Administrator >2013-12-13T13:21:39Z DEBUG description: >2013-12-13T13:21:39Z DEBUG Responsible for creating Users and Groups >2013-12-13T13:21:39Z INFO New entry: cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Delete Sudo command >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG 
member: >2013-12-13T13:21:39Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Delete Sudo command >2013-12-13T13:21:39Z INFO New entry: cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Modify Group Password Policy >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Modify Group Password Policy >2013-12-13T13:21:39Z INFO New entry: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Add Group Password Policy costemplate >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=Password Policy Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Add Group Password Policy costemplate >2013-12-13T13:21:39Z INFO New entry: cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Initial value >2013-12-13T13:21:39Z DEBUG dn: cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG groupofnames 
>2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Add SELinux User Maps >2013-12-13T13:21:39Z DEBUG --------------------------------------------- >2013-12-13T13:21:39Z DEBUG Final value after applying updates >2013-12-13T13:21:39Z DEBUG dn: cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG objectClass: >2013-12-13T13:21:39Z DEBUG top >2013-12-13T13:21:39Z DEBUG groupofnames >2013-12-13T13:21:39Z DEBUG ipapermission >2013-12-13T13:21:39Z DEBUG member: >2013-12-13T13:21:39Z DEBUG cn=SELinux User Map Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:39Z DEBUG cn: >2013-12-13T13:21:39Z DEBUG Add SELinux User Maps >2013-12-13T13:21:40Z INFO Updating existing entry: cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Modify Group membership >2013-12-13T13:21:40Z DEBUG add: 'cn=Modify Group 
membership,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [ipapython.dn.DN('cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:40Z DEBUG add: updated value [ipapython.dn.DN('cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=Modify Group membership,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=Group Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=Modify Group membership,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Modify Group membership >2013-12-13T13:21:40Z DEBUG [(0, u'member', ['cn=Modify Group membership,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:40Z DEBUG Live 1, updated 1 >2013-12-13T13:21:40Z INFO Done >2013-12-13T13:21:40Z INFO New entry: cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=Add HBAC 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Add HBAC rule >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Add HBAC rule >2013-12-13T13:21:40Z INFO New entry: cn=remove dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=remove dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG addifexist: 'ipapermission' to objectclass, current value [] >2013-12-13T13:21:40Z DEBUG addifexist: 'cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:40Z DEBUG addifexist: 'cn=DNS 
Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=remove dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z INFO Updating existing entry: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG ipaPermissionType: >2013-12-13T13:21:40Z DEBUG SYSTEM >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Modify DNA Range >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=Replication Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG ipaPermissionType: 
>2013-12-13T13:21:40Z DEBUG SYSTEM >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Modify DNA Range >2013-12-13T13:21:40Z DEBUG [] >2013-12-13T13:21:40Z DEBUG Live 1, updated 0 >2013-12-13T13:21:40Z INFO Done >2013-12-13T13:21:40Z INFO Updating existing entry: cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG nestedgroup >2013-12-13T13:21:40Z DEBUG memberOf: >2013-12-13T13:21:40Z DEBUG cn=modify users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=manage user ssh public keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=add users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=remove users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG User Administrators >2013-12-13T13:21:40Z DEBUG description: >2013-12-13T13:21:40Z DEBUG User Administrators 
>2013-12-13T13:21:40Z DEBUG add: 'cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:40Z DEBUG add: updated value [ipapython.dn.DN('cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=User Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG nestedgroup >2013-12-13T13:21:40Z DEBUG memberOf: >2013-12-13T13:21:40Z DEBUG cn=modify users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=manage user ssh public keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=add users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=remove users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn=change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
>2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG User Administrators >2013-12-13T13:21:40Z DEBUG description: >2013-12-13T13:21:40Z DEBUG User Administrators >2013-12-13T13:21:40Z DEBUG [(0, u'member', ['cn=User Administrator,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:40Z DEBUG Live 1, updated 1 >2013-12-13T13:21:40Z INFO Done >2013-12-13T13:21:40Z INFO New entry: cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG nestedgroup >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG HBAC Administrator >2013-12-13T13:21:40Z DEBUG description: >2013-12-13T13:21:40Z DEBUG HBAC Administrator >2013-12-13T13:21:40Z DEBUG add: 'cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:40Z DEBUG add: updated value [ipapython.dn.DN('cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG nestedgroup >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG 
cn=IT Security Specialist,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG HBAC Administrator >2013-12-13T13:21:40Z DEBUG description: >2013-12-13T13:21:40Z DEBUG HBAC Administrator >2013-12-13T13:21:40Z INFO Updating existing entry: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Manage Host SSH Public Keys >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Manage Host SSH Public Keys >2013-12-13T13:21:40Z DEBUG [] >2013-12-13T13:21:40Z DEBUG Live 1, updated 0 >2013-12-13T13:21:40Z INFO Done >2013-12-13T13:21:40Z INFO New 
entry: cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Manage HBAC service group membership >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Manage HBAC service group membership >2013-12-13T13:21:40Z INFO New entry: cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Initial value >2013-12-13T13:21:40Z DEBUG dn: cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Delete HBAC service groups >2013-12-13T13:21:40Z DEBUG --------------------------------------------- >2013-12-13T13:21:40Z DEBUG Final value after applying updates >2013-12-13T13:21:40Z DEBUG dn: cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG objectClass: >2013-12-13T13:21:40Z DEBUG groupofnames >2013-12-13T13:21:40Z DEBUG ipapermission >2013-12-13T13:21:40Z DEBUG top >2013-12-13T13:21:40Z DEBUG member: >2013-12-13T13:21:40Z DEBUG cn=HBAC Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:40Z DEBUG cn: >2013-12-13T13:21:40Z DEBUG Delete HBAC service groups >2013-12-13T13:21:41Z INFO New entry: cn=Automember Task Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG nestedgroup >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Automember Task Administrator >2013-12-13T13:21:41Z DEBUG description: >2013-12-13T13:21:41Z DEBUG Automember Task 
Administrator >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG nestedgroup >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Automember Task Administrator >2013-12-13T13:21:41Z DEBUG description: >2013-12-13T13:21:41Z DEBUG Automember Task Administrator >2013-12-13T13:21:41Z INFO Updating existing entry: cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG nestedgroup >2013-12-13T13:21:41Z DEBUG memberOf: >2013-12-13T13:21:41Z DEBUG cn=enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn=manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Host Enrollment >2013-12-13T13:21:41Z DEBUG description: >2013-12-13T13:21:41Z DEBUG Host Enrollment >2013-12-13T13:21:41Z DEBUG add: 'cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to member, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value 
[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG nestedgroup >2013-12-13T13:21:41Z DEBUG memberOf: >2013-12-13T13:21:41Z DEBUG cn=enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn=manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG member: >2013-12-13T13:21:41Z DEBUG cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Host Enrollment >2013-12-13T13:21:41Z DEBUG description: >2013-12-13T13:21:41Z DEBUG Host Enrollment >2013-12-13T13:21:41Z DEBUG [(0, u'member', ['cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'])] >2013-12-13T13:21:41Z DEBUG Live 1, updated 1 >2013-12-13T13:21:41Z INFO Done >2013-12-13T13:21:41Z INFO New entry: cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG ipapermission >2013-12-13T13:21:41Z DEBUG 
top >2013-12-13T13:21:41Z DEBUG member: >2013-12-13T13:21:41Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Delete Sudo command group >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG ipapermission >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG member: >2013-12-13T13:21:41Z DEBUG cn=Sudo Administrator,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Delete Sudo command group >2013-12-13T13:21:41Z INFO New entry: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG ipapermission >2013-12-13T13:21:41Z DEBUG member: >2013-12-13T13:21:41Z DEBUG cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Add krbPrincipalName to a host >2013-12-13T13:21:41Z DEBUG 
--------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG ipapermission >2013-12-13T13:21:41Z DEBUG member: >2013-12-13T13:21:41Z DEBUG cn=Host Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn=Host Enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Add krbPrincipalName to a host >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/50-7_bit_check.update' >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/50-groupuuid.update' >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/50-hbacservice.update' >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/50-ipaconfig.update' >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/50-krbenctypes.update' >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/50-lockout-policy.update' >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/50-nis.update' >2013-12-13T13:21:41Z INFO Parsing update file '/usr/share/ipa/updates/55-pbacmemberof.update' >2013-12-13T13:21:41Z INFO Updating existing entry: cn=7-bit check,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=7-bit check,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:41Z DEBUG NS7bitAttr >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG 7-bit check 
>2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG nsSlapdPlugin >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:41Z DEBUG Enforce 7-bit clean attribute values >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg0: >2013-12-13T13:21:41Z DEBUG uid >2013-12-13T13:21:41Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:41Z DEBUG on >2013-12-13T13:21:41Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:41Z DEBUG libattr-unique-plugin >2013-12-13T13:21:41Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:41Z DEBUG 1.3.2.7 >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:21:41Z DEBUG mail >2013-12-13T13:21:41Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:41Z DEBUG 389 Project >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg3: >2013-12-13T13:21:41Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:21:41Z DEBUG , >2013-12-13T13:21:41Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:41Z DEBUG database >2013-12-13T13:21:41Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:41Z DEBUG betxnpreoperation >2013-12-13T13:21:41Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:41Z DEBUG NS7bitAttr_Init >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=7-bit check,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:41Z DEBUG NS7bitAttr >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG 7-bit check >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG nsSlapdPlugin >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:41Z DEBUG Enforce 7-bit clean attribute values >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg0: 
>2013-12-13T13:21:41Z DEBUG uid >2013-12-13T13:21:41Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:41Z DEBUG on >2013-12-13T13:21:41Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:41Z DEBUG libattr-unique-plugin >2013-12-13T13:21:41Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:41Z DEBUG 1.3.2.7 >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg1: >2013-12-13T13:21:41Z DEBUG mail >2013-12-13T13:21:41Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:41Z DEBUG 389 Project >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg3: >2013-12-13T13:21:41Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG nsslapd-pluginarg2: >2013-12-13T13:21:41Z DEBUG , >2013-12-13T13:21:41Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:41Z DEBUG database >2013-12-13T13:21:41Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:41Z DEBUG betxnpreoperation >2013-12-13T13:21:41Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:41Z DEBUG NS7bitAttr_Init >2013-12-13T13:21:41Z DEBUG [] >2013-12-13T13:21:41Z DEBUG Live 1, updated 0 >2013-12-13T13:21:41Z INFO Done >2013-12-13T13:21:41Z INFO New entry: cn=Update Role memberOf 136062336,cn=memberof task,cn=tasks,cn=config >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=Update Role memberOf 136062336,cn=memberof task,cn=tasks,cn=config >2013-12-13T13:21:41Z DEBUG add: 'top' to objectClass, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'top'] >2013-12-13T13:21:41Z DEBUG add: 'extensibleObject' to objectClass, current value [u'top'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'top', u'extensibleObject'] >2013-12-13T13:21:41Z DEBUG add: 'Update Role memberOf 136062336' to cn, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'Update Role memberOf 136062336'] >2013-12-13T13:21:41Z DEBUG add: 
'cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to basedn, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:21:41Z DEBUG add: '(objectclass=*)' to filter, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'(objectclass=*)'] >2013-12-13T13:21:41Z DEBUG add: '10' to ttl, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'10'] >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=Update Role memberOf 136062336,cn=memberof task,cn=tasks,cn=config >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG filter: >2013-12-13T13:21:41Z DEBUG (objectclass=*) >2013-12-13T13:21:41Z DEBUG basedn: >2013-12-13T13:21:41Z DEBUG cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG Update Role memberOf 136062336 >2013-12-13T13:21:41Z DEBUG ttl: >2013-12-13T13:21:41Z DEBUG 10 >2013-12-13T13:21:41Z INFO New entry: cn=Update PBAC memberOf 136062336,cn=memberof task,cn=tasks,cn=config >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=Update PBAC memberOf 136062336,cn=memberof task,cn=tasks,cn=config >2013-12-13T13:21:41Z DEBUG add: 'top' to objectClass, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'top'] >2013-12-13T13:21:41Z DEBUG add: 'extensibleObject' to objectClass, current value [u'top'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'top', u'extensibleObject'] >2013-12-13T13:21:41Z DEBUG add: 'IPA PBAC memberOf 136062336' to cn, current value [] 
>2013-12-13T13:21:41Z DEBUG add: updated value [u'IPA PBAC memberOf 136062336'] >2013-12-13T13:21:41Z DEBUG add: 'cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to basedn, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'] >2013-12-13T13:21:41Z DEBUG add: '(objectclass=*)' to filter, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'(objectclass=*)'] >2013-12-13T13:21:41Z DEBUG add: '10' to ttl, current value [] >2013-12-13T13:21:41Z DEBUG add: updated value [u'10'] >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=Update PBAC memberOf 136062336,cn=memberof task,cn=tasks,cn=config >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG filter: >2013-12-13T13:21:41Z DEBUG (objectclass=*) >2013-12-13T13:21:41Z DEBUG basedn: >2013-12-13T13:21:41Z DEBUG cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG IPA PBAC memberOf 136062336 >2013-12-13T13:21:41Z DEBUG ttl: >2013-12-13T13:21:41Z DEBUG 10 >2013-12-13T13:21:41Z INFO New entry: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG objectclass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG nis-secure: >2013-12-13T13:21:41Z DEBUG no 
>2013-12-13T13:21:41Z DEBUG nis-map: >2013-12-13T13:21:41Z DEBUG ethers.byaddr >2013-12-13T13:21:41Z DEBUG nis-filter: >2013-12-13T13:21:41Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:21:41Z DEBUG nis-base: >2013-12-13T13:21:41Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG nis-values-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") >2013-12-13T13:21:41Z DEBUG nis-keys-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") >2013-12-13T13:21:41Z DEBUG nis-domain: >2013-12-13T13:21:41Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG objectclass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG nis-secure: >2013-12-13T13:21:41Z DEBUG no >2013-12-13T13:21:41Z DEBUG nis-map: >2013-12-13T13:21:41Z DEBUG ethers.byaddr >2013-12-13T13:21:41Z DEBUG nis-filter: >2013-12-13T13:21:41Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:21:41Z DEBUG nis-base: >2013-12-13T13:21:41Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG nis-values-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) 
(.*)","%1:%2:%3:%4:%5:%6 %7") >2013-12-13T13:21:41Z DEBUG nis-keys-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") >2013-12-13T13:21:41Z DEBUG nis-domain: >2013-12-13T13:21:41Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:41Z INFO Parent DN of nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config may not exist, cannot create the entry >2013-12-13T13:21:41Z INFO New entry: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z INFO New entry: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG objectclass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG nis-secure: >2013-12-13T13:21:41Z DEBUG no >2013-12-13T13:21:41Z DEBUG nis-map: >2013-12-13T13:21:41Z DEBUG ethers.byname >2013-12-13T13:21:41Z DEBUG nis-filter: >2013-12-13T13:21:41Z DEBUG 
(&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:21:41Z DEBUG nis-base: >2013-12-13T13:21:41Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG nis-values-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") >2013-12-13T13:21:41Z DEBUG nis-keys-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") >2013-12-13T13:21:41Z DEBUG nis-domain: >2013-12-13T13:21:41Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config >2013-12-13T13:21:41Z DEBUG objectclass: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG extensibleObject >2013-12-13T13:21:41Z DEBUG nis-secure: >2013-12-13T13:21:41Z DEBUG no >2013-12-13T13:21:41Z DEBUG nis-map: >2013-12-13T13:21:41Z DEBUG ethers.byname >2013-12-13T13:21:41Z DEBUG nis-filter: >2013-12-13T13:21:41Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >2013-12-13T13:21:41Z DEBUG nis-base: >2013-12-13T13:21:41Z DEBUG cn=computers, cn=accounts, dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG nis-values-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") >2013-12-13T13:21:41Z DEBUG nis-keys-format: >2013-12-13T13:21:41Z DEBUG %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) 
(.*)","%7") >2013-12-13T13:21:41Z DEBUG nis-domain: >2013-12-13T13:21:41Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:41Z INFO Parent DN of nis-domain=dom227.jenkinsad.idm.lab.eng.brq.redhat.com+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config may not exist, cannot create the entry >2013-12-13T13:21:41Z INFO Updating existing entry: cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG krbSubTrees: >2013-12-13T13:21:41Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:41Z DEBUG krbDefaultEncSaltTypes: >2013-12-13T13:21:41Z DEBUG aes256-cts:special >2013-12-13T13:21:41Z DEBUG des3-hmac-sha1:special >2013-12-13T13:21:41Z DEBUG aes128-cts:special >2013-12-13T13:21:41Z DEBUG arcfour-hmac:special >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG krbrealmcontainer >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG krbticketpolicyaux >2013-12-13T13:21:41Z DEBUG krbSearchScope: >2013-12-13T13:21:41Z DEBUG 2 >2013-12-13T13:21:41Z DEBUG krbSupportedEncSaltTypes: >2013-12-13T13:21:41Z DEBUG aes256-cts:special >2013-12-13T13:21:41Z DEBUG camellia256-cts-cmac:normal >2013-12-13T13:21:41Z DEBUG camellia256-cts-cmac:special >2013-12-13T13:21:41Z DEBUG aes128-cts:normal >2013-12-13T13:21:41Z DEBUG aes128-cts:special >2013-12-13T13:21:41Z DEBUG camellia128-cts-cmac:normal >2013-12-13T13:21:41Z DEBUG arcfour-hmac:normal >2013-12-13T13:21:41Z DEBUG camellia128-cts-cmac:special >2013-12-13T13:21:41Z DEBUG 
aes256-cts:normal >2013-12-13T13:21:41Z DEBUG des3-hmac-sha1:special >2013-12-13T13:21:41Z DEBUG des3-hmac-sha1:normal >2013-12-13T13:21:41Z DEBUG arcfour-hmac:special >2013-12-13T13:21:41Z DEBUG krbMaxTicketLife: >2013-12-13T13:21:41Z DEBUG 86400 >2013-12-13T13:21:41Z DEBUG krbMKey: >2013-12-13T13:21:41Z DEBUG XXXXXXXX >2013-12-13T13:21:41Z DEBUG krbMaxRenewableAge: >2013-12-13T13:21:41Z DEBUG 604800 >2013-12-13T13:21:41Z DEBUG add: 'camellia128-cts-cmac:normal' to krbSupportedEncSaltTypes, current value [u'aes256-cts:special', u'camellia256-cts-cmac:normal', u'camellia256-cts-cmac:special', u'aes128-cts:normal', u'aes128-cts:special', u'camellia128-cts-cmac:normal', u'arcfour-hmac:normal', u'camellia128-cts-cmac:special', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'aes256-cts:special', u'camellia256-cts-cmac:normal', u'camellia256-cts-cmac:special', u'aes128-cts:normal', u'aes128-cts:special', u'arcfour-hmac:normal', u'camellia128-cts-cmac:special', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special', u'camellia128-cts-cmac:normal'] >2013-12-13T13:21:41Z DEBUG add: 'camellia128-cts-cmac:special' to krbSupportedEncSaltTypes, current value [u'aes256-cts:special', u'camellia256-cts-cmac:normal', u'camellia256-cts-cmac:special', u'aes128-cts:normal', u'aes128-cts:special', u'arcfour-hmac:normal', u'camellia128-cts-cmac:special', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special', u'camellia128-cts-cmac:normal'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'aes256-cts:special', u'camellia256-cts-cmac:normal', u'camellia256-cts-cmac:special', u'aes128-cts:normal', u'aes128-cts:special', u'arcfour-hmac:normal', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special', u'camellia128-cts-cmac:normal', 
u'camellia128-cts-cmac:special'] >2013-12-13T13:21:41Z DEBUG add: 'camellia256-cts-cmac:normal' to krbSupportedEncSaltTypes, current value [u'aes256-cts:special', u'camellia256-cts-cmac:normal', u'camellia256-cts-cmac:special', u'aes128-cts:normal', u'aes128-cts:special', u'arcfour-hmac:normal', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special', u'camellia128-cts-cmac:normal', u'camellia128-cts-cmac:special'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'aes256-cts:special', u'camellia256-cts-cmac:special', u'aes128-cts:normal', u'aes128-cts:special', u'arcfour-hmac:normal', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special', u'camellia128-cts-cmac:normal', u'camellia128-cts-cmac:special', u'camellia256-cts-cmac:normal'] >2013-12-13T13:21:41Z DEBUG add: 'camellia256-cts-cmac:special' to krbSupportedEncSaltTypes, current value [u'aes256-cts:special', u'camellia256-cts-cmac:special', u'aes128-cts:normal', u'aes128-cts:special', u'arcfour-hmac:normal', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special', u'camellia128-cts-cmac:normal', u'camellia128-cts-cmac:special', u'camellia256-cts-cmac:normal'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'aes256-cts:special', u'aes128-cts:normal', u'aes128-cts:special', u'arcfour-hmac:normal', u'aes256-cts:normal', u'des3-hmac-sha1:special', u'des3-hmac-sha1:normal', u'arcfour-hmac:special', u'camellia128-cts-cmac:normal', u'camellia128-cts-cmac:special', u'camellia256-cts-cmac:normal', u'camellia256-cts-cmac:special'] >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG krbSubTrees: >2013-12-13T13:21:41Z DEBUG 
dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:41Z DEBUG krbDefaultEncSaltTypes: >2013-12-13T13:21:41Z DEBUG aes256-cts:special >2013-12-13T13:21:41Z DEBUG des3-hmac-sha1:special >2013-12-13T13:21:41Z DEBUG aes128-cts:special >2013-12-13T13:21:41Z DEBUG arcfour-hmac:special >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG krbrealmcontainer >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG krbticketpolicyaux >2013-12-13T13:21:41Z DEBUG krbSearchScope: >2013-12-13T13:21:41Z DEBUG 2 >2013-12-13T13:21:41Z DEBUG krbSupportedEncSaltTypes: >2013-12-13T13:21:41Z DEBUG aes256-cts:special >2013-12-13T13:21:41Z DEBUG aes128-cts:normal >2013-12-13T13:21:41Z DEBUG aes128-cts:special >2013-12-13T13:21:41Z DEBUG arcfour-hmac:normal >2013-12-13T13:21:41Z DEBUG aes256-cts:normal >2013-12-13T13:21:41Z DEBUG des3-hmac-sha1:special >2013-12-13T13:21:41Z DEBUG des3-hmac-sha1:normal >2013-12-13T13:21:41Z DEBUG arcfour-hmac:special >2013-12-13T13:21:41Z DEBUG camellia128-cts-cmac:normal >2013-12-13T13:21:41Z DEBUG camellia128-cts-cmac:special >2013-12-13T13:21:41Z DEBUG camellia256-cts-cmac:normal >2013-12-13T13:21:41Z DEBUG camellia256-cts-cmac:special >2013-12-13T13:21:41Z DEBUG krbMaxTicketLife: >2013-12-13T13:21:41Z DEBUG 86400 >2013-12-13T13:21:41Z DEBUG krbMKey: >2013-12-13T13:21:41Z DEBUG XXXXXXXX >2013-12-13T13:21:41Z DEBUG krbMaxRenewableAge: >2013-12-13T13:21:41Z DEBUG 604800 >2013-12-13T13:21:41Z DEBUG [] >2013-12-13T13:21:41Z DEBUG Live 1, updated 0 >2013-12-13T13:21:41Z INFO Done >2013-12-13T13:21:41Z INFO Updating existing entry: cn=ipaConfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Initial value >2013-12-13T13:21:41Z DEBUG dn: 
cn=ipaConfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG ipaDefaultLoginShell: >2013-12-13T13:21:41Z DEBUG /bin/sh >2013-12-13T13:21:41Z DEBUG ipaCertificateSubjectBase: >2013-12-13T13:21:41Z DEBUG O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG ipaConfig >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG ipaConfigObject >2013-12-13T13:21:41Z DEBUG nsContainer >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG ipaGuiConfig >2013-12-13T13:21:41Z DEBUG ipaHomesRootDir: >2013-12-13T13:21:41Z DEBUG /home >2013-12-13T13:21:41Z DEBUG ipaPwdExpAdvNotify: >2013-12-13T13:21:41Z DEBUG 4 >2013-12-13T13:21:41Z DEBUG ipaConfigString: >2013-12-13T13:21:41Z DEBUG AllowNThash >2013-12-13T13:21:41Z DEBUG ipaDefaultEmailDomain: >2013-12-13T13:21:41Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:41Z DEBUG ipaUserSearchFields: >2013-12-13T13:21:41Z DEBUG uid,givenname,sn,telephonenumber,ou,title >2013-12-13T13:21:41Z DEBUG ipaSELinuxUserMapDefault: >2013-12-13T13:21:41Z DEBUG unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:41Z DEBUG ipaUserObjectClasses: >2013-12-13T13:21:41Z DEBUG ipaobject >2013-12-13T13:21:41Z DEBUG person >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG ipasshuser >2013-12-13T13:21:41Z DEBUG inetorgperson >2013-12-13T13:21:41Z DEBUG organizationalperson >2013-12-13T13:21:41Z DEBUG krbticketpolicyaux >2013-12-13T13:21:41Z DEBUG krbprincipalaux >2013-12-13T13:21:41Z DEBUG inetuser >2013-12-13T13:21:41Z DEBUG posixaccount >2013-12-13T13:21:41Z DEBUG ipaDefaultPrimaryGroup: >2013-12-13T13:21:41Z DEBUG ipausers >2013-12-13T13:21:41Z DEBUG ipaGroupSearchFields: >2013-12-13T13:21:41Z DEBUG cn,description >2013-12-13T13:21:41Z DEBUG ipaMigrationEnabled: >2013-12-13T13:21:41Z DEBUG FALSE >2013-12-13T13:21:41Z DEBUG ipaSearchTimeLimit: >2013-12-13T13:21:41Z DEBUG 2 >2013-12-13T13:21:41Z DEBUG 
ipaGroupObjectClasses: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG ipaobject >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG ipausergroup >2013-12-13T13:21:41Z DEBUG nestedgroup >2013-12-13T13:21:41Z DEBUG ipaSearchRecordsLimit: >2013-12-13T13:21:41Z DEBUG 100 >2013-12-13T13:21:41Z DEBUG ipaMaxUsernameLength: >2013-12-13T13:21:41Z DEBUG 32 >2013-12-13T13:21:41Z DEBUG ipaSELinuxUserMapOrder: >2013-12-13T13:21:41Z DEBUG guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:41Z DEBUG add: 'guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' to ipaSELinuxUserMapOrder, current value [u'guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'] >2013-12-13T13:21:41Z DEBUG add: 'unconfined_u:s0-s0:c0.c1023' to ipaSELinuxUserMapDefault, current value [u'unconfined_u:s0-s0:c0.c1023'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'unconfined_u:s0-s0:c0.c1023'] >2013-12-13T13:21:41Z DEBUG add: 'ipasshuser' to ipaUserObjectClasses, current value [u'ipaobject', u'person', u'top', u'ipasshuser', u'inetorgperson', u'organizationalperson', u'krbticketpolicyaux', u'krbprincipalaux', u'inetuser', u'posixaccount'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'ipaobject', u'person', u'top', u'inetorgperson', u'organizationalperson', u'krbticketpolicyaux', u'krbprincipalaux', u'inetuser', u'posixaccount', u'ipasshuser'] >2013-12-13T13:21:41Z DEBUG remove: 'AllowLMhash' from ipaConfigString, current value [u'AllowNThash'] >2013-12-13T13:21:41Z WARNING remove: 'AllowLMhash' not in ipaConfigString >2013-12-13T13:21:41Z DEBUG remove: updated value [u'AllowNThash'] >2013-12-13T13:21:41Z DEBUG add: 'ipaUserAuthTypeClass' to objectClass, current value [u'ipaConfigObject', u'nsContainer', u'top', 
u'ipaGuiConfig'] >2013-12-13T13:21:41Z DEBUG add: updated value [u'ipaConfigObject', u'nsContainer', u'top', u'ipaGuiConfig', u'ipaUserAuthTypeClass'] >2013-12-13T13:21:41Z DEBUG --------------------------------------------- >2013-12-13T13:21:41Z DEBUG Final value after applying updates >2013-12-13T13:21:41Z DEBUG dn: cn=ipaConfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:41Z DEBUG ipaDefaultLoginShell: >2013-12-13T13:21:41Z DEBUG /bin/sh >2013-12-13T13:21:41Z DEBUG ipaCertificateSubjectBase: >2013-12-13T13:21:41Z DEBUG O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:41Z DEBUG cn: >2013-12-13T13:21:41Z DEBUG ipaConfig >2013-12-13T13:21:41Z DEBUG objectClass: >2013-12-13T13:21:41Z DEBUG ipaConfigObject >2013-12-13T13:21:41Z DEBUG nsContainer >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG ipaGuiConfig >2013-12-13T13:21:41Z DEBUG ipaUserAuthTypeClass >2013-12-13T13:21:41Z DEBUG ipaHomesRootDir: >2013-12-13T13:21:41Z DEBUG /home >2013-12-13T13:21:41Z DEBUG ipaPwdExpAdvNotify: >2013-12-13T13:21:41Z DEBUG 4 >2013-12-13T13:21:41Z DEBUG ipaConfigString: >2013-12-13T13:21:41Z DEBUG AllowNThash >2013-12-13T13:21:41Z DEBUG ipaDefaultEmailDomain: >2013-12-13T13:21:41Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:41Z DEBUG ipaUserSearchFields: >2013-12-13T13:21:41Z DEBUG uid,givenname,sn,telephonenumber,ou,title >2013-12-13T13:21:41Z DEBUG ipaSELinuxUserMapDefault: >2013-12-13T13:21:41Z DEBUG unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:41Z DEBUG ipaUserObjectClasses: >2013-12-13T13:21:41Z DEBUG ipaobject >2013-12-13T13:21:41Z DEBUG person >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG inetorgperson >2013-12-13T13:21:41Z DEBUG organizationalperson >2013-12-13T13:21:41Z DEBUG krbticketpolicyaux >2013-12-13T13:21:41Z DEBUG krbprincipalaux >2013-12-13T13:21:41Z DEBUG inetuser >2013-12-13T13:21:41Z DEBUG posixaccount >2013-12-13T13:21:41Z DEBUG ipasshuser 
>2013-12-13T13:21:41Z DEBUG ipaDefaultPrimaryGroup: >2013-12-13T13:21:41Z DEBUG ipausers >2013-12-13T13:21:41Z DEBUG ipaGroupSearchFields: >2013-12-13T13:21:41Z DEBUG cn,description >2013-12-13T13:21:41Z DEBUG ipaMigrationEnabled: >2013-12-13T13:21:41Z DEBUG FALSE >2013-12-13T13:21:41Z DEBUG ipaSearchTimeLimit: >2013-12-13T13:21:41Z DEBUG 2 >2013-12-13T13:21:41Z DEBUG ipaGroupObjectClasses: >2013-12-13T13:21:41Z DEBUG top >2013-12-13T13:21:41Z DEBUG ipaobject >2013-12-13T13:21:41Z DEBUG groupofnames >2013-12-13T13:21:41Z DEBUG ipausergroup >2013-12-13T13:21:41Z DEBUG nestedgroup >2013-12-13T13:21:41Z DEBUG ipaSearchRecordsLimit: >2013-12-13T13:21:41Z DEBUG 100 >2013-12-13T13:21:41Z DEBUG ipaMaxUsernameLength: >2013-12-13T13:21:41Z DEBUG 32 >2013-12-13T13:21:41Z DEBUG ipaSELinuxUserMapOrder: >2013-12-13T13:21:41Z DEBUG guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:41Z DEBUG [(0, u'objectClass', ['ipaUserAuthTypeClass'])] >2013-12-13T13:21:41Z DEBUG Live 1, updated 1 >2013-12-13T13:21:42Z INFO Done >2013-12-13T13:21:42Z INFO New entry: cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:42Z DEBUG --------------------------------------------- >2013-12-13T13:21:42Z DEBUG Initial value >2013-12-13T13:21:42Z DEBUG dn: cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:42Z DEBUG objectclass: >2013-12-13T13:21:42Z DEBUG ipahbacservice >2013-12-13T13:21:42Z DEBUG ipaobject >2013-12-13T13:21:42Z DEBUG description: >2013-12-13T13:21:42Z DEBUG pure-ftpd >2013-12-13T13:21:42Z DEBUG ipauniqueid: >2013-12-13T13:21:42Z DEBUG autogenerate >2013-12-13T13:21:42Z DEBUG cn: >2013-12-13T13:21:42Z DEBUG pure-ftpd >2013-12-13T13:21:42Z DEBUG --------------------------------------------- >2013-12-13T13:21:42Z DEBUG Final value after applying updates >2013-12-13T13:21:42Z DEBUG dn: 
cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:42Z DEBUG objectclass: >2013-12-13T13:21:42Z DEBUG ipahbacservice >2013-12-13T13:21:42Z DEBUG ipaobject >2013-12-13T13:21:42Z DEBUG description: >2013-12-13T13:21:42Z DEBUG pure-ftpd >2013-12-13T13:21:42Z DEBUG ipauniqueid: >2013-12-13T13:21:42Z DEBUG autogenerate >2013-12-13T13:21:42Z DEBUG cn: >2013-12-13T13:21:42Z DEBUG pure-ftpd >2013-12-13T13:21:42Z INFO New entry: cn=gssftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:42Z DEBUG --------------------------------------------- >2013-12-13T13:21:42Z DEBUG Initial value >2013-12-13T13:21:42Z DEBUG dn: cn=gssftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:42Z DEBUG objectclass: >2013-12-13T13:21:42Z DEBUG ipahbacservice >2013-12-13T13:21:42Z DEBUG ipaobject >2013-12-13T13:21:42Z DEBUG description: >2013-12-13T13:21:42Z DEBUG gssftp >2013-12-13T13:21:42Z DEBUG ipauniqueid: >2013-12-13T13:21:42Z DEBUG autogenerate >2013-12-13T13:21:42Z DEBUG cn: >2013-12-13T13:21:42Z DEBUG gssftp >2013-12-13T13:21:42Z DEBUG --------------------------------------------- >2013-12-13T13:21:42Z DEBUG Final value after applying updates >2013-12-13T13:21:42Z DEBUG dn: cn=gssftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:42Z DEBUG objectclass: >2013-12-13T13:21:42Z DEBUG ipahbacservice >2013-12-13T13:21:42Z DEBUG ipaobject >2013-12-13T13:21:42Z DEBUG description: >2013-12-13T13:21:42Z DEBUG gssftp >2013-12-13T13:21:42Z DEBUG ipauniqueid: >2013-12-13T13:21:42Z DEBUG autogenerate >2013-12-13T13:21:42Z DEBUG cn: >2013-12-13T13:21:42Z DEBUG gssftp >2013-12-13T13:21:43Z INFO Updating existing entry: 
cn=global_policy,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=global_policy,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG krbMinPwdLife: >2013-12-13T13:21:43Z DEBUG 3600 >2013-12-13T13:21:43Z DEBUG krbPwdMinLength: >2013-12-13T13:21:43Z DEBUG 8 >2013-12-13T13:21:43Z DEBUG objectClass: >2013-12-13T13:21:43Z DEBUG nsContainer >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG krbPwdPolicy >2013-12-13T13:21:43Z DEBUG krbPwdMinDiffChars: >2013-12-13T13:21:43Z DEBUG 0 >2013-12-13T13:21:43Z DEBUG krbPwdHistoryLength: >2013-12-13T13:21:43Z DEBUG 0 >2013-12-13T13:21:43Z DEBUG krbPwdLockoutDuration: >2013-12-13T13:21:43Z DEBUG 600 >2013-12-13T13:21:43Z DEBUG krbPwdMaxFailure: >2013-12-13T13:21:43Z DEBUG 6 >2013-12-13T13:21:43Z DEBUG krbMaxPwdLife: >2013-12-13T13:21:43Z DEBUG 7776000 >2013-12-13T13:21:43Z DEBUG krbPwdFailureCountInterval: >2013-12-13T13:21:43Z DEBUG 60 >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG global_policy >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final value after applying updates >2013-12-13T13:21:43Z DEBUG dn: cn=global_policy,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG krbMinPwdLife: >2013-12-13T13:21:43Z DEBUG 3600 >2013-12-13T13:21:43Z DEBUG krbPwdMinLength: >2013-12-13T13:21:43Z DEBUG 8 >2013-12-13T13:21:43Z DEBUG objectClass: >2013-12-13T13:21:43Z DEBUG nsContainer >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG krbPwdPolicy >2013-12-13T13:21:43Z DEBUG krbPwdMinDiffChars: >2013-12-13T13:21:43Z DEBUG 0 
>2013-12-13T13:21:43Z DEBUG krbPwdHistoryLength: >2013-12-13T13:21:43Z DEBUG 0 >2013-12-13T13:21:43Z DEBUG krbPwdLockoutDuration: >2013-12-13T13:21:43Z DEBUG 600 >2013-12-13T13:21:43Z DEBUG krbPwdMaxFailure: >2013-12-13T13:21:43Z DEBUG 6 >2013-12-13T13:21:43Z DEBUG krbMaxPwdLife: >2013-12-13T13:21:43Z DEBUG 7776000 >2013-12-13T13:21:43Z DEBUG krbPwdFailureCountInterval: >2013-12-13T13:21:43Z DEBUG 60 >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG global_policy >2013-12-13T13:21:43Z DEBUG [] >2013-12-13T13:21:43Z DEBUG Live 1, updated 0 >2013-12-13T13:21:43Z INFO Done >2013-12-13T13:21:43Z INFO Updating existing entry: cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG member: >2013-12-13T13:21:43Z DEBUG uid=admin,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG gidNumber: >2013-12-13T13:21:43Z DEBUG 346000000 >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG admins >2013-12-13T13:21:43Z DEBUG objectClass: >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG ipausergroup >2013-12-13T13:21:43Z DEBUG posixgroup >2013-12-13T13:21:43Z DEBUG groupofnames >2013-12-13T13:21:43Z DEBUG nestedGroup >2013-12-13T13:21:43Z DEBUG memberOf: >2013-12-13T13:21:43Z DEBUG cn=enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=modify replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=unlock user 
accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=remove replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=replication administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=add replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=host enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=modify dna range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Account administrators group >2013-12-13T13:21:43Z DEBUG ipaUniqueID: >2013-12-13T13:21:43Z DEBUG 70d454e8-63f8-11e3-bb3c-001a4a2221bd >2013-12-13T13:21:43Z DEBUG add: 'ipaobject' to objectclass, current value [u'ipaobject', u'top', u'ipausergroup', u'posixgroup', u'groupofnames', u'nestedGroup'] >2013-12-13T13:21:43Z DEBUG add: updated value [u'top', u'ipausergroup', u'posixgroup', u'groupofnames', u'nestedGroup', u'ipaobject'] >2013-12-13T13:21:43Z DEBUG addifnew: 'autogenerate' to ipaUniqueID, current value [u'70d454e8-63f8-11e3-bb3c-001a4a2221bd'] >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final 
value after applying updates >2013-12-13T13:21:43Z DEBUG dn: cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG member: >2013-12-13T13:21:43Z DEBUG uid=admin,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG gidNumber: >2013-12-13T13:21:43Z DEBUG 346000000 >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG admins >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG ipausergroup >2013-12-13T13:21:43Z DEBUG posixgroup >2013-12-13T13:21:43Z DEBUG groupofnames >2013-12-13T13:21:43Z DEBUG nestedGroup >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG memberOf: >2013-12-13T13:21:43Z DEBUG cn=enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=modify replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=remove replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=replication administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=add replication agreements,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=host 
enrollment,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=modify dna range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Account administrators group >2013-12-13T13:21:43Z DEBUG ipaUniqueID: >2013-12-13T13:21:43Z DEBUG 70d454e8-63f8-11e3-bb3c-001a4a2221bd >2013-12-13T13:21:43Z DEBUG [] >2013-12-13T13:21:43Z DEBUG Live 1, updated 0 >2013-12-13T13:21:43Z INFO Done >2013-12-13T13:21:43Z INFO Updating existing entry: cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectClass: >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG groupofnames >2013-12-13T13:21:43Z DEBUG ipausergroup >2013-12-13T13:21:43Z DEBUG nestedgroup >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Default group for all users >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG ipausers >2013-12-13T13:21:43Z DEBUG ipaUniqueID: >2013-12-13T13:21:43Z DEBUG 70fe3808-63f8-11e3-b1f9-001a4a2221bd >2013-12-13T13:21:43Z DEBUG add: 'ipaobject' to objectclass, current value [u'top', u'ipaobject', u'groupofnames', u'ipausergroup', u'nestedgroup'] >2013-12-13T13:21:43Z DEBUG add: updated value [u'top', u'groupofnames', u'ipausergroup', u'nestedgroup', u'ipaobject'] >2013-12-13T13:21:43Z DEBUG addifnew: 'autogenerate' to ipaUniqueID, current value 
[u'70fe3808-63f8-11e3-b1f9-001a4a2221bd'] >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final value after applying updates >2013-12-13T13:21:43Z DEBUG dn: cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG groupofnames >2013-12-13T13:21:43Z DEBUG ipausergroup >2013-12-13T13:21:43Z DEBUG nestedgroup >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Default group for all users >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG ipausers >2013-12-13T13:21:43Z DEBUG ipaUniqueID: >2013-12-13T13:21:43Z DEBUG 70fe3808-63f8-11e3-b1f9-001a4a2221bd >2013-12-13T13:21:43Z DEBUG [] >2013-12-13T13:21:43Z DEBUG Live 1, updated 0 >2013-12-13T13:21:43Z INFO Done >2013-12-13T13:21:43Z INFO New entry: cn=vsftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=vsftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG ipahbacservice >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG vsftpd >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG vsftpd >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final value after applying updates >2013-12-13T13:21:43Z DEBUG dn: cn=vsftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z 
DEBUG ipahbacservice >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG vsftpd >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG vsftpd >2013-12-13T13:21:43Z INFO Updating existing entry: cn=editors,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=editors,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectClass: >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG ipausergroup >2013-12-13T13:21:43Z DEBUG posixgroup >2013-12-13T13:21:43Z DEBUG groupofnames >2013-12-13T13:21:43Z DEBUG nestedGroup >2013-12-13T13:21:43Z DEBUG gidNumber: >2013-12-13T13:21:43Z DEBUG 346000002 >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Limited admins who can edit other users >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG editors >2013-12-13T13:21:43Z DEBUG ipaUniqueID: >2013-12-13T13:21:43Z DEBUG 71010088-63f8-11e3-aa7b-001a4a2221bd >2013-12-13T13:21:43Z DEBUG add: 'ipaobject' to objectclass, current value [u'ipaobject', u'top', u'ipausergroup', u'posixgroup', u'groupofnames', u'nestedGroup'] >2013-12-13T13:21:43Z DEBUG add: updated value [u'top', u'ipausergroup', u'posixgroup', u'groupofnames', u'nestedGroup', u'ipaobject'] >2013-12-13T13:21:43Z DEBUG addifnew: 'autogenerate' to ipaUniqueID, current value [u'71010088-63f8-11e3-aa7b-001a4a2221bd'] >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final value after applying updates >2013-12-13T13:21:43Z DEBUG dn: 
cn=editors,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG ipausergroup >2013-12-13T13:21:43Z DEBUG posixgroup >2013-12-13T13:21:43Z DEBUG groupofnames >2013-12-13T13:21:43Z DEBUG nestedGroup >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG gidNumber: >2013-12-13T13:21:43Z DEBUG 346000002 >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Limited admins who can edit other users >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG editors >2013-12-13T13:21:43Z DEBUG ipaUniqueID: >2013-12-13T13:21:43Z DEBUG 71010088-63f8-11e3-aa7b-001a4a2221bd >2013-12-13T13:21:43Z DEBUG [] >2013-12-13T13:21:43Z DEBUG Live 1, updated 0 >2013-12-13T13:21:43Z INFO Done >2013-12-13T13:21:43Z INFO New entry: cn=crond,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=crond,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG ipahbacservice >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG crond >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG crond >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final value after applying updates >2013-12-13T13:21:43Z DEBUG dn: cn=crond,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG ipahbacservice >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG 
description: >2013-12-13T13:21:43Z DEBUG crond >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG crond >2013-12-13T13:21:43Z INFO New entry: cn=proftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=proftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG ipahbacservice >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG proftpd >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG proftpd >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final value after applying updates >2013-12-13T13:21:43Z DEBUG dn: cn=proftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectclass: >2013-12-13T13:21:43Z DEBUG ipahbacservice >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG proftpd >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG proftpd >2013-12-13T13:21:43Z INFO New entry: cn=ftp,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Initial value >2013-12-13T13:21:43Z DEBUG dn: cn=ftp,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectClass: 
>2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG ipahbacservicegroup >2013-12-13T13:21:43Z DEBUG nestedGroup >2013-12-13T13:21:43Z DEBUG groupOfNames >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG member: >2013-12-13T13:21:43Z DEBUG cn=ftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=proftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=vsftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=gssftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Default group of ftp related services >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG ftp >2013-12-13T13:21:43Z DEBUG --------------------------------------------- >2013-12-13T13:21:43Z DEBUG Final value after applying updates >2013-12-13T13:21:43Z DEBUG dn: cn=ftp,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG objectClass: >2013-12-13T13:21:43Z DEBUG ipaobject >2013-12-13T13:21:43Z DEBUG ipahbacservicegroup >2013-12-13T13:21:43Z DEBUG nestedGroup >2013-12-13T13:21:43Z DEBUG groupOfNames >2013-12-13T13:21:43Z DEBUG top >2013-12-13T13:21:43Z DEBUG member: >2013-12-13T13:21:43Z DEBUG cn=ftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=proftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG 
cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=vsftpd,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG cn=gssftp,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:43Z DEBUG ipauniqueid: >2013-12-13T13:21:43Z DEBUG autogenerate >2013-12-13T13:21:43Z DEBUG description: >2013-12-13T13:21:43Z DEBUG Default group of ftp related services >2013-12-13T13:21:43Z DEBUG cn: >2013-12-13T13:21:43Z DEBUG ftp >2013-12-13T13:21:43Z INFO Parsing update file '/usr/share/ipa/updates/60-trusts.update' >2013-12-13T13:21:43Z INFO Parsing update file '/usr/share/ipa/updates/61-trusts-s4u2proxy.update' >2013-12-13T13:21:44Z INFO Parsing update file '/usr/share/ipa/updates/62-ranges.update' >2013-12-13T13:21:44Z INFO Updating existing entry: cn=IPA Range-Check,cn=plugins,cn=config >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=IPA Range-Check,cn=plugins,cn=config >2013-12-13T13:21:44Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:44Z DEBUG IPA ID range check plugin >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG IPA Range-Check >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG nsSlapdPlugin >2013-12-13T13:21:44Z DEBUG extensibleObject >2013-12-13T13:21:44Z DEBUG nsslapd-basedn: >2013-12-13T13:21:44Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:44Z DEBUG Check if newly added or modified ID ranges do not overlap with existing ones >2013-12-13T13:21:44Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:44Z DEBUG on >2013-12-13T13:21:44Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:44Z DEBUG libipa_range_check 
>2013-12-13T13:21:44Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:44Z DEBUG FreeIPA/1.0 >2013-12-13T13:21:44Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:44Z DEBUG database >2013-12-13T13:21:44Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:44Z DEBUG FreeIPA project >2013-12-13T13:21:44Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:44Z DEBUG preoperation >2013-12-13T13:21:44Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:44Z DEBUG ipa_range_check_init >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=IPA Range-Check,cn=plugins,cn=config >2013-12-13T13:21:44Z DEBUG nsslapd-pluginId: >2013-12-13T13:21:44Z DEBUG IPA ID range check plugin >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG IPA Range-Check >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG nsSlapdPlugin >2013-12-13T13:21:44Z DEBUG extensibleObject >2013-12-13T13:21:44Z DEBUG nsslapd-basedn: >2013-12-13T13:21:44Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG nsslapd-pluginDescription: >2013-12-13T13:21:44Z DEBUG Check if newly added or modified ID ranges do not overlap with existing ones >2013-12-13T13:21:44Z DEBUG nsslapd-pluginEnabled: >2013-12-13T13:21:44Z DEBUG on >2013-12-13T13:21:44Z DEBUG nsslapd-pluginPath: >2013-12-13T13:21:44Z DEBUG libipa_range_check >2013-12-13T13:21:44Z DEBUG nsslapd-pluginVersion: >2013-12-13T13:21:44Z DEBUG FreeIPA/1.0 >2013-12-13T13:21:44Z DEBUG nsslapd-plugin-depends-on-type: >2013-12-13T13:21:44Z DEBUG database >2013-12-13T13:21:44Z DEBUG nsslapd-pluginVendor: >2013-12-13T13:21:44Z DEBUG FreeIPA project >2013-12-13T13:21:44Z DEBUG nsslapd-pluginType: >2013-12-13T13:21:44Z DEBUG preoperation >2013-12-13T13:21:44Z DEBUG nsslapd-pluginInitfunc: >2013-12-13T13:21:44Z DEBUG ipa_range_check_init >2013-12-13T13:21:44Z DEBUG [] 
>2013-12-13T13:21:44Z DEBUG Live 1, updated 0 >2013-12-13T13:21:44Z INFO Done >2013-12-13T13:21:44Z INFO Updating existing entry: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:21:44Z DEBUG dnaScope: >2013-12-13T13:21:44Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG dnaThreshold: >2013-12-13T13:21:44Z DEBUG 500 >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG Posix IDs >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG extensibleObject >2013-12-13T13:21:44Z DEBUG aci: >2013-12-13T13:21:44Z DEBUG (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG dnaNextValue: >2013-12-13T13:21:44Z DEBUG 346000000 >2013-12-13T13:21:44Z DEBUG dnaMagicRegen: >2013-12-13T13:21:44Z DEBUG -1 >2013-12-13T13:21:44Z DEBUG dnaFilter: >2013-12-13T13:21:44Z DEBUG (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) >2013-12-13T13:21:44Z DEBUG dnaType: >2013-12-13T13:21:44Z DEBUG gidNumber >2013-12-13T13:21:44Z DEBUG uidNumber >2013-12-13T13:21:44Z DEBUG dnaMaxValue: >2013-12-13T13:21:44Z DEBUG 346199999 >2013-12-13T13:21:44Z DEBUG dnaSharedCfgDN: >2013-12-13T13:21:44Z DEBUG cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=Posix IDs,cn=Distributed 
Numeric Assignment Plugin,cn=plugins,cn=config >2013-12-13T13:21:44Z DEBUG dnaScope: >2013-12-13T13:21:44Z DEBUG dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG dnaThreshold: >2013-12-13T13:21:44Z DEBUG 500 >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG Posix IDs >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG extensibleObject >2013-12-13T13:21:44Z DEBUG aci: >2013-12-13T13:21:44Z DEBUG (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG dnaNextValue: >2013-12-13T13:21:44Z DEBUG 346000000 >2013-12-13T13:21:44Z DEBUG dnaMagicRegen: >2013-12-13T13:21:44Z DEBUG -1 >2013-12-13T13:21:44Z DEBUG dnaFilter: >2013-12-13T13:21:44Z DEBUG (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) >2013-12-13T13:21:44Z DEBUG dnaType: >2013-12-13T13:21:44Z DEBUG gidNumber >2013-12-13T13:21:44Z DEBUG uidNumber >2013-12-13T13:21:44Z DEBUG dnaMaxValue: >2013-12-13T13:21:44Z DEBUG 346199999 >2013-12-13T13:21:44Z DEBUG dnaSharedCfgDN: >2013-12-13T13:21:44Z DEBUG cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG [] >2013-12-13T13:21:44Z DEBUG Live 1, updated 0 >2013-12-13T13:21:44Z INFO Done >2013-12-13T13:21:44Z INFO Updating existing entry: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG info: >2013-12-13T13:21:44Z DEBUG IPA V2.0 >2013-12-13T13:21:44Z DEBUG associatedDomain: 
>2013-12-13T13:21:44Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG pilotObject >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG nisDomainObject >2013-12-13T13:21:44Z DEBUG domain >2013-12-13T13:21:44Z DEBUG domainRelatedObject >2013-12-13T13:21:44Z DEBUG aci: >2013-12-13T13:21:44Z DEBUG (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:44Z DEBUG (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || 
ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove 
Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy 
costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG 
(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove 
SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow 
(write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = 
"(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:44Z DEBUG (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG 
(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = 
"ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG dc: >2013-12-13T13:21:44Z DEBUG dom227 >2013-12-13T13:21:44Z DEBUG nisDomain: >2013-12-13T13:21:44Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:44Z DEBUG add: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn 
= "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount 
maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn 
= "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != 
"ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = 
"ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || 
krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || 
krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || 
ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG add: updated value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify 
Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = 
"objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = 
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user 
accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode 
|| manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || 
description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux 
User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve 
certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr 
= "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || 
krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG remove: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' from aci, current value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = 
"ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount 
maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn 
= "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != 
"ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = 
"ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || 
krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || 
krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || 
ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)']
>2013-12-13T13:21:44Z WARNING remove: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' not in aci
>2013-12-13T13:21:44Z DEBUG remove: updated value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = 
"ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 
3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) 
groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add 
Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 
3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny 
(read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || 
memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = 
"ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) 
groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG remove: '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' from aci, current value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege 
membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request 
Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify 
Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group 
Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny 
(read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl 
"permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != 
"ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User 
Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = 
"ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust 
agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z WARNING remove: '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' not in aci >2013-12-13T13:21:44Z DEBUG remove: updated value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow 
(delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow 
(delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC 
services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC 
services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = 
"ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword 
|| krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || 
memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG remove: 
'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' from aci, current value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = 
"ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || 
description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode 
|| manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove 
netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || 
description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux 
User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve 
certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr 
= "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || 
krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual 
operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z WARNING remove: '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || 
krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' not in aci >2013-12-13T13:21:44Z DEBUG remove: updated value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) 
groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', 
u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || 
facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove 
Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = 
"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove 
Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the 
CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount 
maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn 
= "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow 
(add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = 
"ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG add: '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; 
allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = 
"ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || 
businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add 
Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = 
"*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service 
groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl 
"permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = 
"(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC 
rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add 
Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl 
"permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = 
"ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG add: updated value [u'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)', u'(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) 
groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request 
Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify 
Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group 
Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny 
(read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)', u'(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = 
"ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl 
"permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)', u'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve 
Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove 
Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)', u'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow 
(write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', u'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow 
(add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = 
"ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG info: >2013-12-13T13:21:44Z DEBUG IPA V2.0 >2013-12-13T13:21:44Z DEBUG associatedDomain: >2013-12-13T13:21:44Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG pilotObject >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG nisDomainObject >2013-12-13T13:21:44Z DEBUG domain >2013-12-13T13:21:44Z DEBUG domainRelatedObject >2013-12-13T13:21:44Z DEBUG aci: >2013-12-13T13:21:44Z DEBUG (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:44Z DEBUG (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "automountmapname || description")(target = 
"ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = 
"ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify 
Group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different 
host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cospriority")(target = 
"ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = 
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add 
Groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=costemplates,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group 
Password Policy costemplate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(target = 
"ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com))")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";) >2013-12-13T13:21:44Z DEBUG (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group 
membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hbacservices,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo 
command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service 
keytab,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount 
keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=hbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || 
ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "krbmaxpwdlife || krbminpwdlife || 
krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = 
"ldap:///cn=Add user to default group,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=*,cn=roles,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = 
"ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG dc: >2013-12-13T13:21:44Z DEBUG dom227 >2013-12-13T13:21:44Z DEBUG nisDomain: >2013-12-13T13:21:44Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:44Z DEBUG [(0, u'aci', ['(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'])] >2013-12-13T13:21:44Z DEBUG Live 1, updated 1 >2013-12-13T13:21:44Z INFO Done >2013-12-13T13:21:44Z INFO New entry: cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG nsContainer >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG trusts >2013-12-13T13:21:44Z DEBUG add: '(target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current 
value [] >2013-12-13T13:21:44Z DEBUG add: updated value [u'(target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG add: '(target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)' to aci, current value [u'(target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || 
krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG add: updated value [u'(target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)', u'(target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)'] >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: 
cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG nsContainer >2013-12-13T13:21:44Z DEBUG aci: >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG (target = "ldap:///cn=trusts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG trusts >2013-12-13T13:21:44Z INFO Updating existing entry: cn=ipaConfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z 
DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=ipaConfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG ipaDefaultLoginShell: >2013-12-13T13:21:44Z DEBUG /bin/sh >2013-12-13T13:21:44Z DEBUG ipaCertificateSubjectBase: >2013-12-13T13:21:44Z DEBUG O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ipaConfig >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG ipaConfigObject >2013-12-13T13:21:44Z DEBUG nsContainer >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipaGuiConfig >2013-12-13T13:21:44Z DEBUG ipaUserAuthTypeClass >2013-12-13T13:21:44Z DEBUG ipaHomesRootDir: >2013-12-13T13:21:44Z DEBUG /home >2013-12-13T13:21:44Z DEBUG ipaPwdExpAdvNotify: >2013-12-13T13:21:44Z DEBUG 4 >2013-12-13T13:21:44Z DEBUG ipaConfigString: >2013-12-13T13:21:44Z DEBUG AllowNThash >2013-12-13T13:21:44Z DEBUG ipaDefaultEmailDomain: >2013-12-13T13:21:44Z DEBUG dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:44Z DEBUG ipaUserSearchFields: >2013-12-13T13:21:44Z DEBUG uid,givenname,sn,telephonenumber,ou,title >2013-12-13T13:21:44Z DEBUG ipaSELinuxUserMapDefault: >2013-12-13T13:21:44Z DEBUG unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:44Z DEBUG ipaUserObjectClasses: >2013-12-13T13:21:44Z DEBUG ipaobject >2013-12-13T13:21:44Z DEBUG person >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipasshuser >2013-12-13T13:21:44Z DEBUG inetorgperson >2013-12-13T13:21:44Z DEBUG organizationalperson >2013-12-13T13:21:44Z DEBUG krbticketpolicyaux >2013-12-13T13:21:44Z DEBUG krbprincipalaux >2013-12-13T13:21:44Z DEBUG inetuser >2013-12-13T13:21:44Z DEBUG posixaccount >2013-12-13T13:21:44Z DEBUG ipaDefaultPrimaryGroup: >2013-12-13T13:21:44Z DEBUG ipausers >2013-12-13T13:21:44Z DEBUG ipaGroupSearchFields: >2013-12-13T13:21:44Z DEBUG cn,description >2013-12-13T13:21:44Z DEBUG ipaMigrationEnabled: >2013-12-13T13:21:44Z DEBUG FALSE 
>2013-12-13T13:21:44Z DEBUG ipaSearchTimeLimit: >2013-12-13T13:21:44Z DEBUG 2 >2013-12-13T13:21:44Z DEBUG ipaGroupObjectClasses: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipaobject >2013-12-13T13:21:44Z DEBUG groupofnames >2013-12-13T13:21:44Z DEBUG ipausergroup >2013-12-13T13:21:44Z DEBUG nestedgroup >2013-12-13T13:21:44Z DEBUG ipaSearchRecordsLimit: >2013-12-13T13:21:44Z DEBUG 100 >2013-12-13T13:21:44Z DEBUG ipaMaxUsernameLength: >2013-12-13T13:21:44Z DEBUG 32 >2013-12-13T13:21:44Z DEBUG ipaSELinuxUserMapOrder: >2013-12-13T13:21:44Z DEBUG guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:44Z DEBUG addifnew: 'MS-PAC' to ipaKrbAuthzData, current value [] >2013-12-13T13:21:44Z DEBUG addifnew: set ipaKrbAuthzData to [u'MS-PAC'] >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=ipaConfig,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG ipaDefaultLoginShell: >2013-12-13T13:21:44Z DEBUG /bin/sh >2013-12-13T13:21:44Z DEBUG ipaCertificateSubjectBase: >2013-12-13T13:21:44Z DEBUG O=DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ipaConfig >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG ipaConfigObject >2013-12-13T13:21:44Z DEBUG nsContainer >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipaGuiConfig >2013-12-13T13:21:44Z DEBUG ipaUserAuthTypeClass >2013-12-13T13:21:44Z DEBUG ipaKrbAuthzData: >2013-12-13T13:21:44Z DEBUG MS-PAC >2013-12-13T13:21:44Z DEBUG ipaHomesRootDir: >2013-12-13T13:21:44Z DEBUG /home >2013-12-13T13:21:44Z DEBUG ipaPwdExpAdvNotify: >2013-12-13T13:21:44Z DEBUG 4 >2013-12-13T13:21:44Z DEBUG ipaConfigString: >2013-12-13T13:21:44Z DEBUG AllowNThash >2013-12-13T13:21:44Z DEBUG ipaDefaultEmailDomain: >2013-12-13T13:21:44Z DEBUG 
dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:21:44Z DEBUG ipaUserSearchFields: >2013-12-13T13:21:44Z DEBUG uid,givenname,sn,telephonenumber,ou,title >2013-12-13T13:21:44Z DEBUG ipaSELinuxUserMapDefault: >2013-12-13T13:21:44Z DEBUG unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:44Z DEBUG ipaUserObjectClasses: >2013-12-13T13:21:44Z DEBUG ipaobject >2013-12-13T13:21:44Z DEBUG person >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipasshuser >2013-12-13T13:21:44Z DEBUG inetorgperson >2013-12-13T13:21:44Z DEBUG organizationalperson >2013-12-13T13:21:44Z DEBUG krbticketpolicyaux >2013-12-13T13:21:44Z DEBUG krbprincipalaux >2013-12-13T13:21:44Z DEBUG inetuser >2013-12-13T13:21:44Z DEBUG posixaccount >2013-12-13T13:21:44Z DEBUG ipaDefaultPrimaryGroup: >2013-12-13T13:21:44Z DEBUG ipausers >2013-12-13T13:21:44Z DEBUG ipaGroupSearchFields: >2013-12-13T13:21:44Z DEBUG cn,description >2013-12-13T13:21:44Z DEBUG ipaMigrationEnabled: >2013-12-13T13:21:44Z DEBUG FALSE >2013-12-13T13:21:44Z DEBUG ipaSearchTimeLimit: >2013-12-13T13:21:44Z DEBUG 2 >2013-12-13T13:21:44Z DEBUG ipaGroupObjectClasses: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipaobject >2013-12-13T13:21:44Z DEBUG groupofnames >2013-12-13T13:21:44Z DEBUG ipausergroup >2013-12-13T13:21:44Z DEBUG nestedgroup >2013-12-13T13:21:44Z DEBUG ipaSearchRecordsLimit: >2013-12-13T13:21:44Z DEBUG 100 >2013-12-13T13:21:44Z DEBUG ipaMaxUsernameLength: >2013-12-13T13:21:44Z DEBUG 32 >2013-12-13T13:21:44Z DEBUG ipaSELinuxUserMapOrder: >2013-12-13T13:21:44Z DEBUG guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 >2013-12-13T13:21:44Z DEBUG [(0, u'ipaKrbAuthzData', ['MS-PAC'])] >2013-12-13T13:21:44Z DEBUG Live 1, updated 1 >2013-12-13T13:21:44Z INFO Done >2013-12-13T13:21:44Z INFO Updating existing entry: cn=ranges,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- 
>2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=ranges,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG nsContainer >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ranges >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=ranges,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG nsContainer >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ranges >2013-12-13T13:21:44Z DEBUG [] >2013-12-13T13:21:44Z DEBUG Live 1, updated 0 >2013-12-13T13:21:44Z INFO Done >2013-12-13T13:21:44Z INFO New entry: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG GroupOfNames >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG adtrust agents >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG GroupOfNames >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG adtrust agents >2013-12-13T13:21:44Z INFO New entry: cn=trust 
admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=trust admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG member: >2013-12-13T13:21:44Z DEBUG uid=admin,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG trust admins >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG groupofnames >2013-12-13T13:21:44Z DEBUG ipausergroup >2013-12-13T13:21:44Z DEBUG nestedgroup >2013-12-13T13:21:44Z DEBUG ipaobject >2013-12-13T13:21:44Z DEBUG description: >2013-12-13T13:21:44Z DEBUG Trusts administrators group >2013-12-13T13:21:44Z DEBUG nsAccountLock: >2013-12-13T13:21:44Z DEBUG FALSE >2013-12-13T13:21:44Z DEBUG ipaUniqueID: >2013-12-13T13:21:44Z DEBUG autogenerate >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=trust admins,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG member: >2013-12-13T13:21:44Z DEBUG uid=admin,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG trust admins >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG groupofnames >2013-12-13T13:21:44Z DEBUG ipausergroup >2013-12-13T13:21:44Z DEBUG nestedgroup >2013-12-13T13:21:44Z DEBUG ipaobject >2013-12-13T13:21:44Z DEBUG description: >2013-12-13T13:21:44Z DEBUG Trusts administrators group >2013-12-13T13:21:44Z DEBUG nsAccountLock: >2013-12-13T13:21:44Z DEBUG FALSE 
>2013-12-13T13:21:44Z DEBUG ipaUniqueID: >2013-12-13T13:21:44Z DEBUG autogenerate >2013-12-13T13:21:44Z INFO Updating existing entry: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG groupOfPrincipals >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ipa-cifs-delegation-targets >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG groupOfPrincipals >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ipa-cifs-delegation-targets >2013-12-13T13:21:44Z DEBUG [] >2013-12-13T13:21:44Z DEBUG Live 1, updated 0 >2013-12-13T13:21:44Z INFO Done >2013-12-13T13:21:44Z INFO Updating existing entry: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Initial value >2013-12-13T13:21:44Z DEBUG dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG groupOfPrincipals >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipaKrb5DelegationACL >2013-12-13T13:21:44Z DEBUG memberPrincipal: >2013-12-13T13:21:44Z DEBUG 
HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:44Z DEBUG ipaAllowedTarget: >2013-12-13T13:21:44Z DEBUG cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ipa-http-delegation >2013-12-13T13:21:44Z DEBUG add: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' to ipaAllowedTarget, current value [ipapython.dn.DN('cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:44Z DEBUG add: updated value [ipapython.dn.DN('cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), ipapython.dn.DN('cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com')] >2013-12-13T13:21:44Z DEBUG --------------------------------------------- >2013-12-13T13:21:44Z DEBUG Final value after applying updates >2013-12-13T13:21:44Z DEBUG dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG objectClass: >2013-12-13T13:21:44Z DEBUG groupOfPrincipals >2013-12-13T13:21:44Z DEBUG top >2013-12-13T13:21:44Z DEBUG ipaKrb5DelegationACL >2013-12-13T13:21:44Z DEBUG memberPrincipal: >2013-12-13T13:21:44Z DEBUG HTTP/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >2013-12-13T13:21:44Z DEBUG ipaAllowedTarget: 
>2013-12-13T13:21:44Z DEBUG cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:44Z DEBUG cn: >2013-12-13T13:21:44Z DEBUG ipa-http-delegation >2013-12-13T13:21:44Z DEBUG [] >2013-12-13T13:21:44Z DEBUG Live 1, updated 0 >2013-12-13T13:21:44Z INFO Done >2013-12-13T13:21:44Z INFO POST_UPDATE >2013-12-13T13:21:44Z DEBUG Created connection context.ldap2 >2013-12-13T13:21:44Z DEBUG raw: update_anonymous_aci >2013-12-13T13:21:44Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:21:44Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x1ed0710> >2013-12-13T13:21:44Z DEBUG Anonymous ACI already update-to-date >2013-12-13T13:21:44Z DEBUG raw: update_default_range >2013-12-13T13:21:44Z DEBUG default_range: ipaDomainIDRange entry found, skip plugin >2013-12-13T13:21:44Z DEBUG raw: update_dns_limits >2013-12-13T13:21:44Z DEBUG raw: update_dns_permissions >2013-12-13T13:21:44Z DEBUG raw: update_dnszones >2013-12-13T13:21:44Z DEBUG raw: dnszone_find(None, all=True) >2013-12-13T13:21:44Z DEBUG dnszone_find(None, forward_only=False, all=True, raw=False, pkey_only=False) >2013-12-13T13:21:44Z DEBUG raw: update_idrange_type >2013-12-13T13:21:44Z DEBUG update_idrange_type: search for ID ranges with no type set >2013-12-13T13:21:44Z DEBUG update_idrange_type: no ID range without type set found >2013-12-13T13:21:44Z DEBUG raw: update_pacs >2013-12-13T13:21:44Z DEBUG Adding nfs:NONE to default PAC types >2013-12-13T13:21:44Z DEBUG raw: update_service_principalalias >2013-12-13T13:21:44Z DEBUG update_service_principalalias: search for affected services 
>2013-12-13T13:21:44Z DEBUG update_service_principalalias: no service to update found >2013-12-13T13:21:44Z DEBUG raw: update_upload_cacrt >2013-12-13T13:21:44Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:21:44Z DEBUG Starting external process >2013-12-13T13:21:44Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L -n DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a >2013-12-13T13:21:44Z DEBUG Process finished, return code=0 >2013-12-13T13:21:44Z DEBUG stdout=-----BEGIN CERTIFICATE----- >-----END CERTIFICATE----- > >2013-12-13T13:21:44Z DEBUG stderr= >2013-12-13T13:21:44Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:21:44Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4e5e638> >2013-12-13T13:21:45Z INFO Updating existing entry: cn=CAcert,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:45Z DEBUG --------------------------------------------- >2013-12-13T13:21:45Z DEBUG Initial value >2013-12-13T13:21:45Z DEBUG dn: cn=CAcert,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:45Z DEBUG objectClass: >2013-12-13T13:21:45Z DEBUG nsContainer >2013-12-13T13:21:45Z DEBUG top >2013-12-13T13:21:45Z DEBUG pkiCA >2013-12-13T13:21:45Z DEBUG cn: >2013-12-13T13:21:45Z DEBUG CAcert >2013-12-13T13:21:45Z DEBUG cACertificate;binary: >2013-12-13T13:21:45Z DEBUG --------------------------------------------- >2013-12-13T13:21:45Z DEBUG Final value after applying updates >2013-12-13T13:21:45Z DEBUG dn: 
cn=CAcert,cn=ipa,cn=etc,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:21:45Z DEBUG objectClass: >2013-12-13T13:21:45Z DEBUG nsContainer >2013-12-13T13:21:45Z DEBUG top >2013-12-13T13:21:45Z DEBUG pkiCA >2013-12-13T13:21:45Z DEBUG cn: >2013-12-13T13:21:45Z DEBUG CAcert >2013-12-13T13:21:45Z DEBUG cACertificate;binary: >2013-12-13T13:21:45Z DEBUG [] >2013-12-13T13:21:45Z DEBUG Live 1, updated 0 >2013-12-13T13:21:45Z INFO Done >2013-12-13T13:21:45Z DEBUG raw: update_managed_post >2013-12-13T13:21:45Z DEBUG Destroyed connection context.ldap2 >2013-12-13T13:21:45Z DEBUG Restarting the directory server >2013-12-13T13:21:45Z DEBUG Starting external process >2013-12-13T13:21:45Z DEBUG args=/bin/systemctl restart dirsrv.target >2013-12-13T13:21:50Z DEBUG Process finished, return code=0 >2013-12-13T13:21:50Z DEBUG stdout= >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= 
>2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl 
is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process 
finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= 
>2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=3 >2013-12-13T13:21:50Z DEBUG stdout=activating > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG Starting external process >2013-12-13T13:21:50Z DEBUG args=/bin/systemctl 
is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:50Z DEBUG Process finished, return code=0 >2013-12-13T13:21:50Z DEBUG stdout=active > >2013-12-13T13:21:50Z DEBUG stderr= >2013-12-13T13:21:50Z DEBUG wait_for_open_ports: localhost [389] timeout 120 >2013-12-13T13:21:52Z DEBUG Starting external process >2013-12-13T13:21:52Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:21:52Z DEBUG Process finished, return code=0 >2013-12-13T13:21:52Z DEBUG stdout=active > >2013-12-13T13:21:52Z DEBUG stderr= >2013-12-13T13:21:52Z DEBUG Restarting the KDC >2013-12-13T13:21:52Z DEBUG Starting external process >2013-12-13T13:21:52Z DEBUG args=/bin/systemctl restart krb5kdc.service >2013-12-13T13:21:52Z DEBUG Process finished, return code=0 >2013-12-13T13:21:52Z DEBUG stdout= >2013-12-13T13:21:52Z DEBUG stderr= >2013-12-13T13:21:52Z DEBUG Starting external process >2013-12-13T13:21:52Z DEBUG args=/bin/systemctl is-active krb5kdc.service >2013-12-13T13:21:52Z DEBUG Process finished, return code=0 >2013-12-13T13:21:52Z DEBUG stdout=active > >2013-12-13T13:21:52Z DEBUG stderr= >2013-12-13T13:21:52Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:52Z DEBUG Created connection context.ldap2 >2013-12-13T13:21:52Z DEBUG Starting external process >2013-12-13T13:21:52Z DEBUG args=/bin/systemctl stop named.service >2013-12-13T13:21:52Z DEBUG Process finished, return code=0 >2013-12-13T13:21:52Z DEBUG stdout= >2013-12-13T13:21:52Z DEBUG stderr= >2013-12-13T13:21:52Z DEBUG raw: dnszone_show(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com') >2013-12-13T13:21:52Z DEBUG dnszone_show(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', rights=False, all=False, raw=False) >2013-12-13T13:21:52Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:21:52Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ce03f8> >2013-12-13T13:21:53Z DEBUG Configuring DNS (named) >2013-12-13T13:21:53Z DEBUG [1/11]: adding DNS container >2013-12-13T13:21:53Z DEBUG Starting external process >2013-12-13T13:21:53Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpOT5lVV -H ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 -x -D cn=Directory Manager -y /tmp/tmpkJCpjj >2013-12-13T13:21:54Z DEBUG Process finished, return code=0 >2013-12-13T13:21:54Z DEBUG stdout=add objectClass: > idnsConfigObject > nsContainer > top >add cn: > dns >add aci: > (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" or userattr = "parent[0,1].managedby#GROUPDN";) > (target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";) > (target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";) > (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr 
|| idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) >adding new entry "cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add aci: > (target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) > (targetattr = "idnsforwardpolicy 
|| idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";) >modifying entry "dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > DNS Administrators >add description: > DNS Administrators >adding new entry "cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > nestedgroup >add cn: > DNS Servers >add description: > DNS Servers >adding new entry "cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > groupofnames > top > ipapermission >add cn: > add dns entries >add description: > Add DNS entries >add member: > cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=add dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > groupofnames > top > ipapermission >add cn: > remove dns entries >add description: > Remove DNS entries >add member: > cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=remove dns 
entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > groupofnames > top > ipapermission >add cn: > update dns entries >add description: > Update DNS entries >add member: > cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=update dns entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > top > groupofnames > ipapermission >add cn: > Read DNS Entries >add description: > Read DNS entries >add ipapermissiontype: > SYSTEM >add member: > cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Read DNS Entries,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > >add objectClass: > groupofnames > top > ipapermission >add cn: > Write DNS Configuration >add description: > Write DNS Configuration >add member: > cn=DNS Administrators,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com > cn=DNS Servers,cn=privileges,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:21:54Z DEBUG stderr=ldap_initialize( ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389/??base ) > >2013-12-13T13:21:54Z DEBUG duration: 0 seconds >2013-12-13T13:21:54Z DEBUG [2/11]: setting up our zone >2013-12-13T13:21:54Z DEBUG raw: 
dnszone_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', idnssoamname=u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', idnssoarname=u'hostmaster.dom227.jenkinsad.idm.lab.eng.brq.redhat.com', idnsupdatepolicy=u'grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * A; grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * AAAA; grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * SSHFP;', idnsallowdynupdate=True, idnsallowquery=u'any', idnsallowtransfer=u'none', force=True, ip_address=u'10.34.47.227') >2013-12-13T13:21:54Z DEBUG dnszone_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', idnssoamname=u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', idnssoarname=u'hostmaster.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', idnssoaserial=1386940914, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy=u'grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * A; grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * AAAA; grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * SSHFP;', idnsallowdynupdate=True, idnsallowquery=u'any;', idnsallowtransfer=u'none;', force=True, ip_address=u'10.34.47.227', all=False, raw=False) >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'vm-227', arecord=u'10.34.47.227') >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'vm-227', arecord=(u'10.34.47.227',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'@', nsrecord=u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', force=True) >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'@', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, 
nsrecord=(u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.',), force=True, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos', txtrecord=u'DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM') >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, txtrecord=(u'DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG duration: 0 seconds >2013-12-13T13:21:54Z DEBUG [3/11]: setting up reverse zone >2013-12-13T13:21:54Z DEBUG raw: dnszone_add(u'47.34.10.in-addr.arpa.', idnssoamname=u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', idnssoarname=u'hostmaster.dom227.jenkinsad.idm.lab.eng.brq.redhat.com', idnsupdatepolicy=u'grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-subdomain 47.34.10.in-addr.arpa. PTR;', idnsallowdynupdate=True, idnsallowquery=u'any', idnsallowtransfer=u'none', force=True, ip_address=None) >2013-12-13T13:21:54Z DEBUG dnszone_add(u'47.34.10.in-addr.arpa.', idnssoamname=u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', idnssoarname=u'hostmaster.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', idnssoaserial=1386940914, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy=u'grant DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-subdomain 47.34.10.in-addr.arpa. 
PTR;', idnsallowdynupdate=True, idnsallowquery=u'any;', idnsallowtransfer=u'none;', force=True, ip_address=None, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'47.34.10.in-addr.arpa.', u'@', nsrecord=u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.', force=True) >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'47.34.10.in-addr.arpa.', u'@', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, nsrecord=(u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.',), force=True, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG duration: 0 seconds >2013-12-13T13:21:54Z DEBUG [4/11]: setting up our own record >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp', srvrecord=u'0 100 389 vm-227') >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 389 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:54Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp', 
a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos-master._tcp', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos-master._tcp', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:54Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:54Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos-master._udp', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:21:54Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos-master._udp', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:55Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kpasswd._tcp', srvrecord=u'0 100 464 vm-227') >2013-12-13T13:21:55Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kpasswd._tcp', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 464 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:55Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kpasswd._udp', srvrecord=u'0 100 464 vm-227') >2013-12-13T13:21:55Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kpasswd._udp', 
a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 464 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:55Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ntp._udp', srvrecord=u'0 100 123 vm-227') >2013-12-13T13:21:55Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ntp._udp', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 123 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:55Z DEBUG raw: dnszone_show(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com') >2013-12-13T13:21:55Z DEBUG dnszone_show(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', rights=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'vm-227', arecord=u'10.34.47.227') >2013-12-13T13:21:55Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'vm-227', arecord=(u'10.34.47.227',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG raw: dnszone_show(u'227.47.34.10.in-addr.arpa.') >2013-12-13T13:21:55Z DEBUG dnszone_show(u'227.47.34.10.in-addr.arpa.', rights=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG raw: dnszone_show(u'47.34.10.in-addr.arpa.') >2013-12-13T13:21:55Z DEBUG dnszone_show(u'47.34.10.in-addr.arpa.', rights=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG raw: dnsrecord_add(u'47.34.10.in-addr.arpa.', u'227', ptrrecord=u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.') >2013-12-13T13:21:55Z DEBUG dnsrecord_add(u'47.34.10.in-addr.arpa.', u'227', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, 
ptrrecord=(u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com.',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG duration: 1 seconds >2013-12-13T13:21:55Z DEBUG [5/11]: setting up records for other masters >2013-12-13T13:21:55Z DEBUG duration: 0 seconds >2013-12-13T13:21:55Z DEBUG [6/11]: setting up CA record >2013-12-13T13:21:55Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'ipa-ca', arecord=u'10.34.47.227') >2013-12-13T13:21:55Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'ipa-ca', arecord=(u'10.34.47.227',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False) >2013-12-13T13:21:55Z DEBUG duration: 0 seconds >2013-12-13T13:21:55Z DEBUG [7/11]: setting up kerberos principal >2013-12-13T13:21:55Z DEBUG Starting external process >2013-12-13T13:21:55Z DEBUG args=kadmin.local -q addprinc -randkey DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:21:56Z DEBUG Process finished, return code=0 >2013-12-13T13:21:56Z DEBUG stdout=Authenticating as principal root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Principal "DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM" created. 
> >2013-12-13T13:21:56Z DEBUG stderr=WARNING: no policy specified for DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM; defaulting to no policy > >2013-12-13T13:21:56Z DEBUG Backing up system configuration file '/etc/named.keytab' >2013-12-13T13:21:56Z DEBUG -> Not backing up - '/etc/named.keytab' doesn't exist >2013-12-13T13:21:56Z DEBUG Starting external process >2013-12-13T13:21:56Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -x ipa-setup-override-restrictions >2013-12-13T13:21:56Z DEBUG Process finished, return code=0 >2013-12-13T13:21:56Z DEBUG stdout=Authenticating as principal root/admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with password. >Entry for principal DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab. >Entry for principal DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab. >Entry for principal DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab. >Entry for principal DNS/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab. 
> >2013-12-13T13:21:56Z DEBUG stderr= >2013-12-13T13:21:56Z DEBUG flushing ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 from SchemaCache >2013-12-13T13:21:56Z DEBUG retrieving schema for SchemaCache url=ldap://vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ce0f38> >2013-12-13T13:21:57Z DEBUG duration: 2 seconds >2013-12-13T13:21:57Z DEBUG [8/11]: setting up named.conf >2013-12-13T13:21:57Z DEBUG Backing up system configuration file '/etc/named.conf' >2013-12-13T13:21:57Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:21:57Z DEBUG duration: 0 seconds >2013-12-13T13:21:57Z DEBUG [9/11]: restarting named >2013-12-13T13:21:57Z DEBUG Starting external process >2013-12-13T13:21:57Z DEBUG args=/bin/systemctl is-active named.service >2013-12-13T13:21:57Z DEBUG Process finished, return code=3 >2013-12-13T13:21:57Z DEBUG stdout=inactive > >2013-12-13T13:21:57Z DEBUG stderr= >2013-12-13T13:21:57Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:21:57Z DEBUG Starting external process >2013-12-13T13:21:57Z DEBUG args=/bin/systemctl restart named.service >2013-12-13T13:22:13Z DEBUG Process finished, return code=0 >2013-12-13T13:22:13Z DEBUG stdout= >2013-12-13T13:22:13Z DEBUG stderr= >2013-12-13T13:22:13Z DEBUG Starting external process >2013-12-13T13:22:13Z DEBUG args=/bin/systemctl is-active named.service >2013-12-13T13:22:13Z DEBUG Process finished, return code=0 >2013-12-13T13:22:13Z DEBUG stdout=active > >2013-12-13T13:22:13Z DEBUG stderr= >2013-12-13T13:22:13Z DEBUG duration: 15 seconds >2013-12-13T13:22:13Z DEBUG [10/11]: configuring named to start on boot >2013-12-13T13:22:13Z DEBUG Starting external process >2013-12-13T13:22:13Z DEBUG args=/bin/systemctl is-active named.service >2013-12-13T13:22:13Z DEBUG Process finished, return code=0 >2013-12-13T13:22:13Z DEBUG stdout=active > >2013-12-13T13:22:13Z DEBUG stderr= 
>2013-12-13T13:22:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:22:13Z DEBUG Starting external process >2013-12-13T13:22:13Z DEBUG args=/bin/systemctl disable named.service >2013-12-13T13:22:13Z DEBUG Process finished, return code=0 >2013-12-13T13:22:13Z DEBUG stdout= >2013-12-13T13:22:13Z DEBUG stderr= >2013-12-13T13:22:13Z DEBUG duration: 0 seconds >2013-12-13T13:22:13Z DEBUG [11/11]: changing resolv.conf to point to ourselves >2013-12-13T13:22:13Z DEBUG Backing up system configuration file '/etc/resolv.conf' >2013-12-13T13:22:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:22:13Z DEBUG duration: 0 seconds >2013-12-13T13:22:13Z DEBUG Done configuring DNS (named). >2013-12-13T13:22:13Z DEBUG raw: dnsconfig_show() >2013-12-13T13:22:13Z DEBUG dnsconfig_show(rights=False, all=False, raw=False) >2013-12-13T13:22:14Z DEBUG Restarting the web server >2013-12-13T13:22:14Z DEBUG Starting external process >2013-12-13T13:22:14Z DEBUG args=/bin/systemctl restart httpd.service >2013-12-13T13:22:16Z DEBUG Process finished, return code=0 >2013-12-13T13:22:16Z DEBUG stdout= >2013-12-13T13:22:16Z DEBUG stderr= >2013-12-13T13:22:16Z DEBUG Starting external process >2013-12-13T13:22:16Z DEBUG args=/bin/systemctl is-active httpd.service >2013-12-13T13:22:16Z DEBUG Process finished, return code=0 >2013-12-13T13:22:16Z DEBUG stdout=active > >2013-12-13T13:22:16Z DEBUG stderr= >2013-12-13T13:22:16Z DEBUG Changing admin password >2013-12-13T13:22:16Z DEBUG Starting external process >2013-12-13T13:22:16Z DEBUG args=/usr/bin/ldappasswd -h vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpXhc6Hw -T /var/lib/ipa/tmpYwkY9w uid=admin,cn=users,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >2013-12-13T13:22:16Z DEBUG Process finished, return code=0 >2013-12-13T13:22:16Z DEBUG stdout= >2013-12-13T13:22:16Z DEBUG stderr= 
>2013-12-13T13:22:16Z DEBUG ldappasswd done >2013-12-13T13:22:16Z DEBUG Starting external process >2013-12-13T13:22:16Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain dom227.jenkinsad.idm.lab.eng.brq.redhat.com --server vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com --realm DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM --hostname vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >2013-12-13T13:22:31Z DEBUG Process finished, return code=0 >2013-12-13T13:22:31Z DEBUG stdout= > >2013-12-13T13:22:31Z DEBUG stderr=Using existing certificate '/etc/ipa/ca.crt'. >Hostname: vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >Realm: DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM >DNS Domain: dom227.jenkinsad.idm.lab.eng.brq.redhat.com >IPA Server: vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com >BaseDN: dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >New SSSD config will be created >Configured /etc/sssd/sssd.conf >Added the CA to the systemwide CA trust database. >Added the CA to the default NSS database. >Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub >SSSD enabled >Configured /etc/openldap/ldap.conf >Configured /etc/ssh/ssh_config >Configured /etc/ssh/sshd_config >Client configuration complete. 
> >2013-12-13T13:22:31Z DEBUG Starting external process >2013-12-13T13:22:31Z DEBUG args=/bin/systemctl enable ipa.service >2013-12-13T13:22:31Z DEBUG Process finished, return code=0 >2013-12-13T13:22:31Z DEBUG stdout= >2013-12-13T13:22:31Z DEBUG stderr=ln -s '/usr/lib/systemd/system/ipa.service' '/etc/systemd/system/multi-user.target.wants/ipa.service' > >2013-12-13T13:22:31Z DEBUG Starting external process >2013-12-13T13:22:31Z DEBUG args=/bin/systemctl restart ipa.service >2013-12-13T13:22:33Z DEBUG Process finished, return code=0 >2013-12-13T13:22:33Z DEBUG stdout= >2013-12-13T13:22:33Z DEBUG stderr= >2013-12-13T13:22:33Z DEBUG Starting external process >2013-12-13T13:22:33Z DEBUG args=/bin/systemctl is-active ipa.service >2013-12-13T13:22:33Z DEBUG Process finished, return code=0 >2013-12-13T13:22:33Z DEBUG stdout=active > >2013-12-13T13:22:33Z DEBUG stderr= >2013-12-13T13:22:33Z DEBUG Starting external process >2013-12-13T13:22:33Z DEBUG args=/bin/systemctl is-active ntpd.service >2013-12-13T13:22:33Z DEBUG Process finished, return code=0 >2013-12-13T13:22:33Z DEBUG stdout=active > >2013-12-13T13:22:33Z DEBUG stderr= >2013-12-13T13:22:33Z INFO The ipa-server-install command was successful >2013-12-13T13:22:34Z DEBUG /usr/sbin/ipa-adtrust-install was invoked with options: {'enable_compat': True, 'unattended': True, 'no_msdcs': False, 'rid_base': 1000, 'secondary_rid_base': 100000000, 'netbios_name': 'DOM227', 'debug': False, 'add_sids': True, 'ip_address': None} >2013-12-13T13:22:34Z DEBUG missing options might be asked for interactively later > >2013-12-13T13:22:34Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:22:34Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >2013-12-13T13:22:34Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'... 
>2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py' >2013-12-13T13:22:34Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py' >2013-12-13T13:22:34Z DEBUG Starting external process >2013-12-13T13:22:34Z DEBUG args=klist -V >2013-12-13T13:22:34Z DEBUG Process finished, return code=0 >2013-12-13T13:22:34Z DEBUG stdout=Kerberos 5 version 1.11.3 > >2013-12-13T13:22:34Z DEBUG stderr= >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py' >2013-12-13T13:22:34Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py' >2013-12-13T13:22:34Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py' >2013-12-13T13:22:35Z DEBUG Starting external process >2013-12-13T13:22:35Z DEBUG args=/sbin/ip -family inet -oneline address show >2013-12-13T13:22:35Z DEBUG Process finished, return code=0 >2013-12-13T13:22:35Z DEBUG stdout=1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever >2: eth0 inet 10.34.47.227/24 brd 10.34.47.255 scope global eth0\ valid_lft forever preferred_lft forever > >2013-12-13T13:22:35Z DEBUG stderr= >2013-12-13T13:22:35Z DEBUG will use ip_address: 10.34.47.227 > >2013-12-13T13:22:35Z DEBUG Starting external process >2013-12-13T13:22:35Z DEBUG args=kinit admin >2013-12-13T13:22:36Z DEBUG Process finished, return code=0 >2013-12-13T13:22:36Z DEBUG stdout=Password for admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM: > >2013-12-13T13:22:36Z DEBUG stderr= >2013-12-13T13:22:36Z DEBUG Created connection context.ldap2 >2013-12-13T13:22:36Z DEBUG raw: 
user_show(u'admin') >2013-12-13T13:22:36Z DEBUG user_show(u'admin', rights=False, all=False, raw=False, no_members=False) >2013-12-13T13:22:36Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x27f3710> >2013-12-13T13:22:36Z DEBUG raw: group_show(u'admins') >2013-12-13T13:22:36Z DEBUG group_show(u'admins', rights=False, all=False, raw=False, no_members=False) >2013-12-13T13:22:36Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:22:36Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:22:36Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3ff0a28> >2013-12-13T13:22:36Z DEBUG Configuring CIFS >2013-12-13T13:22:36Z DEBUG [1/21]: stopping smbd >2013-12-13T13:22:36Z DEBUG Starting external process >2013-12-13T13:22:36Z DEBUG args=/bin/systemctl is-active smb.service >2013-12-13T13:22:36Z DEBUG Process finished, return code=3 >2013-12-13T13:22:36Z DEBUG stdout=unknown > >2013-12-13T13:22:36Z DEBUG stderr= >2013-12-13T13:22:36Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:22:36Z DEBUG Starting external process >2013-12-13T13:22:36Z DEBUG args=/bin/systemctl stop winbind.service >2013-12-13T13:22:36Z DEBUG Process finished, return code=0 >2013-12-13T13:22:36Z DEBUG stdout= >2013-12-13T13:22:36Z DEBUG stderr= >2013-12-13T13:22:36Z DEBUG Starting external process >2013-12-13T13:22:36Z DEBUG args=/bin/systemctl stop smb.service >2013-12-13T13:22:36Z DEBUG Process finished, return code=0 >2013-12-13T13:22:36Z DEBUG stdout= >2013-12-13T13:22:36Z DEBUG stderr= >2013-12-13T13:22:36Z DEBUG duration: 0 seconds >2013-12-13T13:22:36Z DEBUG [2/21]: creating samba domain object 
>2013-12-13T13:22:36Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:22:36Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3fe4830> >2013-12-13T13:22:37Z DEBUG duration: 0 seconds >2013-12-13T13:22:37Z DEBUG [3/21]: creating samba config registry >2013-12-13T13:22:37Z DEBUG Starting external process >2013-12-13T13:22:37Z DEBUG args=/usr/bin/net conf import /tmp/tmpB4Add4 >2013-12-13T13:22:38Z DEBUG Process finished, return code=0 >2013-12-13T13:22:38Z DEBUG stdout= >2013-12-13T13:22:38Z DEBUG stderr= >2013-12-13T13:22:38Z DEBUG duration: 1 seconds >2013-12-13T13:22:38Z DEBUG [4/21]: writing samba config file >2013-12-13T13:22:38Z DEBUG duration: 0 seconds >2013-12-13T13:22:38Z DEBUG [5/21]: adding cifs Kerberos principal >2013-12-13T13:22:38Z DEBUG raw: service_add(u'cifs/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM') >2013-12-13T13:22:38Z DEBUG service_add(u'cifs/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM', force=False, all=False, raw=False, no_members=False) >2013-12-13T13:22:38Z DEBUG raw: host_show(u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com') >2013-12-13T13:22:38Z DEBUG host_show(u'vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com', rights=False, all=False, raw=False, no_members=False) >2013-12-13T13:22:38Z DEBUG IPA: found 1 records for vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com: 10.34.47.227 >2013-12-13T13:22:38Z DEBUG Starting external process >2013-12-13T13:22:38Z DEBUG args=ipa-getkeytab --server vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com --principal cifs/vm-227.dom227.jenkinsad.idm.lab.eng.brq.redhat.com@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM -k /etc/samba/samba.keytab >2013-12-13T13:22:39Z DEBUG Process finished, 
return code=0 >2013-12-13T13:22:39Z DEBUG stdout= >2013-12-13T13:22:39Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/samba/samba.keytab > >2013-12-13T13:22:39Z DEBUG duration: 1 seconds >2013-12-13T13:22:39Z DEBUG [6/21]: check for cifs services defined on other replicas >2013-12-13T13:22:39Z DEBUG duration: 0 seconds >2013-12-13T13:22:39Z DEBUG [7/21]: adding cifs principal to S4U2Proxy targets >2013-12-13T13:22:39Z DEBUG duration: 0 seconds >2013-12-13T13:22:39Z DEBUG [8/21]: adding admin(group) SIDs >2013-12-13T13:22:40Z DEBUG duration: 0 seconds >2013-12-13T13:22:40Z DEBUG [9/21]: adding RID bases >2013-12-13T13:22:40Z DEBUG duration: 0 seconds >2013-12-13T13:22:40Z DEBUG [10/21]: updating Kerberos config >2013-12-13T13:22:40Z DEBUG 'dns_lookup_kdc' already set to 'true', nothing to do. >2013-12-13T13:22:40Z DEBUG duration: 0 seconds >2013-12-13T13:22:40Z DEBUG [11/21]: activating CLDAP plugin >2013-12-13T13:22:40Z DEBUG Starting external process >2013-12-13T13:22:40Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpLYE2j0 -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL >2013-12-13T13:22:40Z DEBUG Process finished, return code=0 >2013-12-13T13:22:40Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > ipa_cldap >add nsslapd-pluginpath: > libipa_cldap >add nsslapd-plugininitfunc: > ipa_cldap_init >add nsslapd-plugintype: > postoperation >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipa_cldap_init >add nsslapd-pluginversion: > @PACKAGE_VERSION@ >add nsslapd-pluginvendor: > RedHat >add nsslapd-plugindescription: > CLDAP Server to interoperate with AD >add nsslapd-plugin-depends-on-type: > database >add nsslapd-basedn: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=ipa_cldap,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:22:40Z DEBUG stderr=ldap_initialize( 
ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) >SASL/EXTERNAL authentication started >SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >SASL SSF: 0 > >2013-12-13T13:22:40Z DEBUG duration: 0 seconds >2013-12-13T13:22:40Z DEBUG [12/21]: activating sidgen plugin and task >2013-12-13T13:22:40Z DEBUG Starting external process >2013-12-13T13:22:40Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpJOeuKV -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL >2013-12-13T13:22:40Z DEBUG Process finished, return code=0 >2013-12-13T13:22:40Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > IPA SIDGEN >add nsslapd-pluginpath: > libipa_sidgen >add nsslapd-plugininitfunc: > ipa_sidgen_init >add nsslapd-plugintype: > postoperation >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipa_sidgen_postop >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > Red Hat, Inc. 
>add nsslapd-plugindescription: > IPA SIDGEN post operation >add nsslapd-plugin-depends-on-type: > database >add nsslapd-basedn: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=IPA SIDGEN,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:22:40Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) >SASL/EXTERNAL authentication started >SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >SASL SSF: 0 > >2013-12-13T13:22:40Z DEBUG Starting external process >2013-12-13T13:22:40Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmp9wFOqO -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL >2013-12-13T13:22:40Z DEBUG Process finished, return code=0 >2013-12-13T13:22:40Z DEBUG stdout=add objectClass: > top > nsSlapdPlugin > extensibleObject >add cn: > ipa-sidgen-task >add nsslapd-pluginPath: > libipa_sidgen_task >add nsslapd-pluginInitfunc: > sidgen_task_init >add nsslapd-pluginType: > object >add nsslapd-pluginEnabled: > on >add nsslapd-pluginId: > ipa_sidgen_task >add nsslapd-pluginVersion: > 1.0 >add nsslapd-pluginVendor: > RedHat >add nsslapd-pluginDescription: > Generate SIDs for existing user and group entries >adding new entry "cn=ipa-sidgen-task,cn=plugins,cn=config" >modify complete > >add objectClass: > top > extensibleObject >add cn: > ipa-sidgen-task >adding new entry "cn=ipa-sidgen-task,cn=tasks,cn=config" >modify complete > > >2013-12-13T13:22:40Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) >SASL/EXTERNAL authentication started >SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >SASL SSF: 0 > >2013-12-13T13:22:40Z DEBUG duration: 0 seconds >2013-12-13T13:22:40Z DEBUG [13/21]: activating extdom plugin >2013-12-13T13:22:40Z DEBUG Starting external process >2013-12-13T13:22:40Z DEBUG 
args=/usr/bin/ldapmodify -v -f /tmp/tmpvCR2mQ -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL >2013-12-13T13:22:40Z DEBUG Process finished, return code=0 >2013-12-13T13:22:40Z DEBUG stdout=add objectclass: > top > nsSlapdPlugin > extensibleObject >add cn: > ipa_extdom_extop >add nsslapd-pluginpath: > libipa_extdom_extop >add nsslapd-plugininitfunc: > ipa_extdom_init >add nsslapd-plugintype: > extendedop >add nsslapd-pluginenabled: > on >add nsslapd-pluginid: > ipa_extdom_extop >add nsslapd-pluginversion: > 1.0 >add nsslapd-pluginvendor: > RedHat >add nsslapd-plugindescription: > Support resolving IDs in trusted domains to names and back >add nsslapd-plugin-depends-on-type: > database >add nsslapd-basedn: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >adding new entry "cn=ipa_extdom_extop,cn=plugins,cn=config" >modify complete > > >2013-12-13T13:22:40Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) >SASL/EXTERNAL authentication started >SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >SASL SSF: 0 > >2013-12-13T13:22:40Z DEBUG duration: 0 seconds >2013-12-13T13:22:40Z DEBUG [14/21]: configuring smbd to start on boot >2013-12-13T13:22:40Z DEBUG Starting external process >2013-12-13T13:22:40Z DEBUG args=/bin/systemctl is-enabled smb.service >2013-12-13T13:22:40Z DEBUG Process finished, return code=1 >2013-12-13T13:22:40Z DEBUG stdout=disabled > >2013-12-13T13:22:40Z DEBUG stderr= >2013-12-13T13:22:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:22:40Z DEBUG Starting external process >2013-12-13T13:22:40Z DEBUG args=/bin/systemctl disable smb.service >2013-12-13T13:22:40Z DEBUG Process finished, return code=0 >2013-12-13T13:22:40Z DEBUG stdout= >2013-12-13T13:22:40Z DEBUG stderr= >2013-12-13T13:22:40Z DEBUG Starting external process >2013-12-13T13:22:40Z DEBUG 
args=/bin/systemctl disable smb.service >2013-12-13T13:22:40Z DEBUG Process finished, return code=0 >2013-12-13T13:22:40Z DEBUG stdout= >2013-12-13T13:22:40Z DEBUG stderr= >2013-12-13T13:22:40Z DEBUG duration: 0 seconds >2013-12-13T13:22:40Z DEBUG [15/21]: adding special DNS service records >2013-12-13T13:22:40Z DEBUG raw: dns_is_enabled() >2013-12-13T13:22:40Z DEBUG dns_is_enabled() >2013-12-13T13:22:40Z DEBUG raw: dnszone_show(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com') >2013-12-13T13:22:40Z DEBUG dnszone_show(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', rights=False, all=False, raw=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs') >2013-12-13T13:22:40Z DEBUG dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs', structured=False, all=False, raw=False, pkey_only=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs', srvrecord=u'0 100 389 vm-227') >2013-12-13T13:22:40Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 389 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.dc._msdcs') >2013-12-13T13:22:40Z DEBUG dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.dc._msdcs', structured=False, all=False, raw=False, pkey_only=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.dc._msdcs', srvrecord=u'0 100 389 vm-227') >2013-12-13T13:22:40Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_ldap._tcp.dc._msdcs', 
a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 389 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs') >2013-12-13T13:22:40Z DEBUG dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs', structured=False, all=False, raw=False, pkey_only=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:22:40Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.dc._msdcs') >2013-12-13T13:22:40Z DEBUG dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.dc._msdcs', structured=False, all=False, raw=False, pkey_only=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.dc._msdcs', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:22:40Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._tcp.dc._msdcs', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs') >2013-12-13T13:22:40Z DEBUG dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', 
u'_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs', structured=False, all=False, raw=False, pkey_only=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:22:40Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp.dc._msdcs') >2013-12-13T13:22:40Z DEBUG dnsrecord_find(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp.dc._msdcs', structured=False, all=False, raw=False, pkey_only=False) >2013-12-13T13:22:40Z DEBUG raw: dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp.dc._msdcs', srvrecord=u'0 100 88 vm-227') >2013-12-13T13:22:40Z DEBUG dnsrecord_add(u'dom227.jenkinsad.idm.lab.eng.brq.redhat.com', u'_kerberos._udp.dc._msdcs', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 vm-227',), force=False, structured=False, all=False, raw=False) >2013-12-13T13:22:41Z DEBUG duration: 0 seconds >2013-12-13T13:22:41Z DEBUG [16/21]: enabling trusted domains support for older clients via Schema Compatibility plugin >2013-12-13T13:22:41Z DEBUG duration: 0 seconds >2013-12-13T13:22:41Z DEBUG [17/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account >2013-12-13T13:22:41Z DEBUG Starting external process >2013-12-13T13:22:41Z DEBUG args=/bin/systemctl restart dirsrv.target >2013-12-13T13:22:43Z DEBUG Process finished, return code=0 >2013-12-13T13:22:43Z DEBUG stdout= >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG 
args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service 
>2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > 
>2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process 
>2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active 
dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=3 >2013-12-13T13:22:43Z DEBUG stdout=activating > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG Starting external process >2013-12-13T13:22:43Z DEBUG args=/bin/systemctl is-active dirsrv@DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.service >2013-12-13T13:22:43Z DEBUG Process finished, return code=0 >2013-12-13T13:22:43Z DEBUG stdout=active > >2013-12-13T13:22:43Z DEBUG stderr= >2013-12-13T13:22:43Z DEBUG wait_for_open_ports: localhost [389] timeout 120 >2013-12-13T13:22:46Z DEBUG duration: 5 seconds >2013-12-13T13:22:46Z DEBUG [18/21]: adding fallback group >2013-12-13T13:22:46Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache >2013-12-13T13:22:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3cb3b48> >2013-12-13T13:22:47Z DEBUG Starting external process >2013-12-13T13:22:47Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmp5cfbD1 -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL >2013-12-13T13:22:47Z DEBUG Process finished, return code=0 >2013-12-13T13:22:47Z DEBUG stdout=add cn: > Default SMB Group >add description: > Fallback group for primary group RID, do not add users to this group >add gidnumber: > -1 >add objectclass: > top > ipaobject > posixgroup >adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >modify complete > > >2013-12-13T13:22:47Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) >SASL/EXTERNAL authentication started >SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >SASL SSF: 0 > >2013-12-13T13:22:47Z DEBUG 
duration: 0 seconds >2013-12-13T13:22:47Z DEBUG [19/21]: setting SELinux booleans >2013-12-13T13:22:47Z DEBUG Starting external process >2013-12-13T13:22:47Z DEBUG args=/usr/sbin/selinuxenabled >2013-12-13T13:22:47Z DEBUG Process finished, return code=0 >2013-12-13T13:22:47Z DEBUG stdout= >2013-12-13T13:22:47Z DEBUG stderr= >2013-12-13T13:22:47Z DEBUG Starting external process >2013-12-13T13:22:47Z DEBUG args=/usr/sbin/getsebool samba_portmapper >2013-12-13T13:22:47Z DEBUG Process finished, return code=0 >2013-12-13T13:22:47Z DEBUG stdout=samba_portmapper --> off > >2013-12-13T13:22:47Z DEBUG stderr= >2013-12-13T13:22:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2013-12-13T13:22:47Z DEBUG Starting external process >2013-12-13T13:22:47Z DEBUG args=/usr/sbin/setsebool -P samba_portmapper=true >2013-12-13T13:23:08Z DEBUG Process finished, return code=0 >2013-12-13T13:23:08Z DEBUG stdout= >2013-12-13T13:23:08Z DEBUG stderr= >2013-12-13T13:23:08Z DEBUG duration: 21 seconds >2013-12-13T13:23:08Z DEBUG [20/21]: starting CIFS services >2013-12-13T13:23:08Z DEBUG Starting external process >2013-12-13T13:23:08Z DEBUG args=/bin/systemctl start smb.service >2013-12-13T13:23:09Z DEBUG Process finished, return code=0 >2013-12-13T13:23:09Z DEBUG stdout= >2013-12-13T13:23:09Z DEBUG stderr= >2013-12-13T13:23:09Z DEBUG Starting external process >2013-12-13T13:23:09Z DEBUG args=/bin/systemctl is-active smb.service >2013-12-13T13:23:09Z DEBUG Process finished, return code=0 >2013-12-13T13:23:09Z DEBUG stdout=active > >2013-12-13T13:23:09Z DEBUG stderr= >2013-12-13T13:23:09Z DEBUG Starting external process >2013-12-13T13:23:09Z DEBUG args=/bin/systemctl start winbind.service >2013-12-13T13:23:09Z DEBUG Process finished, return code=0 >2013-12-13T13:23:09Z DEBUG stdout= >2013-12-13T13:23:09Z DEBUG stderr= >2013-12-13T13:23:09Z DEBUG Starting external process >2013-12-13T13:23:09Z DEBUG args=/bin/systemctl is-active winbind.service >2013-12-13T13:23:09Z DEBUG 
Process finished, return code=0 >2013-12-13T13:23:09Z DEBUG stdout=active > >2013-12-13T13:23:09Z DEBUG stderr= >2013-12-13T13:23:09Z DEBUG duration: 0 seconds >2013-12-13T13:23:09Z DEBUG [21/21]: adding SIDs to existing users and groups >2013-12-13T13:23:09Z DEBUG Starting external process >2013-12-13T13:23:09Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpSwygmo -H ldapi://%2fvar%2frun%2fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL >2013-12-13T13:23:09Z DEBUG Process finished, return code=0 >2013-12-13T13:23:09Z DEBUG stdout=add objectClass: > top > extensibleObject >add cn: > sidgen >add nsslapd-basedn: > dc=dom227,dc=jenkinsad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com >add delay: > 0 >adding new entry "cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config" >modify complete > > >2013-12-13T13:23:09Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-DOM227-JENKINSAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base ) >SASL/EXTERNAL authentication started >SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >SASL SSF: 0 > >2013-12-13T13:23:09Z DEBUG duration: 0 seconds >2013-12-13T13:23:09Z DEBUG Done configuring CIFS. >2013-12-13T13:23:09Z DEBUG Starting external process >2013-12-13T13:23:09Z DEBUG args=kinit admin >2013-12-13T13:23:10Z DEBUG Process finished, return code=0 >2013-12-13T13:23:10Z DEBUG stdout=Password for admin@DOM227.JENKINSAD.IDM.LAB.ENG.BRQ.REDHAT.COM: > >2013-12-13T13:23:10Z DEBUG stderr= >2013-12-13T13:23:10Z INFO The ipa-adtrust-install command was successful