On 03/12/2012 11:06 AM, Stephen Ingram wrote:
On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson<rmegg...@redhat.com> wrote:
On 03/12/2012 01:34 AM, Martin Kosek wrote:
On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
On 03/11/2012 04:22 PM, Stephen Ingram wrote:
Now I've made it to the WebUI. Login works great (also via the new
form auth). Click on IPA Server tab and then Configuration yields:
IPA Error 4208 - get-effective-rights: missing subject: Invalid syntax
This also happens at several other points in the UI. For example,
click one DNS zone and then the Settings tab within, or the Hosts
section within the Identity tab and clicking Settings. It seems that
any attempt to configure settings yields this error.
Directory server error logs point specifically to the NSACLPlugin:
NSACLPlugin - get-effective-rights: missing subject
Failed to get effective rights for entry
(idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
I'm guessing some incorrect ACLs?
We will need to investigate.
Petr, Martin any idea?
Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
in this area in F-17?
F-17? Nothing specific to F-17. Is this error with the latest 1.2.10.2 or
.3 in F-17 updates or updates-testing?
I'm using 1.2.10.3 from the fedora 17 updates repo. IPA is from
freeipa-devel repo.
This error means there is an empty GER control value sent with the
request. Did the client code change recently?
ipaserver/plugins/ldap2.py get_effective_rights() looks correct
These should be the relevant ACIs:
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl
"permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns
entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl
"permission:remove dns entries"; allow (delete) groupdn =
"ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
dnsclass || arecord || aaaarecord || a6record || nsrecord ||
cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord
|| hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord ||
locrecord || nxtrecord || naptrrecord || kxrecord || certrecord ||
dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord
|| idnsname || idnszoneactive || idnssoamname || idnssoarname ||
idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire ||
idnssoaminimum || idnsupdatepolicy")(target =
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update
dns entries";allow (write) groupdn = "ldap:///cn=update dns
entries,cn=permissions,cn=pbac,$SUFFIX";)
Steve
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
