[Freeipa-devel] Design Review Keytab Retrieval
Simo Sorce
simo at redhat.com
Mon Jun 23 16:48:57 UTC 2014
----- Original Message -----
> > Can you check if ipaProtectedOperation is in the aci attribute in the
> > base tree object?
> > It should be there as excluded, and that should cause admin to not be
> > able to retrieve keytabs.
>
> It was not. While running ipa-ldap-updater I got the following:
> InvalidSyntax: ACL Syntax Error(-5):(targetattr=
> \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
> allowed to rekey any entity\22; allow(write) groupdn =
> \22ldap:///cn=admins: Invalid syntax.
Uhmm, I do not see anything obviously wrong with the ACI instruction, it looks just like the one I replace. Ideas?
Do you have ipaProtectedOperation in the schema?
(I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update.)
Simo.