<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 31.08.2016 11:49, Deepak Dimri
      wrote:<br>
    </div>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
      type="cite">
      <div dir="ltr">
        <p class="p1"><span class="s1"><br>
          </span></p>
        <p class="p1">Hi All,</p>
        <p class="p1">I am getting <b style="font-size: 12pt;">ACL
            Syntax Error(-5) </b><span style="font-size: 12pt;">when
            trying to add an ACI to my FreeIPA server. Any idea why I am
            getting this error?</span></p>
      </div>
    </blockquote>
    Maybe your ACI is incorrect?<br>
    <br>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
      type="cite">
      <div dir="ltr">
        <p class="p1"><span style="font-size: 12pt;"><br>
          </span></p>
        <p class="p1"><span style="font-size: 12pt;">This is the error I
            am getting:</span></p>
        <p class="p1"><br>
        </p>
        <p class="p1"><span class="s1">ldap_modify: Invalid syntax (21)</span></p>
        <p class="p1">
        </p>
        <p class="p1"><span class="s1"><span class="Apple-tab-span"> </span><b>additional
              info: ACL Syntax Error(-5)</b>:(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0;
            acl \22permission:Allow admin to modify  hosts membership
            within  permitted hostgroups\22; allow (write) groupdn
=\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)</span></p>
        <p class="p1"><span class="s1"><br>
          </span></p>
      </div>
    </blockquote>
    Can you try putting a space between<span class="s1"> "version" and the
      number here: 'version3.0;'?<br>
      <br>
      Otherwise it looks good to me.<br>
    </span><br>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
      type="cite">
      <div dir="ltr">
        <p class="p1"><span class="s1">My LDIF entries:</span></p>
        <p class="p1"><span class="s1"><br>
          </span></p>
        <p class="p1"><span class="s1">dn:
            cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com</span></p>
        <p class="p1"><span class="s1">add: aci</span></p>
        <p class="p1"><span class="s1">aci: (targetattr =
            "userclass")(targetfilter =
            "(objectclass=ipahost)")(version3.0;acl "permission:Allow
            admin to modify  hosts membership within  permitted
            hostgroups";allow (write) groupdn
=<a class="moz-txt-link-rfc2396E" href="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com">"ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com"</a>;)</span></p>
        <p class="p1"><span class="s1"><br>
          </span></p>
        <p class="p1">Also, one general question: I should be able to
          view the ACI under the FreeIPA permission tab once it gets
          created, correct?</p>
      </div>
    </blockquote>
    No, you have to add a FreeIPA permission; custom ACIs are not tracked
    in the webUI/CLI.<br>
    <br>
    IMO it should be possible to create this permission using the webUI.<br>
    <br>
    Martin<br>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
      type="cite">
      <div dir="ltr">
        <p class="p1"><br>
        </p>
        <p class="p1">Thanks &amp; regards,</p>
        <p class="p1">Deepak</p>
        <p class="p1"><br>
        </p>
      </div>
    </blockquote>
    <br>
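    <p>Added example, not part of the original thread and not FreeIPA or 389
      Directory Server code: a small pre-flight check that compares an aci
      value with the documented <code>(version 3.0; acl "name"; allow (rights)
      bind_rule;)</code> layout before it is sent with ldapmodify, and flags the
      <code>version3.0;</code> spelling the reply points at. The function name
      <code>lint_aci</code>, the regular expressions and the rights list are
      assumptions of this example, not the server's own parser.</p>
<pre>
```python
import re

# Layout checked here (assumption: the documented 389 Directory Server form,
# not a copy of the server's own parser):
#   (target...)(target...)(version 3.0; acl "name"; allow (rights) bind_rule;)
TARGET = re.compile(r'\s*\(\s*targ\w+\s*!?=\s*"(?:[^"\\]|\\.)*"\s*\)')
VERSION = re.compile(r'\s*\(\s*version\s+3\.0\s*;')
ACL_NAME = re.compile(r'\s*acl\s+"[^"]+"\s*;')
PERMISSION = re.compile(r'\s*(?:allow|deny)\s*\(([\w\s,]+)\)\s*.+?;\s*\)\s*$', re.S)
RIGHTS = {"read", "write", "add", "delete", "search", "compare",
          "selfwrite", "proxy", "all"}


def lint_aci(aci):
    """Return a list of problems in one aci value; an empty list means OK."""
    pos = 0
    while True:  # skip the leading target clauses
        m = TARGET.match(aci, pos)
        if m is None:
            break
        pos = m.end()
    m = VERSION.match(aci, pos)
    if m is None:
        if re.match(r'\s*\(\s*version3\.0', aci[pos:]):
            return ['write "version 3.0;" with a space after "version"']
        return ['expected "(version 3.0;" after the target clauses']
    m = ACL_NAME.match(aci, m.end())
    if m is None:
        return ['expected acl "name"; after the version']
    m = PERMISSION.match(aci, m.end())
    if m is None:
        return ['expected allow/deny (rights) bind_rule;) at the end']
    unknown = sorted({r.strip() for r in m.group(1).split(",")} - RIGHTS)
    return ["unknown right: " + r for r in unknown]


# The aci value from the LDIF in the thread, and the same value with the space added.
SUFFIX = "dc=us-west-2,dc=compute,dc=amazonaws,dc=com"
FROM_THREAD = (
    '(targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")'
    '(version3.0;acl "permission:Allow admin to modify  hosts membership '
    'within  permitted hostgroups";allow (write) groupdn '
    '="ldap:///cn=testadmingroup,cn=groups,cn=accounts,' + SUFFIX + '";)'
)
WITH_SPACE = FROM_THREAD.replace("(version3.0;", "(version 3.0; ")

if __name__ == "__main__":
    for label, value in (("thread", FROM_THREAD), ("with space", WITH_SPACE)):
        print(label, "->", lint_aci(value) or "OK")
```
</pre>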
  </body>
</html>