<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 31.08.2016 11:49, Deepak Dimri
wrote:<br>
</div>
<blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
type="cite">
<div dir="ltr">
<p class="p1"><span class="s1"><br>
</span></p>
<p class="p1">Hi All,</p>
<p class="p1">I am getting <b style="font-size: 12pt;">ACL
Syntax Error(-5) </b><span style="font-size: 12pt;">when
trying to add an ACI to my freeIPA server. Any idea why I am
getting this error?</span></p>
</div>
</blockquote>
Maybe your ACI is incorrect?<br>
<br>
<blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
type="cite">
<div dir="ltr">
<p class="p1"><span style="font-size: 12pt;"><br>
</span></p>
<p class="p1"><span style="font-size: 12pt;">This is the error I
am getting:</span></p>
<p class="p1"><br>
</p>
<p class="p1"><span class="s1">ldap_modify: Invalid syntax (21)</span></p>
<p class="p1">
</p>
<p class="p1"><span class="s1"><span class="Apple-tab-span"> </span><b>additional
info: ACL Syntax Error(-5)</b>:(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0;
acl \22permission:Allow admin to modify hosts membership
within permitted hostgroups\22; allow (write) groupdn
=\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)</span></p>
<p class="p1"><span class="s1"><br>
</span></p>
</div>
</blockquote>
Can you try putting a space between<span class="s1"> 'version' and the
number here: 'version3.0;'?<br>
<br>
Otherwise it looks good to me.<br>
</span><br>
<blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
type="cite">
<div dir="ltr">
<p class="p1"><span class="s1">my ldif entries:</span></p>
<p class="p1"><span class="s1"><br>
</span></p>
<p class="p1"><span class="s1">dn:
cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com</span></p>
<p class="p1"><span class="s1">add: aci</span></p>
<p class="p1"><span class="s1">aci: (targetattr =
"userclass")(targetfilter =
"(objectclass=ipahost)")(version3.0;acl "permission:Allow
admin to modify hosts membership within permitted
hostgroups";allow (write) groupdn
=<a class="moz-txt-link-rfc2396E" href="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com">"ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com"</a>;)</span></p>
<p class="p1"><span class="s1"><br>
</span></p>
<p class="p1">Also, one general question: I should be able to
view the ACI under the freeIPA permission tab once it gets created,
correct?</p>
</div>
</blockquote>
No, you have to add a FreeIPA permission; custom ACIs are not tracked
in the webUI/CLI.<br>
<br>
IMO it should be possible to create this permission using the webUI.<br>
<br>
Martin<br>
<blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl"
type="cite">
<div dir="ltr">
<p class="p1"><br>
</p>
<p class="p1">Thanks &amp; regards,</p>
<p class="p1">Deepak</p>
<p class="p1"><br>
</p>
</div>
</blockquote>
<br>
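<p>Added example, not part of the original thread and not FreeIPA or 389 Directory Server code: a pre-flight check that flags the 'version3.0' spacing discussed above before an ACI is sent with ldapmodify. The function name <code>lint_aci</code> and the simplified ACI shape it checks (targets, then version 3.0; acl "name"; allow|deny (rights) bind-rule;) are assumptions of this example.</p>
<pre>
```python
import re

# Simplified ACI shape (an assumption of this example, not the server's parser):
#   (target)...(version 3.0; acl "name"; allow|deny (rights) bind-rule;)
BODY_RE = re.compile(
    r'^(\(.+\))\s*\(version\s+3\.0\s*;\s*acl\s+"[^"]+"\s*;'
    r'\s*(allow|deny)\s*\([^)]+\)\s*.+;\s*\)$', re.I)

# The ACI value from the LDIF in the thread, joined onto one logical line.
BROKEN = ('(targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")'
          '(version3.0;acl "permission:Allow admin to modify hosts membership '
          'within permitted hostgroups";allow (write) groupdn ='
          '"ldap:///cn=testadmingroup,cn=groups,cn=accounts,'
          'dc=us-west-2,dc=compute,dc=amazonaws,dc=com";)')
# Same value with the space added between 'version' and '3.0'.
FIXED = BROKEN.replace("version3.0", "version 3.0")


def lint_aci(aci):
    """Return a list of problems found in one ACI string (empty list = none)."""
    aci = " ".join(aci.split())  # collapse folded lines and repeated spaces
    problems = []
    if aci.count("(") != aci.count(")"):
        problems.append("unbalanced parentheses")
    if aci.count('"') % 2 != 0:
        problems.append("unbalanced double quotes")
    if re.search(r"\(version\s+3\.0\s*;", aci) is None:
        if re.search(r"\(version3\.0", aci):
            problems.append("no space between 'version' and '3.0'")
        else:
            problems.append("missing '(version 3.0;' clause")
    elif BODY_RE.match(aci) is None:
        problems.append('expected: acl "name"; allow|deny (rights) bind-rule;)')
    return problems


if __name__ == "__main__":
    for label, value in (("as posted", BROKEN), ("with space", FIXED)):
        print(label, "::", lint_aci(value) or "no problems found")
```
</pre>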
</body>
</html>