[Freeipa-users] 2.1.90 rc1 testing on F17 alpha

Stephen Ingram sbingram at gmail.com
Mon Mar 12 17:06:50 UTC 2012


On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson <rmeggins at redhat.com> wrote:
> On 03/12/2012 01:34 AM, Martin Kosek wrote:
>>
>> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
>>>
>>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
>>>>
>>>> Now I've made it to the WebUI. Login works great (also via the new
>>>> form auth). Click on IPA Server tab and then Configuration yields:
>>>>
>>>> IPA Error 4208 - get-effective-rights: missing subject: Invalid syntax
>>>>
>>>> This also happens at several other points in the UI. For example,
>>>> click one DNS zone and then the Settings tab within, or the Hosts
>>>> section within the Identity tab and clicking Settings. It seems that
>>>> any attempt to configure settings yields this error.
>>>>
>>>> Directory server error logs point specifically to the NSACLPlugin:
>>>>
>>>> NSACLPlugin - get-effective-rights: missing subject
>>>> Failed to get effective rights for entry
>>>> (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
>>>>
>>>> I'm guessing some incorrect ACLs?
>>>>
>>> We will need to investigate.
>>> Petr, Martin any idea?
>>>
>> Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
>> in this area in F-17?
>
> F-17?  Nothing specific to F-17.  Is this error with the latest 1.2.10.2 or
> .3 in F-17 updates or updates-testing?

I'm using 1.2.10.3 from the fedora 17 updates repo. IPA is from
freeipa-devel repo.

>
>> These should be the relevant ACIs:
>>
>> dn: $SUFFIX
>> changetype: modify
>> add: aci
>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";   allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord ||           aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord   || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord ||     nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord ||        rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum ||                  idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)

Steve
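As an added check (example code written for this page, not from the thread or from the FreeIPA or 389-ds projects): an offline sanity check that parses each aci value quoted above with a heuristic ACI grammar and flags any permission rule that lacks a bind-rule subject (userdn/groupdn/...), one thing worth ruling out when 389-ds reports a syntax error around ACIs. The three ACIs from the thread pass; a fourth value is constructed to show what a flagged rule looks like. It assumes $SUFFIX stays a literal placeholder, no nested parentheses inside target clauses, and a shortened targetattr list for the update ACI.

```python
import re

# Bind-rule keywords that name the subject of a 389-ds ACI (who the rule applies to).
SUBJECT_KEYWORDS = ("userdn", "groupdn", "roledn", "userattr", "authmethod",
                    "ip", "dns", "dayofweek", "timeofday")

# Heuristic ACI grammar (assumption, not the server's parser): zero or more
# (target...) clauses, then (version 3.0; acl "name"; <allow/deny rules>).
ACI_RE = re.compile(
    r'^\s*(?P<targets>(?:\([^()]*\)\s*)*)'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;(?P<rules>.*)\)\s*$',
    re.DOTALL)
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.DOTALL)
SUBJECT_RE = re.compile(r'\b(' + '|'.join(SUBJECT_KEYWORDS) + r')\s*!?=')


def check_aci(aci):
    """Return a list of problems found in one aci value ([] means it parsed cleanly)."""
    m = ACI_RE.match(aci)
    if not m:
        return ['unparseable: no (version 3.0; acl "..."; ...) clause found']
    problems = []
    if not m.group("targets").strip():
        problems.append("no target clause (rule would apply to the whole suffix)")
    rules = RULE_RE.findall(m.group("rules"))
    if not rules:
        problems.append("no allow/deny rule")
    for verb, rights, bind_rule in rules:
        if not rights.strip():
            problems.append("%s rule grants no rights" % verb)
        if not SUBJECT_RE.search(bind_rule):
            problems.append("%s (%s) rule has no subject (userdn/groupdn/...)"
                            % (verb, rights.strip()))
    return problems


# The three ACIs from the thread with the mail wrapping undone (the update ACI's
# targetattr list is shortened here), plus one constructed ACI with no subject.
ACIS = {
    "add dns entries":
        '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl '
        '"permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns '
        'entries,cn=permissions,cn=pbac,$SUFFIX";)',
    "remove dns entries":
        '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl '
        '"permission:remove dns entries";   allow (delete) groupdn = '
        '"ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
    "update dns entries":
        '(targetattr = "idnsname || cn || arecord || ptrrecord")(target = '
        '"ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update '
        'dns entries";allow (write) groupdn = "ldap:///cn=update dns '
        'entries,cn=permissions,cn=pbac,$SUFFIX";)',
    "constructed: no subject":
        '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl '
        '"constructed";allow (write) ;)',
}


def check_all(acis=ACIS):
    """Map each ACI name to its list of problems."""
    return {name: check_aci(aci) for name, aci in acis.items()}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "->", problems or "ok")
```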
