[Freeipa-users] 2.1.90 rc1 testing on F17 alpha

Dmitri Pal dpal at redhat.com
Mon Mar 12 18:40:24 UTC 2012


On 03/12/2012 01:23 PM, Rich Megginson wrote:
> On 03/12/2012 11:06 AM, Stephen Ingram wrote:
>> On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>>> On 03/12/2012 01:34 AM, Martin Kosek wrote:
>>>> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
>>>>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
>>>>>> Now I've made it to the WebUI. Login works great (also via the new
>>>>>> form auth). Click on IPA Server tab and then Configuration yields:
>>>>>>
>>>>>> IPA Error 4208 - get-effective-rights: missing subject: Invalid
>>>>>> syntax
>>>>>>
>>>>>> This also happens at several other points in the UI. For example,
>>>>>> click one DNS zone and then the Settings tab within, or the Hosts
>>>>>> section within the Identity tab and clicking Settings. It seems that
>>>>>> any attempt to configure settings yields this error.
>>>>>>
>>>>>> Directory server error logs point specifically to the NSACLPlugin:
>>>>>>
>>>>>> NSACLPlugin - get-effective-rights: missing subject
>>>>>> Failed to get effective rights for entry
>>>>>> (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
>>>>>>
>>>>>> I'm guessing some incorrect ACLs?
>>>>>>
>>>>> We will need to investigate.
>>>>> Petr, Martin any idea?
>>>>>
>>>> Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
>>>> in this area in F-17?
>>> F-17?  Nothing specific to F-17.  Is this error with the latest 1.2.10.2 or
>>> .3 in F-17 updates or updates-testing?
>> I'm using 1.2.10.3 from the fedora 17 updates repo. IPA is from
>> freeipa-devel repo.
> This error means there is an empty GER control value sent with the
> request.  Did the client code change recently? 
> ipaserver/plugins/ldap2.py get_effective_rights() looks correct


openldap?

>>
>>>> These should be the relevant ACIs:
>>>>
>>>> dn: $SUFFIX
>>>> changetype: modify
>>>> add: aci
>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries"; allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>> Steve


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
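
An added example, not part of the thread and not 389-ds or FreeIPA code: a small triage script that pairs each "missing subject" line in a directory server error log with the "Failed to get effective rights" line that follows it, so the affected entries and result codes can be listed. The timestamp prefix and every log line other than the first pair are constructed for the example; the message texts and the first DN are the ones quoted in the thread.

```python
import re

# LDAP result codes (RFC 4511). 21 is the rc reported in the thread and
# corresponds to the "Invalid syntax" text of IPA Error 4208.
LDAP_RC = {0: "success", 21: "invalidAttributeSyntax", 50: "insufficientAccessRights"}

MISSING = re.compile(r"NSACLPlugin - get-effective-rights: missing subject")
FAILED = re.compile(
    r"Failed to get effective rights for entry \((?P<dn>.+)\), rc=(?P<rc>\d+)")

# Constructed sample log (timestamp format is an assumption).
SAMPLE_LOG = """\
[12/Mar/2012:10:01:02 -0700] NSACLPlugin - get-effective-rights: missing subject
[12/Mar/2012:10:01:02 -0700] - Failed to get effective rights for entry (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
[12/Mar/2012:10:03:40 -0700] NSACLPlugin - get-effective-rights: missing subject
[12/Mar/2012:10:03:40 -0700] - Failed to get effective rights for entry (cn=ipaconfig,cn=etc,dc=4test,dc=net), rc=21
[12/Mar/2012:10:05:00 -0700] - Failed to get effective rights for entry (uid=test,cn=users,cn=accounts,dc=4test,dc=net), rc=50
""".splitlines()


def triage_ger_failures(lines):
    """Return one record per failed GER lookup, flagging those that were
    immediately preceded by a 'missing subject' (empty control value) line."""
    findings, pending = [], False
    for line in lines:
        if MISSING.search(line):
            pending = True
            continue
        m = FAILED.search(line)
        if m:
            rc = int(m.group("rc"))
            findings.append({
                "dn": m.group("dn"),
                "rc": rc,
                "rc_name": LDAP_RC.get(rc, "unknown"),
                "empty_control": pending,
            })
        pending = False  # only an adjacent line counts as the same request
    return findings


def empty_control_dns(findings):
    """DNs whose failure was caused by a request with no GER subject."""
    return [f["dn"] for f in findings if f["empty_control"]]


if __name__ == "__main__":
    for f in triage_ger_failures(SAMPLE_LOG):
        print(f)
```

Failures flagged `empty_control` point at the client sending the request rather than at the ACIs on the entry, which is the distinction drawn in the quoted reply above.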

