[Freeipa-users] 2.1.90 rc1 testing on F17 alpha

Rich Megginson rmeggins at redhat.com
Mon Mar 12 19:41:48 UTC 2012


On 03/12/2012 01:39 PM, Dmitri Pal wrote:
> On 03/12/2012 03:20 PM, Rich Megginson wrote:
>> On 03/12/2012 12:40 PM, Dmitri Pal wrote:
>>> On 03/12/2012 01:23 PM, Rich Megginson wrote:
>>>> On 03/12/2012 11:06 AM, Stephen Ingram wrote:
>>>>> On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>>> On 03/12/2012 01:34 AM, Martin Kosek wrote:
>>>>>>> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
>>>>>>>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
>>>>>>>>> Now I've made it to the WebUI. Login works great (also via the new
>>>>>>>>> form auth). Click on IPA Server tab and then Configuration yields:
>>>>>>>>>
>>>>>>>>> IPA Error 4208 - get-effective-rights: missing subject: Invalid syntax
>>>>>>>>>
>>>>>>>>> This also happens at several other points in the UI. For example,
>>>>>>>>> click one DNS zone and then the Settings tab within, or the Hosts
>>>>>>>>> section within the Identity tab and clicking Settings. It seems that
>>>>>>>>> any attempt to configure settings yields this error.
>>>>>>>>>
>>>>>>>>> Directory server error logs point specifically to the NSACLPlugin:
>>>>>>>>>
>>>>>>>>> NSACLPlugin - get-effective-rights: missing subject
>>>>>>>>> Failed to get effective rights for entry
>>>>>>>>> (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
>>>>>>>>>
>>>>>>>>> I'm guessing some incorrect ACLs?
>>>>>>>>>
>>>>>>>> We will need to investigate.
>>>>>>>> Petr, Martin any idea?
>>>>>>>>
>>>>>>> Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
>>>>>>> in this area in F-17?
>>>>>> F-17?  Nothing specific to F-17.  Is this error with the latest 1.2.10.2
>>>>>> or .3 in F-17 updates or updates-testing?
>>>>> I'm using 1.2.10.3 from the fedora 17 updates repo. IPA is from
>>>>> freeipa-devel repo.
>>>> This error means there is an empty GER control value sent with the
>>>> request.  Did the client code change recently?
>>>> ipaserver/plugins/ldap2.py get_effective_rights() looks correct
>>> openldap?
>> could be - or could be python-ldap related - python-ldap 2.4 switched
>> to using pyasn1 to do some encoding that used to be done by the ldap
>> library.
> How can we check?
You can use the debug flag in python-ldap when creating the ldap connection.
>
>>>>>>> These should be the relevant ACIs:
>>>>>>>
>>>>>>> dn: $SUFFIX
>>>>>>> changetype: modify
>>>>>>> add: aci
>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries"; allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>>>>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>>>>> Steve
>
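
A pre-flight check for the condition described in the message above (a GER control sent with an empty value), as an added example that is not code from the thread, FreeIPA, python-ldap or 389-ds. It assumes the control value is a `dn:` authzId sent either raw or wrapped in a BER OCTET STRING; the function names and the sample subject are constructed for illustration.

```python
GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # Get Effective Rights request control OID


def ber_octet_string(data: bytes) -> bytes:
    """BER-encode data as an OCTET STRING (tag 0x04, definite length)."""
    n = len(data)
    if n < 0x80:
        return b"\x04" + bytes([n]) + data
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(size)]) + size + data


def unwrap_octet_string(value: bytes) -> bytes:
    """Decode one BER OCTET STRING; raise ValueError if it is malformed."""
    if len(value) < 2 or value[0] != 0x04:
        raise ValueError("not a BER OCTET STRING")
    first, pos = value[1], 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        count = first & 0x7F
        if count == 0 or len(value) < 2 + count:
            raise ValueError("bad BER length")
        length = int.from_bytes(value[2:2 + count], "big")
        pos += count
    else:
        length = first
    if len(value) - pos != length:
        raise ValueError("BER length does not match payload")
    return value[pos:]


def ger_subject(oid: str, value) -> str:
    """Return the subject DN a GER control carries, or raise ValueError."""
    if oid != GER_OID:
        raise ValueError("not a GER control")
    if not value:  # None or b"": the empty control value reported in the thread
        raise ValueError("get-effective-rights: missing subject")
    if value[:3].lower() != b"dn:":  # assumption: raw authzId, else BER-wrapped
        value = unwrap_octet_string(value)
    if value[:3].lower() != b"dn:":
        raise ValueError("subject is not a dn: authzId")
    return value[3:].decode("utf-8").strip()


# Constructed sample subject, reusing the suffix from the log line in the thread.
SAMPLE = b"dn: uid=admin,cn=users,cn=accounts,dc=4test,dc=net"
```

Calling `ger_subject()` on the OID and encoded value of the control object just before the search is issued shows whether the value was lost on the client side, before any wire trace is needed.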



