[Freeipa-users] 2.1.90 rc1 testing on F17 alpha
Rob Crittenden
rcritten at redhat.com
Mon Mar 12 20:09:44 UTC 2012
Dmitri Pal wrote:
> On 03/12/2012 01:23 PM, Rich Megginson wrote:
>> On 03/12/2012 11:06 AM, Stephen Ingram wrote:
>>> On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson<rmeggins at redhat.com>
>>> wrote:
>>>> On 03/12/2012 01:34 AM, Martin Kosek wrote:
>>>>> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
>>>>>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
>>>>>>> Now I've made it to the WebUI. Login works great (also via the new
>>>>>>> form auth). Click on IPA Server tab and then Configuration yields:
>>>>>>>
>>>>>>> IPA Error 4208 - get-effective-rights: missing subject: Invalid
>>>>>>> syntax
>>>>>>>
>>>>>>> This also happens at several other points in the UI. For example,
>>>>>>> click one DNS zone and then the Settings tab within, or the Hosts
>>>>>>> section within the Identity tab and clicking Settings. It seems that
>>>>>>> any attempt to configure settings yields this error.
>>>>>>>
>>>>>>> Directory server error logs point specifically to the NSACLPlugin:
>>>>>>>
>>>>>>> NSACLPlugin - get-effective-rights: missing subject
>>>>>>> Failed to get effective rights for entry
>>>>>>> (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
>>>>>>>
>>>>>>> I'm guessing some incorrect ACLs?
>>>>>>>
>>>>>> We will need to investigate.
>>>>>> Petr, Martin any idea?
>>>>>>
>>>>> Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
>>>>> in this area in F-17?
>>>> F-17? Nothing specific to F-17. Is this error with the latest
>>>> 1.2.10.2 or
>>>> .3 in F-17 updates or updates-testing?
>>> I'm using 1.2.10.3 from the fedora 17 updates repo. IPA is from
>>> freeipa-devel repo.
>> This error means there is an empty GER control value sent with the
>> request. Did the client code change recently?
>> ipaserver/plugins/ldap2.py get_effective_rights() looks correct
>
>
> openldap?
Could also be python-ldap, we ran into a schema handling problem already.
It may be possible to duplicate this from the command line using the
--rights option. This executes the same GER control. I'll have to
refresh my F-17 install, it is ancient by current standards.
You could test with something like:
# ipa user-show --all --rights admin
If it worked it would include attributelevelrights with a huge list of
values. This represents the rights you have on the various attributes
(read, write, etc). The UI uses this to determine what it will allow you
to edit.
regards
rob
More information about the Freeipa-users
mailing list