[Freeipa-users] 2.1.90 rc1 testing on F17 alpha

Martin Kosek mkosek at redhat.com
Tue Mar 13 09:22:51 UTC 2012


On Mon, 2012-03-12 at 13:41 -0600, Rich Megginson wrote:
> On 03/12/2012 01:39 PM, Dmitri Pal wrote:
> > On 03/12/2012 03:20 PM, Rich Megginson wrote:
> >> On 03/12/2012 12:40 PM, Dmitri Pal wrote:
> >>> On 03/12/2012 01:23 PM, Rich Megginson wrote:
> >>>> On 03/12/2012 11:06 AM, Stephen Ingram wrote:
> >>>>> On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson<rmeggins at redhat.com>
> >>>>> wrote:
> >>>>>> On 03/12/2012 01:34 AM, Martin Kosek wrote:
> >>>>>>> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
> >>>>>>>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
> >>>>>>>>> Now I've made it to the WebUI. Login works great (also via the new
> >>>>>>>>> form auth). Click on IPA Server tab and then Configuration yields:
> >>>>>>>>>
> >>>>>>>>> IPA Error 4208 - get-effective-rights: missing subject: Invalid
> >>>>>>>>> syntax
> >>>>>>>>>
> >>>>>>>>> This also happens at several other points in the UI. For example,
> >>>>>>>>> click one DNS zone and then the Settings tab within, or the Hosts
> >>>>>>>>> section within the Identity tab and clicking Settings. It seems
> >>>>>>>>> that
> >>>>>>>>> any attempt to configure settings yields this error.
> >>>>>>>>>
> >>>>>>>>> Directory server error logs point specifically to the NSACLPlugin:
> >>>>>>>>>
> >>>>>>>>> NSACLPlugin - get-effective-rights: missing subject
> >>>>>>>>> Failed to get effective rights for entry
> >>>>>>>>> (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
> >>>>>>>>>
> >>>>>>>>> I'm guessing some incorrect ACLs?
> >>>>>>>>>
> >>>>>>>> We will need to investigate.
> >>>>>>>> Petr, Martin any idea?
> >>>>>>>>
> >>>>>>> Looks like 389-ds can't parse/read the ACI. Rich, has anything
> >>>>>>> changed
> >>>>>>> in this area in F-17?
> >>>>>> F-17?  Nothing specific to F-17.  Is this error with the latest
> >>>>>> 1.2.10.2 or
> >>>>>> .3 in F-17 updates or updates-testing?
> >>>>> I'm using 1.2.10.3 from the fedora 17 updates repo. IPA is from
> >>>>> freeipa-devel repo.
> >>>> This error means there is an empty GER control value sent with the
> >>>> request.  Did the client code change recently?
> >>>> ipaserver/plugins/ldap2.py get_effective_rights() looks correct
> >>> openldap?
> >> could be - or could be python-ldap related - python-ldap 2.4 switched
> >> to using pyasn1 to do some encoding that used to be done by the ldap
> >> library.
> > How can we check?
> You can use the debug flag in python-ldap when creating the ldap connection

I did some more poking into this issue and I found that the problem is in
the new python-ldap library in F-17. When I updated this component to
python-ldap-2.4.6-2.fc17.x86_64 I got the very same error.

This is the BZ against python-ldap that I filed:
https://bugzilla.redhat.com/show_bug.cgi?id=802675

I have a Python script that can reproduce this issue in a much less
complicated environment (attached).

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testaci.py
Type: text/x-python
Size: 675 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120313/47df65c0/attachment.py>

