[Freeipa-users] Getting ACL Syntax Error(-5)
Deepak Dimri
deepak_dimri at hotmail.com
Wed Aug 31 10:52:12 UTC 2016
Thanks Martin, that worked.
Though this ACI did not help me achieve what I was looking for. Let me ask you this, if you can advise me on something:
I want to create a permission which should allow an admin to 'add'/'delete' hosts from the "foo-hostgroup" list only if the "member attribute" value is equal to "foo". I basically want to restrict the foo admin to not add any other host to the "foo-hostgroup" other than the host having an attribute value of "foo". How can I achieve this?
Many Thanks,
Deepak
Subject: Re: [Freeipa-users] Getting ACL Syntax Error(-5)
To: deepak_dimri at hotmail.com; freeipa-users at redhat.com
From: mbasti at redhat.com
Date: Wed, 31 Aug 2016 12:06:02 +0200
On 31.08.2016 11:49, Deepak Dimri wrote:
Hi All,
I am getting ACL Syntax Error(-5) when trying to add ACI to my freeIPA server. Any idea why I am getting this error?
Maybe your ACI is incorrect?
This is the error I am getting:
ldap_modify: Invalid syntax (21)
additional info: ACL Syntax Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; acl \22permission:Allow admin to modify hosts membership within permitted hostgroups\22; allow (write) groupdn =\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)
Can you try here 'version3.0;' to put a space between version and number?
Otherwise it looks good to me.
my ldif entries:
dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
add: aci
aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify hosts membership within permitted hostgroups";allow (write) groupdn ="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com";)
Also, one general question: I should be able to view the ACI under the freeIPA permission tab once it gets created, correct?
No, you have to add a FreeIPA permission, custom ACIs are not tracked in webUI/CLI.
IMO it should be possible to create this permission using webUI.
Martin
Thanks & regards,
Deepak
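A pre-flight check for the mistake diagnosed in this thread, as an added example that is not part of the original messages or of FreeIPA/389 Directory Server code. It only verifies the overall shape of an ACI value (balanced groups, `version 3.0;`, `acl "name";`, an allow/deny rule) and is an assumption-level lint, not the server's parser; `top_level_groups` and `lint_aci` are hypothetical helper names.

```python
import re

# ACI value exactly as posted in the thread (rejected with ACL Syntax Error(-5)).
ACI_FROM_THREAD = (
    '(targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")'
    '(version3.0;acl "permission:Allow admin to modify hosts membership '
    'within permitted hostgroups";allow (write) groupdn ='
    '"ldap:///cn=testadmingroup,cn=groups,cn=accounts,'
    'dc=us-west-2,dc=compute,dc=amazonaws,dc=com";)'
)

def top_level_groups(aci):
    """Split an ACI into its top-level (...) groups, ignoring parens inside quotes."""
    groups, depth, start, quoted = [], 0, None, False
    for i, ch in enumerate(aci):
        if ch == '"':
            quoted = not quoted
        elif quoted:
            continue
        elif ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            if depth == 0:
                groups.append(aci[start:i])
    if depth != 0 or quoted:
        raise ValueError("unbalanced parentheses or quotes")
    return groups

def lint_aci(aci):
    """Return a list of problems found; an empty list means the shape looks right."""
    try:
        groups = top_level_groups(aci.strip())
    except ValueError as exc:
        return [str(exc)]
    # The last top-level group is the rule body: version; acl "name"; permission bindrule;
    problems, body = [], (groups[-1].strip() if groups else "")
    if re.match(r"version\d", body):
        problems.append('missing space: write "version 3.0;" not "version3.0;"')
    elif not re.match(r"version 3\.0\s*;", body):
        problems.append('rule must start with "version 3.0;"')
    if not re.search(r';\s*acl\s+"[^"]+"\s*;', body):
        problems.append('missing acl "name"; clause')
    if not re.search(r';\s*(allow|deny)\s*\([^)]*\)[^;]+;\s*$', body):
        problems.append("missing allow/deny (rights) bind-rule; clause")
    return problems
```

Running `lint_aci` on the `aci:` value before passing the LDIF to `ldapmodify` flags the `version3.0;` form that the server rejected here.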