<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>typo correction below!<br><br><div><hr id="stopSpelling">From: deepak_dimri@hotmail.com<br>To: abokovoy@redhat.com<br>CC: freeipa-users@redhat.com<br>Subject: RE: [Freeipa-users] Permission not working as expected<br>Date: Tue, 30 Aug 2016 09:04:36 -0400<br><br>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}
--></style>
<div dir="ltr">Hi Alexander,<div><br></div><div>I did try adding the "member" effective attribute in the GUI and also from the command prompt, but the error is not going away when I try to delete the host from my taphostgroup. For me it only works if I have (&(cn=taphostgroup)(objectclass=<b>ipahostgroup</b>)) in the --filter and <b>dc=us-west-2,dc=compute,dc=amazonaws,dc=com</b> in the subtree, BUT then I am allowed access to all the hosts in all the hostgroups :( I am kinda stuck with this issue. Would be great if you can suggest any further headway!</div><div><br></div><div>
<p class="ecxp1"><span class="ecxs1"> ipa permission-mod manage-taphostgroup --attrs={'userPassword','description','nshardwareplatform','nsosversion','usercertificate','userclass','macaddress','ipaassignedidview','ipasshpubkey','<b>member</b>'}</span></p>
<p class="ecxp1"><span class="ecxs1">-----------------------------------------</span></p>
<p class="ecxp1"><span class="ecxs1">Modified permission "manage-taphostgroup"</span></p>
<p class="ecxp1"><span class="ecxs1">-----------------------------------------</span></p>
<p class="ecxp1"><span class="ecxs1"> Permission name: manage-taphostgroup</span></p>
<p class="ecxp1"><span class="ecxs1"> Granted rights: all</span></p>
<p class="ecxp1"><span class="ecxs1"> Effective attributes: description, ipaassignedidview, ipasshpubkey, macaddress, member, nshardwareplatform, nsosversion, userPassword, usercertificate, userclass</span></p>
<p class="ecxp1"><span class="ecxs1"> Bind rule type: permission</span></p>
<p class="ecxp1"><span class="ecxs1"> Subtree: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com</span></p>
<p class="ecxp1"><span class="ecxs1"> Extra target filter: (memberOf=cn=taphostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com)</span></p>
<p class="ecxp1"><span class="ecxs1"> Type: host</span></p>
<p class="ecxp1"><span class="ecxs1"> Granted to Privilege: tap-hostgroup-privilege</span></p>
<p class="ecxp1"><span class="ecxs1"> Indirect Member of roles: taphostgroup-role</span></p></div><div><br></div><div>Many thanks,</div><div>Deepak</div><div><br><div>> Date: Tue, 30 Aug 2016 13:27:59 +0300<br>> From: abokovoy@redhat.com<br>> To: deepak_dimri@hotmail.com<br>> CC: freeipa-users@redhat.com<br>> Subject: Re: [Freeipa-users] Permission not working as expected<br>> <br>> On Tue, 30 Aug 2016, Deepak Dimri wrote:<br>> >I did try the exact steps from the blog but alas still it did not work. Getting same error :(<br>> I don't give rights to write to 'member' attribute in the blog. You have<br>> to adapt to your situation, obviously.<br>> <br>> -- <br>> / Alexander Bokovoy<br></div></div> </div></div> </div></body>
</html>