<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks Martin, <span style="font-size: 12pt;">That worked.</span><div><br></div><div>Though this ACI did not help me achieve what I was looking for. Let me ask you this, if you can advise me on something:</div><div><br></div><div>I want to create a permission which should allow an admin to 'add'/'delete' hosts from the "foo-hostgroup" list only if the "member attribute" value is equal to "foo". I basically want to restrict the foo admin to not add any other host in the "foo-hostgroup" other than the host having an attribute value as "foo". How can I achieve this?</div><div><br></div><div>Many Thanks,</div><div>Deepak</div><div><br></div><div><br></div><div><br><div><hr id="stopSpelling">Subject: Re: [Freeipa-users] Getting ACL Syntax Error(-5)<br>To: deepak_dimri@hotmail.com; freeipa-users@redhat.com<br>From: mbasti@redhat.com<br>Date: Wed, 31 Aug 2016 12:06:02 +0200<br><br>
  
    
  
  
    <br>
    <BR>
    <br>
    <div class="ecxmoz-cite-prefix">On 31.08.2016 11:49, Deepak Dimri
      wrote:<br>
    </div>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl">
      <div dir="ltr">
        <p class="ecxp1"><span class="ecxs1"><br>
          </span></p>
        <p class="ecxp1">Hi All,</p>
        <p class="ecxp1">I am getting <b style="font-size:12pt;">ACL
            Syntax Error(-5) </b><span style="font-size:12pt;">when
            trying to add an ACI to my FreeIPA server.  Any idea why I am
            getting this error?</span></p>
      </div>
    </blockquote>
    Maybe your ACI is incorrect?<br>
    <br>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl">
      <div dir="ltr">
        <p class="ecxp1"><span style="font-size:12pt;"><br>
          </span></p>
        <p class="ecxp1"><span style="font-size:12pt;">This is the error I
            am getting:</span></p>
        <p class="ecxp1"><br>
        </p>
        <p class="ecxp1"><span class="ecxs1">ldap_modify: Invalid syntax (21)</span></p>
        <p class="ecxp1">
        </p>
        <p class="ecxp1"><span class="ecxs1"><span class="ecxApple-tab-span"> </span><b>additional
              info: ACL Syntax Error(-5)</b>:(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0;
            acl \22permission:Allow admin to modify  hosts membership
            within  permitted hostgroups\22; allow (write) groupdn
=\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)</span></p>
        <p class="ecxp1"><span class="ecxs1"><br>
          </span></p>
      </div>
    </blockquote>
    Can you try here<span class="ecxs1"> 'version3.0;' to put a space between
      version and the number?<br>
      <br>
      Otherwise it looks good to me.<br>
    </span><br>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl">
      <div dir="ltr">
        <p class="ecxp1"><span class="ecxs1">My LDIF entries:</span></p>
        <p class="ecxp1"><span class="ecxs1"><br>
          </span></p>
        <p class="ecxp1"><span class="ecxs1">dn:
            cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com</span></p>
        <p class="ecxp1"><span class="ecxs1">add: aci</span></p>
        <p class="ecxp1"><span class="ecxs1">aci: (targetattr =
            "userclass")(targetfilter =
            "(objectclass=ipahost)")(version3.0;acl "permission:Allow
            admin to modify  hosts membership within  permitted
            hostgroups";allow (write) groupdn
=<a class="ecxmoz-txt-link-rfc2396E" target="_blank">"ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com"</a>;)</span></p>
        <p class="ecxp1"><span class="ecxs1"><br>
          </span></p>
        <p class="ecxp1">Also, one general question: I should be able to
          view the ACI under the FreeIPA permission tab once it gets created,
          correct?</p>
      </div>
    </blockquote>
    No, you have to add a FreeIPA permission; custom ACIs are not tracked
    in the webUI/CLI.<br>
    <br>
    IMO it should be possible to create this permission using the webUI.<br>
    <br>
    Martin<br>
    <blockquote cite="mid:SNT152-W7805A1536DF18D69574478F5E30@phx.gbl">
      <div dir="ltr">
        <p class="ecxp1"><br>
        </p>
        <p class="ecxp1">Thanks &amp; regards,</p>
        <p class="ecxp1">Deepak</p>
        <p class="ecxp1"><br>
        </p>
      </div>
      <br>
      <br>
    </blockquote>
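    <div>Added example, not part of the original thread and not FreeIPA or 389 DS code: a pre-flight shape check for an ACI value that flags the missing space in 'version3.0' before the entry is sent with ldapmodify. It assumes the documented ACI layout only; the lint_aci function, its regular expressions and the keyword sets are illustrative and are not the server's parser.</div>

```python
import re

# Added example: simplified shape check for a 389 DS / FreeIPA ACI value.
# Assumption: follows the documented ACI layout, it is not the server's own parser.
TARGET = re.compile(r'\(\s*target\w*\s*!?=\s*"(?:[^"\\]|\\.)*"\s*\)')
BODY = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]+)"\s*;\s*'
                  r'(allow|deny)\s*\(([^)]*)\)\s*(.+?)\s*;\s*\)\s*$')
RIGHTS = {"read", "write", "add", "delete", "search", "compare",
          "selfwrite", "proxy", "all"}
BIND_KEYS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
             "dayofweek", "timeofday", "authmethod", "ssf"}

# ACI from the thread, rejected with "ACL Syntax Error(-5)".
BROKEN = ('(targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")'
          '(version3.0;acl "permission:Allow admin to modify hosts membership '
          'within permitted hostgroups";allow (write) groupdn ='
          '"ldap:///cn=testadmingroup,cn=groups,cn=accounts,'
          'dc=us-west-2,dc=compute,dc=amazonaws,dc=com";)')
FIXED = BROKEN.replace("version3.0", "version 3.0")


def lint_aci(aci):
    """Return a list of problems; an empty list means the shape looks valid."""
    text = " ".join(aci.split())        # undo LDIF line folding and extra spaces
    start = re.search(r"\(\s*version", text)
    if start is None:
        return ["no (version 3.0; ...) section found"]
    targets, body = text[:start.start()], text[start.start():]
    problems = []
    leftover = TARGET.sub("", targets).strip()
    if leftover:
        problems.append("unparsed target section: %r" % leftover)
    if re.match(r"\(\s*version\d", body):
        problems.append("missing space between 'version' and '3.0'")
    m = BODY.match(body)
    if m is None:
        return problems or ["body does not match the documented ACI layout"]
    bad = [r for r in re.split(r"\s*,\s*", m.group(3).strip()) if r not in RIGHTS]
    if bad:
        problems.append("unknown rights: %s" % ", ".join(bad))
    key = re.match(r"[\s(]*(\w+)", m.group(4))
    if key is None or key.group(1).lower() not in BIND_KEYS:
        problems.append("unrecognised bind rule: %r" % m.group(4))
    return problems


if __name__ == "__main__":
    for label, aci in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_aci(aci) or "ok")
```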
    <br></div></div>                                    </div></body>
</html>