----- Original Message -----
> > Can you check if ipaProtectedOperation is in the aci attribute in the
> > base tree object?
> > It should be there as excluded, and that should cause admin to not be
> > able to retrieve keytabs.
>
> It was not. While running ipa-ldap-updater I got the following:
>
> InvalidSyntax: ACL Syntax Error(-5):(targetattr=
> \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
> allowed to rekey any entity\22; allow(write) groupdn =
> \22ldap:///cn=admins: Invalid syntax.
Uhmm, I do not see anything obviously wrong with the ACI instruction; it looks just like the one I replace. Ideas?

Do you have ipaProtectedOperation in the schema?

(I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update.)

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
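As an added example (not FreeIPA's own code, and not written by either poster), the following Python script performs the two checks the thread turns on: whether any value of the base tree's aci attribute lists ipaProtectedOperation in a targetattr exclusion, and whether an ACI string is well-formed enough (balanced quotes and parentheses, a target clause, a version/acl/permission body) to be worth handing to the server. Everything in it is constructed: the admins group DN uses an assumed dc=example,dc=com suffix, the "Anonymous read access" rule is hypothetical, the rekey ACI is written with real double quotes where the error output shows \22 escapes, and the truncated value simply cuts that ACI off where the quoted error message stops. It does not diagnose why ipa-ldap-updater failed in the thread; it shows what a pre-check on the aci values would report.

```python
"""Sanity checks for 389-ds / FreeIPA style ACI values (added example, not FreeIPA code)."""
import re

# Constructed sample data. The suffix dc=example,dc=com is an assumption.
ADMINS_GROUP = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com"

# The "rekey" ACI from the thread, reconstructed with real double quotes
# (the error output shows them as \22).
REKEY_ACI = (
    '(targetattr = "ipaProtectedOperation;write_keys")'
    '(version 3.0; acl "Admins are allowed to rekey any entity"; '
    f'allow(write) groupdn = "{ADMINS_GROUP}";)'
)

# The same ACI cut off at the point where the quoted error message stops
# (constructed to show what an unterminated value looks like to the checker).
TRUNCATED_ACI = REKEY_ACI[: REKEY_ACI.index("cn=admins") + len("cn=admins")]

# Hypothetical broad read rule that excludes ipaProtectedOperation, which is
# the "present as excluded" shape the first message asks about.
READ_ALL_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || ipaProtectedOperation")'
    '(version 3.0; acl "Anonymous read access"; allow(read, search, compare) '
    'userdn = "ldap:///anyone";)'
)

TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
ACL_NAME_RE = re.compile(r'acl\s*"([^"]*)"')
BODY_RE = re.compile(
    r'\(version 3\.0;\s*acl\s*"[^"]*";\s*(allow|deny)\s*\([^)]*\)\s*[^;]*;\s*\)$'
)


def aci_syntax_error(aci):
    """Return a short description of the first structural problem, or None."""
    if aci.count('"') % 2:
        return "unbalanced double quotes"
    depth = 0
    for ch in aci:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return "unexpected ')'"
    if depth:
        return "%d unclosed '('" % depth
    if not aci.startswith("(target"):
        return "missing target clause"
    if not BODY_RE.search(aci):
        return "malformed version/acl/permission body"
    return None


def target_attrs(aci):
    """Return (operator, [attributes]) from the targetattr clause, or (None, [])."""
    m = TARGETATTR_RE.search(aci)
    if not m:
        return None, []
    return m.group(1), [a.strip() for a in m.group(2).split("||")]


def protected_operation_excluded(acis):
    """True if some ACI lists ipaProtectedOperation in a 'targetattr !=' exclusion.

    Subtypes such as ipaProtectedOperation;write_keys count as the base attribute.
    """
    for aci in acis:
        op, attrs = target_attrs(aci)
        if op == "!=" and any(a.split(";")[0] == "ipaProtectedOperation" for a in attrs):
            return True
    return False


def check_aci_values(acis):
    """Map each ACI's acl name (or a prefix of the text) to its syntax problem or 'ok'."""
    report = {}
    for aci in acis:
        m = ACL_NAME_RE.search(aci)
        label = m.group(1) if m else aci[:40]
        report[label] = aci_syntax_error(aci) or "ok"
    return report


if __name__ == "__main__":
    values = [REKEY_ACI, TRUNCATED_ACI, READ_ALL_ACI]
    for name, status in check_aci_values(values).items():
        print(f"{name!r}: {status}")
    print("ipaProtectedOperation excluded:", protected_operation_excluded(values))
```

Running it reports the rekey and read rules as ok, flags the truncated value for unbalanced quotes, and answers the exclusion question only once the hypothetical read rule is present; with the rekey ACI alone the answer is false, since that ACI targets ipaProtectedOperation positively rather than excluding it.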