On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
> > Now I've made it to the WebUI. Login works great (also via the new
> > form auth). Click on IPA Server tab and then Configuration yields:
> >
> > IPA Error 4208 - get-effective-rights: missing subject: Invalid syntax
> >
> > This also happens at several other points in the UI. For example,
> > click one DNS zone and then the Settings tab within, or the Hosts
> > section within the Identity tab and clicking Settings. It seems that
> > any attempt to configure settings yields this error.
> >
> > Directory server error logs point specifically to the NSACLPlugin:
> >
> > NSACLPlugin - get-effective-rights: missing subject
> > Failed to get effective rights for entry
> > (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
> >
> > I'm guessing some incorrect ACLs?
> >
> 
> We will need to investigate.
> Petr, Martin any idea?
> 

Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
in this area in F-17? These should be the relevant ACIs:

dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl
  "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns
  entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl
  "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove
  dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass
  || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord
  || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord
  || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord
  || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord
  || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname
  || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial
  || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum
  || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version
  3.0;acl "permission:update dns entries";allow (write) groupdn =
  "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)

Thanks,
Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
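Martin's question is whether the ACIs above are still syntactically acceptable to 389-ds. The script below is an added example, not code from the thread or from FreeIPA or 389-ds: an offline checker that tokenises the three quoted ACIs against a simplified version of the 389-ds ACI grammar (target rules, the version/acl header, allow/deny clauses, bind rules) and reports hard errors as exceptions and soft issues as warnings. Assumptions: $SUFFIX is dc=4test,dc=net, taken from the DN in the quoted error log; the ';' before the closing ')' of each target rule is kept exactly as posted; targetfilter/targattrfilters values and and/or/not between bind rules are not validated. It reports the repeated idnsname in the third targetattr as a warning, which is the checker's own judgement, not 389-ds's.

```python
"""Syntax check of the three FreeIPA DNS ACIs quoted in the mail (added example)."""
import re
from dataclasses import dataclass, field

# Assumption: suffix taken from the DN in the quoted error log, not from the mail's LDIF.
SUFFIX = "dc=4test,dc=net"

# The three ACIs from the mail, unwrapped and with $SUFFIX substituted.  The ';'
# before the closing ')' of each target rule is kept exactly as posted.
ACIS = [
    '(target = "ldap:///idnsname=*,cn=dns,{s}";)(version 3.0;acl '
    '"permission:add dns entries";allow (add) groupdn = '
    '"ldap:///cn=add dns entries,cn=permissions,cn=pbac,{s}";)'.format(s=SUFFIX),
    '(target = "ldap:///idnsname=*,cn=dns,{s}";)(version 3.0;acl '
    '"permission:remove dns entries";allow (delete) groupdn = '
    '"ldap:///cn=remove dns entries,cn=permissions,cn=pbac,{s}";)'.format(s=SUFFIX),
    '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass '
    '|| arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord '
    '|| srvrecord || txtrecord || mxrecord || mdrecord || hinforecord '
    '|| minforecord || afsdbrecord || sigrecord || keyrecord || locrecord '
    '|| nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord '
    '|| dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname '
    '|| idnszoneactive || idnssoamname || idnssoarname || idnssoaserial '
    '|| idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum '
    '|| idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,{s}";)(version '
    '3.0;acl "permission:update dns entries";allow (write) groupdn = '
    '"ldap:///cn=update dns entries,cn=permissions,cn=pbac,{s}";)'.format(s=SUFFIX),
]

# Simplified subset of the 389-ds ACI grammar (assumption: enough for these ACIs).
TARGET_KEYWORDS = {"target", "targetattr", "targetfilter", "targattrfilters", "targetscope"}
RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}
BIND_KEYWORDS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
                 "dayofweek", "timeofday", "authmethod"}

_TARGET_RE = re.compile(r'\s*\(\s*([A-Za-z]+)\s*(!?=)\s*"([^"]*)"\s*;?\s*\)')
_HEADER_RE = re.compile(r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)(.*?);', re.S | re.I)
_BIND_RE = re.compile(r'([A-Za-z]+)\s*(!?=)\s*"([^"]*)"')
_ATTR_RE = re.compile(r'^(\*|[A-Za-z][A-Za-z0-9-]*)$')

@dataclass
class Aci:
    name: str
    targets: dict        # keyword -> (op, value)
    permissions: list    # (allow|deny, {rights}, [(keyword, op, value), ...])
    warnings: list = field(default_factory=list)

def parse_aci(text: str) -> Aci:
    """Parse one ACI; raise ValueError on a syntax error, collect soft warnings."""
    targets, warnings, pos = {}, [], 0
    while (m := _TARGET_RE.match(text, pos)):           # leading (keyword = "value") rules
        kw, op, val = m.group(1).lower(), m.group(2), m.group(3)
        if kw not in TARGET_KEYWORDS or kw in targets:
            raise ValueError(f"bad or repeated target keyword {kw!r}")
        targets[kw] = (op, val)
        pos = m.end()
    m = _HEADER_RE.match(text, pos)
    if not m:
        raise ValueError('expected (version 3.0; acl "name"; ...) after the target rules')
    name, body = m.group(1), m.group(2)
    if not name:
        warnings.append("empty acl name")
    permissions = []
    for pm in _PERM_RE.finditer(body):                  # one or more allow/deny clauses
        rights = {r.strip().lower() for r in pm.group(2).split(",") if r.strip()}
        if not rights or rights - RIGHTS:
            raise ValueError(f"bad rights list {pm.group(2)!r}")
        binds = [(k.lower(), o, v) for k, o, v in _BIND_RE.findall(pm.group(3))]
        if not binds:
            raise ValueError("allow/deny without a bind rule")
        for k, _, v in binds:
            if k not in BIND_KEYWORDS:
                raise ValueError(f"unknown bind keyword {k!r}")
            if k in ("userdn", "groupdn", "roledn") and not v.startswith("ldap:///"):
                raise ValueError(f"{k} value must be an ldap:/// URL: {v!r}")
        permissions.append((pm.group(1).lower(), rights, binds))
    if not permissions:
        raise ValueError("no allow/deny clause")
    if "target" in targets and not targets["target"][1].startswith("ldap:///"):
        raise ValueError("target must be an ldap:/// URL")
    if "targetattr" in targets:                         # names are '||'-separated
        seen = set()
        for attr in (a.strip() for a in targets["targetattr"][1].split("||")):
            if not _ATTR_RE.match(attr):
                raise ValueError(f"bad attribute name {attr!r} in targetattr")
            if attr.lower() in seen:
                warnings.append(f"duplicate attribute {attr!r} in targetattr")
            seen.add(attr.lower())
    return Aci(name, targets, permissions, warnings)

def check_freeipa_dns_acis():
    """Parse the three quoted ACIs and return (acl name, warnings) for each."""
    return [(aci.name, aci.warnings) for aci in map(parse_aci, ACIS)]

if __name__ == "__main__":
    for name, warnings in check_freeipa_dns_acis():
        print(f"{name}: {'OK' if not warnings else '; '.join(warnings)}")
```

Running it parses all three ACIs cleanly and only warns that the "update dns entries" rule lists idnsname twice in its targetattr. A clean parse here says the text matches the documented grammar; it does not prove a given 389-ds build accepts it, so the next step is still the server's own error log or an ldapmodify of the same LDIF against the affected instance.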
