On 03/12/2012 01:23 PM, Rich Megginson wrote:
> On 03/12/2012 11:06 AM, Stephen Ingram wrote:
>> On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson <rmegg...@redhat.com> wrote:
>>> On 03/12/2012 01:34 AM, Martin Kosek wrote:
>>>> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
>>>>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
>>>>>> Now I've made it to the WebUI. Login works great (also via the new
>>>>>> form auth). Click on IPA Server tab and then Configuration yields:
>>>>>>
>>>>>> IPA Error 4208 - get-effective-rights: missing subject: Invalid syntax
>>>>>>
>>>>>> This also happens at several other points in the UI. For example,
>>>>>> click one DNS zone and then the Settings tab within, or the Hosts
>>>>>> section within the Identity tab and clicking Settings. It seems that
>>>>>> any attempt to configure settings yields this error.
>>>>>>
>>>>>> Directory server error logs point specifically to the NSACLPlugin:
>>>>>>
>>>>>> NSACLPlugin - get-effective-rights: missing subject
>>>>>> Failed to get effective rights for entry
>>>>>> (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
>>>>>>
>>>>>> I'm guessing some incorrect ACLs?
>>>>>>
>>>>> We will need to investigate.
>>>>> Petr, Martin any idea?
>>>>>
>>>> Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
>>>> in this area in F-17?
>>> F-17? Nothing specific to F-17. Is this error with the latest 1.2.10.2 or
>>> .3 in F-17 updates or updates-testing?
>> I'm using 1.2.10.3 from the Fedora 17 updates repo. IPA is from
>> freeipa-devel repo.
> This error means there is an empty GER control value sent with the
> request. Did the client code change recently?
> ipaserver/plugins/ldap2.py get_effective_rights() looks correct

openldap?

>>
>>>> These should be the relevant ACIs:
>>>>
>>>> dn: $SUFFIX
>>>> changetype: modify
>>>> add: aci
>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>> "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns
>>>> entries,cn=permissions,cn=pbac,$SUFFIX";)
>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>> "permission:remove dns entries"; allow (delete) groupdn =
>>>> "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>>>> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl ||
>>>> dnsclass || arecord || aaaarecord || a6record || nsrecord ||
>>>> cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord ||
>>>> mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord ||
>>>> keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord ||
>>>> certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord ||
>>>> nsecrecord || idnsname || idnszoneactive || idnssoamname ||
>>>> idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry ||
>>>> idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target =
>>>> "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>> "permission:update dns entries";allow (write) groupdn =
>>>> "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
>> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
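
The question raised in the thread of whether the directory server can parse the DNS ACIs can be checked offline. The following is an added example, not code from FreeIPA, 389-ds or anyone in this thread: it parses the simple single-clause ACI shape quoted above and reports attributes listed more than once in `targetattr`. The names `parse_aci` and `SAMPLE_ACI` and the `dc=example,dc=com` suffix are constructed for illustration.

```python
import re

# Constructed sample: the "update dns entries" ACI from the thread, cut down to
# three attributes, with $SUFFIX replaced by a hypothetical dc=example,dc=com.
SAMPLE_ACI = (
    '(targetattr = "idnsname || cn || idnsname")'
    '(target = "ldap:///idnsname=*,cn=dns,dc=example,dc=com")'
    '(version 3.0;acl "permission:update dns entries";allow (write) groupdn = '
    '"ldap:///cn=update dns entries,cn=permissions,cn=pbac,dc=example,dc=com";)'
)

_TARGET = re.compile(r'\(\s*(targ\w+)\s*(!?=)\s*"([^"]*)"\s*\)')
_BODY = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.S)

def parse_aci(aci):
    """Split one ACI into targets, name, verdict, rights and bind rule.

    Covers only the single-permission shape seen in this thread and raises
    ValueError on anything it cannot account for instead of guessing.
    """
    text = " ".join(aci.split())  # undo mail/LDIF line wrapping
    body = _BODY.search(text)
    if not body:
        raise ValueError("no 'version 3.0; acl ...; allow|deny (...) ...;' clause")
    head = text[:body.start()]
    targets, pos = {}, 0
    for m in _TARGET.finditer(head):
        if head[pos:m.start()].strip():
            raise ValueError("unparsed text between target clauses")
        pos = m.end()
        targets[m.group(1).lower()] = m.group(3)
    if head[pos:].strip():
        raise ValueError("unparsed text after target clauses")
    raw = targets.get("targetattr", "")
    attrs = [a.strip().lower() for a in raw.split("||") if a.strip()]
    return {
        "targets": targets,
        "name": body.group(1),
        "verdict": body.group(2),
        "rights": [r.strip() for r in body.group(3).split(",")],
        "bind_rule": body.group(4),
        "duplicate_attrs": sorted({a for a in attrs if attrs.count(a) > 1}),
    }
```

A clean parse here only shows the ACI text is well-formed for this subset; it says nothing about the GER control value sent with the request.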