On Mon, Mar 12, 2012 at 12:34 AM, Martin Kosek <mko...@redhat.com> wrote:
> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
>> > Now I've made it to the WebUI. Login works great (also via the new
>> > form auth). Click on IPA Server tab and then Configuration yields:
>> >
>> > IPA Error 4208 - get-effective-rights: missing subject: Invalid syntax
>> >
>> > This also happens at several other points in the UI. For example,
>> > click one DNS zone and then the Settings tab within, or the Hosts
>> > section within the Identity tab and clicking Settings. It seems that
>> > any attempt to configure settings yields this error.
>> >
>> > Directory server error logs point specifically to the NSACLPlugin:
>> >
>> > NSACLPlugin - get-effective-rights: missing subject
>> > Failed to get effective rights for entry
>> > (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
>> >
>> > I'm guessing some incorrect ACLs?
>> >
>>
>> We will need to investigate.
>> Petr, Martin any idea?
>>
>
> Looks like 389-ds can't parse/read the ACI. Rich, has anything changed
> in this area in F-17? These should be the relevant ACIs:
>
> dn: $SUFFIX
> changetype: modify
> add: aci
> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl 
> "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns 
> entries,cn=permissions,cn=pbac,$SUFFIX";)
> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl 
> "permission:remove dns entries";   allow (delete) groupdn = 
> "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || 
> dnsclass || arecord ||           aaaarecord || a6record || nsrecord || 
> cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord   || mdrecord 
> || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || 
> locrecord ||     nxtrecord || naptrrecord || kxrecord || certrecord || 
> dnamerecord || dsrecord || sshfprecord ||        rrsigrecord || nsecrecord || 
> idnsname || idnszoneactive || idnssoamname || idnssoarname ||             
> idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || 
> idnssoaminimum ||                  idnsupdatepolicy")(target = 
> "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update    
> dns entries";allow (write) groupdn = "ldap:///cn=update dns 
> entries,cn=permissions,cn=pbac,$SUFFIX";)

Just in case, I checked the directory, and indeed this exact set
of ACIs does exist.
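A syntax sanity check over the three ACIs quoted above, added here as an example and not code from the thread, FreeIPA or 389-ds: it is a simplified approximation of the ACI grammar (leading target clauses, then a version/acl body with allow/deny bind rules), not the server's own parser, and it substitutes a constructed suffix for $SUFFIX; the mail's wrapped lines are reassembled with whitespace normalized. It flags a bind rule that names no subject and reports attribute names repeated in targetattr.

```python
import re

SUFFIX = "dc=4test,dc=net"  # constructed; the real $SUFFIX is site-specific
# The three ACIs quoted in the thread, reassembled from the wrapped mail text.
ACIS = [
    '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";'
    'allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
    '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";'
    '   allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
    '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord'
    ' || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord'
    ' || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord'
    ' || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord'
    ' || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial'
    ' || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")'
    '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";'
    'allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
]
# Simplified ACI grammar (assumption, not the 389-ds parser): target clauses, then the acl body.
TARGET_RE = re.compile(r'\s*\(\s*(target(?:attr|filter)?)\s*(!?=)\s*"([^"]*)"\s*;?\s*\)')
BODY_RE = re.compile(r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.+?)\s*;', re.S)
SUBJECT_RE = re.compile(r'\b(userdn|groupdn|roledn|userattr)\s*(!?=)\s*"([^"]*)"')

def parse_aci(aci, suffix=SUFFIX):
    """Return {"name", "targets", "rules"}; raise ValueError on malformed input."""
    aci, targets, pos = aci.replace("$SUFFIX", suffix), {}, 0
    while (m := TARGET_RE.match(aci, pos)):  # consume leading (target...) clauses
        kw, _op, val = m.groups()
        targets[kw] = [a.strip().lower() for a in val.split("||")] if kw == "targetattr" else val
        pos = m.end()
    body = BODY_RE.match(aci, pos)
    if body is None:
        raise ValueError("no (version 3.0; acl ...) body after the target clauses")
    name, rules = body.group(1), []
    for effect, rights, bind in RULE_RE.findall(body.group(2)):
        subject = SUBJECT_RE.search(bind)
        if subject is None:  # every bind rule must say whom it applies to
            raise ValueError(f'acl "{name}": bind rule without subject: {bind.strip()!r}')
        rules.append({"effect": effect, "rights": [r.strip() for r in rights.split(",")],
                      "subject": (subject.group(1), subject.group(3))})
    return {"name": name, "targets": targets, "rules": rules}
def validate(aci):
    try:
        parse_aci(aci)  # returns None when the ACI parses, else the error text
    except ValueError as e:
        return str(e)
def duplicate_targetattrs(parsed):
    attrs = parsed["targets"].get("targetattr", [])
    return sorted({a for a in attrs if attrs.count(a) > 1})  # repeated names in targetattr
```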

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
