On Mon, 2012-03-12 at 13:41 -0600, Rich Megginson wrote:
> On 03/12/2012 01:39 PM, Dmitri Pal wrote:
> > On 03/12/2012 03:20 PM, Rich Megginson wrote:
> >> On 03/12/2012 12:40 PM, Dmitri Pal wrote:
> >>> On 03/12/2012 01:23 PM, Rich Megginson wrote:
> >>>> On 03/12/2012 11:06 AM, Stephen Ingram wrote:
> >>>>> On Mon, Mar 12, 2012 at 7:19 AM, Rich Megginson<rmegg...@redhat.com>
> >>>>> wrote:
> >>>>>> On 03/12/2012 01:34 AM, Martin Kosek wrote:
> >>>>>>> On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote:
> >>>>>>>> On 03/11/2012 04:22 PM, Stephen Ingram wrote:
> >>>>>>>>> Now I've made it to the WebUI. Login works great (also via the new
> >>>>>>>>> form auth). Click on IPA Server tab and then Configuration yields:
> >>>>>>>>>
> >>>>>>>>> IPA Error 4208 - get-effective-rights: missing subject: Invalid
> >>>>>>>>> syntax
> >>>>>>>>>
> >>>>>>>>> This also happens at several other points in the UI. For example,
> >>>>>>>>> click one DNS zone and then the Settings tab within, or the Hosts
> >>>>>>>>> section within the Identity tab and clicking Settings. It seems
> >>>>>>>>> that
> >>>>>>>>> any attempt to configure settings yields this error.
> >>>>>>>>>
> >>>>>>>>> Directory server error logs point specifically to the NSACLPlugin:
> >>>>>>>>>
> >>>>>>>>> NSACLPlugin - get-effective-rights: missing subject
> >>>>>>>>> Failed to get effective rights for entry
> >>>>>>>>> (idnsname=17.168.192.in-addr.arpa.,cn=dns,dc=4test,dc=net), rc=21
> >>>>>>>>>
> >>>>>>>>> I'm guessing some incorrect ACLs?
> >>>>>>>>>
> >>>>>>>> We will need to investigate.
> >>>>>>>> Petr, Martin any idea?
> >>>>>>>>
> >>>>>>> Looks like 389-ds can't parse/read the ACI. Rich, has anything
> >>>>>>> changed
> >>>>>>> in this area in F-17?
> >>>>>> F-17?  Nothing specific to F-17.  Is this error with the latest
> >>>>>> 1.2.10.2 or
> >>>>>> .3 in F-17 updates or updates-testing?
> >>>>> I'm using 1.2.10.3 from the fedora 17 updates repo. IPA is from
> >>>>> freeipa-devel repo.
> >>>> This error means there is an empty GER control value sent with the
> >>>> request.  Did the client code change recently?
> >>>> ipaserver/plugins/ldap2.py get_effective_rights() looks correct
> >>> openldap?
> >> could be - or could be python-ldap related - python-ldap 2.4 switched
> >> to using pyasn1 to do some encoding that used to be done by the ldap
> >> library.
> > How can we check?
> You can use the debug flag in python-ldap when creating the ldap connection

I did some more poking in this issue and I found that the problem is in
the new python-ldap library in F-17. When I updated this component to
python-ldap-2.4.6-2.fc17.x86_64 I got the very same error.

This is the BZ against python-ldap that I filed:
https://bugzilla.redhat.com/show_bug.cgi?id=802675

I have a Python script that can reproduce this issue in a much less
complicated environment (attached).

Martin
#!/usr/bin/python

import ldap
import ldap.controls

# Test server and credentials for the reproducer
HOST = "ldap://vm-068.idm.lab.bos.redhat.com"
USER_DN = "uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
USER_PWD = "kokos123"

# OID of the Get Effective Rights (GER) control understood by 389-ds
GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"

conn = ldap.initialize(HOST)
conn.simple_bind_s(USER_DN, USER_PWD)

print("test search")
conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])

print("test search with effective rights control")
# The control value is the authorization identity whose rights are requested
sctrl = [ldap.controls.LDAPControl(GER_OID, True, "dn: %s" % USER_DN)]
conn.set_option(ldap.OPT_SERVER_CONTROLS, sctrl)
# With the affected python-ldap the server answers this search with
# "get-effective-rights: missing subject" / Invalid syntax (rc=21)
conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])
conn.set_option(ldap.OPT_SERVER_CONTROLS, [])
conn.unbind_s()

print("TEST OK")
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
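The thread comes down to what the GER control carries on the wire: Rich reads the 389-ds error as an empty control value, and Martin's reproducer shows the client side. The script below is an added example, not code from the thread, from FreeIPA or from python-ldap. It BER-encodes and decodes a single LDAP request control (the Control SEQUENCE from RFC 4511) with the standard library only, so a captured control can be inspected offline and the "missing subject" condition, an absent or empty controlValue, is detected. The function names are hypothetical; the OID and the "dn: ..." subject format are the ones quoted in the thread, and the DN in the usage block is constructed.

```python
#!/usr/bin/env python3
"""BER-encode and decode one LDAP request control (RFC 4511, section 4.1.11).

Added example, not code from the mailing-list thread, FreeIPA or python-ldap.
Function names are hypothetical; GER_OID and the "dn: <dn>" subject format are
the ones quoted in the thread. Standard library only, so it runs offline.
"""

# Get Effective Rights control OID quoted in the thread
GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    """Wrap a payload in a tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs merged (40*a + b), the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def encode_control(control_type, criticality, control_value):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  control_value=None omits the field,
    b"" sends an empty OCTET STRING (the two shapes a server may reject)."""
    body = _encode_oid(control_type)
    if criticality:
        body += _tlv(0x01, b"\xff")
    if control_value is not None:
        body += _tlv(0x04, control_value)
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, payload, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(payload):
    arcs = [payload[0] // 40, payload[0] % 40]
    val = 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_control(data):
    """Parse an encoded Control into its three fields."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("control is not a SEQUENCE")
    tag, payload, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("controlType must be an OID")
    ctrl = {"controlType": _decode_oid(payload), "criticality": False, "controlValue": None}
    while pos < len(body):
        tag, payload, pos = _read_tlv(body, pos)
        if tag == 0x01:
            ctrl["criticality"] = payload != b"\x00"
        elif tag == 0x04:
            ctrl["controlValue"] = payload
    return ctrl


def ger_subject(data):
    """Return the authorization identity carried by a GER control, or None when
    the control value is absent or empty (the situation 389-ds reports as
    'get-effective-rights: missing subject')."""
    ctrl = decode_control(data)
    if ctrl["controlType"] != GER_OID or not ctrl["controlValue"]:
        return None
    return ctrl["controlValue"].decode()


if __name__ == "__main__":
    dn = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"  # constructed
    good = encode_control(GER_OID, True, ("dn: " + dn).encode())
    empty = encode_control(GER_OID, True, b"")
    print("good control :", good.hex(), "->", ger_subject(good))
    print("empty control:", empty.hex(), "->", ger_subject(empty))
```

Comparing the hex that encode_control() produces for a populated value against the bytes a client library actually sends (from python-ldap's debug output or a packet capture) shows immediately whether the subject made it into the request or whether the control went out with an empty OCTET STRING.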