Thanks Martin, that worked.
Though this ACI did not help me achieve what I was looking for. Let me ask you
this, if you can advise me on something:
I want to create a permission which should allow an admin to 'add'/'delete'
hosts from the "foo-hostgroup" list only if the "member attribute" value is equal to
"foo". I basically want to restrict the foo admin so that it cannot add any other host
to the "foo-hostgroup" other than a host having an attribute value of "foo".
How can I achieve this?
Many Thanks, Deepak

Subject: Re: [Freeipa-users] Getting ACL Syntax Error(-5)
Date: Wed, 31 Aug 2016 12:06:02 +0200

    On 31.08.2016 11:49, Deepak Dimri wrote:

        Hi All,
        I am getting ACL Syntax Error(-5) when trying to add an ACI to my
        FreeIPA server. Any idea why I am getting this error?

    Maybe your ACI is incorrect?

        This is the error I am getting:

        ldap_modify: Invalid syntax (21)
            info: ACL Syntax
            acl \22permission:Allow admin to modify hosts membership
            within permitted hostgroups\22; allow (write) groupdn

    Can you try here, in 'version3.0;', to put a space between version and
    the number?

    Otherwise it looks good to me.

        My ldif entries:

        add: aci
        aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify hosts membership within permitted hostgroups";allow (write) groupdn

        Also, one general question: should I be able to view the ACI under
        the FreeIPA permission tab once it gets created?

    No, you have to add a FreeIPA permission; custom ACIs are not tracked in
    the webUI/CLI.

    IMO it should be possible to create this permission using the webUI.

        Thanks & regards,
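The "put a space between version and the number" fix Martin points to is a pure syntax matter, and the rest of the ACI grammar around it is easy to get wrong the same way. The following is an added example, not part of the mailing-list thread and not FreeIPA's or 389-DS's own parser: a small Python linter for the subset of ACI syntax that appears above (target clauses, the `version 3.0; acl "name";` header, and `allow`/`deny` rules). The group DN `cn=foo-admins,...` is made up, because the ACI in the thread was cut off right after `groupdn`.

```python
"""Linter for the 389-DS ACI syntax that FreeIPA stores in the 'aci' attribute.

Added example, not part of the mailing-list thread and not FreeIPA's or
389-DS's own parser.  It covers the grammar subset seen on the page:
  (targetattr = "...")(targetfilter = "...")(version 3.0; acl "name"; allow (rights) bindrule;)
"""
import re

TARGET_KEYWORDS = {"target", "targetattr", "targetfilter", "targetscope", "targattrfilters"}
RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}
BIND_KEYWORDS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
                 "dayofweek", "timeofday", "authmethod", "ssf"}

TARGET_RE = re.compile(r'\s*\(\s*([A-Za-z]+)\s*(!?=)\s*"([^"]*)"\s*\)')
VERSION_OK_RE = re.compile(r'\s*version\s+3\.0\s*;', re.IGNORECASE)
VERSION_NOSPACE_RE = re.compile(r'\s*version3\.0\s*;', re.IGNORECASE)
ACL_RE = re.compile(r'\s*acl\s+"([^"]*)"\s*;', re.IGNORECASE)
RULE_RE = re.compile(r'\s*(allow|deny)\s*\(\s*([^)]*)\)\s*(.*?);', re.IGNORECASE | re.DOTALL)


def paren_balance(text):
    """Net count of '(' minus ')' outside double quotes.  Parentheses inside a
    quoted value, e.g. targetfilter = "(objectclass=ipahost)", must not count."""
    depth, in_quote = 0, False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
    return depth


def lint_aci(aci):
    """Return a list of problems; an empty list means the ACI parses."""
    problems = []
    if paren_balance(aci) != 0:
        problems.append("unbalanced parentheses outside quoted strings")

    # 1. Leading target clauses: (targetattr = "..."), (targetfilter = "..."), ...
    pos, targets = 0, {}
    while True:
        m = TARGET_RE.match(aci, pos)
        if not m:
            break
        keyword = m.group(1).lower()
        if keyword not in TARGET_KEYWORDS:
            problems.append("unknown target keyword %r" % keyword)
        targets[keyword] = m.group(3)
        pos = m.end()

    # 2. The permission body: (version 3.0; acl "name"; rule; ...)
    rest = aci[pos:].strip()
    if not (rest.startswith("(") and rest.endswith(")")):
        problems.append("permission body must be wrapped in parentheses")
        return problems
    body = rest[1:-1]

    m = VERSION_OK_RE.match(body)
    if not m:
        if VERSION_NOSPACE_RE.match(body):
            problems.append("'version3.0;' needs a space: write 'version 3.0;'")
        else:
            problems.append("permission body must start with 'version 3.0;'")
        return problems
    body = body[m.end():]

    m = ACL_RE.match(body)
    if not m:
        problems.append('missing acl "name"; after the version header')
        return problems
    body = body[m.end():]

    # 3. One or more allow/deny rules, each terminated by ';'.
    rules = 0
    while body.strip():
        m = RULE_RE.match(body)
        if not m:
            problems.append("unparseable rule near %r" % body.strip()[:40])
            break
        rules += 1
        rights = {r.strip().lower() for r in m.group(2).split(",") if r.strip()}
        unknown = rights - RIGHTS
        if unknown:
            problems.append("unknown right(s): %s" % ", ".join(sorted(unknown)))
        bind = m.group(3).strip()
        head = re.match(r"[A-Za-z]+", bind)
        if not head or head.group(0).lower() not in BIND_KEYWORDS:
            problems.append("bind rule must start with groupdn/userdn/...: %r" % bind)
        body = body[m.end():]
    if rules == 0:
        problems.append("no allow/deny rule found")
    return problems


# The ACI from the thread.  The group DN is made up: the original was cut
# off right after 'groupdn'.
GROUP_DN = "ldap:///cn=foo-admins,cn=groups,cn=accounts,dc=example,dc=com"
BROKEN_ACI = (
    '(targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")'
    '(version3.0;acl "permission:Allow admin to modify hosts membership '
    'within permitted hostgroups";allow (write) groupdn = "%s";)' % GROUP_DN
)
FIXED_ACI = BROKEN_ACI.replace("version3.0;", "version 3.0;")

if __name__ == "__main__":
    for label, aci in (("broken", BROKEN_ACI), ("fixed", FIXED_ACI)):
        print(label, lint_aci(aci) or "OK")
```

Running it reports the missing space for the thread's ACI and nothing for the corrected one. It checks shape only: whether the ACI grants what was intended is a separate question, and, as Martin says, an ACI added straight over LDAP is not tracked by the webUI/CLI, so it will not appear under the permission tab the way a FreeIPA permission does.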


