Thanks Martin, That worked.
Though this ACI did not help me achieve what i was looking for. Let me ask this 
to you if you can advice me something:-
i want to create a permission which should allow an admin to 'add'/'delete' 
hosts from "foo-hostgroup" list only if the "member attribute"value is equal to 
"foo". I basically want to restrict the foo admin to not to add any other host 
in the "foo-hostgroup other than the host having an attribute value as "foo". 
Why i can achieve this?
Many Thanks,Deepak


Subject: Re: [Freeipa-users] Getting ACL Syntax Error(-5)
To: deepak_di...@hotmail.com; freeipa-users@redhat.com
From: mba...@redhat.com
Date: Wed, 31 Aug 2016 12:06:02 +0200


  
    
  
  
    

    

    

    On 31.08.2016 11:49, Deepak Dimri
      wrote:

    
    
      
      
        

          
        Hi All,
        I am getting ACL
            Syntax Error(-5) when
            trying to add ACI to my freeIPA server.  Any idea why i am
            getting this error?
      
    
    Maybe your ACI is incorrect?

    

    
      
        

          
        This is the error i
            am getting:
        

        
        ldap_modify: Invalid syntax (21)
        
        
         additional
              info: ACL Syntax 
Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0;
            acl \22permission:Allow admin to modify  hosts membership
            within  permitted hostgroups\22; allow (write) groupdn
=\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)
        

          
      
    
    Can you try here 'version3.0;' to put space between
      version and number

      

      Otherwise it looks good to me.

    

    
      
        my ldif entries:
        

          
        dn:
            cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
        add: aci
        aci: (targetattr =
            "userclass")(targetfilter =
            "(objectclass=ipahost)")(version3.0;acl "permission:Allow
            admin to modify  hosts membership within  permitted
            hostgroups";allow (write) groupdn
="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com";;)
        

          
        Also, one general question i should be able to
          view the ACI under freeIPA permission tab once it gets created
          correct?
      
    
    No, you have to add FreeIPA permission, custom ACIs are not tracked
    in webUI/CLI

    

    IMO it should be possible to create this permission using webUI

    

    Martin

    
      
        

        
        Thanks & regards,
        Deepak
        

        
      
      

      
      

    
    
                                          
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to