Re: [Freeipa-users] Getting ACL Syntax Error(-5)
Thanks Martin,

That worked. Though this ACI did not help me achieve what I was looking for. Let me ask this to you if you can advise me something: I want to create a permission which should allow an admin to 'add'/'delete' hosts from the "foo-hostgroup" list only if the "member attribute" value is equal to "foo". I basically want to restrict the foo admin not to add any other host in the "foo-hostgroup" other than the host having an attribute value as "foo". Why I can achieve this?

Many Thanks,
Deepak

Subject: Re: [Freeipa-users] Getting ACL Syntax Error(-5)
To: deepak_di...@hotmail.com; freeipa-users@redhat.com
From: mba...@redhat.com
Date: Wed, 31 Aug 2016 12:06:02 +0200

On 31.08.2016 11:49, Deepak Dimri wrote:
> Hi All,
>
> I am getting ACL Syntax Error(-5) when trying to add ACI to my freeIPA server. Any idea why I am getting this error?

Maybe your ACI is incorrect?

> This is the error I am getting:
>
> ldap_modify: Invalid syntax (21)
> additional info: ACL Syntax Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; acl \22permission:Allow admin to modify hosts membership within permitted hostgroups\22; allow (write) groupdn =\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)

Can you try here 'version3.0;' to put space between version and number

Otherwise it looks good to me.

> my ldif entries:
>
> dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
> add: aci
> aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify hosts membership within permitted hostgroups";allow (write) groupdn ="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com;;)
>
> Also, one general question: I should be able to view the ACI under freeIPA permission tab once it gets created, correct?

No, you have to add FreeIPA permission, custom ACIs are not tracked in webUI/CLI

IMO it should be possible to create this permission using webUI

Martin

> Thanks & regards,
> Deepak

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Getting ACL Syntax Error(-5)
On 31.08.2016 11:49, Deepak Dimri wrote:
> Hi All,
>
> I am getting *ACL Syntax Error(-5)* when trying to add ACI to my freeIPA server. Any idea why I am getting this error?

Maybe your ACI is incorrect?

> This is the error I am getting:
>
> ldap_modify: Invalid syntax (21)
> *additional info: ACL Syntax Error(-5)*:(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; acl \22permission:Allow admin to modify hosts membership within permitted hostgroups\22; allow (write) groupdn =\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)

Can you try here 'version3.0;' to put space between version and number

Otherwise it looks good to me.

> my ldif entries:
>
> dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
> add: aci
> aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify hosts membership within permitted hostgroups";allow (write) groupdn ="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com;;)
>
> Also, one general question: I should be able to view the ACI under freeIPA permission tab once it gets created, correct?

No, you have to add FreeIPA permission, custom ACIs are not tracked in webUI/CLI

IMO it should be possible to create this permission using webUI

Martin

> Thanks & regards,
> Deepak

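A pre-flight check for the fix suggested in the reply above, as an added example that is not part of the original thread and is not FreeIPA or 389 Directory Server code. The function name `lint_aci` and its checks are assumptions and cover only part of what the server's ACI parser enforces; the ACI text is the one from the error output quoted in the thread.

```python
import re

# One target clause, e.g. (targetattr = "userclass")
TARGET_RE = re.compile(r'\s*\(\s*\w+\s*!?=\s*"[^"]*"\s*\)')

# ACI from the error output quoted in the thread, with \22 written back as '"'.
BROKEN = (
    '(targetattr="userclass")(targetfilter="(objectclass=ipahost)")'
    '(version3.0; acl "permission:Allow admin to modify hosts membership '
    'within permitted hostgroups"; allow (write) groupdn ="ldap:///'
    'cn=testadmingroup,cn=groups,cn=accounts,'
    'dc=us-west-2,dc=compute,dc=amazonaws,dc=com";)'
)
# The change suggested in the reply: a space between "version" and the number.
FIXED = BROKEN.replace("version3.0;", "version 3.0;")


def lint_aci(aci):
    """Return a list of problems found in one ACI value (empty = none found)."""
    problems = []
    text = aci.strip()
    if text.count('"') % 2:
        problems.append("unbalanced double quote")
    pos = 0
    while (m := TARGET_RE.match(text, pos)):  # skip the leading target clauses
        pos = m.end()
    body = text[pos:].strip()
    if not (body.startswith("(") and body.endswith(")")):
        return problems + ["rule is not wrapped in parentheses"]
    body = body[1:-1].strip()
    if body.startswith("version 3.0;"):
        body = body[len("version 3.0;"):]
    else:
        problems.append('rule must start with the literal "version 3.0;"')
        body = re.sub(r"^version\s*[\d.]*\s*;", "", body)  # keep checking the rest
    if not re.match(r'\s*acl\s+"[^"]+"\s*;', body):
        problems.append('missing acl "name";')
    if not re.search(r";\s*(allow|deny)\s*\([^)]+\)\s*\S.*;\s*$", body, re.S):
        problems.append("missing permission or terminated bind rule")
    return problems


if __name__ == "__main__":
    for label, aci in (("as submitted", BROKEN), ("with the space", FIXED)):
        print(label, "->", lint_aci(aci) or "no problems found")
```

Running such a check on the `aci:` value before `ldapmodify` catches the header typo locally instead of through the server's generic `ACL Syntax Error(-5)`.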
[Freeipa-users] Getting ACL Syntax Error(-5)
Hi All,

I am getting ACL Syntax Error(-5) when trying to add ACI to my freeIPA server. Any idea why I am getting this error?

This is the error I am getting:

ldap_modify: Invalid syntax (21)
additional info: ACL Syntax Error(-5):(targetattr=\22userclass\22)(targetfilter=\22(objectclass=ipahost)\22)(version3.0; acl \22permission:Allow admin to modify hosts membership within permitted hostgroups\22; allow (write) groupdn =\22ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com\22;)

my ldif entries:

dn: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
add: aci
aci: (targetattr = "userclass")(targetfilter = "(objectclass=ipahost)")(version3.0;acl "permission:Allow admin to modify hosts membership within permitted hostgroups";allow (write) groupdn ="ldap:///cn=testadmingroup,cn=groups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com;;)

Also, one general question: I should be able to view the ACI under freeIPA permission tab once it gets created, correct?

Thanks & regards,
Deepak