#3173 The value of the first character in target* keywords is expected to be a double quote
Closed: migrated 3 years ago by dmoluguw. Opened 3 years ago by vashirov.

A fix for https://pagure.io/389-ds-base/issue/51054 now enforces syntax for target* keywords (targetattr, targetfilter, etc.) to have quoted attributes. Otherwise the ACI that contains unquoted parameters is ignored.

The following errors are found in the IPA context:

[30/Apr/2020:06:07:05.733279468 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr=*)
[30/Apr/2020:06:07:05.736147358 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr=*
[30/Apr/2020:06:07:05.739946793 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr=*)(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
[30/Apr/2020:06:07:05.831876180 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr  = aci)
[30/Apr/2020:06:07:05.835737451 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr  = aci
[30/Apr/2020:06:07:05.838961476 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
[30/Apr/2020:06:07:05.841767354 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Apr/2020:06:07:05.845427892 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr=*)
[30/Apr/2020:06:07:05.849741627 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr=*
[30/Apr/2020:06:07:05.855714684 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
[30/Apr/2020:06:07:05.859143447 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr  = aci)
[30/Apr/2020:06:07:05.862257289 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr  = aci
[30/Apr/2020:06:07:05.910808477 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
[30/Apr/2020:06:07:05.914598717 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr=*)
[30/Apr/2020:06:07:05.917918617 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr=*
[30/Apr/2020:06:07:05.923850041 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
[30/Apr/2020:06:07:05.928224605 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr=*)
[30/Apr/2020:06:07:05.935033037 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr=*
[30/Apr/2020:06:07:05.941481340 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
[30/Apr/2020:06:07:05.944937256 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr=*)
[30/Apr/2020:06:07:05.948432393 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr=*
[30/Apr/2020:06:07:05.951235185 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
[30/Apr/2020:06:07:05.954039332 -0400] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr has an invalid value (targetattr=*)
[30/Apr/2020:06:07:05.956659702 -0400] - ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr=*
[30/Apr/2020:06:07:05.959739079 -0400] - ERR - NSACLPlugin - __aclinit_handler - This  ((targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)) ACL will not be considered for evaluation because of syntax errors.
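
An added example, not part of the original report and not code from 389-ds-base or Dogtag PKI: a Python check that finds target* clauses whose value does not begin with a double quote and produces the quoted form. The function names are hypothetical, the scanner assumes target clauses precede `(version`, and it only approximates the server's own parser.

```python
import re
# A target* keyword, its operator, and any whitespace before the value.
TARGET_RE = re.compile(r'\(\s*(targ\w*)\s*(!?=)\s*', re.IGNORECASE)

def _value_end(text, pos):  # index of the ')' closing the clause; nested parens allowed
    depth = 0
    for i in range(pos, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            if depth == 0:
                return i
            depth -= 1
    return len(text)

def _unquoted_spans(aci):
    """Yield (keyword, start, end) for each unquoted target* value."""
    cut = aci.find("(version")          # assumption: targets precede the version clause
    head = aci if cut < 0 else aci[:cut]
    pos = 0
    while pos < len(head):
        if head[pos] == '"':            # skip a quoted value whole
            close = head.find('"', pos + 1)
            pos = len(head) if close < 0 else close + 1
            continue
        m = TARGET_RE.match(head, pos)
        if not m:
            pos += 1
            continue
        pos = m.end()
        if head.startswith('"', pos):
            continue                    # value already starts with a double quote
        end = _value_end(head, pos)
        yield m.group(1), pos, end
        pos = end

def unquoted_targets(aci):
    """List (keyword, raw value) pairs that lack the leading double quote."""
    return [(kw, aci[s:e].strip()) for kw, s, e in _unquoted_spans(aci)]

def quote_targets(aci):
    """Return the ACI with every unquoted target* value wrapped in quotes."""
    out, last = [], 0
    for _, s, e in _unquoted_spans(aci):
        out += [aci[last:s], '"', aci[s:e].strip(), '"']
        last = e
    return "".join(out + [aci[last:]])
# ACI text copied from one of the error-log lines above.
LOGGED = '(targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)'
```

`unquoted_targets(LOGGED)` reports the `targetattr` clause, and `quote_targets(LOGGED)` returns the same ACI with `(targetattr != "aci")`; the rest of the ACI is left untouched.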

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3290

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
