Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1222999
Description of problem:
In some cases, some ACIs with quite right syntax are being parsed wrong by the IPA aci plugin.

Version-Release number of selected component (if applicable):
I am testing this in RHEL6: ipa-server-3.0.0-42.el6.x86_64

Steps to Reproduce:
1. Add these custom ACIs:

   aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow (read,compare,search)(userdn = "ldap:///anyone");)
   aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy)(userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)

2. Try changing a self service permission:

   ipa selfservice-mod "Self can write own password" --permission=read
   ipa: ERROR: an internal error has occurred

   [root@ipa ~]# tail -f /var/log/httpd/error_log
   [Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
   [Tue May 19 15:50:11 2015] [error]     return self.execute(*args, **options)
   [Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 582, in execute
   [Tue May 19 15:50:11 2015] [error]     candidate = ACI(a)
   [Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 56, in __init__
   [Tue May 19 15:50:11 2015] [error]     self._parse_acistr(acistr)
   [Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 144, in _parse_acistr
   [Tue May 19 15:50:11 2015] [error]     raise SyntaxError, "malformed ACI, permissions match failed %s" % acistr
   [Tue May 19 15:50:11 2015] [error] SyntaxError: malformed ACI, permissions match failed (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy)(userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)
   [Tue May 19 15:50:11 2015] [error] ipa: INFO: admin@EXAMPLE.ORG: selfservice_mod(u'Self can write own password', permissions=(u'read',), all=False, raw=False, version=u'2.49'): SyntaxError

Additional info:
The workaround is to replace the ACIs by ones not using parentheses on the bind rule:

   ldapmodify -D "cn=directory manager" -W
   dn: dc=example,dc=com
   changetype: modify
   delete: aci
   aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow (read,compare,search)(userdn = "ldap:///anyone");)
   aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy)(userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)

And re-add them with a slightly different syntax:

   ldapmodify -D "cn=directory manager" -W
   dn: dc=example,dc=com
   changetype: modify
   add: aci
   aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow (read,compare,search) userdn = "ldap:///anyone";)
   aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)

Then the selfservice-mod command will work fine. Thanks to Petr Viktorin for suggesting the workaround.
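The failure mode described in the ticket, as an added illustration that is not ipalib's own parser: a small Python ACI parser whose permission-clause pattern is written two ways. The strict pattern (a hypothetical stand-in, assumed here to resemble the behaviour the traceback shows, not the actual regex in ipalib/aci.py) expects a bare `keyword = "value"` bind rule after the permission list and therefore rejects the parenthesised form; the tolerant pattern accepts an optional matching pair of parentheses so both spellings parse identically. The `find_unparseable` helper scans a list of ACIs and reports which ones a strict parser would choke on, which is the check an administrator would want before a command such as `selfservice-mod` has to iterate over every ACI. The sample ACI strings are the ones from the ticket; all names, patterns and functions are the example's own.

```python
import re

# Sample ACIs copied from the ticket: the proxyagent rule with the bind rule in
# parentheses (the form that broke parsing) and in the workaround form without them.
ACI_PROXY_PARENS = ('(targetattr = "*") (version 3.0;acl "proxyagent";'
                    'allow (read,compare,search,proxy)'
                    '(userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)')
ACI_PROXY_BARE = ('(targetattr = "*") (version 3.0;acl "proxyagent";'
                  'allow (read,compare,search,proxy) '
                  'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)')
ACI_MEMBEROF_PARENS = ('(targetattr = "memberOf") (version 3.0;acl "memberOf3";'
                       'allow (read,compare,search)(userdn = "ldap:///anyone");)')

# Header: target attribute, version and ACL name; everything after the ACL name is
# the permission clause that the bind-rule patterns below must consume entirely.
HEADER_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)\s*'
    r'\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*(?P<rest>.*)$')

# Hypothetical strict pattern (assumption for this example): after the permission
# list it demands whitespace and then a bare keyword = "value" bind rule, so the
# opening parenthesis of a parenthesised bind rule makes the whole match fail.
STRICT_BIND_RULE = re.compile(
    r'(?P<action>allow|deny)\s*\((?P<perms>[^)]*)\)\s+'
    r'(?P<keyword>\w+)\s*=\s*"(?P<value>[^"]*)"\s*;\s*\)\s*$')

# Tolerant pattern: an optional opening parenthesis before the bind rule and, via a
# conditional group, a closing one only when the opening one was present.
TOLERANT_BIND_RULE = re.compile(
    r'(?P<action>allow|deny)\s*\((?P<perms>[^)]*)\)\s*(?P<paren>\()?\s*'
    r'(?P<keyword>\w+)\s*=\s*"(?P<value>[^"]*)"\s*(?(paren)\))\s*;\s*\)\s*$')


def parse_aci(acistr, bind_rule_re=TOLERANT_BIND_RULE):
    """Parse a single-target, single-bind-rule ACI into a dict.

    Raises SyntaxError with the same wording as the ticket's traceback when the
    permission clause does not match the supplied bind-rule pattern.
    """
    m = HEADER_RE.match(acistr)
    if m is None:
        raise SyntaxError("malformed ACI, target match failed %s" % acistr)
    pm = bind_rule_re.match(m.group('rest'))
    if pm is None:
        raise SyntaxError("malformed ACI, permissions match failed %s" % acistr)
    return {
        'targetattr': m.group('targetattr'),
        'name': m.group('name'),
        'action': pm.group('action'),
        'permissions': [p.strip() for p in pm.group('perms').split(',')],
        'bind': (pm.group('keyword'), pm.group('value')),
    }


def find_unparseable(acis, bind_rule_re=STRICT_BIND_RULE):
    """Return the ACL names (or the raw string when even the header fails) of the
    ACIs that a parser using bind_rule_re would reject, so they can be rewritten
    before an ipa command that parses every ACI trips over them."""
    bad = []
    for aci in acis:
        try:
            parse_aci(aci, bind_rule_re)
        except SyntaxError:
            m = HEADER_RE.match(aci)
            bad.append(m.group('name') if m else aci)
    return bad


if __name__ == '__main__':
    acis = [ACI_MEMBEROF_PARENS, ACI_PROXY_PARENS, ACI_PROXY_BARE]
    print("rejected by strict parser:", find_unparseable(acis))
    print("rejected by tolerant parser:", find_unparseable(acis, TOLERANT_BIND_RULE))
    print("parenthesised and bare forms agree:",
          parse_aci(ACI_PROXY_PARENS) == parse_aci(ACI_PROXY_BARE))
```

Running the script lists `memberOf3` and `proxyagent` as rejected by the strict pattern and nothing as rejected by the tolerant one, and shows that the tolerant parser yields the same structure for both spellings of the proxyagent rule. Note that the tolerant pattern still only covers one bind rule with `=`; it is meant to show the parenthesis handling, not to be a complete 389-ds ACI grammar.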
This issue was seen on RHEL 6.6 (IPA 3.?) and also on master (IPA 4.2).
master:
ipa-4-2:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1251854
Metadata Update from @pvoborni:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2.1