WinSync reports "Insufficient Access"

Bryan Fransman wrote:

> I'm seeking a little guidance in regard to the Windows Sync 
> configuration. I have the Windows Sync service speaking to the Fedora 
> Directory Server (SSL enabled), but passwords are not updated on the 
> FDS side.
>
> Environment is Windows 2000 server, Fedora Core 3 w/ FDS 1.0 w/ the 
> latest PassSync.msi
>
> I have configured WinSync to use cn=replication manager,cn=config as 
> the bind user. This user exists in FDS.
>
> I enabled logging for the password sync service, and found the 
> following entry in the passsync.log log:
>
> 12/09/05 11:17:06: Attempting to sync password for username
> 12/09/05 11:17:06: Searching for (ntuserdomainid=username)
> 12/09/05 11:17:06: Ldap error in ModifyPassword
>     50: Insufficient access
> 12/09/05 11:17:06: Modify password failed for remote entry: 
> uid=username,ou=People, dc=domain, dc=com
> 12/09/05 11:17:06: Deferring password change for username
> 12/09/05 11:17:06: Backing off for 32000ms
>
> So, there it is: the third line of the log entry, "Insufficient access".
>
> I assume that it's an ACI problem with the cn=replication 
> manager,cn=config user. I attempted to create an ACI to resolve the 
> issue, but no luck.
>
> (targetattr = "*")(target = "ldap:///uid=*,ou=People,dc=domain,dc=com")
> (version 3.0; acl "WinSync"; allow (all,proxy)(userdn = "ldap:///cn=replication manager,cn=config");)
>
> Some help would be greatly appreciated.

I think you are on the general right track.
However, when you used the replication manager DN to bind that
probably led you astray. This is because that DN's special access rights
are _only_ enforced on real replication sessions. The passsync
app is not making a replication connection, just a regular LDAP connection.
And so you will not get any of the magical powers of the replication 
manager DN.

I suspect that your new ACI is not giving the desired result because
another one that denies access is preempting it.

So... the quick and dirty way would be to use cn=Directory Manager
for the bind DN. The good but longer solution would be to add
another user for passsync to bind as and make sure that user has the
necessary access rights to userPassword.
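The "good but longer" route from the reply above, written out as an added example (this LDIF is not from the thread or from the 389/FDS project): a dedicated service account for PassSync in the user suffix, plus an ACI that grants it write on userPassword only, scoped to ou=People. The container ou=Special Users, the uid passsync, the suffix dc=domain,dc=com and the placeholder password are assumptions; adjust them to your tree and set a real password before loading.

```ldif
# Added example, not from the original post. All DNs below are assumptions.
#
# 1. A dedicated bind account for PassSync. It lives in the user suffix,
#    not under cn=config, so ordinary ACIs apply to it in the normal way
#    (no dependence on the replication manager's session-only privileges).
dn: uid=passsync,ou=Special Users,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: passsync
cn: PassSync Service Account
sn: PassSync
description: Bind account used only by the Windows PassSync service
userPassword: REPLACE-WITH-A-STRONG-PASSWORD

# 2. Least-privilege ACI on the People container: write on userPassword
#    only, for that one bind DN. No "all", no "proxy".
dn: ou=People,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")(target = "ldap:///uid=*,ou=People,dc=domain,dc=com")(version 3.0; acl "PassSync may set user passwords"; allow (write)(userdn = "ldap:///uid=passsync,ou=Special Users,dc=domain,dc=com");)
```

Load it as Directory Manager over the SSL port, for example `ldapmodify -x -H ldaps://fds.domain.com -D "cn=Directory Manager" -W -f passsync.ldif`, then point PassSync at uid=passsync,ou=Special Users,dc=domain,dc=com. Two checks are worth doing before declaring victory. First, the reply's diagnosis of a competing deny: list every ACI in the suffix with `ldapsearch -x -D "cn=Directory Manager" -W -b dc=domain,dc=com "(aci=*)" aci` and look for any `deny` rule whose target or targetattr covers userPassword, because a deny ACI wins over an allow regardless of where it sits. Second, if anonymous read has been disabled on the server, the account also needs read and search on the attribute PassSync looks users up by (ntUserDomainId in the log above) and on uid; add those to a separate read-only ACI rather than widening the userPassword one.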



