Can't add users with admin console, perhaps because I have no users in "Directory Administrators" group.


 



Hi folks,
I've got a bootstrap puzzle using the DS console to create my first users. I
can't create Directory Administrators for my domain unless I am logged in as
a Directory Administrator for that domain. I'm sure this is really simple,
but I know a minimum about LDAP management, and I cannot find the relevant
docs on what exactly to do.

This is a brand new installation of FDS 1.1 with a brand new MIT Kerberos
setup on a fresh Fedora 7 install. There are no "people" in the LDAP
directory. There aren't even any end users in the /etc/passwd file.


When I try to use the FDS console to create a user in the "People"
directory, I get this error dialog after I close the new user form:

netscape.ldap.LDAPException: error result (50); Insufficent 'add' privilige
to the 'userPassword'attribute

I think my slapd error log is telling me that there is no-one in the
"Directory Administrators" 'group' for my "hymesruzicka" 'directory'.

[19/Jan/2008:11:16:39 -0800] NSACLPlugin - Processed attr:userpassword for
entry:uid=installer,ou=people,dc=hymesruzicka,dc=org
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - 1. Evaluating ALLOW aci(4) "
"Directory Administrators Group""
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - Evaluating user
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot in group
cn=Directory Administrators,dc=hymesruzicka,dc=org?
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - -- In cn=Configuration
Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - -- Not in cn=Directory
Administrators,dc=hymesruzicka,dc=org
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - Evaluated ACL_FALSE
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - conn=14 op=22 (main): Deny add on
entry(uid=installer,ou=people,dc=hymesruzicka,dc=org).attr(userpassword) to
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci
matched the subject by aci(4): aciname= "Directory Administrators Group",
acidn="dc=hymesruzicka,dc=org"

I get a similar error in the log when I try to create a new aci for the
"hymesruzicka" 'directory' with a user from the "netscaperoot" directory:
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - acl_init_userGroup: found in
cache for
dn:uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - #### conn=14 op=142
binddn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Searching AVL tree for
update:dc=hymesruzicka,dc=org: container:1
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Searching AVL tree for
update:dc=org: container:-1
[19/Jan/2008:13:05:02 -0800] NSACLPlugin -     ************ RESOURCE INFO
STARTS *********
[19/Jan/2008:13:05:02 -0800] NSACLPlugin -     Client DN:
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
[19/Jan/2008:13:05:02 -0800] NSACLPlugin -     resource type:256(write
target_DN )
[19/Jan/2008:13:05:02 -0800] NSACLPlugin -     Slapi_Entry DN:
dc=hymesruzicka,dc=org
[19/Jan/2008:13:05:02 -0800] NSACLPlugin -     ATTR: aci
[19/Jan/2008:13:05:02 -0800] NSACLPlugin -     rights:write
[19/Jan/2008:13:05:02 -0800] NSACLPlugin -     ************ RESOURCE INFO
ENDS   *********
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Using ACL Cointainer:0 for
evaluation
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - ***BEGIN ACL INFO[ Name:
"Directory Administrators Group"]***
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACL Index:4   ACL_ELEVEL:6
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACI type:(compare search read
write delete add self target_attr acltxt allow_rule )
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACI RULE type:(groupdn )
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Slapi_Entry
DN:dc=hymesruzicka,dc=org
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - ***END ACL
INFO*****************************
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Num of ALLOW Handles:1, DENY
handles:0
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Processed attr:aci for
entry:dc=hymesruzicka,dc=org
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - 1. Evaluating ALLOW aci(4) "
"Directory Administrators Group""
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Evaluating user
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot in group
cn=Directory Administrators,dc=hymesruzicka,dc=org?
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - -- In cn=Configuration
Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - -- Not in cn=Directory
Administrators,dc=hymesruzicka,dc=org
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - Evaluated ACL_FALSE
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - conn=14 op=142 (main): Deny write
on entry(dc=hymesruzicka,dc=org).attr(aci) to
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci
matched the subject by aci(4): aciname= "Directory Administrators Group",
acidn="dc=hymesruzicka,dc=org"
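
The denials quoted in this post can be pulled out of an NSACLPlugin trace mechanically. The following is an added example, not part of the original message: it rejoins the mail-wrapped log lines and lists each Deny record together with the group membership test that failed just before it. `SAMPLE` is constructed from the log lines above; the function names and the heuristic of attaching "Not in" lines to the next Deny record are assumptions of this example.

```python
import re

# Constructed sample: records copied from the post, still hard-wrapped by the archive.
SAMPLE = """\
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - -- Not in cn=Directory
Administrators,dc=hymesruzicka,dc=org
[19/Jan/2008:11:16:39 -0800] NSACLPlugin - conn=14 op=22 (main): Deny add on
entry(uid=installer,ou=people,dc=hymesruzicka,dc=org).attr(userpassword) to
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci
matched the subject by aci(4): aciname= "Directory Administrators Group",
acidn="dc=hymesruzicka,dc=org"
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - conn=14 op=142 (main): Deny write
on entry(dc=hymesruzicka,dc=org).attr(aci) to
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci
matched the subject by aci(4): aciname= "Directory Administrators Group",
acidn="dc=hymesruzicka,dc=org"
"""

STAMP = re.compile(r"^\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] NSACLPlugin - ")
DENY = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): Deny (?P<right>\w+) on "
    r"entry\((?P<entry>.*?)\)\.attr\((?P<attr>[^)]*)\) to (?P<subject>.+?): "
    r'.*?aciname= ?"(?P<aciname>[^"]*)", acidn="(?P<acidn>[^"]*)"$')
NOT_IN = re.compile(r"-- Not in (?P<group>.+)$")

def unwrap(text):
    """Rejoin continuation lines (no timestamp) and strip the log prefix."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # assumes the archive wrapped at whitespace
    return [STAMP.sub("", r) for r in records]

def denials(text):
    """One dict per Deny record, with the groups that failed just before it."""
    found, pending = [], []
    for rec in unwrap(text):
        if (m := NOT_IN.match(rec)):
            pending.append(m["group"])
        elif (m := DENY.match(rec)):
            found.append({**m.groupdict(), "not_member_of": pending})
            pending = []
    return found

if __name__ == "__main__":
    for d in denials(SAMPLE):
        print(d["subject"], "denied", d["right"], "on", d["attr"], "of", d["entry"], d["not_member_of"])
```
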



