Insufficient access rights for the sync user

I am trying to create a sync agreement between an AD server and a 389
directory server. I am following the "Red Hat Directory Server 8.1
Administration Guide"

The Guide instructs you to create a sync user under cn=config like this:

dn: cn=sync user,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: sync user
sn: SU
userPassword: secret
passwordExpirationTime: 20380119031407Z

I added the user using an ldif file:

[root@directory ~]# cat syncuser.ldif 
dn: cn=sync user,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: sync user
sn: syncuser
userPassword: secret
passwordExpirationTime: 20380119031407Z

It also says that you should create an ACI rule so that it can write to
the userPassword attribute: 

aci: (target="ldap:///cn=sync%20user,cn=config";)
(targetattr="userPassword")(version 3.0;acl "aci1";allow (write,compare)
 userdn=all;)

I figured this must be wrong since the target should contain the
replicated tree and the userdn should be the binddn for the sync user.
Correct me if I am wrong. I did try to use the above ACI, but it also didn't
work.

Anyway, I modified the ACI as follows:
[root@directory ~]# /usr/lib/mozldap/ldapsearch -b dc=example,dc=com -h
localhost -p 389 -D "cn=directory manager" -w - \(aci=*\) aci | grep -B
1 -C 1 Sync 

Enter bind password: 

aci: (target="ldap:///dc=example,dc=com";)(targetattr="userPassword")
(version 3.0;acl "Sync Pass User";allow (write,compare)
userdn="ldap:///cn=sync%20user,cn=config";;)"

Is the above ACI correct?

There must be something wrong since when I try to change the password of
a normal user I get the "Insufficient access rights" error:

[root@directory ~]# /usr/lib/mozldap/ldappasswd -v -Z
-P /etc/dirsrv/slapd-directory/cert8.db
-K /etc/dirsrv/slapd-directory/key3.db -D "cn=sync user,cn=config"
uid=pre_user1,ou=People,dc=example.com -w -

Enter bind password: 

ldappasswd: started Tue Jan 12 11:46:28 2010

ldap_init( localhost, 389 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-directory/cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-directory/key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldappasswd: Insufficient access
ldappasswd: additional info: Insufficient access rights

Any help/ideas would be highly appreciated!
Thanks
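The post above hinges on whether the ACI string is even well-formed before the question of what it grants can be answered (the pasted version ends in `;;)"`, and the Guide's version has `userdn=all` with no quotes and no `ldap:///` prefix). The following linter is an added example, not code from the original post or from 389 Directory Server; it implements a simplified subset of the ACI grammar (a run of `(keyword="value")` target clauses, then `(version 3.0; acl "name"; allow|deny (rights) bindrule;)`), so a string it rejects is worth a second look, while a string it accepts may still be rejected by the real server. The `lint_sync_aci` policy (target must be the replicated suffix, bind rule must name the sync user, grant no wider than write/compare on userPassword) encodes the poster's own hypothesis about what the rule should say, not a documented 389 DS requirement. The suffix `dc=example,dc=com` and the DN `cn=sync user,cn=config` are taken from the post; the three sample ACI strings are constructed from it.

```python
"""Lint 389 DS ACI strings for copy/paste damage and over-broad grants.
Constructed example for the mailing-list question above; it models only a
subset of the real ACI grammar (see the lead-in for assumptions)."""
import re
from urllib.parse import unquote

TARGET_KEYS = {"target", "targetattr", "targetfilter", "targattrfilters", "targetscope"}
BIND_KEYS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
             "timeofday", "dayofweek", "authmethod"}
RIGHTS = {"read", "write", "add", "delete", "search", "compare",
          "selfwrite", "proxy", "all"}

_TARGET = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*(;?)\s*\)')
_BODY = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE = re.compile(r'\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)
_BIND = re.compile(r'(\w+)\s*(!?=)\s*(?:"([^"]*)"|(\S+))')


def _norm_dn(dn):
    """Case-fold and strip spaces around RDN separators for comparison only."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parse_aci(text):
    """Parse one ACI value (optionally prefixed with 'aci:') into its target
    clauses, acl name and permission rules. Raises ValueError when the string
    does not fit the simplified grammar; non-fatal oddities go to 'warnings'."""
    s = text.strip()
    if s.lower().startswith("aci:"):          # accept a raw LDIF attribute line
        s = s[4:].strip()
    targets, warnings, pos = [], [], 0
    while (m := _TARGET.match(s, pos)):
        key = m.group(1).lower()
        if key not in TARGET_KEYS:
            raise ValueError(f"unknown target keyword {key!r}")
        if m.group(4):                         # e.g. (target="...";) as in the Guide
            warnings.append(f"stray ';' inside ({key}=...) clause")
        targets.append((key, m.group(2), m.group(3)))
        pos = m.end()
        while pos < len(s) and s[pos].isspace():
            pos += 1
    body = _BODY.match(s[pos:])
    if not body:
        raise ValueError(f"malformed ACI body, check ';' and ')' balance: {s[pos:]!r}")
    rules, last_end = [], 0
    for r in _RULE.finditer(body.group(2)):
        rights = {x.strip().lower() for x in r.group(2).split(",") if x.strip()}
        if rights - RIGHTS:
            raise ValueError(f"unknown rights {sorted(rights - RIGHTS)}")
        bind = r.group(3).strip()
        b = _BIND.match(bind)
        if not b or b.group(1).lower() not in BIND_KEYS:
            raise ValueError(f"unparseable bind rule {bind!r}")
        key, quoted = b.group(1).lower(), b.group(3) is not None
        value = b.group(3) if quoted else b.group(4)
        if key in ("userdn", "groupdn", "roledn") and (not quoted or not value.startswith("ldap:///")):
            warnings.append(f"{key} value should be a quoted ldap:/// URL, got {bind!r}")
        rules.append({"perm": r.group(1).lower(), "rights": rights,
                      "bind": (key, b.group(2), unquote(value))})
        last_end = r.end()
    leftover = body.group(2)[last_end:].strip()
    if leftover:                               # e.g. the second ';' of ';;)'
        warnings.append(f"unexpected text after last rule: {leftover!r}")
    if not rules:
        raise ValueError("no allow/deny rule found")
    return {"targets": targets, "name": body.group(1), "rules": rules, "warnings": warnings}


def lint_sync_aci(aci, suffix, sync_dn):
    """Return a list of problems for an ACI meant to let `sync_dn` write
    userPassword under `suffix`; an empty list means it matches that policy."""
    parsed = parse_aci(aci)
    problems = list(parsed["warnings"])
    targets = {k: v for k, _, v in parsed["targets"]}
    target_dn = unquote(targets.get("target", "")).replace("ldap:///", "", 1)
    if _norm_dn(target_dn) != _norm_dn(suffix):
        problems.append(f"target {target_dn!r} is not the replicated suffix {suffix!r}")
    if targets.get("targetattr", "").strip().lower() != "userpassword":
        problems.append("targetattr should be exactly userPassword")
    for rule in parsed["rules"]:
        key, op, val = rule["bind"]
        if key != "userdn" or _norm_dn(val.replace("ldap:///", "", 1)) != _norm_dn(sync_dn):
            problems.append(f"bind rule {key}{op}{val!r} does not name the sync user")
        extra = rule["rights"] - {"write", "compare"}
        if rule["perm"] == "allow" and extra:
            problems.append(f"grant is wider than write/compare: {sorted(extra)}")
    return problems


# Constructed samples, assembled from the strings quoted in the post.
GUIDE_ACI = ('(target="ldap:///cn=sync%20user,cn=config";)(targetattr="userPassword")'
             '(version 3.0;acl "aci1";allow (write,compare) userdn=all;)')
POSTED_ACI = ('(target="ldap:///dc=example,dc=com";)(targetattr="userPassword")'
              '(version 3.0;acl "Sync Pass User";allow (write,compare)'
              'userdn="ldap:///cn=sync%20user,cn=config";;)"')
CLEAN_ACI = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
             '(version 3.0;acl "Sync Pass User";allow (write,compare) '
             'userdn="ldap:///cn=sync%20user,cn=config";)')

if __name__ == "__main__":
    for label, aci in (("guide", GUIDE_ACI), ("posted", POSTED_ACI), ("clean", CLEAN_ACI)):
        try:
            print(label, lint_sync_aci(aci, "dc=example,dc=com", "cn=sync user,cn=config"))
        except ValueError as e:
            print(label, "REJECTED:", e)
```

Run it and the Guide's version is reported for the stray `;` in the target clause, the unquoted `userdn=all`, a target that is the sync user's own entry rather than the suffix, and a bind rule that does not name the sync user; the pasted version is rejected outright because of the characters after the closing parenthesis; the cleaned version passes the policy. Passing this lint only says the string is plausible, so the next step is still to bind as the sync user and reproduce the `ldappasswd` call against a test entry.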