On Tue, 2010-01-12 at 08:48 -0700, Rich Megginson wrote:
> Theodotos Andreou wrote:
> > I am trying to create a sync agreement between an AD server and a 389
> > directory server. I am following the "Red Hat Directory Server 8.1
> > Administration Guide".
> >
> > The Guide instructs you to create a sync user under cn=config like this:
> >
> > dn: cn=sync user,cn=config
> > objectClass: inetorgperson
> > objectClass: person
> > objectClass: top
> > cn: sync user
> > sn: SU
> > userPassword: secret
> > passwordExpirationTime: 20380119031407Z
> >
> > I added the user using an ldif file:
> >
> > [root at directory ~]# cat syncuser.ldif
> > dn: cn=sync user,cn=config
> > changetype: add
> > objectClass: inetorgperson
> > objectClass: person
> > objectClass: top
> > cn: sync user
> > sn: syncuser
> > userPassword: secret
> > passwordExpirationTime: 20380119031407Z
> >
> > It also says that you should create an ACI rule so that it can write to
> > the userPassword attribute:
> >
> > aci: (target="ldap:///cn=sync%20user,cn=config")
> > (targetattr="userPassword")(version 3.0;acl "aci1";allow (write,compare)
> > userdn=all;)
> >
> > I figured this must be wrong since the target should contain the
> > replicated tree and the userdn should be the binddn for the sync user.
> > Correct me if I am wrong. I did try to use the above aci but it also
> > didn't work.
>
> Right. I've filed a doc bug for this. Thanks for catching it. The aci
> should be something like this:
>
> aci: (targetattr="userPassword")(version 3.0;acl "allow passsync user to update
> userPassword"; allow (write,compare)
> userdn="ldap:///cn=sync%20user,cn=config";)
>
> and it should be added to the entry at the base of your tree
> (dc=example,dc=com)
>
> > Anyway I modified the aci such as:
> >
> > [root at directory ~]# /usr/lib/mozldap/ldapsearch -b dc=example,dc=com -h
> > localhost -p 389 -D "cn=directory manager" -w - \(aci=*\) aci | grep -B
> > 1 -C 1 Sync
> >
> > Enter bind password:
> >
> > aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")
> > (version 3.0;acl "Sync Pass User";allow (write,compare)
> > userdn="ldap:///cn=sync%20user,cn=config";)"
> >
> > Is the above ACI correct?
> >
> > There must be something wrong since when I try to change the password of
> > a normal user I get the "Insufficient access rights" error:
> >
> > [root at directory ~]# /usr/lib/mozldap/ldappasswd -v -Z
> > -P /etc/dirsrv/slapd-directory/cert8.db
> > -K /etc/dirsrv/slapd-directory/key3.db -D "cn=sync user,cn=config"
> > uid=pre_user1,ou=People,dc=example.com -w -
> >
> > Enter bind password:
> >
> > ldappasswd: started Tue Jan 12 11:46:28 2010
> >
> > ldap_init( localhost, 389 )
> > ldaptool_getcertpath -- /etc/dirsrv/slapd-directory/cert8.db
> > ldaptool_getkeypath -- /etc/dirsrv/slapd-directory/key3.db
> > ldaptool_getmodpath -- (null)
> > ldaptool_getdonglefilename -- (null)
> > ldappasswd: Insufficient access
> > ldappasswd: additional info: Insufficient access rights
> >
> > Any help/ideas would be highly appreciated!
>
> Hmm - Windows PassSync does not use the ldappasswd extended operation,
> it just uses ldapmodify with the userPassword attribute - try that.

Thanks for your reply Rich. I applied the aci as you suggested and it did work.
The ldappasswd command is no fun and you need to use ldapmodify.

I used this ldif:

dn: uid=pre_user1,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: changeme!

[root at directory ~]# /usr/lib/mozldap/ldapmodify -a -D "cn=directory manager" -w - -p 389 -h localhost -f changepass.ldif
Enter bind password:
modifying entry uid=pre_user1,ou=People,dc=lim,dc=tepak,dc=int

Worked like a charm! Thanks again for the support.

> > Thanks
> >
> > --
> > 389 users mailing list
> > 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
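As an added check that is not part of the thread, the Python below lints a PassSync ACI along the lines of Rich's correction: targetattr limited to userPassword, rights limited to write/compare, userdn bound to the sync user's own DN rather than a keyword like all, and any explicit target pointing at the replicated suffix instead of cn=config. The two ACI strings are the Guide's and Rich's from the thread, re-joined onto one line; the function and variable names are my own.

```python
import re
from urllib.parse import unquote

# The two ACIs from the thread, re-joined onto one line (constructed input, not live config).
GUIDE_ACI = ('(target="ldap:///cn=sync%20user,cn=config")(targetattr="userPassword")'
             '(version 3.0;acl "aci1";allow (write,compare) userdn=all;)')
FIXED_ACI = ('(targetattr="userPassword")(version 3.0;acl "allow passsync user to update '
             'userPassword"; allow (write,compare) userdn="ldap:///cn=sync%20user,cn=config";)')

def _norm_dn(value):
    """Lower-case a DN or ldap:/// URL, undo percent-encoding, trim spaces around commas."""
    dn = unquote(value or "")
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_aci(aci):
    """Extract the target, targetattr, allowed rights and userdn from a 389 DS ACI string."""
    norm = " ".join(aci.split())  # collapse the line wrapping mail clients add

    def grab(pattern):
        m = re.search(pattern, norm, re.IGNORECASE)
        return m.group(1) if m else None

    rights = grab(r'allow\s*\(([^)]*)\)') or ""  # skips an acl name that contains "allow"
    return {
        "target": grab(r'\(target\s*=\s*"([^"]*)"\)'),
        "targetattr": grab(r'\(targetattr\s*=\s*"([^"]*)"\)'),
        "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
        "userdn": grab(r'userdn\s*=\s*"?([^";]*)"?\s*;'),
    }

def lint_passsync_aci(aci, sync_user_dn, suffix):
    """Return the problems a reviewer would flag in an ACI meant to let PassSync set userPassword."""
    a, problems = parse_aci(aci), []
    if (a["targetattr"] or "").lower() != "userpassword":
        problems.append("targetattr is not limited to userPassword")
    if not a["rights"] <= {"write", "compare"}:
        problems.append("rights beyond write/compare: %s" % sorted(a["rights"] - {"write", "compare"}))
    if _norm_dn(a["userdn"]) != _norm_dn(sync_user_dn):
        problems.append("userdn is %r, not the sync user's bind DN" % a["userdn"])
    if a["target"] and _norm_dn(a["target"]) != _norm_dn(suffix):
        problems.append("target is %r, not the replicated suffix" % a["target"])
    return problems

if __name__ == "__main__":
    for label, aci in (("guide", GUIDE_ACI), ("fixed", FIXED_ACI)):
        print(label, lint_passsync_aci(aci, "cn=sync user,cn=config", "dc=example,dc=com") or "OK")
```

The Guide's ACI is reported for both its userdn (all) and its target (the sync user entry under cn=config); Rich's passes. Note that the ldapmodify test in the thread binds as cn=directory manager, which bypasses ACIs in 389 DS, so to confirm the ACI itself the modify would need to bind as cn=sync user,cn=config.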