Re: WinSync reports "Insufficient Access"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

David,

That did the trick! Thank you for your help.


On 12/9/05, David Boreham <david_list@xxxxxxxxxxx> wrote:
Bryan Fransman wrote:
I'm seeking a little guidance in regard to the Windows Sync configuration. I have the Windows Sync service speaking to the Fedora Directory Server (SSL enabled), but passwords are not updated on the FDS side.

Environment is Windows 2000 server, Fedora Core 3 w/ FDS 1.0 w/ the latest PassSync.msi

I have configured WinSync to use cn=replication manager,cn=config as the bind user. This user exists in FDS.

I enabled logging for the password sync service, and found the following entry in the passsync.log log:

12/09/05 11:17:06: Attempting to sync password for username
12/09/05 11:17:06: Searching for (ntuserdomainid=username)
12/09/05 11:17:06: Ldap error in ModifyPassword
    50: Insufficient access
12/09/05 11:17:06: Modify password failed for remote entry: uid=username,ou=People, dc=domain, dc=com
12/09/05 11:17:06: Deferring password change for username
12/09/05 11:17:06: Backing off for 32000ms

So, there it is.. the third line of log entry "Insufficient access".

I assume that its an ACI problem with the cn=replication manager,cn=config user. I attempted to create an ACI to resolve the issue, but no luck.

(targetattr = "*") (target = "ldap:///uid=*,ou=People,dc=domain,dc=com") (version 3.0;acl "WinSync";allow (all,proxy)(userdn = "ldap:///cn=replication manager,cn=config");)

Some help would be greatly appreciated.
I think you are on the general right track.
However, when you used the replication manager DN to bind that
probably led you astray. This is because that DN's special access rights
are _only_ enforced on real replication sessions. The passsync
app is not making a replication connection, just a regular LDAP connection.
And so you will not get any of the magical powers of the replication manager DN.

I suspect that your new ACI is not giving the desired result because
another one that denies access is preempting it.

So...quick and dirty way would be to use cn=Directory Manager
for the bind DN. The good but longer solution would be to add
another user for passsync to bind as and make sure that user has the
necessary access rights to userPassword.





--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users



--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux