I am trying to create a sync agreement between an AD server and a 389 Directory Server. I am following the "Red Hat Directory Server 8.1 Administration Guide". The guide instructs you to create a sync user under cn=config like this:

    dn: cn=sync user,cn=config
    objectClass: inetorgperson
    objectClass: person
    objectClass: top
    cn: sync user
    sn: SU
    userPassword: secret
    passwordExpirationTime: 20380119031407Z

I added the user using an LDIF file:

    [root@directory ~]# cat syncuser.ldif
    dn: cn=sync user,cn=config
    changetype: add
    objectClass: inetorgperson
    objectClass: person
    objectClass: top
    cn: sync user
    sn: syncuser
    userPassword: secret
    passwordExpirationTime: 20380119031407Z

It also says that you should create an ACI rule so that it can write to the userPassword attribute:

    aci: (target="ldap:///cn=sync%20user,cn=config")(targetattr="userPassword")(version 3.0;acl "aci1";allow (write,compare) userdn=all;)

I figured this must be wrong, since the target should contain the replicated tree and the userdn should be the bind DN of the sync user. Correct me if I am wrong. I did try to use the above ACI, but that didn't work either. Anyway, I modified the ACI like so:

    [root@directory ~]# /usr/lib/mozldap/ldapsearch -b dc=example,dc=com -h localhost -p 389 -D "cn=directory manager" -w - \(aci=*\) aci | grep -B 1 -C 1 Sync
    Enter bind password:
    aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")
     (version 3.0;acl "Sync Pass User";allow (write,compare) userdn="ldap:///cn=sync%20user,cn=config";)

Is the above ACI correct?
There must be something wrong, since when I try to change the password of a normal user I get the "Insufficient access rights" error:

    [root@directory ~]# /usr/lib/mozldap/ldappasswd -v -Z -P /etc/dirsrv/slapd-directory/cert8.db -K /etc/dirsrv/slapd-directory/key3.db -D "cn=sync user,cn=config" uid=pre_user1,ou=People,dc=example.com -w -
    Enter bind password:
    ldappasswd: started Tue Jan 12 11:46:28 2010
    ldap_init( localhost, 389 )
    ldaptool_getcertpath -- /etc/dirsrv/slapd-directory/cert8.db
    ldaptool_getkeypath -- /etc/dirsrv/slapd-directory/key3.db
    ldaptool_getmodpath -- (null)
    ldaptool_getdonglefilename -- (null)
    ldappasswd: Insufficient access
    ldappasswd: additional info: Insufficient access rights

Any help/ideas would be highly appreciated!

Thanks

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
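The post turns on three things an ACI has to line up for the sync user: the target subtree must contain the entry being modified, targetattr must name userPassword, and the bind rule must match the DN the client binds as. The following is an added example, not code from the post or from 389 Directory Server: a small offline checker for just the ACI subset used here (target, targetattr, allow/deny with userdn bind rules) that evaluates both ACIs from the post against the DNs that appear in it. It assumes the guide's ACI would live on cn=config and the poster's on dc=example,dc=com (neither placement is stated in the post), and it treats a missing targetattr as covering all attributes. It also refuses the guide's bare `userdn=all`, because the bind rule form 389 DS documents is `userdn="ldap:///all"`. One thing it makes visible: the DN typed in the failing ldappasswd command ends in dc=example.com, which is not under dc=example,dc=com, so an ACI scoped to that suffix does not apply to it. The authoritative answer is always the server's own access-control decision; this only narrows down where to look.

```python
import re
from urllib.parse import unquote

def norm_dn(dn):
    """URL-decode, lower-case and trim a DN so that 'cn=sync%20user,cn=config'
    and 'cn=Sync User, cn=config' compare equal."""
    return ",".join(p.strip() for p in unquote(dn).split(",")).lower()

def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere in its subtree."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or e.endswith("," + b)

# (target="ldap:///...") and (targetattr="...") keywords in front of the body
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"?([^")]*)"?\s*\)')
# the body: (version 3.0; acl "name"; allow (...) bindrule; deny (...) bindrule; ...)
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.DOTALL)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.IGNORECASE)
# only userdn bind rules in the documented "ldap:///..." form are understood
USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)

def parse_aci(aci):
    """Split one ACI into its target, targetattr list and permission rules."""
    body = BODY_RE.search(aci)
    if not body:
        raise ValueError('no (version 3.0; acl "..."; ...) body found')
    parsed = {"name": body.group(1), "target": None, "targetattr": None, "rules": []}
    for kw, op, val in TARGET_RE.findall(aci[:body.start()]):
        if op != "=":
            raise ValueError(f"negated {kw} is not supported by this checker")
        if kw.lower() == "target":
            parsed["target"] = val[len("ldap:///"):] if val.startswith("ldap:///") else val
        elif kw.lower() == "targetattr":
            parsed["targetattr"] = [a.strip().lower() for a in val.split("||")]
    for kind, rights, bindrule in RULE_RE.findall(body.group(2)):
        rights = {r.strip().lower() for r in rights.split(",")}
        parsed["rules"].append((kind.lower(), rights, bindrule.strip()))
    return parsed

def bind_rule_matches(bindrule, bind_dn, entry_dn):
    """True/False for a userdn bind rule; None if the rule is not in a form we know."""
    m = USERDN_RE.search(bindrule)
    if not m:
        return None
    who = unquote(m.group(1)).lower()
    if who == "anyone":            # anonymous and authenticated binds alike
        return True
    if who == "all":               # any authenticated bind
        return bool(bind_dn)
    if who == "self":
        return norm_dn(bind_dn) == norm_dn(entry_dn)
    return norm_dn(bind_dn) == norm_dn(who)

def aci_grants(aci, aci_dn, bind_dn, entry_dn, attr, right):
    """Decide whether one ACI stored on aci_dn lets bind_dn perform `right` on
    `attr` of entry_dn. Returns (granted, reason)."""
    try:
        p = parse_aci(aci)
    except ValueError as exc:
        return False, f"unparseable ACI: {exc}"
    scope = p["target"] or aci_dn      # no target keyword: the ACI's own entry and subtree
    if not is_under(scope, aci_dn):    # a target above the ACI's own entry is ineffective
        return False, f"target {scope} lies outside the entry holding the ACI ({aci_dn})"
    if not is_under(entry_dn, scope):
        return False, f"{entry_dn} is not under target {scope}"
    if p["targetattr"] is not None and attr.lower() not in p["targetattr"]:
        return False, f"{attr} is not in targetattr {p['targetattr']}"
    verdict = (False, f"no allow rule of '{p['name']}' matches {bind_dn}")
    for kind, rights, bindrule in p["rules"]:
        if right.lower() not in rights and "all" not in rights:
            continue
        matched = bind_rule_matches(bindrule, bind_dn, entry_dn)
        if matched is None:
            return False, f"bind rule '{bindrule}' is not in the ldap:///... form"
        if not matched:
            continue
        if kind == "deny":             # an explicit deny wins over any allow
            return False, f"explicitly denied by '{p['name']}'"
        verdict = (True, f"allowed by '{p['name']}'")
    return verdict

# ACI as printed in the RHDS 8.1 guide, quoted in the post above
GUIDE_ACI = ('(target="ldap:///cn=sync%20user,cn=config")(targetattr="userPassword")'
             '(version 3.0;acl "aci1";allow (write,compare) userdn=all;)')
# ACI as rewritten by the poster
POSTER_ACI = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
              '(version 3.0;acl "Sync Pass User";allow (write,compare) '
              'userdn="ldap:///cn=sync%20user,cn=config";)')
SYNC_USER = "cn=sync user,cn=config"
REAL_USER = "uid=pre_user1,ou=People,dc=example,dc=com"
TYPED_USER = "uid=pre_user1,ou=People,dc=example.com"   # exactly as typed in the failing command

def check_post_scenarios():
    """Evaluate the ACIs from the post. Assumed placements (not stated in the post):
    the guide's ACI on cn=config, the poster's ACI on dc=example,dc=com."""
    return {
        "guide aci, real user": aci_grants(GUIDE_ACI, "cn=config", SYNC_USER, REAL_USER, "userPassword", "write"),
        "guide aci, sync user": aci_grants(GUIDE_ACI, "cn=config", SYNC_USER, SYNC_USER, "userPassword", "write"),
        "poster aci, real user": aci_grants(POSTER_ACI, "dc=example,dc=com", SYNC_USER, REAL_USER, "userPassword", "write"),
        "poster aci, dn as typed": aci_grants(POSTER_ACI, "dc=example,dc=com", SYNC_USER, TYPED_USER, "userPassword", "write"),
    }

if __name__ == "__main__":
    for label, (ok, why) in check_post_scenarios().items():
        print(f"{label:25s} {'ALLOW' if ok else 'DENY'}  {why}")
```

Run stand-alone, the script reports the guide's ACI as inapplicable to any entry under dc=example,dc=com (and, even for the sync user's own entry, as carrying an unparseable bind rule), the poster's ACI as granting write on userPassword to the sync user for uid=pre_user1,ou=People,dc=example,dc=com, and the DN as typed in the ldappasswd command as falling outside the ACI's target.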