Re: [389-users] Insufficient access rights for the sync user


Theodotos Andreou wrote:
> I am trying to create a sync agreement between an AD server and a 389
> directory server. I am following the "Red Hat Directory Server 8.1
> Administration Guide"
>
> The Guide instructs you to create a sync user under cn=config like this:
>
> dn: cn=sync user,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: sync user
> sn: SU
> userPassword: secret
> passwordExpirationTime: 20380119031407Z
>
> I added the user using an ldif file:
>
> [root@directory ~]# cat syncuser.ldif 
> dn: cn=sync user,cn=config
> changetype: add
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: sync user
> sn: syncuser
> userPassword: secret
> passwordExpirationTime: 20380119031407Z
>
> It also says that you should create an ACI rule so that it can write to
> the userPassword attribute: 
>
> aci: (target="ldap:///cn=sync%20user,cn=config";)
> (targetattr="userPassword")(version 3.0;acl "aci1";allow (write,compare)
>  userdn=all;)
>
> I figured this must be wrong since the target should contain the
> replicated tree and the userdn should be the binddn for the sync user.
> Correct me if I am wrong. I did try to use the above aci but also didn't
> work.
>   
Right.  I've filed a doc bug for this.  Thanks for catching it.  The aci 
should be something like this:

aci: (targetattr="userPassword")(version 3.0;acl "allow passsync user to update
userPassword"; allow (write,compare)
userdn="ldap:///cn=sync%20user,cn=config";)

and it should be added to the entry at the base of your tree 
(dc=example,dc=com)
> Anyway I modified the aci such as:
> [root@directory ~]# /usr/lib/mozldap/ldapsearch -b dc=example,dc=com -h
> localhost -p 389 -D "cn=directory manager" -w - \(aci=*\) aci | grep -B
> 1 -C 1 Sync 
>
> Enter bind password: 
>
> aci: (target="ldap:///dc=example,dc=com";)(targetattr="userPassword")
> (version 3.0;acl "Sync Pass User";allow (write,compare)
> userdn="ldap:///cn=sync%20user,cn=config";;)"
>
> Is the above ACI correct?
>
> There must be something wrong since when I try to change the password of
> a normal user I get the "Insufficient access rights" error:
>
> [root@directory ~]# /usr/lib/mozldap/ldappasswd -v -Z
> -P /etc/dirsrv/slapd-directory/cert8.db
> -K /etc/dirsrv/slapd-directory/key3.db -D "cn=sync user,cn=config"
> uid=pre_user1,ou=People,dc=example.com -w -
>
> Enter bind password: 
>
> ldappasswd: started Tue Jan 12 11:46:28 2010
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-directory/cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-directory/key3.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldappasswd: Insufficient access
> ldappasswd: additional info: Insufficient access rights
>
> Any help/ideas would be highly appreciated!
>   
Hmm - Windows PassSync does not use the ldappasswd extended operation, 
it just uses ldapmodify with the userPassword attribute - try that.
> Thanks
>
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>   

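The two steps from the reply, as an added example that is not part of the thread: install the corrected ACI on the suffix entry as Directory Manager, then change a user's password as the sync user with a plain ldapmodify of userPassword (what PassSync does) instead of the ldappasswd extended operation. The suffix dc=example,dc=com, the sync user cn=sync user,cn=config, the target entry uid=pre_user1,ou=People,dc=example,dc=com, the mozldap tool paths and localhost:389 are taken from the thread; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from 389 DS itself.
# Assumed values (edit for your deployment):
SUFFIX="dc=example,dc=com"           # base of the synced tree
SYNC_DN="cn=sync user,cn=config"     # bind DN of the sync user
HOST=localhost
PORT=389
LDAPMODIFY=/usr/lib/mozldap/ldapmodify   # tool path as used in the thread
LDAPSEARCH=/usr/lib/mozldap/ldapsearch

# Emit the LDIF that adds the ACI to the suffix entry. No "target" keyword is
# needed: an ACI placed on the suffix entry applies to that entry and its
# subtree. The userdn is the sync user's bind DN with the space URL-encoded.
aci_ldif() {
    cat <<EOF
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;acl "allow passsync user to update userPassword";allow (write,compare) userdn="ldap:///cn=sync%20user,cn=config";)
EOF
}

# Emit the LDIF that replaces userPassword on one entry. This is an ordinary
# modify, which is what the reply says PassSync uses. Passwords containing
# leading/trailing spaces or non-ASCII bytes would need base64 ("userPassword::").
password_ldif() {
    cat <<EOF
dn: $1
changetype: modify
replace: userPassword
userPassword: $2
EOF
}

# Step 1 (bind as Directory Manager): install the ACI on the suffix.
# "-w -" prompts for the bind password instead of taking it on the command line.
install_aci() {
    aci_ldif | "$LDAPMODIFY" -h "$HOST" -p "$PORT" -D "cn=directory manager" -w -
}

# Step 2 (bind as the sync user): change a user's password via ldapmodify.
# The new password travels in the LDIF on stdin, so it never appears in ps output.
set_password_as_sync_user() {
    password_ldif "$1" "$2" | "$LDAPMODIFY" -h "$HOST" -p "$PORT" -D "$SYNC_DN" -w -
}

# Step 3: confirm the ACI is stored on the suffix entry, mirroring the
# ldapsearch used in the thread but restricted to the base entry.
show_aci() {
    "$LDAPSEARCH" -h "$HOST" -p "$PORT" -D "cn=directory manager" -w - \
        -b "$SUFFIX" -s base '(objectclass=*)' aci
}

# Usage (uncomment to run against a live server):
# install_aci
# show_aci
# set_password_as_sync_user "uid=pre_user1,ou=People,dc=example,dc=com" 'newsecret'
```

If step 2 still returns "Insufficient access rights" after the ACI is in place, check that the bind DN in the ACI matches the sync user's DN exactly (including the %20 encoding) and that the target entry's DN is well formed; an ACI on the wrong entry or a DN typo produces the same error as a missing ACI.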
