[389-users] Insufficient access rights for the sync user
Theodotos Andreou
theodotos.andreou at cut.ac.cy
Tue Jan 12 10:10:25 UTC 2010
I am trying to create a sync agreement between an AD server and a 389
directory server. I am following the "Red Hat Directory Server 8.1
Administration Guide"
The Guide instruct you to create a sync user under cn=config like this:
dn: cn=sync user,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: sync user
sn: SU
userPassword: secret
passwordExpirationTime: 20380119031407Z
I added the user using an ldif file:
[root at directory ~]# cat syncuser.ldif
dn: cn=sync user,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: sync user
sn: syncuser
userPassword: secret
passwordExpirationTime: 20380119031407Z
It also says that you should create an ACI rule so that it cam write to
the userPassword attribute:
aci: (target="ldap:///cn=sync%20user,cn=config")
(targetattr="userPassword")(version 3.0;acl "aci1";allow (write,compare)
userdn=all;)
I figured this must be wrong since the target should contain the
replicated tree and the userdn should be the binddn for the sync user.
Correct me if I am wrong. I did try to use the above aci but also didn't
work.
Anyway I modified the aci such as:
[root at directory ~]# /usr/lib/mozldap/ldapsearch -b dc=example,dc=com -h
localhost -p 389 -D "cn=directory manager" -w - \(aci=*\) aci | grep -B
1 -C 1 Sync
Enter bind password:
aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")
(version 3.0;acl "Sync Pass User";allow (write,compare)
userdn="ldap:///cn=sync%20user,cn=config";)"
Is the above ACI correct?
There must be something wrong since when I try to change the password of
a normal user I get the "Insufficient access rights" error:
[root at directory ~]# /usr/lib/mozldap/ldappasswd -v -Z
-P /etc/dirsrv/slapd-directory/cert8.db
-K /etc/dirsrv/slapd-directory/key3.db -D "cn=sync user,cn=config"
uid=pre_user1,ou=People,dc=example.com -w -
Enter bind password:
ldappasswd: started Tue Jan 12 11:46:28 2010
ldap_init( localhost, 389 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-directory/cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-directory/key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldappasswd: Insufficient access
ldappasswd: additional info: Insufficient access rights
Any help/ideas would be highly appreciated!
Thanks
More information about the 389-users
mailing list