[389-users] Insufficient access rights for the sync user

Theodotos Andreou theodotos.andreou at cut.ac.cy
Tue Jan 12 10:10:25 UTC 2010 

I am trying to create a sync agreement between an AD server and a 389
directory server. I am following the "Red Hat Directory Server 8.1
Administration Guide"

The Guide instruct you to create a sync user under cn=config like this:

dn: cn=sync user,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: sync user
sn: SU
userPassword: secret
passwordExpirationTime: 20380119031407Z

I added the user using an ldif file:

[root at directory ~]# cat syncuser.ldif 
dn: cn=sync user,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: sync user
sn: syncuser
userPassword: secret
passwordExpirationTime: 20380119031407Z

It also says that you should create an ACI rule so that it cam write to
the userPassword attribute: 

aci: (target="ldap:///cn=sync%20user,cn=config")
(targetattr="userPassword")(version 3.0;acl "aci1";allow (write,compare)
 userdn=all;)

I figured this must be wrong since the target should contain the
replicated tree and the userdn should be the binddn for the sync user.
Correct me if I am wrong. I did try to use the above aci but also didn't
work.

Anyway I modified the aci such as:
[root at directory ~]# /usr/lib/mozldap/ldapsearch -b dc=example,dc=com -h
localhost -p 389 -D "cn=directory manager" -w - \(aci=*\) aci | grep -B
1 -C 1 Sync 

Enter bind password: 

aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")
(version 3.0;acl "Sync Pass User";allow (write,compare)
userdn="ldap:///cn=sync%20user,cn=config";)"

Is the above ACI correct?

There must be something wrong since when I try to change the password of
a normal user I get the "Insufficient access rights" error:

[root at directory ~]# /usr/lib/mozldap/ldappasswd -v -Z
-P /etc/dirsrv/slapd-directory/cert8.db
-K /etc/dirsrv/slapd-directory/key3.db -D "cn=sync user,cn=config"
uid=pre_user1,ou=People,dc=example.com -w -

Enter bind password: 

ldappasswd: started Tue Jan 12 11:46:28 2010

ldap_init( localhost, 389 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-directory/cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-directory/key3.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldappasswd: Insufficient access
ldappasswd: additional info: Insufficient access rights

Any help/ideas would be highly appreciated!
Thanks

More information about the 389-users mailing list