ACI - on OU services didn't match
by Nizar Montassar
Hello All,
I have added three ACIs to authorize a group of permissions to manage my Service OU like this:
# To modify attributes
dn: ou=services,dc=xxx,dc=yyy
aci: (targetattr="description || cn || memberOf || nsUniqueId || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable user modify to change services"; allow (write, read)(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)
# To permit password reset
dn: ou=services,dc=xxx,dc=yyy
aci: (targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service password reset"; allow (write, read)(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)
# to allow service account creation
dn: ou=services,dc=xxx,dc=yyy
aci: (targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)
Then I have created those groups under the permission OU like this:
cn=servce_admin,ou=permissions,dc=xxx,dc=yyy
cn=servce_modify,ou=permissions,dc=xxx,dc=yyy
cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy
And I have added my administrator users to those groups.
When testing creating a service account using one of my administrator users, I got this error:
"Error: 105 - 3 - 50 - Insufficient access - [] - Insufficient 'add' privilege to add the entry 'cn=test,ou=Services,dc=xxx,dc=yyy'.
If I understand this message correctly, the ACI didn't take effect on the service OU.
In my log files there is no information. I tried to run my creation command in debug mode and also got the same output.
I need your help on this issue.
Best Regards
2 months
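A consistency check for the configuration in the post above, as an added example that is not part of the original post: it extracts every groupdn named in an ACI bind rule and reports those with no matching group entry. The ACI values are shortened to the part the check reads, the group DNs are copied as listed in the post, and the function names are hypothetical.

```python
import re

# Constructed from the post: each ACI is cut down to its ACL name and bind rule
# (the only parts this check reads); group DNs are copied as the post lists them.
ACIS = [
    '(version 3.0; acl "Enable user modify to change services"; allow (write, read)(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)',
    '(version 3.0; acl "Enable service password reset"; allow (write, read)(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)',
    '(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)',
]
EXISTING_GROUPS = [
    "cn=servce_admin,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_modify,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy",
]

GROUPDN_RE = re.compile(r'groupdn\s*(?:=|!=)\s*"([^"]*)"', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)

def normalize_dn(dn):
    """Lowercase and trim each RDN (simple DNs only, no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groupdns(aci):
    """Return the DNs in groupdn bind rules; one rule may join several URLs with ||."""
    dns = []
    for value in GROUPDN_RE.findall(aci):
        for url in value.split("||"):
            url = url.strip()
            if url.lower().startswith("ldap:///"):
                dns.append(url[len("ldap:///"):])
    return dns

def unresolved_groupdns(acis, existing):
    """Map ACL name -> groupdn DNs that match no existing group entry."""
    known = {normalize_dn(dn) for dn in existing}
    missing = {}
    for aci in acis:
        m = ACL_NAME_RE.search(aci)
        name = m.group(1) if m else "<unnamed>"
        bad = [dn for dn in groupdns(aci) if normalize_dn(dn) not in known]
        if bad:
            missing[name] = bad
    return missing

if __name__ == "__main__":
    for name, dns in unresolved_groupdns(ACIS, EXISTING_GROUPS).items():
        print(f"{name}: no group entry for {dns}")
```

Run on the values exactly as written in the post, it reports all three ACIs, because the listed group entries are spelled cn=servce_... while the ACIs name cn=service_....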
err=19 in a BIND operation
by Ciber Center
Hi team,
I'm getting a result err=19 in a BIND operation. Does anyone know why this can happen?
This is the connection trace:
conn=2894185 fd=205 slot=205 connection from client_ip to server_ip
conn=2894185 op=0 BIND dn="uid=user1,o=applications,o=school,c=es" method=128 version=3
conn=2894185 op=0 RESULT err=19 tag=97 nentries=0 etime=0.000494384
conn=2894185 op=1 UNBIND
conn=2894185 op=1 fd=205 closed - U1
I understood that error code 19 occurs only in MOD operations. Is that correct?
Thanks in advance.
2 months
Setting "lock" time of an account in the future
by Cenk Y.
Hello,
We are running 389-ds-base.2.2.7.
While creating accounts, sometimes we know until when they need to be
active. Is there a way to manually set an "expiration date" for the account,
so after that date nsAccount is set to true?
Having gone through rhds and 389-ds pages, it seems it's only possible to
create a policy to deactivate accounts after an inactivity limit.
I can always create a mechanism myself (such as adding a new attribute and
checking it by a cron job ...), but I want to see if there is a native way
to do this?
Thanks
Cenk
2 months, 1 week
389 in Ubuntu 22.04
by morgan jones
Hello,
We are moving to Ubuntu 22.04 across our servers: is there a recommended Ubuntu repo for 389 Directory?
On a related note is there an official Docker image?
We have about 250,000 users and currently have 6 replicas all running CentOS 7.
thanks,
-morgan
2 months, 1 week