[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
Rich Megginson
rmeggins at redhat.com
Thu Jul 23 18:02:37 UTC 2009
Roberto Polli wrote:
> On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:
>>>>> case1)
>
>>>>> * I bind with uid=admin to the local DS tree to modify the "givenName"
>>>>> of a user on the remote server
>>>>> * the modify is successful, as the uid=admin is proxied and the
>>>>> "uid=admin" is replicated on the remote server
>>>>>
>>>>> case2)
>>>>> * same as case1 but I try to modify "userPassword"
>>>>> * the modify fails as the remote server won't evaluate aci on
>>>>> "uid=admin" but on "dn:proxyuser"
>>>>>
>
>
>> So the user uid=admin - is that the Directory Manager (rootdn)?
>>
> no
>
>
>> If not,
>> is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
>>
> yes, and it can modify users' attributes, but not the password
>
>
>> Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the
>> local and remote servers?
>>
> yes
>
> it seems that when I try to modify userPassword, the reference to uid=admin is
> not forwarded and only the proxyuser rights are used..
>
I suppose you could turn on ACL summary logging to see what's going on.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> Peace,
> R.
>