Wednesday, September 15, 2021

[389-users] Insufficient Access Rights

I set up Self Service Password Tool. https://ltb-project.org/documentation/self-service-password. I configured a bind DN for password reset.

$ldap_binddn = "cn=proxyagent,ou=profile,dc=mycompany,dc=com";
$ldap_bindpw = "mypassword";

I'm getting "Password was refused by the LDAP directory (Insufficient access rights )" error when resetting a user's password. If I change the $ldap_binddn to "Directory Manager", it works.

I then added the "cn=proxyagent,ou=profile,dc=mycompany,dc=com" to "PD Managers" group with ACI:

ldapsearch -x -LLL -H ldap://server.mycompany.com:389 -s base -b 'ou=People,dc=mycompany,dc=com' aci
dn: ou=People,dc=mycompnay,dc=com
aci: (targetattr=*")(targetfilter ="(ou=People)")(version 3.0;acl "Engineering
Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups
,dc=mycompany,dc=com");)

ldapsearch -x -LLL -H ldap://server.mycompnay.com:389 -s base -b 'cn=PD Managers,ou=Groups,dc=mycompany,dc=com' uniquemember
dn: cn=PD Managers,ou=Groups,dc=mycompany,dc=com
uniquemember: cn=Directory Manager
uniquemember: cn=proxyagent,ou=profile,dc=mycompany,dc=com

The "PD Managers" group has ACI to allow write for ou=People for all attributes. The proxyagent is member of the group. Why binding proxyagent results in "Insufficient Access Right"?
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment