Wednesday, September 15, 2021

[389-users] Insufficient Access Rights

I set up Self Service Password Tool. I configured a bind DN for password reset.

$ldap_binddn = "cn=proxyagent,ou=profile,dc=mycompany,dc=com";
$ldap_bindpw = "mypassword";

I'm getting "Password was refused by the LDAP directory (Insufficient access rights )" error when resetting a user's password. If I change the $ldap_binddn to "Directory Manager", it works.

I then added the "cn=proxyagent,ou=profile,dc=mycompany,dc=com" to "PD Managers" group with ACI:

ldapsearch -x -LLL -H ldap:// -s base -b 'ou=People,dc=mycompany,dc=com' aci
dn: ou=People,dc=mycompnay,dc=com
aci: (targetattr=*")(targetfilter ="(ou=People)")(version 3.0;acl "Engineering
Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups

ldapsearch -x -LLL -H ldap:// -s base -b 'cn=PD Managers,ou=Groups,dc=mycompany,dc=com' uniquemember
dn: cn=PD Managers,ou=Groups,dc=mycompany,dc=com
uniquemember: cn=Directory Manager
uniquemember: cn=proxyagent,ou=profile,dc=mycompany,dc=com

The "PD Managers" group has ACI to allow write for ou=People for all attributes. The proxyagent is member of the group. Why binding proxyagent results in "Insufficient Access Right"?
389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam on the list, report it:

No comments:

Post a Comment