On Tue, 2010-01-12 at 08:48 -0700, Rich Megginson wrote:
Theodotos Andreou wrote:
> I am trying to create a sync agreement between an AD server and a 389
> directory server. I am following the "Red Hat Directory Server 8.1
> Administration Guide"
>
> The Guide instructs you to create a sync user under cn=config like this:
>
> dn: cn=sync user,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: sync user
> sn: SU
> userPassword: secret
> passwordExpirationTime: 20380119031407Z
>
> I added the user using an ldif file:
>
> [root@directory ~]# cat syncuser.ldif
> dn: cn=sync user,cn=config
> changetype: add
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: sync user
> sn: syncuser
> userPassword: secret
> passwordExpirationTime: 20380119031407Z
>
> It also says that you should create an ACI rule so that it can write to
> the userPassword attribute:
>
> aci: (target="ldap:///cn=sync%20user,cn=config")
> (targetattr="userPassword")(version 3.0;acl "aci1";allow (write,compare)
> userdn=all;)
>
> I figured this must be wrong since the target should contain the
> replicated tree and the userdn should be the binddn for the sync user.
> Correct me if I am wrong. I did try to use the above aci but also didn't
> work.
>
Right. I've filed a doc bug for this. Thanks for catching it. The aci
should be something like this:
aci: (targetattr="userPassword")(version 3.0;acl "allow passsync user to
update userPassword"; allow (write,compare)
userdn="ldap:///cn=sync%20user,cn=config";)
and it should be added to the entry at the base of your tree
(dc=example,dc=com)
> Anyway I modified the aci such as:
> [root@directory ~]# /usr/lib/mozldap/ldapsearch -b dc=example,dc=com -h
> localhost -p 389 -D "cn=directory manager" -w - \(aci=*\) aci | grep -B
> 1 -C 1 Sync
>
> Enter bind password:
>
> aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")
> (version 3.0;acl "Sync Pass User";allow (write,compare)
> userdn="ldap:///cn=sync%20user,cn=config";)"
>
> Is the above ACI correct?
>
> There must be something wrong since when I try to change the password of
> a normal user I get the "Insufficient access rights" error:
>
> [root@directory ~]# /usr/lib/mozldap/ldappasswd -v -Z
> -P /etc/dirsrv/slapd-directory/cert8.db
> -K /etc/dirsrv/slapd-directory/key3.db -D "cn=sync user,cn=config"
> uid=pre_user1,ou=People,dc=example.com -w -
>
> Enter bind password:
>
> ldappasswd: started Tue Jan 12 11:46:28 2010
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-directory/cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-directory/key3.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldappasswd: Insufficient access
> ldappasswd: additional info: Insufficient access rights
>
> Any help/ideas would be highly appreciated!
>
Hmm - Windows PassSync does not use the ldappasswd extended operation,
it just uses ldapmodify with the userPassword attribute - try that.
Thanks for your reply Rich.
I applied the aci as you suggested and it did work. The ldappasswd
command is no fun and you need to use ldapmodify. I used this ldif:
dn: uid=pre_user1,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: changeme!
[root@directory ~]# /usr/lib/mozldap/ldapmodify -a -D "cn=directory manager" -w - -p 389 -h localhost -f changepass.ldif
Enter bind password:
modifying entry uid=pre_user1,ou=People,dc=lim,dc=tepak,dc=int
Worked like a charm!
Thanks again for the support.
> Thanks
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
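As an added check, not code from the thread or from 389 Directory Server: a small Python script that parses the ACI strings discussed above and flags the two least-privilege mistakes the thread works through, namely a target pointing at the sync user's own entry instead of the replicated suffix, and a userdn that grants every bound user instead of the sync user's bind DN. The sample ACIs are constructed from the messages above; the function names and the suffix dc=example,dc=com are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed from the thread: the guide's ACI (wrong) and the corrected ACI.
GUIDE_ACI = ('(target="ldap:///cn=sync%20user,cn=config")(targetattr="userPassword")'
             '(version 3.0;acl "aci1";allow (write,compare) userdn=all;)')
FIXED_ACI = ('(targetattr="userPassword")(version 3.0;acl "allow passsync user to update '
             'userPassword"; allow (write,compare) userdn="ldap:///cn=sync%20user,cn=config";)')

def _norm_dn(dn):
    """URL-decode, lower-case and strip spaces around commas so DN comparison is not cosmetic."""
    return re.sub(r"\s*,\s*", ",", unquote(dn).strip().lower())

def parse_aci(aci):
    """Extract target, targetattr, granted rights and the userdn bind rule from an ACI string."""
    def grab(pattern):
        m = re.search(pattern, aci, re.IGNORECASE)
        return m.group(1) if m else None
    rights = grab(r"allow\s*\(([^)]*)\)")
    return {
        "target": grab(r'\(target\s*=\s*"ldap:///([^"]*)"\)'),
        "targetattr": grab(r'\(targetattr\s*=\s*"([^"]*)"\)'),
        "rights": {r.strip().lower() for r in rights.split(",")} if rights else set(),
        # Accepts both the proper quoted form and the guide's bare userdn=all.
        "userdn": grab(r'userdn\s*=\s*"?([^";)]+)"?'),
    }

def review_passsync_aci(aci, sync_user_dn, suffix):
    """Return the least-privilege problems in an ACI meant for the PassSync bind user."""
    p = parse_aci(aci)
    findings = []
    if (p["targetattr"] or "").lower() != "userpassword":
        findings.append("targetattr should be exactly userPassword")
    extra = p["rights"] - {"write", "compare"}
    if extra:
        findings.append("rights beyond write,compare: %s" % sorted(extra))
    # An explicit target must be the replicated suffix, not the sync user's own entry.
    if p["target"] is not None and _norm_dn(p["target"]) != _norm_dn(suffix):
        findings.append("target is %s, not the replicated suffix %s" % (p["target"], suffix))
    userdn = (p["userdn"] or "").strip().lower()
    if userdn.startswith("ldap:///"):
        userdn = userdn[len("ldap:///"):]
    if userdn in ("", "all", "anyone"):
        findings.append("userdn grants every bound user; restrict it to the sync user's DN")
    elif _norm_dn(userdn) != _norm_dn(sync_user_dn):
        findings.append("userdn %s is not the sync user %s" % (userdn, sync_user_dn))
    return findings
```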