I set up Self Service Password Tool.
https://ltb-project.org/documentation/self-service-password. I configured a bind DN for
password reset.
$ldap_binddn = "cn=proxyagent,ou=profile,dc=mycompany,dc=com";
$ldap_bindpw = "mypassword";
I'm getting "Password was refused by the LDAP directory (Insufficient access
rights )" error when resetting a user's password. If I change the $ldap_binddn to
"Directory Manager", it works.
I then added the "cn=proxyagent,ou=profile,dc=mycompany,dc=com" to "PD
Managers" group with ACI:
ldapsearch -x -LLL -H ldap://server.mycompany.com:389 -s base -b
'ou=People,dc=mycompany,dc=com' aci
dn: ou=People,dc=mycompnay,dc=com
aci: (targetattr=*")(targetfilter ="(ou=People)")(version 3.0;acl
"Engineering
Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups
,dc=mycompany,dc=com");)
ldapsearch -x -LLL -H ldap://server.mycompnay.com:389 -s base -b 'cn=PD
Managers,ou=Groups,dc=mycompany,dc=com' uniquemember
dn: cn=PD Managers,ou=Groups,dc=mycompany,dc=com
uniquemember: cn=Directory Manager
uniquemember: cn=proxyagent,ou=profile,dc=mycompany,dc=com
The "PD Managers" group has ACI to allow write for ou=People for all attributes.
The proxyagent is member of the group. Why binding proxyagent results in
"Insufficient Access Right"?