Hi Quanah,
I really appreciate your help. I just started some debugging on the master side, and I found out that the root of my issue was permissions. I got the following messages on the master side:
5418a353 conn=1064 op=6 MOD dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com"
5418a353 conn=1064 op=6 MOD attr=pwdFailureTime
5418a353 conn=1064 op=6 RESULT tag=103 err=50 text=
tag=103 err=50 ----> This usually means insufficient access. I looked over my HDB access configuration and realized that my chaining user (cn=syncrepluser,ou=security,dc=example,dc=com) had "write" permission on the userPassword, pwdFailureTime, pwdChangedTime, pwdHistory and pwdAccountLockedTime attributes, and that wasn't enough. I changed the "write" permission to "manage" and everything started working.
#-----
# Master
#-----
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,pwdFailuretime,pwdChangedTime,pwdHistory,pwdAccountLockedTime
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=syncReplUser,ou=Security,dc=example,dc=com" manage
  by * none
Hope this can help others. Thanks a lot for your help!
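The debugging step described in the message above, matching the RESULT line that carries err=50 with the MOD dn= and MOD attr= lines of the same conn/op, is tedious to do by eye in a long slapd log. The following is an added example, not code from this thread or from the OpenLDAP project: a small parser for slapd "stats" log lines that keeps the DN and attribute list per conn/op and reports every operation that ended in insufficientAccess (err=50) together with the attributes it tried to modify, which is exactly the list to compare against the "to attrs=" clause of olcAccess. The log lines embedded below are constructed to look like the one quoted in the message; they are not a real server's output.

```python
import re

# slapd "stats" (loglevel 256) lines look like "<hex ts> conn=N op=M <event ...>".
LINE_RE = re.compile(r'^[0-9a-f]+ conn=(\d+) op=(\d+) (.*)$')
DN_RE = re.compile(r'^MOD dn="(?P<dn>[^"]*)"')
ATTR_RE = re.compile(r'^MOD attr=(?P<attrs>.+)$')
RESULT_RE = re.compile(r'^RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)(?: text=(?P<text>.*))?')

# Response tags as they appear in RESULT lines (LDAP protocol op tags, RFC 4511).
RESULT_TAGS = {97: "bindResponse", 101: "searchResultDone", 103: "modifyResponse",
               105: "addResponse", 107: "delResponse", 109: "modDNResponse",
               111: "compareResponse"}

LDAP_INSUFFICIENT_ACCESS = 50   # the err=50 seen in the thread

# Constructed sample log modelled on the quoted line: one successful MOD,
# then two MODs on ppolicy operational attributes that are denied.
SAMPLE_LOG = """\
5418a353 conn=1064 op=5 MOD dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com"
5418a353 conn=1064 op=5 MOD attr=description
5418a353 conn=1064 op=5 RESULT tag=103 err=0 text=
5418a353 conn=1064 op=6 MOD dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com"
5418a353 conn=1064 op=6 MOD attr=pwdFailureTime
5418a353 conn=1064 op=6 RESULT tag=103 err=50 text=
5418a353 conn=1064 op=7 MOD dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com"
5418a353 conn=1064 op=7 MOD attr=pwdFailureTime pwdAccountLockedTime
5418a353 conn=1064 op=7 RESULT tag=103 err=50 text=
5418a353 conn=1064 op=8 UNBIND
"""


def parse_denials(log_text, err_codes=(LDAP_INSUFFICIENT_ACCESS,)):
    """Return one record per operation whose RESULT err is in err_codes,
    carrying the DN and attributes collected from that operation's MOD lines.
    Operations are keyed by (conn, op), so interleaved connections are fine."""
    pending = {}        # (conn, op) -> {"dn": str or None, "attrs": [...]}
    found = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # ACCEPT/fd= lines and other noise
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        dm = DN_RE.match(rest)
        if dm:
            pending.setdefault(key, {"dn": None, "attrs": []})["dn"] = dm.group("dn")
            continue
        am = ATTR_RE.match(rest)
        if am:
            # slapd lists all attributes of one MOD space-separated on a single line
            pending.setdefault(key, {"dn": None, "attrs": []})["attrs"].extend(
                am.group("attrs").split())
            continue
        rm = RESULT_RE.match(rest)
        if rm:
            state = pending.pop(key, {"dn": None, "attrs": []})
            err = int(rm.group("err"))
            if err in err_codes:
                tag = int(rm.group("tag"))
                found.append({"conn": key[0], "op": key[1], "dn": state["dn"],
                              "attrs": state["attrs"], "tag": tag,
                              "operation": RESULT_TAGS.get(tag, "tag=%d" % tag),
                              "err": err, "text": rm.group("text") or ""})
    return found


def denied_attrs(denials):
    """Sorted, de-duplicated attribute names that appeared in denied MODs:
    the list to check against 'to attrs=...' in the relevant olcAccess."""
    return sorted({a for d in denials for a in d["attrs"]})


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for d in denials:
        print("conn=%(conn)d op=%(op)d %(operation)s err=%(err)d "
              "dn=%(dn)s attrs=%(attrs)s" % d)
    print("attributes needing more access:", denied_attrs(denials))
```

Run it against `slapd` output written with `loglevel stats`; passing `err_codes=(50, 53, 19)` also catches unwillingToPerform and constraintViolation, which are the other two results a rejected operational-attribute write tends to produce.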
--On Tuesday, September 16, 2014 6:06 PM -0430 Raul Hernandez hernandezr@gmail.com wrote:
> Hi Quanah,
> I really appreciate your help. I just started some debugging on the master side, and I found out that the root of my issue was permissions. I got the following messages on the master side:
> Hope this can help others. Thanks a lot for your help!
Excellent, thanks for the follow up!
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Raul Hernandez hernandezr@gmail.com wrote on 16.09.2014 at 23:36 in
message CAL3GdwNJfDBDvwHmxFntggndsRC=wZ+SHM0LVeBbYQEm3ZGaEw@mail.gmail.com:
> [...]
> my HDB access configuration and realized that my chaining user (cn=syncrepluser,ou=security,dc=example,dc=com) had "write" permission on the userPassword, pwdFailureTime, pwdChangedTime, pwdHistory and pwdAccountLockedTime attributes, and that wasn't enough. I changed the "write" permission to "manage" and everything started working.
> [...]
I read the slapd.access manual page, and could not get it:
--
The level access model relies on an incremental interpretation of the access privileges. The possible levels are none, disclose, auth, compare, search, read, write, and manage. Each access level implies all the preceding ones, thus manage grants all access including administrative access. The write access is actually the combination of add and delete, which respectively restrict the write privilege to add or delete the specified <what>.
--
"administrative access" is nowhere explained. So what does "manage" allow that "write" does not?
Regards, Ulrich
Ulrich Windl wrote:
"administrative access" is nowhere explained. So what does "manage" allow that "write" does not?
The "manage" privilege e.g. allows writing operational attributes by using the Relax Rules Control, and switching off constraints.
Ciao, Michael.
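A concrete instance of the distinction Michael describes, added here as an illustration rather than taken from the thread: the ppolicy lockout attribute pwdAccountLockedTime is an operational attribute marked NO-USER-MODIFICATION, so clearing it by hand (the usual "unlock this account" task) is rejected for an identity that merely has "write" on it. The request has to carry the Relax Rules control, which ldapmodify sends with "-e relax", and slapd only honours that control for an identity with "manage" on the attribute. The DN, the binding identity cn=admin and the filename unlock.ldif below are assumed for the example.

```ldif
# Assumed invocation (cn=admin is assumed to have "manage" on
# pwdAccountLockedTime in olcAccess; with only "write" this returns err=50
# or a constraint violation, depending on the server's checks):
#   ldapmodify -e relax -x -D cn=admin,dc=example,dc=com -W -f unlock.ldif
#
# Without -e relax the same LDIF is refused regardless of the ACL, because
# NO-USER-MODIFICATION attributes may only be changed under Relax Rules.
dn: cn=Lisa Hayes,ou=Quality,dc=example,dc=com
changetype: modify
delete: pwdAccountLockedTime
```

The same mechanism is why the chained replication user in this thread needed "manage" and not "write": the ppolicy state attributes it forwards are all operational, and the forwarded writes arrive under the Relax Rules control.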
openldap-technical@openldap.org