Bryan Fransman
2005-Dec-09 16:48 UTC
[Fedora-directory-users] WinSync reports "Insufficient Access"
I'm seeking a little guidance in regard to the Windows Sync configuration. I have the Windows Sync service speaking to the Fedora Directory Server (SSL enabled), but passwords are not updated on the FDS side.
Environment is Windows 2000 server, Fedora Core 3 w/ FDS 1.0 w/ the latest
PassSync.msi
I have configured WinSync to use cn=replication manager,cn=config as the
bind user. This user exists in FDS.
I enabled logging for the password sync service, and found the following
entry in the passsync.log log:
12/09/05 11:17:06: Attempting to sync password for username
12/09/05 11:17:06: Searching for (ntuserdomainid=username)
12/09/05 11:17:06: Ldap error in ModifyPassword
50: Insufficient access
12/09/05 11:17:06: Modify password failed for remote entry:
uid=username,ou=People, dc=domain, dc=com
12/09/05 11:17:06: Deferring password change for username
12/09/05 11:17:06: Backing off for 32000ms
So, there it is... the third line of the log entry: "Insufficient access".
I assume that it's an ACI problem with the cn=replication manager,cn=config
user. I attempted to create an ACI to resolve the issue, but no luck.
(targetattr = "*") (target = "ldap:///uid=*,ou=People,dc=domain,dc=com")
(version 3.0;acl "WinSync";allow (all,proxy)(userdn = "ldap:///cn=replication manager,cn=config");)
Some help would be greatly appreciated.
Thanks,
Bryan
David Boreham
2005-Dec-09 18:33 UTC
Re: [Fedora-directory-users] WinSync reports "Insufficient Access"
Bryan Fransman wrote:
> I'm seeking a little guidance in regard to the Windows Sync configuration. I have the Windows Sync service speaking to the Fedora Directory Server (SSL enabled), but passwords are not updated on the FDS side.
>
> Environment is Windows 2000 server, Fedora Core 3 w/ FDS 1.0 w/ the latest PassSync.msi
>
> I have configured WinSync to use cn=replication manager,cn=config as the bind user. This user exists in FDS.
>
> I enabled logging for the password sync service, and found the following entry in the passsync.log log:
>
> 12/09/05 11:17:06: Attempting to sync password for username
> 12/09/05 11:17:06: Searching for (ntuserdomainid=username)
> 12/09/05 11:17:06: Ldap error in ModifyPassword
> 50: Insufficient access
> 12/09/05 11:17:06: Modify password failed for remote entry: uid=username,ou=People, dc=domain, dc=com
> 12/09/05 11:17:06: Deferring password change for username
> 12/09/05 11:17:06: Backing off for 32000ms
>
> So, there it is... the third line of the log entry: "Insufficient access".
>
> I assume that it's an ACI problem with the cn=replication manager,cn=config user. I attempted to create an ACI to resolve the issue, but no luck.
>
> (targetattr = "*") (target = "ldap:///uid=*,ou=People,dc=domain,dc=com") (version 3.0;acl "WinSync";allow (all,proxy)(userdn = "ldap:///cn=replication manager,cn=config");)
>
> Some help would be greatly appreciated.

I think you are on the general right track. However, when you used the replication manager DN to bind that probably led you astray. This is because that DN's special access rights are _only_ enforced on real replication sessions. The passsync app is not making a replication connection, just a regular LDAP connection. And so you will not get any of the magical powers of the replication manager DN. I suspect that your new ACI is not giving the desired result because another one that denies access is preempting it.
So...quick and dirty way would be to use cn=Directory Manager for the bind DN. The good but longer solution would be to add another user for passsync to bind as and make sure that user has the necessary access rights to userPassword.
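A worked version of the "good but longer solution" above, added here as an example and not taken from the thread: a dedicated PassSync bind account plus ACIs scoped to the two things the passsync.log shows the service doing, the search on ntuserdomainid and the modify of userPassword. The names uid=passsync, ou=Special Users and the LDIF file name are assumptions; dc=domain,dc=com is the thread's own placeholder suffix.

```ldif
# Added example, not from the thread. Apply as Directory Manager, e.g.:
#   ldapmodify -x -H ldaps://fds.domain.com -D "cn=Directory Manager" -W -f passsync-aci.ldif
# ou=Special Users is an assumed container; create it first if it does not exist.

# 1. A regular directory user for the service to bind as. It is deliberately
#    NOT the replication manager: that DN's extra rights only apply to
#    replication sessions, and passsync opens a plain LDAP connection.
dn: uid=passsync,ou=Special Users,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: passsync
cn: PassSync Service Account
sn: PassSync
userPassword: REPLACE-WITH-A-STRONG-SECRET

# 2. Least-privilege ACIs on the People container. targetattr is narrowed to
#    userPassword (write) and to the attributes the service's search touches
#    (read), instead of the original "(targetattr = "*") allow (all,proxy)".
dn: ou=People,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "PassSync may write userPassword"; allow (write) userdn = "ldap:///uid=passsync,ou=Special Users,dc=domain,dc=com";)
-
add: aci
aci: (targetattr = "ntUserDomainId || uid || objectClass")(version 3.0; acl "PassSync may locate users"; allow (read, search, compare) userdn = "ldap:///uid=passsync,ou=Special Users,dc=domain,dc=com";)
-
```

Because deny ACIs win over allow ACIs in FDS, a lookup of the existing aci values on dc=domain,dc=com and ou=People (as Directory Manager) is the check to run if "50: Insufficient access" persists after switching the service to this account.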
Bryan Fransman
2005-Dec-09 20:42 UTC
Re: [Fedora-directory-users] WinSync reports "Insufficient Access"
David, that did the trick! Thank you for your help.

On 12/9/05, David Boreham <david_list@boreham.org> wrote:
> I think you are on the general right track.
> However, when you used the replication manager DN to bind that probably led you astray. This is because that DN's special access rights are _only_ enforced on real replication sessions. The passsync app is not making a replication connection, just a regular LDAP connection.
> And so you will not get any of the magical powers of the replication manager DN.
>
> I suspect that your new ACI is not giving the desired result because another one that denies access is preempting it.
>
> So...quick and dirty way would be to use cn=Directory Manager for the bind DN. The good but longer solution would be to add another user for passsync to bind as and make sure that user has the necessary access rights to userPassword.