AD Permissions for ObjectClass


Adrian Bettesworth

Feb 9, 2021, 5:50:24 PM2/9/21
to pwm-general
I'm beginning to feel like I might be banging my head against a wall. For some reason it seems that I cannot set the right permissions in AD that allow my PWM Proxy user to have sufficient rights to add the pwmUser ObjectClass to a user that logs in.
I see this line in the log file: ERROR, ldap.LdapOperationsHelper, {9lfs9} error adding objectclass 'pwmUser' to user [full distinguished name] com.novell.ldapchai.exception.ChaiOperationException: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
I have downloaded and imported the ldif files and everything seems to be good except for this one permission.
Does anyone have an AD screenshot of the permission they have set for this?
Thanks.

jason.e...@gmail.com

Feb 9, 2021, 6:45:42 PM2/9/21
to pwm-general
It is because it is of course Microsoft's own take on LDAP, so anyways..

PWM is trying to add "pwmUser" to the "objectClass" attribute of the user, so you need to give your proxy user permission to modify/update/delete the "objectClass" attribute itself.

jason.e...@gmail.com

Feb 9, 2021, 6:51:15 PM2/9/21
to pwm-general
In easier terms, when adding the permissions,

Choose,

Principal-> Your PWM Proxy User
Type-> Allow
Applies To -> Descendant InetOrgPerson Objects

Scroll down and select "Write objectClass"

Should be good after that.
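
For anyone who would rather script the ACE than click through the Advanced Security Settings dialog, here is an added PowerShell example; it is not from this thread or from the PWM project. It grants the proxy account only WriteProperty on the objectClass attribute, inherited by descendant inetOrgPerson objects as the post above describes, and then reads the ACL back so you can confirm the entry landed. The OU path and the account name svc-pwm are placeholders. If your accounts are of the default AD "user" class rather than inetOrgPerson, set $UserClass to "user", otherwise the ACE will never apply to the objects PWM actually modifies.

```powershell
# Added example: grant the PWM proxy account write access to the objectClass
# attribute on descendant user objects, then verify the resulting ACE.
# The OU path, proxy account name and object class are placeholders/assumptions.
Import-Module ActiveDirectory

$TargetOU  = "OU=People,DC=example,DC=com"   # container the PWM users live under (placeholder)
$ProxyUser = "svc-pwm"                       # PWM proxy account (placeholder)
$UserClass = "inetOrgPerson"                 # as in the thread; use "user" for default AD accounts

# ACEs are keyed on schemaIDGUIDs, not on names, so resolve both from the schema NC.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID          # schemaIDGUID is returned as byte[]
}
$objectClassAttrGuid = Get-SchemaGuid "objectClass"
$userClassGuid       = Get-SchemaGuid $UserClass

$proxySid = (Get-ADUser -Identity $ProxyUser).SID

# Allow WriteProperty on exactly one attribute (objectClass), inherited only by
# descendant objects of $UserClass. No GenericWrite, no rights on the OU itself.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $proxySid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $objectClassAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show the ACEs for the proxy account on this OU that reference objectClass.
Get-Acl -Path "AD:\$TargetOU" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$ProxyUser" -and $_.ObjectType -eq $objectClassAttrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType -AutoSize
```

Scoping the ACE to a single attribute and a single inherited object class is the least-privilege shape of the permission the thread asks for; a proxy account that can rewrite objectClass on every object under an OU is a far bigger grant than PWM needs.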

Ricardo Ramos

Feb 10, 2021, 6:27:49 AM2/10/21
to pwm-general
Adrian Bettesworth

How did you import the ldif files?

I tried

    ldifde -b xpto, W2K19-AD.xptosolutions.com.br * -i -f AD-schema.ldif -j C:\SOFTWARE -c "dc=x"

and I get

    Invalid Parameter: Requires 'From DN' and 'To DN'

Adrian Bettesworth

Feb 10, 2021, 6:50:00 AM2/10/21
to pwm-g...@googlegroups.com
The ldif file for AD has pretty decent command example at the top of the file. I ran exactly that command replacing the bit specific for my domain. You need to run the command from an admin command prompt from the same directory the ldif file resides.
The command I ran was: ldifde -i -f AD-schema.ldif -c "DC=x" "dc=xxxxx,dc=xxxxx" (replace the xxxxx with your domain name elements).


Ricardo Ramos

Feb 11, 2021, 9:03:36 AM2/11/21
to pwm-general
I was running this command: ldifde -i -f AD-schema.ldif -c "DC=x" "dc=my,dc=domain,dc=br"
with my user that has administrator privileges in the domain, and I was getting this error

Logging in as current user using SSPI
Importing directory from file "AD-schema.ldif"
Loading entries.
Add error on entry starting on line 20: Insufficient Rights
The server side error is: 0x5 Access is denied.
The extended server error is:
00000005: SecErr: DSID-031528D2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

Then I logged in as Administrator and, with the same command: ldifde -i -f AD-schema.ldif -c "DC=x" "dc=my,dc=domain,dc=br"
it worked :)

Adrian Bettesworth

Feb 11, 2021, 1:43:15 PM2/11/21
to pwm-g...@googlegroups.com
Make sure the user you are using is a member of the Schema Admins group. By default domain admins are not so you might need to add yourself to that group. 

On 11 Feb 2021, at 14:03, Ricardo Ramos <rjgr...@gmail.com> wrote:
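
A pre-flight check for the schema import, added here as an example and not part of this thread or of the PWM distribution. It confirms the current logon token carries Schema Admins membership (the INSUFF_ACCESS_RIGHTS error above is what you get without it), targets the schema master explicitly since schema writes are only accepted there, and keeps the -j log that ldifde's error output asks for. The file name AD-schema.ldif and the -c "DC=x" substitution are taken from the thread; the domain DN is a placeholder.

```powershell
# Added example: pre-flight checks before importing the PWM AD schema with ldifde.
# The domain DN is a placeholder; the ldif file name and -c mapping are from the thread.
Import-Module ActiveDirectory

$DomainDN = "DC=example,DC=com"                  # placeholder, replace with your own
$LdifFile = "AD-schema.ldif"                     # run from the directory that holds this file
$LogDir   = Join-Path (Get-Location) "ldifde-logs"

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster             # 1. schema changes must go to the schema master

# 2. Schema Admins lives in the forest root domain; Domain Admins alone is not enough.
$schemaAdminsSid = (Get-ADGroup "Schema Admins" -Server $forest.RootDomain).SID
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ($me.Groups -contains $schemaAdminsSid)) {
    Write-Warning "$($me.Name) is not in Schema Admins in the current token; the import will fail with INSUFF_ACCESS_RIGHTS."
    Write-Warning "Add the account (Add-ADGroupMember 'Schema Admins' -Members <account>) and log off/on so the new group SID is in the token."
    return
}

# 3. Import with a log directory (-j) so failures are recorded, not just printed.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
ldifde -i -f $LdifFile -s $schemaMaster -c "DC=x" $DomainDN -j $LogDir
```

The membership test reads the group SIDs from the live token rather than from AD, which is why it catches the common case of an account that was added to Schema Admins but has not logged on again since.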
