[pwm-general] Help with 389 DS and Sun Directory Server


Joshua Ellsworth

Jul 26, 2011, 2:31:39 PM7/26/11
to pwm-g...@googlegroups.com
I'm having trouble getting PWM to work with either Sun or 389 DS. I have created the pwmUser objectClass and it gets added to the user object correctly. However, when I try to save my challenge question responses I get the following error:

An error occurred during the save of your response questions. Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (error writing user responses to ldap attribute 'pwmResponseSet': [LDAP: error code 50 - Insufficient 'write' privilege to the 'pwmResponseSet' attribute of entry 'uid=jellsworth,ou=xxxxx,ou=people,dc=example,dc=com'.]) } 

I have a wide open ACI that I set up for testing that should allow the user to do anything they want. Any idea why this doesn't work on either LDAP backend?

Thanks!

Josh

Menno Pieters

Jul 26, 2011, 2:57:19 PM7/26/11
to pwm-g...@googlegroups.com
Hi Joshua,

To whom is this ACI open? It should be open to the user, since PWM will (normally) set the pwmResponseSet with the user's own credentials, unless you have configured PWM to always use the proxy user.

You could take a look at the access and error logs, which should be in <instance-dir>/log/ (slapd-<instance-name>/log/). If the log level is high enough you should be able to see what PWM is trying to do and with whose rights, and modify your ACI accordingly.

Regards,

Menno Pieters
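
Menno's suggestion above, worked through as a small script (an added example, not part of this thread or of PWM): it walks the directory access log, remembers which DN each connection bound as, and pairs every failing write with that identity, which is exactly what tells you whether the end user or the proxy user needs the ACI. The log lines are constructed for illustration; the layout follows the 389 DS access log (conn=/op= tokens, RESULT err=), and Sun DS logs the same tokens with an extra msgId field. The proxy DN cn=pwm-proxy,ou=services,dc=example,dc=com is an assumption. Note that the access log names the entry but not the attribute being modified; the attribute comes from PWM's own error text or the DS error log.

```python
"""Correlate directory access-log lines so each failing write shows the DN that
connection authenticated as.  Added example (not PWM or 389 DS code); the sample
lines are constructed and the proxy DN cn=pwm-proxy,... is an assumption."""
import re
from dataclasses import dataclass

# LDAP result codes behind the two error texts quoted in this thread.
LDAP_ERR = {
    50: "insufficientAccessRights: no ACI grants the bound DN this right",
    65: "objectClassViolation: attribute not allowed by the entry's object classes",
}

# 389 DS: "... conn=12 op=1 MOD dn=...".  Sun DS inserts "msgId=N - " after op=N.
TOKEN_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+)(?: msgId=\d+ -)? (?P<rest>.*)')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
WRITE_OPS = ('MOD ', 'ADD ', 'DEL ', 'MODRDN ')

@dataclass
class Failure:
    conn: str
    op: str
    bound_as: str   # DN the connection was bound as ("" means anonymous)
    operation: str  # MOD, ADD, DEL or MODRDN
    target: str     # entry DN the operation touched
    err: int

    def advice(self):
        who = self.bound_as or "anonymous"
        what = LDAP_ERR.get(self.err, f"LDAP error {self.err}")
        return f"conn={self.conn} op={self.op}: {self.operation} on {self.target} as {who} -> {what}"

def correlate(lines):
    """Walk the log in order, remembering the bind DN per connection, and return
    one Failure for every write operation whose RESULT carried a non-zero err."""
    bound = {}      # conn -> DN currently authenticated on that connection
    pending = {}    # (conn, op) -> (operation, target DN) awaiting its RESULT line
    failures = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue   # connection open/close lines carry no op= token
        conn, op, rest = m.group('conn'), m.group('op'), m.group('rest')
        dn = DN_RE.search(rest)
        line_dn = dn.group('dn') if dn else ''
        if rest.startswith('BIND '):
            pending[(conn, op)] = ('BIND', line_dn)
        elif rest.startswith(WRITE_OPS):
            pending[(conn, op)] = (rest.split(' ', 1)[0], line_dn)
        elif rest.startswith('RESULT '):
            e = ERR_RE.search(rest)
            err = int(e.group('err')) if e else -1
            kind, target = pending.pop((conn, op), (None, ''))
            if kind == 'BIND':
                bound[conn] = target if err == 0 else ''  # failed bind leaves it anonymous
            elif kind is not None and err != 0:
                failures.append(Failure(conn, op, bound.get(conn, ''), kind, target, err))
        elif rest.startswith('UNBIND'):
            bound.pop(conn, None)
    return failures

# Constructed sample: the proxy user's MOD (adding the pwmUser class) and the
# end user's MOD (writing pwmResponseSet) both come back err=50.
SAMPLE_LOG = """\
[26/Jul/2011:14:31:02 -0400] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.10
[26/Jul/2011:14:31:02 -0400] conn=12 op=0 BIND dn="cn=pwm-proxy,ou=services,dc=example,dc=com" method=128 version=3
[26/Jul/2011:14:31:02 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=pwm-proxy,ou=services,dc=example,dc=com"
[26/Jul/2011:14:31:02 -0400] conn=12 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=jellsworth)" attrs=ALL
[26/Jul/2011:14:31:02 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Jul/2011:14:31:03 -0400] conn=12 op=2 MOD dn="uid=jellsworth,ou=xxxxx,ou=people,dc=example,dc=com"
[26/Jul/2011:14:31:03 -0400] conn=12 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[26/Jul/2011:14:31:03 -0400] conn=13 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.10
[26/Jul/2011:14:31:03 -0400] conn=13 op=0 BIND dn="uid=jellsworth,ou=xxxxx,ou=people,dc=example,dc=com" method=128 version=3
[26/Jul/2011:14:31:03 -0400] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jellsworth,ou=xxxxx,ou=people,dc=example,dc=com"
[26/Jul/2011:14:31:04 -0400] conn=13 op=1 MOD dn="uid=jellsworth,ou=xxxxx,ou=people,dc=example,dc=com"
[26/Jul/2011:14:31:04 -0400] conn=13 op=1 RESULT err=50 tag=103 nentries=0 etime=0
"""

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f.advice())
```

Run it against a real access log with `correlate(open(path))`; with the 389 DS default log level only the conn/op lines above are needed, no extra verbosity.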

Jason Rivard

Jul 26, 2011, 2:59:47 PM7/26/11
to pwm-g...@googlegroups.com
Try connecting with an LDAP browser like Apache Directory Studio or the like. Connect as the user and try to set/modify the pwmResponseSet attribute.

That should be all PWM is doing at that point. The error in your trace is coming from the LDAP server, so I can't really tell you why.

-Jason

Joshua Ellsworth

Jul 27, 2011, 10:28:22 AM7/27/11
to pwm-g...@googlegroups.com
You folks are great. I hadn't noticed that it was trying to set that attribute as the user, so I was editing the wrong ACI.

Allowing the user the rights to change that attribute did the trick perfectly.

pethams

Aug 29, 2011, 4:43:16 PM8/29/11
to pwm-general
I am having a similar issue:

Please contact your administrator. { 5045 ERROR_WRITING_RESPONSES (error writing user responses to ldap attribute 'pwmResponseSet': [LDAP: error code 65 - attribute "pwmResponseSet" not allowed ]) }

I do see that the objectClass for the user accounts does not have pwmUser, and the attribute pwmResponseSet is part of this objectClass. Do I have to recreate all the user accounts with this 'pwmUser' class?

thanks

Jason Rivard

Aug 29, 2011, 4:47:08 PM8/29/11
to pwm-g...@googlegroups.com
PWM will try to append the object class 'pwmUser' (configurable under LDAP settings) upon login. It's defined as an auxiliary class, so you can add it to existing user classes without recreating the entry. If you set the log level to trace, you'll probably see an LDAP error when PWM tries to add the object class, probably because the proxy user lacks rights.
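
The two errors in this thread map onto two ACIs: the err=50 case needs the end user (PWM binds as the user for that write) to have write on pwmResponseSet, and the err=65 case needs the proxy user to have write on objectClass so it can append the auxiliary class pwmUser at login. Below is an added example, not PWM project code, that builds those ACIs in 389 DS / Sun DS v3.0 syntax, wraps them in LDIF, and produces the by-hand probe Jason suggests. The suffix ou=people,dc=example,dc=com, the proxy DN cn=pwm-proxy,ou=services,dc=example,dc=com and the ldap://ds.example.com host are assumptions; the user DN is the one from the error in this thread.

```python
"""Build the two 389 DS / Sun DS ACIs that the errors in this thread call for.
Added example, not PWM project code.  Suffix, proxy DN and host are assumptions."""
import shlex

SUFFIX = "ou=people,dc=example,dc=com"                          # assumed: where user entries live
PROXY_DN = "cn=pwm-proxy,ou=services,dc=example,dc=com"         # assumed: PWM's proxy bind DN
USER_DN = "uid=jellsworth,ou=xxxxx,ou=people,dc=example,dc=com"  # DN quoted in the thread's error
HOST = "ldap://ds.example.com"                                  # assumed directory URI

def build_aci(name, targetattr, rights, bindrule):
    """Compose one v3.0 ACI.  targetattr is a list of attribute names, rights a
    list such as ["write"], bindrule a complete bind rule like userdn = "ldap:///self"."""
    attrs = " || ".join(targetattr)
    return (f'(targetattr = "{attrs}")'
            f'(version 3.0; acl "{name}"; '
            f'allow ({",".join(rights)}) {bindrule};)')

# err=50 on pwmResponseSet: the write is done bound as the user, so grant the user
# (ldap:///self) write on that attribute, and nothing else.
SELF_WRITE_ACI = build_aci(
    "PWM users write their own challenge responses",
    ["pwmResponseSet"], ["write"], 'userdn = "ldap:///self"')

# err=65 "attribute pwmResponseSet not allowed": the entry lacks the auxiliary class
# pwmUser.  PWM adds it bound as the proxy user, which therefore needs write on
# objectClass.  Placing the ACI on SUFFIX scopes it to the user subtree only.
PROXY_OBJECTCLASS_ACI = build_aci(
    "PWM proxy adds the pwmUser auxiliary class",
    ["objectClass"], ["write"], f'userdn = "ldap:///{PROXY_DN}"')

def aci_ldif(target_dn, acis):
    """LDIF that adds the given ACIs to target_dn; they apply to its whole subtree."""
    body = "\n".join(f"aci: {a}" for a in acis)
    return f"dn: {target_dn}\nchangetype: modify\nadd: aci\n{body}\n"

def response_set_probe_ldif(user_dn, value="test-probe"):
    """The same modify PWM performs, for trying by hand bound as the user.
    It REPLACES the stored response set, so only run it against a test account."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"replace: pwmResponseSet\npwmResponseSet: {value}\n")

def ldapmodify_argv(host, bind_dn, ldif_path, password_file):
    """OpenLDAP ldapmodify invocation: -x simple bind, -D bind DN, -y password
    from a file (keeps it out of the process list), -H URI, -f LDIF file."""
    return ["ldapmodify", "-x", "-H", host, "-D", bind_dn,
            "-y", password_file, "-f", ldif_path]

if __name__ == "__main__":
    # 1. Apply the ACIs as Directory Manager.
    print(aci_ldif(SUFFIX, [SELF_WRITE_ACI, PROXY_OBJECTCLASS_ACI]))
    print(shlex.join(ldapmodify_argv(HOST, "cn=Directory Manager", "pwm-aci.ldif", "dm.pw")))
    # 2. Re-test the failing write bound as the user, as Jason suggests.
    print(response_set_probe_ldif(USER_DN))
    print(shlex.join(ldapmodify_argv(HOST, USER_DN, "probe.ldif", "user.pw")))
```

After applying the ACIs, run the probe bound as the user: a clean result means the ACI fix is in place, while err=50 again means the aci attribute landed on the wrong entry or the bind DN is not the one PWM actually uses (check the access log). Rights granted this way are not cumulative with a "wide open" ACI that names the wrong identity, which is why the original test ACI did not help.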

Joshua Ellsworth

Aug 29, 2011, 4:47:13 PM8/29/11
to pwm-g...@googlegroups.com
My solution was to add rights to those attributes to the appropriate ACL.

Let me know if you aren't sure how to do that and I'll send what I have as ACLs.

pschakr...@gmail.com

Sep 21, 2012, 8:50:58 AM9/21/12
to pwm-g...@googlegroups.com
Josh,

Can you please help me in setting up ACLs to get pwmResponseSet updated?

Regards
Chakri

Joshua Ellsworth

Sep 21, 2012, 9:16:12 AM9/21/12
to pwm-g...@googlegroups.com
Hi Chakri,

We migrated off Sun early this year. My 389 DS install doesn't seem to specify anything in regards to users self-writing the pwm attributes - I guess I'm not sure why it's working.

I'm sorry I can't be more help.

Josh


To view this discussion on the web visit https://groups.google.com/d/msg/pwm-general/-/Agz2e9dVXNYJ.