LDAP: error code 50 - Insufficient Access Rights


WeiXuan Wu

Dec 10, 2021, 1:56:25 AM
to pwm-general
I installed pwm-1.7.0 in tomcat 8.5.73.
After I finished configuring pwm, I wanted to change a user's password, and it said:

Unexpected error. If this error occurs repeatedly please contact your helpdesk. { 5015 ERROR_UNKNOWN (error setting password for user 'uid=XXX,ou=people,dc=XXXX,dc=com'' [LDAP: error code 50 - Insufficient Access Rights]) }

Here is my pwm setting:

LDAP Proxy User:
cn=ldapadm,dc=XXXXXX,dc=com (this is the user I log in to ldapadmin with)

Administrator Query String
(objectClass=pwmUser)

By the way, I already gave the user the objectClass value pwmUser.

What can I do?

Jason Rivard

Dec 12, 2021, 4:56:36 PM
to pwm-general
You appear to have a rights issue with your LDAP directory. You didn't mention which directory product you're using. Your proxy user needs permission to reset user passwords.

WeiXuan Wu

Dec 12, 2021, 9:28:35 PM
to pwm-general
Hi Jason Rivard,

How can I create a proxy user with enough permissions to reset user passwords?
Right now I only have this one admin user, "ldapadmin"; it's the user I log in to ldapadmin with, and it can change user passwords.
I created it as below:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=XXXldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=XXXXldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}tGRcL01nQz+31wErYS4LfMtclJ
On Monday, December 13, 2021 at 5:56:36 AM [UTC+8], Jason Rivard wrote:

jason.e...@gmail.com

Dec 13, 2021, 10:32:25 AM
to pwm-general
You need to create a new user and give them rights. Something like the below would allow the new user (pwmsvc) to change/reset passwords and also update other attributes for all users under the ou=people,dc=example,dc=com subtree. This example is used for another piece of software I test on OpenLDAP and *should* work for pwm as well.

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=pwmsvc,dc=example,dc=com" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to dn.subtree="ou=people,dc=example,dc=com" by dn="cn=pwmsvc,dc=example,dc=com" write
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=pwmsvc,dc=example,dc=com" read by self read by * none

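As an added illustration (not code from the post, pwm or OpenLDAP), here is a small Python model of how slapd walks the posted olcAccess values, so the effective rights of pwmsvc, an anonymous bind, a user on their own entry and an unrelated user can be checked against userPassword before the LDIF is loaded. It supports only the keywords that appear in the posted rules and simplifies `dn=` to an exact match.

```python
"""Simplified model of OpenLDAP olcAccess evaluation (added example, not slapd's own code)."""
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]  # slapd order

# Constructed input: the four olcAccess values from the post, one string per value.
POSTED_ACL = [
    'to attrs=userPassword,shadowLastChange by dn="cn=pwmsvc,dc=example,dc=com" write by '
    'dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to dn.subtree="ou=people,dc=example,dc=com" by dn="cn=pwmsvc,dc=example,dc=com" write',
    'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write '
    'by dn="cn=pwmsvc,dc=example,dc=com" read by self read by * none',
]

def _norm(dn):  # case/space-insensitive DN comparison; None (anonymous) becomes ""
    return ",".join(p.strip().lower() for p in (dn or "").split(","))

def _what_matches(what, target_dn, attr):  # 'what' = text between 'to' and the first 'by'
    for tok in what.split():
        key, _, raw = tok.partition("=")
        val = _norm(raw.strip('"'))
        if key == "attrs" and (attr is None or attr.lower() not in val.split(",")):
            return False  # entry-level operations (attr None) never match an attrs= clause
        elif key in ("dn", "dn.base", "dn.exact") and _norm(target_dn) != val:
            return False  # 'dn=' treated as an exact match here (simplification)
        elif key == "dn.subtree" and val and not ("," + _norm(target_dn) + ",").endswith("," + val + ","):
            return False
    return True  # '*' (or an empty subtree base) matches every entry

def _who_matches(who, requester, target_dn):
    key, _, val = who.partition("=")
    if who in ("*", "anonymous", "self"):
        return {"*": True, "anonymous": requester is None,
                "self": requester is not None and _norm(requester) == _norm(target_dn)}[who]
    # 'dn=' is treated as exact here (simplification); any unsupported keyword fails closed
    return key in ("dn", "dn.exact") and requester is not None and _norm(requester) == _norm(val.strip('"'))

def access_level(acl, requester, target_dn, attr=None):  # requester None = anonymous bind
    for rule in acl:  # the first 'to' clause matching the target decides, as in slapd
        what, *by_clauses = rule.split(" by ")
        if not _what_matches(what[len("to "):], target_dn, attr):
            continue
        for clause in by_clauses:  # the first matching 'by' clause sets the level
            who, level = clause.rsplit(" ", 1)
            if _who_matches(who, requester, target_dn):
                return level
        return "none"  # 'to' matched but no 'by' did: slapd stops here and denies
    return "none"

def allows(level, needed):  # slapd levels are cumulative: write implies read, and so on
    return LEVELS.index(level) >= LEVELS.index(needed)
```

With the posted rules, pwmsvc and the entry owner get `write` on userPassword, an anonymous bind gets only `auth` (enough to bind, not to read the hash), and any other authenticated user falls through to `by * none`.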