I'm migrating from the internal user data store to external with Sun Directory Server as the LDAP backend and I'm unable to provision new users. I use unidssearch to list the unprovisioned accounts and it lists the user I'd like to provision. I then execute 'uniuser -user -add "DID=uid=testy,ou=People,dc=domain,dc=com" -n 10' which returns an Insufficient access right error. When I look at das.log I see the following entry...
DATE = Thu May 10 10:25:09 2007
PID = 440; TID = 1095888896
LOG TYPE -> DEBUG
FUNCTION NAME -> ctldap_CalUserUpdateByDirectoryId
o: Domain Corporation
This entry tells me that uniuser is trying to do an LDAP_ADD on an existing object in the directory when it should do an LDAP_MODIFY.
Does anyone know why this is?
This might be just an error in the logging.
Did you grant the proper access right to the calendar administrator account?
Can you also check the directory server access log and verify whether the operation indeed returns insufficient access right?
I set the writedn and writednpassword to the Directory Manager user/password, though I just came across the dir_usewritednforadmin directive which is not set. I figured setting the writedn and password should have been all that I needed to do. Granted I'd rather not have the calendar access the directory as the manager, I was just testing to see if it actually worked.
When you run the uniuser -add, do you authenticate as the node calendar administrator (SYSOP) or as an end user who has been granted some access right? If it's the sysop entry, then you don't need to set the "writedn..." parameters.
Simply grant the sysop entry some access right to be able to perform some modification in the directory. I believe there should be documentation on what access rights are required for these entries. The directory server access log is always useful to find out whom the operation is performed as.
The unidsacisetup(8) command can be used to add the ACI for Sun Directory Server. The ACI it sets is a little too loose for my liking so I modified it slightly.
(target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calendar Administrators Group"; allow(all) groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)
(target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calendar Administrators Group"; allow(read,write,compare) groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)
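As an added example, not part of the thread or of Oracle's tooling: a small Python audit that parses Sun Directory Server v3.0 ACI values of the shape shown above out of an LDIF export and flags the over-broad grants the poster tightened. The export text is constructed from the two ACIs posted (with LDIF line folding), and the finding codes are assumptions of this example, not anything the directory server emits.

```python
import re

# Shape of a single-clause Sun DS v3.0 ACI, as in the two values posted above.
# Assumption: one allow/deny clause per ACI; multi-clause ACIs are rejected by parse_aci.
ACI_RE = re.compile(
    r'\(target\s*=\s*"(?P<target>[^"]*)"\)\s*'
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)\s*'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*(?P<bind>[^;]*);\s*\)',
    re.IGNORECASE,
)

def parse_aci(aci):
    """Split one ACI string into target, attribute filter, permissions and bind rule."""
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("unrecognised ACI syntax: " + aci)
    parts = m.groupdict()
    parts["perms"] = frozenset(p.strip().lower() for p in parts["perms"].split(",") if p.strip())
    return parts

def audit_aci(aci):
    """Return the set of finding codes for an ACI; an empty set means nothing was flagged."""
    a = parse_aci(aci)
    findings = set()
    if a["effect"].lower() != "allow":
        return findings                     # deny rules only restrict, nothing to flag
    if "all" in a["perms"]:
        findings.add("ALL_PERMS")           # every permission instead of an explicit list
    if a["targetattr"].strip() == "*" and a["perms"] & {"all", "write", "add", "delete"}:
        findings.add("ALL_ATTRS_WRITABLE")  # modify rights on every attribute under the target
    if "anyone" in a["bind"].lower():
        findings.add("ANONYMOUS_BIND")      # rights granted to unauthenticated binds
    return findings

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) back onto the preceding line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def audit_export(ldif_text):
    """Audit every aci: value in an LDIF export, in the order they appear."""
    return [audit_aci(line[4:]) for line in unfold_ldif(ldif_text) if line.startswith("aci:")]

# Constructed sample in the shape of an LDIF export of the suffix's aci values:
# the unidsacisetup(8) ACI first, then the tightened one.
SAMPLE_EXPORT = """dn: dc=domain,dc=com
aci: (target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calend
 ar Administrators Group"; allow(all) groupdn = "ldap:///cn=OracleCalendarAdminGroup,o
 u=OracleCalendar,dc=domain,dc=com";)
aci: (target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calendar Administrators Group"; allow(read,write,compare) groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)
"""
```

Run against a real export the tightened ACI still reports ALL_ATTRS_WRITABLE, since targetattr = "*" remains; narrowing it to the calendar-specific attributes would clear that finding.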