4 Replies Latest reply on May 14, 2007 9:15 PM by 576963

    User provisioning with Sun Directory Server

      I'm migrating from the internal user data store to external with Sun Directory Server as the LDAP backend and I'm unable to provision new users. I use unidssearch to list the unprovisioned accounts and it lists the user I'd like to provision. I then execute 'uniuser -user -add "DID=uid=testy,ou=People,dc=domain,dc=com" -n 10' which returns an Insufficient access right error. When I look at das.log I see the following entry...

      DATE = Thu May 10 10:25:09 2007
      PID = 440; TID = 1095888896
      FUNCTION NAME -> ctldap_CalUserUpdateByDirectoryId
      dn: uid=testy,ou=People,dc=domain,dc=com
      changetype: add
      ctCalXItemId: 00010:00500
      o: Domain Corporation
      objectClass: ctCalUser

      This entry tells me that uniuser is trying to do an LDAP_ADD on an existing object in the directory when it should do an LDAP_MODIFY.

      Does anyone know why this is?
        • 1. Re: User provisioning with Sun Directory Server
          This might be just an error in the logging.

          Did you grant the proper access right to the calendar administrator account?
          Can you also check the directory server access log and verify whether the operation indeed returns insufficient access right?
          • 2. Re: User provisioning with Sun Directory Server
            I set the writedn and writednpassword to the Directory Manager user/password, though I just came across the dir_usewritednforadmin directive which is not set. I figured setting the writedn and password should have been all that I needed to do. Granted, I'd rather not have the calendar access the directory as the manager; I was just testing to see if it actually worked.
            • 3. Re: User provisioning with Sun Directory Server
              When you run the uniuser -add, do you authenticate as the node calendar administrator (SYSOP) or as an end user who has been granted some access right? If it's the sysop entry, then you don't need to set the "writedn..." parameters.

              Simply grant the sysop entry some access right to be able to perform some modification in the directory. I believe there should be documentation on what access rights are required for these entries. The directory server access log is always useful to find out whom the operation is performed as.
              • 4. Re: User provisioning with Sun Directory Server
                The unidsacisetup(8) command can be used to add the ACI for Sun Directory Server. The ACI it sets is a little too loose for my liking, so I modified it slightly.

                (target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calendar Administrators Group"; allow(all) groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)

                (target="ldap:///dc=domain,dc=com") (targetattr = "*") (version 3.0; acl "Calendar Administrators Group"; allow(read,write,compare) groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)
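An added example (not code from the thread or from the Oracle Calendar tools): a small Python checker for Sun Directory Server ACIs of the single-target, single-bind-rule shape shown above. It parses the two ACIs from the last reply and reports where an ACI grants more than a provisioning account needs; the review thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass

# The two ACIs posted in the last reply (default from unidsacisetup, then the tightened one).
ACI_DEFAULT = (
    '(target="ldap:///dc=domain,dc=com") (targetattr = "*") '
    '(version 3.0; acl "Calendar Administrators Group"; allow(all) '
    'groupdn = "ldap:///cn=OracleCalendarAdminGroup,ou=OracleCalendar,dc=domain,dc=com";)'
)
ACI_TIGHT = ACI_DEFAULT.replace("allow(all)", "allow(read,write,compare)")

# Grammar of a Sun DS ACI with one target, one targetattr, one permission clause
# and one bind rule, i.e. exactly the shape the thread shows.
ACI_RE = re.compile(
    r'\(target\s*=\s*"(?P<target>[^"]*)"\)\s*'
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)\s*'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<bind>\w+)\s*=\s*"(?P<subject>[^"]*)"\s*;\s*\)'
)


@dataclass(frozen=True)
class Aci:
    target: str
    targetattr: str
    name: str
    effect: str
    perms: frozenset
    bind: str
    subject: str


def parse_aci(text: str) -> Aci:
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unrecognised ACI syntax")
    perms = frozenset(p.strip().lower() for p in m["perms"].split(",") if p.strip())
    return Aci(m["target"], m["targetattr"], m["name"], m["effect"], perms, m["bind"], m["subject"])


def review_aci(text: str) -> list:
    """Return findings (strings) describing where an allow ACI is broader than it needs to be."""
    aci = parse_aci(text)
    findings = []
    if aci.effect != "allow":
        return findings
    if "all" in aci.perms:  # in Sun DS, all = every right except proxy, so add/delete/selfwrite too
        findings.append("allow(all): grants add, delete and selfwrite as well as read/write/compare")
    if "proxy" in aci.perms:
        findings.append("proxy: lets the subject bind as other users")
    if aci.targetattr == "*":
        findings.append('targetattr "*": covers every attribute, userPassword included')
    # A target with only suffix components (e.g. dc=domain,dc=com) applies to the whole suffix.
    if len(aci.target.removeprefix("ldap:///").split(",")) <= 2:
        findings.append("target is the suffix root rather than the calendar users' subtree")
    return findings
```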