I set up Self Service Password Tool. https://ltb-project.org/documentation/self-service-password. I configured a bind DN for password reset.
$ldap_binddn = "cn=proxyagent,ou=profile,dc=mycompany,dc=com"; $ldap_bindpw = "mypassword"; I'm getting "Password was refused by the LDAP directory (Insufficient access rights )" error when resetting a user's password. If I change the $ldap_binddn to "Directory Manager", it works. I then added the "cn=proxyagent,ou=profile,dc=mycompany,dc=com" to "PD Managers" group with ACI: ldapsearch -x -LLL -H ldap://server.mycompany.com:389 -s base -b 'ou=People,dc=mycompany,dc=com' aci dn: ou=People,dc=mycompnay,dc=com aci: (targetattr=*")(targetfilter ="(ou=People)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups ,dc=mycompany,dc=com");) ldapsearch -x -LLL -H ldap://server.mycompnay.com:389 -s base -b 'cn=PD Managers,ou=Groups,dc=mycompany,dc=com' uniquemember dn: cn=PD Managers,ou=Groups,dc=mycompany,dc=com uniquemember: cn=Directory Manager uniquemember: cn=proxyagent,ou=profile,dc=mycompany,dc=com The "PD Managers" group has ACI to allow write for ou=People for all attributes. The proxyagent is member of the group. Why binding proxyagent results in "Insufficient Access Right"? _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
