Knowledge Partner

Minimum ACL rights to write to nspmDistributionPassword?

Have a client who uses minimal rights in each driver. Bit painful, but
smart! Very hard to screw up stuff you cannot touch.

Now adding passwords to one driver, getting a 222 on password set.
validated the value in:
<add-attr attr-name="nspmDistributionPassword"><!-- content suppressed -->
</add-attr>

is valid per policy, and works when set in iManager. NMAS trace shows only:

10:20:02 62CC0940 NMAS: ERROR: -222 Failed set distribution password for spumpkin.People.acme.com
10:20:02 62CC0940 NMAS: ERROR: -16049 Failed get distribution password for spumpkin.People.acme.com

I am wondering if it is a permission issue. I will test with All
Attributes rights, but I need to be able to filter it down.

nspmDistributionPassword is not available to select to add W rights
to... (I know it is hidden, as is nspmPassword and Private Key) but
how do we grant the right, minimally?

Anonymous_User Absent Member.

Re: Minimum ACL rights to write to nspmDistributionPassword?

Try the 'Password Management' pseudo-attribute, perhaps.

Good luck.
Knowledge Partner

Re: Minimum ACL rights to write to nspmDistributionPassword?


> Try the 'Password Management' pseudo-attribute, perhaps.


That is where I am leaning. Looks like W rights.

Thought maybe nspmPasswordACL but that looks like it is the list of DNs
that can retrieve passwords and belongs on a password policy.

Knowledge Partner

Re: Minimum ACL rights to write to nspmDistributionPassword?

On Fri, 23 Mar 2012 14:37:48 +0000, Geoffrey Carman wrote:

> nspmDistributionPassword is not available to select to add W rights
> to...


Set the ACL on the "password management" pseudo attribute, and they'll
have rights to set passwords.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

Knowledge Partner

Re: Minimum ACL rights to write to nspmDistributionPassword?

On 3/23/2012 11:30 AM, David Gersic wrote:
> On Fri, 23 Mar 2012 14:37:48 +0000, Geoffrey Carman wrote:
>
>> nspmDistributionPassword is not available to select to add W rights
>> to...
>
> Set the ACL on the "password management" pseudo attribute, and they'll
> have rights to set passwords.


Interestingly Sec Equals Admin is not working either! So something is
up. S to the container is not sufficing? What else could it be?


Anonymous_User Absent Member.

Re: Minimum ACL rights to write to nspmDistributionPassword?

Is your Universal Password (UP) policy set up to allow admins to retrieve
password?

Good luck.
Knowledge Partner

Re: Minimum ACL rights to write to nspmDistributionPassword?

> Is your Universal Password (UP) policy set up to allow admins to retrieve
> password?


Yes.

And we are getting nothing back.


Knowledge Partner

Re: Minimum ACL rights to write to nspmDistributionPassword?

So Password Management attribute suffices to get the rights.

However my issue was more interesting.

While the password policy enabled UP, and synced to DP, it was NOT set
to "Allow Users to change password".

IDM's password change comes through as a user change, not an Admin
change, so set that way, IDM cannot set the password.

Changed it and it worked. Go figure.

On 3/23/2012 10:37 AM, Geoffrey Carman wrote:
> Have a client who uses minimal rights in each driver. Bit painful, but
> smart! Very hard to screw up stuff you cannot touch.
>
> Now adding passwords to one driver, getting a 222 on password set.
> validated the value in:
> <add-attr attr-name="nspmDistributionPassword"><!-- content suppressed -->
> </add-attr>
>
> is valid per policy, and works when set in iManager. NMAS trace shows only:
>
> 10:20:02 62CC0940 NMAS: ERROR: -222 Failed set distribution password for spumpkin.People.acme.com
> 10:20:02 62CC0940 NMAS: ERROR: -16049 Failed get distribution password for spumpkin.People.acme.com
>
> I am wondering if it is a permission issue. I will test with All
> Attributes rights, but I need to be able to filter it down.
>
> nspmDistributionPassword is not available to select to add W rights
> to... (I know it is hidden, as is nspmPassword and Private Key) but how
> do we grant the right, minimally?
>
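
Added example, not part of the original thread or of any Novell tooling: a small Python scan of an NMAS trace that rejoins hard-wrapped lines (as in the trace pasted above) and lists the objects whose distribution password set failed, so the two checks the thread arrived at can be applied per object. The line format is assumed from the two trace lines quoted in the thread; the jdoe line is constructed.

```python
import re

# Trace as pasted in the thread (hard-wrapped), plus one constructed line for a
# second, hypothetical user (jdoe) that only shows a failed "get".
SAMPLE_TRACE = """\
10:20:02 62CC0940 NMAS: ERROR: -222 Failed set distribution password for
spumpkin.People.acme.com
10:20:02 62CC0940 NMAS: ERROR: -16049 Failed get distribution password
for spumpkin.People.acme.com
10:21:15 62CC0940 NMAS: ERROR: -16049 Failed get distribution password for jdoe.People.acme.com
"""

# Assumed record layout: time, thread id, "NMAS: ERROR:", code, message, object DN.
STAMP = re.compile(r"^\d{2}:\d{2}:\d{2} [0-9A-Fa-f]+ NMAS: ")
EVENT = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<thread>[0-9A-Fa-f]+) NMAS: ERROR: "
    r"(?P<code>-\d+) Failed (?P<op>set|get) distribution password for (?P<dn>\S+)$"
)

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def failed_sets(text):
    """Return {dn: [error codes]} for objects whose distribution password *set* failed."""
    by_dn = {}
    for rec in unwrap(text):
        m = EVENT.match(rec)
        if m:
            by_dn.setdefault(m["dn"], []).append((m["op"], int(m["code"])))
    return {dn: [code for _, code in evs] for dn, evs in by_dn.items()
            if any(op == "set" for op, _ in evs)}

# The two things the thread ended up checking, in the order they were tried.
CHECKS = ("rights on the 'Password Management' pseudo-attribute",
          "password policy: 'Allow Users to change password'")

if __name__ == "__main__":
    for dn, codes in failed_sets(SAMPLE_TRACE).items():
        print(dn, codes, "-> check:", "; ".join(CHECKS))
```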

