InmaGP Absent Member.

ldap_add: Insufficient access NDS error: no access (-672)

Hi everyone!

I'm very new to managing this software, sorry if I don't explain it well...

I installed eDirectory 9.0 SP4 on Red Hat Enterprise 7.3 on a clean system, with no eDirectory installed and no updates; it is a test environment and there is no active firewall.
I am installing and configuring as the root user.

Then I create a new tree like this:

ndsconfig new -t TREE -a cn=admin.ou=sa.o=cs -n ou=servers.o=system

All is OK.
Then I install iManager 3.0.4 and I add more "ou" and "objects". All runs OK.

But now I want to add a config LDIF file (departments.ldif) with the ldapadd tool like this:

ldapadd -v -H ldap://xxx.xx.x.xxx -v -D cn=admin,ou=users,o=avs -f departments.ldif

And i get this error: ldap_add: Insufficient access (50)
additional info: NDS error: no access (-672)


I did the installation as root and I guess I have the right permissions.
I checked ldap.conf:

cat /etc/openldap/ldap.conf 
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

#TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
URI ldaps://server_IP ldaps://server_IP ldap://server_IP ldaps://server_IP ldap://localhost.localdomain
BASE dc=test,dc=example,dc=domain,dc=com


Any idea where I have to check the permissions?
What could I be doing wrong?

Thanks for any help!
17 Replies
Micro Focus Expert

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 2018-04-13 09:34, InmaGP wrote:
> LDAPADD -V -H LDAP://XXX.XX.X.XXX -V -D CN=ADMIN,OU=USERS,O=AVS -F
> DEPARTMENTS.LDIF


Please don't upper case commands. Case is important.

Add the command line option "-W" to be prompted for your password.
Otherwise ldapadd will do an anonymous bind.

--
Norbert
InmaGP Absent Member.

Re: ldap_add: Insufficient access NDS error: no access (-672)

Thanks for the quick response klasen!!

klasen;2479150 wrote:
On 2018-04-13 09:34, InmaGP wrote:
> LDAPADD -V -H LDAP://XXX.XX.X.XXX -V -D CN=ADMIN,OU=USERS,O=AVS -F
> DEPARTMENTS.LDIF


Please don't upper case commands. Case is important.


I don't use upper case commands anywhere

klasen;2479150 wrote:
Add the command line option "-W" to be prompted for your password.
Otherwise ldapadd will do an anonymous bind.

--
Norbert


If I put the -W, I type the password and I get an SSL error, but I do not need the connection to be secure to load the data.

Thanks anyway!
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

InmaGP wrote:

> klasen;2479150 Wrote:
> > On 2018-04-13 09:34, InmaGP wrote:
> > > LDAPADD -V -H LDAP://XXX.XX.X.XXX -V -D CN=ADMIN,OU=USERS,O=AVS -F
> > > DEPARTMENTS.LDIF

> >
> > Please don't upper case commands. Case is important.

>
> I don't use upper case commands anywhere


"LDAPADD" as quoted above is uppercase, isn't it?

> klasen;2479150 Wrote:
> > Add the command line option "-W" to be prompted for your password.
> > Otherwise ldapadd will do an anonymous bind.

>
> If I put the -W, I type the password and I get an SSL error, but I do
> not need the connection to be secure to load the data.


"-W" is required to prompt for the password (or you can use "-w <password>"
instead) and has nothing to do with enabling SSL. Your server may be configured
to require SSL/TLS for authenticated binds, though, in which case you need to
fix the SSL error in order to use ldapadd successfully.

A common issue is that openldap does not trust your CA, which can be worked
around by prefixing your ldapadd command with "LDAPTLS_REQCERT=never"


--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
InmaGP Absent Member.

Re: ldap_add: Insufficient access NDS error: no access (-672)

lhaeger;2479152 wrote:
InmaGP wrote:

> klasen;2479150 Wrote:
> > On 2018-04-13 09:34, InmaGP wrote:
> > > LDAPADD -V -H LDAP://XXX.XX.X.XXX -V -D CN=ADMIN,OU=USERS,O=AVS -F
> > > DEPARTMENTS.LDIF

> >
> > Please don't upper case commands. Case is important.

>
> I don't use upper case commands anywhere


"LDAPADD" as quoted above is uppercase, isn't it?



I don't write anything in upper case, at least I do not see it, only in klasen's response

Thanks! I checked the -W option and I got confused like I said, sorry for that.

lhaeger;2479152 wrote:
A common issue is that openldap does not trust your CA, which can be worked
around by prefixing your ldapadd command with "LDAPTLS_REQCERT=never"

I will try it, thanks lhaeger!

I got another error now:
ldap_add: Constraint violation (19)
additional info: NDS error: syntax violation (-613)


I'll see if I solve it.
Thanks to all!
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

InmaGP wrote:

> I got another error now:
> *ldap_add: Constraint violation (19)
> additional info: NDS error: syntax violation (-613)*


Can you post the ldif you are trying to import? "syntax violation" can be
several things, e.g. trying to add an attribute that's not part of the listed
object classes or trying to write longer text to a size-limited attribute (e.g.
surname, givenName and fullName are limited to 32, 64 and 127 chars
respectively).

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
InmaGP Absent Member.

Re: ldap_add: Insufficient access NDS error: no access (-672)

lhaeger;2479155 wrote:
InmaGP wrote:

> I got another error now:
> *ldap_add: Constraint violation (19)
> additional info: NDS error: syntax violation (-613)*


Can you post the ldif you are trying to import? "syntax violation" can be
several things, e.g. trying to add an attribute that's not part of the listed
object classes or trying to write longer text to a size-limited attribute (e.g.
surname, givenName and fullName are limited to 32, 64 and 127 chars
respectively).

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)


Hi lhaeger!

This is the section where the error is:



dn: ou=C.G. DEPARTAMENTO DE SALUD DE VALENCIA - CLINICO - MALVARROSA - HOSP MALVARROSA,ou=IS,ou=users,o=cs
objectClass: organizationalUnit
ouTipoCentro: DEPARTAMENTO
ouCodigoCentrodeTrabajo: 0
ouCodigoCategoriaPuestoTrabajo: 0
ouCodigoPuestoTrabajo: 0
ou: C.G. DEPARTAMENTO DE SALUD DE VALENCIA - CLINICO - MALVARROSA - HOSP MALVARROSA


I think it is what you say, I will try to shorten it

Thanks!

EDITED: As you suggested, the problem was the length of the string; I solved it.
Thank you so much!!
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

The OU attribute has a length limit of sixty-four characters per the
schema definition.

On 04/13/2018 03:04 AM, InmaGP wrote:
> C.G. DEPARTAMENTO DE SALUD DE VALENCIA - CLINICO - MALVARROSA - HOSP
> MALVARROSA


attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'OU' X-NDS_LOWER_BOUND '1'
X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )



I do not know if you are just starting out with eDirectory, or with LDAP
too, but if the latter you may want to go download Apache Directory Studio
as it is a great, free, cross-platform LDAP tool that can help with
eDirectory management via LDAP specifically, including viewing the schema
definition via its schema browsing component:
http://directory.apache.org/studio/downloads.html

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

InmaGP wrote:

> I don't write anything in upper case, at least I do not see it, only in
> klasen's response


I just checked in the web interface and there your command is indeed displayed
as bold lower-case text. Norbert and I are using the NNTP interface, which
seems to do some funny bold-to-uppercase conversion I was not aware of.
Sorry for that, will have to keep the different display styles in mind in the
future.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 4/13/2018 4:27 AM, Lothar Haeger wrote:
> InmaGP wrote:
>
>> I don't write anything in upper case, at least I do not see it, only in
>> klasen's response

>
> I just checked in the web interface and there your command is indeed displayed
> as bold lower-case text. Norbert and I are using the NNTP interface, which
> seems to do some funny bold-to-uppercase conversion I was not aware of.
> Sorry for that, will have to keep the different display styles in mind in the
> future.


I had noticed that in the past, and thought it odd. You think it is the
gateway doing it? Neat. Wonder why it does that.


Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 06/10/2018 04:03 PM, Geoffrey Carman wrote:
> On 4/13/2018 4:27 AM, Lothar Haeger wrote:
>> InmaGP wrote:
>>
>> I just checked in the web interface and there your command is indeed
>> displayed
>> as bold lower-case text. Norbert and I are using the NNTP interface, which
>> seems to do some funny bold-to-uppercase conversion I was not aware of.
>> Sorry for that, will have to keep the different display styles in mind
>> in the
>> future.

>
> I had noticed that in the past, and thought it odd. You think it is the
> gateway doing it? Neat. Wonder why it does that.


This is an old thread; we changed the NNTP interface's gateway since then,
maybe because of this thread, to stop doing that because of the problems
with transferring command and output properly.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 6/10/2018 10:44 PM, ab wrote:
> On 06/10/2018 04:03 PM, Geoffrey Carman wrote:
>> On 4/13/2018 4:27 AM, Lothar Haeger wrote:
>>> InmaGP wrote:
>>>
>>> I just checked in the web interface and there your command is indeed
>>> displayed
>>> as bold lower-case text. Norbert and I are using the NNTP interface, which
>>> seems to do some funny bold-to-uppercase conversion I was not aware of.
>>> Sorry for that, will have to keep the different display styles in mind
>>> in the
>>> future.

>>
>> I had noticed that in the past, and thought it odd. You think it is the
>> gateway doing it? Neat. Wonder why it does that.

>
> This is an old thread; we changed the NNTP interface's gateway since then,
> maybe because of this thread, to stop doing that because of the problems
> with transferring command and output properly.


Oh, I was just browsing and thought it was interesting. I thought I was
still seeing it, but maybe I am misremembering.


Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 4/13/2018 4:14 AM, InmaGP wrote:
>
> lhaeger;2479152 Wrote:
>> InmaGP wrote:
>>
>>> klasen;2479150 Wrote:
>>>> On 2018-04-13 09:34, InmaGP wrote:
>>>>> LDAPADD -V -H LDAP://XXX.XX.X.XXX -V -D CN=ADMIN,OU=USERS,O=AVS

>> -F
>>>>> DEPARTMENTS.LDIF
>>>>
>>>> Please don't upper case commands. Case is important.
>>>
>>> I don't use upper case commands anywhere

>>
>> "LDAPADD" as quoted above is uppercase, isn't it?
>>
>>

>
> I don't write anything in upper case, at least I do not see it, only in
> klasen's response
>
> Thanks! I checked the -W option and I got confused like I said, sorry for
> that.
>
> lhaeger;2479152 Wrote:
>> A common issue is that openldap does not trust your CA, which can be
>> worked
>> around by prefixing your ldapadd command with "LDAPTLS_REQCERT=never"
>>

> I will try it, thanks lhaeger!
>
> I got another error now:
> *ldap_add: Constraint violation (19)
> additional info: NDS error: syntax violation (-613)*


A good 613 syntax example is an attribute that has a size constraint of
1-64 where you try to write an empty value; that is a syntax error.

A DN reference (like Group Membership on the User, or Member on the
group object) in LDAP is a cn=object,ou=Someou,o=cs, and if that object
is incorrect or the target does not yet exist, it causes a 613 syntax error,
since a requirement of DN syntax is that the object exists.


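As an added example (not from this thread, nor Micro Focus or eDirectory code): a Python pre-check that reads the ou length bounds from the attributeTypes line ab quoted above and flags LDIF values that fall outside them, covering both the over-length ou from the posted ldif and the empty-value case Geoffrey describes. The schema fragment and LDIF below are constructed for the example; the X-NDS_LOWER_BOUND and X-NDS_UPPER_BOUND names come from the thread.

```python
import re
# Constructed: the ou attributeTypes definition quoted in this thread, unfolded onto one line.
SCHEMA = """\
attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'OU' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' X-NDS_NONREMOVABLE '1' )
"""
# Constructed LDIF: the thread's 79-character ou (folded over two lines) and an empty ou.
SAMPLE_LDIF = """\
dn: ou=C.G. DEPARTAMENTO DE SALUD DE VALENCIA - CLINICO - MALVARROSA - HOSP MALVARROSA,ou=IS,ou=users,o=cs
objectClass: organizationalUnit
ou: C.G. DEPARTAMENTO DE SALUD DE VALENCIA - CLINICO - MALVARROSA
  - HOSP MALVARROSA

dn: ou=Sin nombre,ou=IS,ou=users,o=cs
ou:
"""

def parse_bounds(schema_text):
    """Map each NAME of an attributeTypes line to (X-NDS_LOWER_BOUND, X-NDS_UPPER_BOUND)."""
    bounds = {}
    for line in schema_text.splitlines():
        names = re.search(r"NAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", line)
        lo = re.search(r"X-NDS_LOWER_BOUND\s+'(\d+)'", line)
        hi = re.search(r"X-NDS_UPPER_BOUND\s+'(\d+)'", line)
        if line.startswith("attributeTypes:") and names and lo and hi:
            for name in re.findall(r"'([^']*)'", names.group(0)):
                bounds[name.lower()] = (int(lo.group(1)), int(hi.group(1)))
    return bounds

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry, unfolding RFC 2849 continuation lines."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                    # folded line: drop the leading space
        elif raw.strip():
            lines.append(raw)
        elif lines:
            attrs = [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
            yield attrs[0][1], attrs[1:]            # the first line of an entry is its dn
            lines = []

def check_ldif(ldif_text, bounds):
    """List (dn, attr, reason) for values outside their bounds, i.e. what eDirectory rejects with -613."""
    problems = []
    for dn, attrs in parse_ldif(ldif_text):
        for name, value in attrs:
            lo, hi = bounds.get(name, (0, float("inf")))   # unknown attributes are not checked
            if not lo <= len(value) <= hi:
                problems.append((dn, name, f"length {len(value)} outside {lo}..{hi}"))
    return problems
```

Run it against the real departments.ldif and the server's own attributeTypes export before calling ldapadd, and any value it reports is one the server would refuse.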
InmaGP Absent Member.

Re: ldap_add: Insufficient access NDS error: no access (-672)

InmaGP;2479151 wrote:
Thanks for the quick response klasen!!



I don't use upper case commands anywhere



If I put the -W, I type the password and I get an SSL error, but I do not need the connection to be secure to load the data.

Thanks anyway!



Sorry klasen, you're totally right, I got confused; the -W has nothing to do with secure connections, sorry for that.
Now it works! Thanks so much, I have a lot to learn...
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 04/13/2018 01:54 AM, InmaGP wrote:
>
> If I put the -W, I type the password and I get an SSL error, but I do
> not need the connection to be secure to load the data.


The error you likely received was a note about "Confidentiality required"
because eDirectory requires, by default, that passwords for LDAP
authentication be sent over the wire encrypted, if not using the LDAPS
(LDAP + SSL) port, then using the StartTLS extension over the LDAP port
which negotiates the TLS bit at the application layer (similar to how
other protocols like SMTP can do it). You can disable this requirement,
but generally it is better to just use TLS/SSL from the start so that you
do not accidentally leak the top rights in the tree to a third party:


LDAPTLS_REQCERT=allow /usr/bin/ldapmodify -H ldaps://ip.address.goes.here:636 -D cn=admin,ou=users,o=avs -W -f departments.ldi


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.