Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 04/13/2018 01:41 AM, Norbert Klasen wrote:
> On 2018-04-13 09:34, InmaGP wrote:
>> LDAPADD -V -H LDAP://XXX.XX.X.XXX -V -D CN=ADMIN,OU=USERS,O=AVS -F
>> DEPARTMENTS.LDIF

>
> Please don't upper case commands. Case is important.


The reason it is upper case is because it was made bold in the web
interface. Please do not "bold" commands in the web UI for this reason.

Also, as a way to specifically avoid issues with literal commands like
this, please use the code button (#) in the web UI so that code is treated
specially by the forum software, specifically by NOT interpreting it like
regular message text. In the web UI the button is at the bottom of the
message window, as I recall.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
InmaGP Absent Member.

Re: ldap_add: Insufficient access NDS error: no access (-672)


OK, I'll keep it in mind from now on. Thanks ab
Knowledge Partner

Re: ldap_add: Insufficient access NDS error: no access (-672)

On 4/13/2018 3:34 AM, InmaGP wrote:
>
> Hi everyone!
>
> I'm very new in the management of this software, sorry if I don't
> explain well...



> I make the installation with root and, I guess I have the right


There are several rights 'regimes' here. First off the OS level (root
as you noted) which is application and file system level.

However, eDirectory is a directory service that has its own entire
rights regime. That is, the Admin account you created as part of the
tree has a permission to the [Root].

Once you get connectivity (I think the issue is you are doing an
implicit anonymous bind, since a bind with an empty/blank password,
succeeds, per the standard, as an anonymous bind, and only has the
rights in eDir that the [Public] object is granted.) you can look, and
you will see (via LDAP) that there is an attribute named ACL (Access
Control List) wherever permissions are granted.

Now it happens, LDAP is a bit tricky to look at the [Root] object of the
tree, since it should be the RootDSE in LDAP land, but I do not think
the ACLs on eDir [Root] show up on LDAP's view of RootDSE. However,
iManager can show it to you.

ACL is a structured attribute. It has a DN referencing which object has
permissions to THIS object. It has an integer for a bitmask reflecting
which specific permission you added, and a string for a subreference.
So for example, if you wanted to grant a permission at the o=cs level,
(Since you can see that in LDAP easily) to the cn=admin,o=cs object, the
o=cs object will have an ACL attribute value which contains a DN of
cn=admin,o=cs, an integer representing the specific value you assigned
(Browse, Compare, Supervisor, Inherited, etc) and then a string with
perhaps the name of the specific attribute you granted permission to.
Say c for country.
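
The ACL structure described in the reply above, decoded in an added example that is not part of the original post. It assumes the `privileges#scope#trustee#attribute` string form for ACL values read over LDAP and the usual NDS right bit values; both are assumptions not stated in the thread, and the sample values are constructed. It also reports whether [Public], the identity an anonymous bind gets, holds any right that changes data.

```python
# Added example: decode eDirectory ACL values as read over LDAP.
# Assumed value form: "<privileges>#<scope>#<trustee DN>#<attribute>".
ENTRY_RIGHTS = {0x01: "Browse", 0x02: "Add", 0x04: "Delete", 0x08: "Rename",
                0x10: "Supervisor", 0x40: "Inherit"}
ATTR_RIGHTS = {0x01: "Compare", 0x02: "Read", 0x04: "Write", 0x08: "Self",
               0x20: "Supervisor", 0x40: "Inherit"}
# Rights that let a trustee change data rather than only look at it.
ENTRY_MODIFY = 0x02 | 0x04 | 0x08 | 0x10
ATTR_MODIFY = 0x04 | 0x08 | 0x20


def parse_acl(value):
    """Split one ACL value into its parts and name the bits that are set."""
    # Split from both ends so the trustee DN in the middle stays intact.
    privileges, scope, rest = value.split("#", 2)
    trustee, attribute = rest.rsplit("#", 1)
    mask = int(privileges)
    is_entry = attribute == "[Entry Rights]"
    table = ENTRY_RIGHTS if is_entry else ATTR_RIGHTS
    names = [name for bit, name in table.items() if mask & bit]
    modify = bool(mask & (ENTRY_MODIFY if is_entry else ATTR_MODIFY))
    return {"trustee": trustee, "scope": scope, "attribute": attribute,
            "mask": mask, "rights": names, "can_modify": modify}


def anonymous_can_modify(acl_values):
    """Return the ACL entries that give [Public] (anonymous binds) modify rights."""
    parsed = [parse_acl(v) for v in acl_values]
    return [a for a in parsed
            if a["trustee"].lower() == "[public]" and a["can_modify"]]


# Constructed sample values for the o=cs container, not taken from a real tree.
SAMPLE = [
    "1#subtree#[Public]#[Entry Rights]",        # anonymous may browse only
    "16#subtree#cn=admin,o=cs#[Entry Rights]",  # admin is supervisor
    "2#entry#cn=admin,o=cs#c",                  # read on the c (country) attribute
]

if __name__ == "__main__":
    for value in SAMPLE:
        print(parse_acl(value))
    print("anonymous modify rights:", anonymous_can_modify(SAMPLE))
```

With the sample values, [Public] holds only Browse, which is consistent with an add over an anonymous bind being refused.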


