 LDAP write access to Domino Directory
Hello, I am trying to write into a Domino 6.02CF1 Directory using LDAP. I followed the instructions from the Admin help, i.e.:
- Server Config document / LDAP tab: "Allow LDAP users write access" set to 'yes'
- In the Domino Directory's ACL, the user has Manager access with the User modifier role

I get the following error:

Failed to update entry, Root error: [LDAP: error code 50 - Insufficient Access Rights]

I'm using LDAP Browser/Editor ver 2.82 to access the Domino Directory via LDAP. I'm binding with the LDAP syntax and the bind is successful. I can read the Directory but I can't update any attribute in a Person document. I can't see what is blocking the access in write mode.

Thanks in advance for any help
Samir

ASKED: December 1, 2004  4:18 AM
UPDATED: December 2, 2004  6:56 PM

Answer Wiki:
I'm not an expert in this particular area, but you could try some elimination... You say the user has access? If this is a normal user, as a temporary measure to try and narrow down the problem area, try using an administrative ID and password to authenticate the LDAP client and see if the response is the same. If so, it's probably the LDAP client or the LDAP setup of Domino. If not, then it's related to the access control that you've set on the directory. From memory, there are some gotchas in access control on the directory to prevent inadvertent errors by users.
Last Wiki Answer Submitted:  December 1, 2004  5:12 am  by  Rapple   0 pts.


Discuss This Question:


 

Thanks for your reply, I did try with the main Admin ID, same result. It must be something with the LDAP access setup in Domino (or maybe the Domino Directory's ACL).

I suppose if I use the LDAP syntax on my LDAP client (i.e. CN=Joe User/O=MYCERT) and the Notes syntax in the ACL (i.e. Joe User/MYCERT) it does recognize them as being the same person?
It must be, as I can retrieve all attributes in my LDAP client (as opposed to an anonymous bind).

Samir


 

When you checked the ACL, you only mention what the user's rights were. What is the setting on the Advanced tab for 'Maximum Internet Name & password'? I believe that's where you might be hitting the rights problem.


 

Fixed!

Some kind admin guy (whose answer I couldn't find on the site, I just got the first few words in the e-mail notification) suggested I look at the ACL's Advanced tab, 'Maximum Internet Name & password access'.
I thought I had changed this to 'Editor', but it was on 'Reader' again.
Turns out you have to recycle the server after this change! Same thing after a change in LDAP access rights.

Thanks to all
Samir


 

Hi Samir,

Just some troubleshooting thoughts:

> Are you using xACL on the DD?

> Did you tell router update config or restart the server?

> using an admin account, can you add a new person entry?

> There is a debug ini variable LDAPDEBUG=1; as always, use debug variables with great care, for a short period and with constant monitoring.

And check out this really useful posting … http://www-10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/5c4bf25f844b9ac785256e4c005998b7?OpenDocument

GL
8!8
