Hi,
Thanks for your answers.
I was able to start the ADS 1.5.4 server after changing
"allowAnonymousAccess" to true. I can connect to this server using Apache
Directory Studio, without specifying any authentication.
But when I browse to an entry and try to change the value of an attribute, I get
the following error in Studio. Looks like it's a permission issue that I have hit
now.
Error while modifying value
- [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for Modify
Reques
javax.naming.NoPermissionException: [LDAP: error code 50 -
INSUFFICIENT_ACCESS_RIGHTS: failed for Modify Request
Object :
'0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
Modification[0]
Operation : replace
Modification
rdsisuseraccountlocked: 43265
: null]; remaining name 'uid=tdsadmin,ou=People,dc=test,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3008)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2946)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1452)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:270)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:187)
at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$2.run(JNDIConnectionWrapper.java:494)
at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1116)
at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1047)
at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.modifyEntry(JNDIConnectionWrapper.java:534)
at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.modifyValue(ModifyValueJob.java:190)
at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.executeAttributeModificationJob(ModifyValueJob.java:90)
at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractAttributeModificationJob.executeNotificationJob(AbstractAttributeModificationJob.java:46)
at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractNotificationJob.executeAsyncJob(AbstractNotificationJob.java:43)
at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractEclipseJob.run(AbstractEclipseJob.java:101)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
[LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for Modify
Request
Object :
'0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
Modification[0]
Operation : replace
Modification
rdsisuseraccountlocked: 43265
: null]
Any ideas?
Regards
Sumit
On Sat, Sep 19, 2009 at 8:04 PM, Alex Karasulu <[email protected]> wrote:
> On Sat, Sep 19, 2009 at 4:36 PM, Stefan Zoerner <[email protected]> wrote:
>
> > Alex Karasulu wrote:
> >
> >> The administrator entry is just like any other entry and the userPassword
> >> field is like any other attribute. You can use these LDAP client tools to
> >> update this attribute just the same way even on your SUN machine since this
> >> goes over the wire.
> >>
> >> Hence this mechanism also works for ApacheDS however note that you'll need
> >> either the SUN or the OpenLDAP client since we don't have command line
> >> tools.
> >>
> >
> > I assume the question is: How to reset the password, if forgotten. The only
> > idea I currently have:
> >
> > - Allow anonymous bind with complete authorization.
> > - Reset the password attribute, just as Alex proposes
> > - disallow anonymous bind with complete authorization.
> >
> > But I am not sure, whether opening the server that way is possible (be sure
> > that it is not available over the wire for others at that time).
> >
> >
> If you've forgotten the administrator password and cannot bind to reset then
> Stefan is absolutely right about having to open up the server. There are 2
> things you'll need to do. Remove all the authorization interceptors and
> enable anonymous binds. This way you'll be able to have anyone reset the
> administrator password. Then you can re-enable the authorization and shut
> off anonymous binds. It would be nice to have some self service
> applications to run in the embedded Jetty container now that we have the
> container integrated. This would make it really easy for users to manage
> and reset their passwords.
>
> Really I recommend setting the admin password to something and stowing it
> away. You can elevate regular users to administrator status by putting them
> in the Administrator group. The authorization subsystem checks to see if
> users are in this group to give them administrator rights.
>
> Regards,
> --
> Alex Karasulu
> My Blog :: http://www.jroller.com/akarasulu/
> Apache Directory Server :: http://directory.apache.org
> Apache MINA :: http://mina.apache.org
>
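
The recovery procedure quoted above leaves the server writable by anyone until both changes are rolled back. The following is an added example, not part of the original thread or of ApacheDS: a Python check that flags a server.xml still in that state. The element names are assumed from the ApacheDS 1.5.x server.xml layout, and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a server.xml left in the recovery state from the thread.
# Element names are assumed from the ApacheDS 1.5.x configuration layout.
RECOVERY_STATE = """<spring:beans
    xmlns:spring="http://xbean.apache.org/schemas/spring/1.0"
    xmlns="http://apacheds.org/config/1.0">
  <defaultDirectoryService id="directoryService" allowAnonymousAccess="true">
    <interceptors>
      <normalizationInterceptor/>
      <authenticationInterceptor/>
      <!-- authorization interceptors removed for the reset -->
      <exceptionInterceptor/>
    </interceptors>
  </defaultDirectoryService>
</spring:beans>"""

# Constructed sample: the same file after the reset has been rolled back.
LOCKED_DOWN = (
    RECOVERY_STATE
    .replace('allowAnonymousAccess="true"', 'allowAnonymousAccess="false"')
    .replace("<!-- authorization interceptors removed for the reset -->",
             "<aciAuthorizationInterceptor/><defaultAuthorizationInterceptor/>"))

# Interceptors that must be back in the chain once the password is reset.
REQUIRED = ("aciAuthorizationInterceptor", "defaultAuthorizationInterceptor")


def local(tag):
    """Strip the XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit(server_xml):
    """Return findings that mean the server is still open after a reset."""
    root = ET.fromstring(server_xml)
    services = [e for e in root.iter() if local(e.tag) == "defaultDirectoryService"]
    if not services:
        return ["no defaultDirectoryService element found"]
    findings = []
    for svc in services:
        # Anything other than an explicit "false" is reported, so the check
        # does not depend on the server's built-in default.
        if svc.get("allowAnonymousAccess", "").lower() != "false":
            findings.append("allowAnonymousAccess is not false")
        present = {local(e.tag) for e in svc.iter()}
        findings += ["missing " + n for n in REQUIRED if n not in present]
    return findings


if __name__ == "__main__":
    for label, cfg in (("recovery", RECOVERY_STATE), ("locked", LOCKED_DOWN)):
        print(label, audit(cfg) or "OK")
```
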