directory-users mailing list archives

From Alex Karasulu <akaras...@gmail.com>
Subject Re: Resetting the password for admin user
Date Tue, 22 Sep 2009 15:54:51 GMT
Comment out the DefaultAuthorizationService if you have the interceptor
chain defined in your server.xml file.  This is what is causing the
insufficient rights exception.

Alex

On Tue, Sep 22, 2009 at 6:52 PM, sumit goyal <sumit.goyal84@gmail.com> wrote:

> Hi,
>
> Thanks for your answers.
>
> I was able to start the ADS 1.5.4 server after changing
> "allowAnonymousAccess" to true. I can connect to this server using apache
> directory studio, without specifying any authentication.
>
> But when I browse to an entry and try to change the value of an attribute, I
> get the following error in Studio. Looks like it's a permission issue that I
> have hit now.
>
> Error while modifying value
>  - [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for     Modify
> Reques
>  javax.naming.NoPermissionException: [LDAP: error code 50 -
> INSUFFICIENT_ACCESS_RIGHTS: failed for     Modify Request
>        Object : '0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
>            Modification[0]
>                Operation :  replace
>                Modification
>    rdsisuseraccountlocked: 43265
> : null]; remaining name 'uid=tdsadmin,ou=People,dc=test,dc=com'
>    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3008)
>    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2946)
>    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2752)
>    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1452)
>    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:270)
>    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:187)
>    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$2.run(JNDIConnectionWrapper.java:494)
>    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1116)
>    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1047)
>    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.modifyEntry(JNDIConnectionWrapper.java:534)
>    at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.modifyValue(ModifyValueJob.java:190)
>    at org.apache.directory.studio.ldapbrowser.core.jobs.ModifyValueJob.executeAttributeModificationJob(ModifyValueJob.java:90)
>    at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractAttributeModificationJob.executeNotificationJob(AbstractAttributeModificationJob.java:46)
>    at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractNotificationJob.executeAsyncJob(AbstractNotificationJob.java:43)
>    at org.apache.directory.studio.ldapbrowser.core.jobs.AbstractEclipseJob.run(AbstractEclipseJob.java:101)
>    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
>
>  [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for     Modify
> Request
>        Object : '0.9.2342.19200300.100.1.1=tdsadmin,2.5.4.11=people,0.9.2342.19200300.100.1.25=test,0.9.2342.19200300.100.1.25=com'
>            Modification[0]
>                Operation :  replace
>                Modification
>    rdsisuseraccountlocked: 43265
> : null]
>
> Any ideas?
>
> Regards
> Sumit
>
> On Sat, Sep 19, 2009 at 8:04 PM, Alex Karasulu <akarasulu@gmail.com> wrote:
>
> > On Sat, Sep 19, 2009 at 4:36 PM, Stefan Zoerner <stefan@labeo.de> wrote:
> >
> > > Alex Karasulu wrote:
> > >
> > >> The administrator entry is just like any other entry and the userPassword
> > >> field is like any other attribute. You can use these LDAP client tools to
> > >> update this attribute just the same way even on your SUN machine since this
> > >> goes over the wire.
> > >>
> > >> Hence this mechanism also works for ApacheDS; however, note that you'll need
> > >> either the SUN or the OpenLDAP client since we don't have command line tools.
> > >>
> > >
> > > I assume the question is: How to reset the password, if forgotten. The only
> > > idea I currently have:
> > >
> > > - Allow anonymous bind with complete authorization.
> > > - Reset the password attribute, just as Alex proposes.
> > > - Disallow anonymous bind with complete authorization.
> > >
> > > But I am not sure whether opening the server that way is possible (be sure
> > > that it is not available over the wire for others at that time).
> > >
> > >
> > If you've forgotten the administrator password and cannot bind to reset it,
> > then Stefan is absolutely right about having to open up the server. There are
> > 2 things you'll need to do: remove all the authorization interceptors and
> > enable anonymous binds. This way you'll be able to have anyone reset the
> > administrator password. Then you can re-enable the authorization and shut
> > off anonymous binds. It would be nice to have some self service applications
> > to run in the embedded Jetty container now that we have the container
> > integrated. This would make it really easy for users to manage and reset
> > their passwords.
> >
> > Really I recommend setting the admin password to something and stowing it
> > away. You can elevate regular users to administrator status by putting them
> > in the Administrator group. The authorization subsystem checks to see if
> > users are in this group to give them administrator rights.
> >
> > Regards,
> > --
> > Alex Karasulu
> > My Blog :: http://www.jroller.com/akarasulu/
> > Apache Directory Server :: http://directory.apache.org
> > Apache MINA :: http://mina.apache.org
> >
>



-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
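The reset step that both Alex and Stefan describe is a plain LDAP modify of userPassword, applied with an LDAP client while the authorization interceptor is commented out and anonymous access is enabled. The Python below is an added example, not code from this thread or from the ApacheDS project: it builds that LDIF modify record with a salted {SSHA} hash instead of a clear-text value, and includes a verifier for the stored form. It assumes ApacheDS's default administrator DN uid=admin,ou=system and that the server accepts a pre-hashed {SSHA} userPassword value.

```python
"""Build the LDIF modify record that resets an entry's userPassword (added example)."""
import base64
import hashlib
import os
from typing import Optional

# Assumption: ApacheDS's default administrator entry.
ADMIN_DN = "uid=admin,ou=system"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored value
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (SHA-1 digest is 20 bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def reset_password_ldif(dn: str, new_password: str, salt: Optional[bytes] = None) -> str:
    """Return an LDIF 'changetype: modify' record replacing userPassword on dn."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {ssha_hash(new_password, salt)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: write the record to stdout for ldapmodify.
    print(reset_password_ldif(ADMIN_DN, "new-admin-password"))
</test>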
