Hello. I’m configuring a 389 Directory Server on SLES 15. I created a LDAPUsersAdministrators group and made it member of cn=user_admin,ou=permissions,dc=example,dc=com. Then I created a new administration user and made it member of the LDAPUsersAdministrators group.
Now with this new administrator user I’m able to create other users using ldapadd utility and a ldif file, but this works only if the userPassword attribute is NOT present in the ldif file.
LDIF file example
dn: uid=johndoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: johndoe
cn: John Doe
displayName: John Doe
legalName: John Doe
uidNumber: 99998
gidNumber: 99998
homeDirectory: /var/empty
loginShell: /bin/false
userPassword: bigsecret
If I remove the userPassword attribute from the ldif file the user is created, if I add it I’m getting this error:
ldap_add: Insufficient access (50)
additional info: Insufficient ‘add’ privilege to the ‘userPassword’ attribute
Of course if I use cn=Directory Manager I am able to create a new user with a password, but I wish to be able to do that with the new administrator user that I just created.
This document describe how to define a group of users as “Password Administrators”:
https://www.port389.org/docs/389ds/design/password-administrator.html
I followed these istructions but it still don’t work, so I’m stuck. Any suggestion?
Thank you & Kind regards - Cristian