ADS Endpoint: LDAP error code 50 - Insufficient Rights

Article ID: 144044


Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite CA API Gateway

Issue/Introduction

When a user attribute is updated on an endpoint via CA Identity Manager (IM), the task is reported as failed in the VST (View Submitted Tasks). On closer inspection, the global user is updated successfully but one associated account failed. A deeper review of the Provisioning Server (etatrans) log files shows the following error:

LDAP: error code 50 - Insufficient Rights

Sample Log extract from the Provisioning Server's etatrans log:

20200122:092000:TID=9e8b70:Modify    :C350:C326:F: FAILURE: Child Modify (eTADSAccountName=Test User)
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:     rc:  0x0032 (Insufficient access)
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:     msg: :ETA_E_0008<MAC>, Active Dir. Account 'Test User' on 'DOMAIN
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+' modification failed: Connector Server Modify failed: code 50 (INSUFFICIENT_ACCE
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+SS_RIGHTS): failed to modify entry: eTADSAccountName=Test User,eTADSOrgNa
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+me=MyOrg,eTADSDirectoryName=DOMAIN,eTNamespaceName=ActiveDirectory,dc=im,dc
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+=etasa: JCS@hostname: JNDI: [LDAP: error code 50 - Insufficient Rights]: failed t
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+o modify eTADSAccountName=Test User,eTADSOrgUnitName=MyOrg,eTADSDirectory
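
To list every account hit by this error in a larger etatrans log, the wrapped lines (text starting with "+") have to be rejoined before the message can be parsed. The following Python is an added example, not code from the product or from Broadcom; the prefix layout and the continuation rule are assumptions inferred from the extract above, and the function names are hypothetical.

```python
import re

# Added example; function names are hypothetical. Prefix layout is inferred from
# the extract (assumption): date:time:TID=<id>:<operation>:<f>:<f>:<flag>:<text>
PREFIX = re.compile(r"^(\d{8}:\d{6}):TID=(\w+):([^:]+):[^:]*:[^:]*:[^:]*:(.*)$")
ACCOUNT = re.compile(r"Account '([^']*)' on '([^']*)'")
INSUFFICIENT_ACCESS = 0x32  # LDAP result code 50

def logical_lines(raw_lines):
    """Rejoin wrapped text: '+' continues the last line of the same TID."""
    out, last = [], {}
    for raw in raw_lines:
        m = PREFIX.match(raw.rstrip("\r\n"))
        if not m:
            continue  # not an etatrans record line
        when, tid, op, text = m.groups()
        if text.startswith("+") and tid in last:
            last[tid]["text"] += text[1:]  # threads may interleave, so key by TID
        else:
            last[tid] = {"when": when, "tid": tid, "op": op.strip(), "text": text.lstrip()}
            out.append(last[tid])
    return out

def insufficient_access_failures(raw_lines):
    """One record per FAILURE whose rc is 0x0032, with account and directory."""
    open_failure, hits = {}, []
    for line in logical_lines(raw_lines):
        tid, text = line["tid"], line["text"]
        if text.startswith("FAILURE:"):
            open_failure[tid] = dict(when=line["when"], op=line["op"], rc=None, account=None, directory=None)
        elif tid in open_failure and text.startswith("rc:"):
            open_failure[tid]["rc"] = int(text[3:].split()[0], 16)
        elif tid in open_failure and text.startswith("msg:"):
            rec = open_failure.pop(tid)
            m = ACCOUNT.search(text)
            if m:
                rec["account"], rec["directory"] = m.groups()
            if rec["rc"] == INSUFFICIENT_ACCESS:
                hits.append(rec)
    return hits

# Sample input: the first four lines of the extract above.
SAMPLE = """\
20200122:092000:TID=9e8b70:Modify    :C350:C326:F: FAILURE: Child Modify (eTADSAccountName=Test User)
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:     rc:  0x0032 (Insufficient access)
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:     msg: :ETA_E_0008<MAC>, Active Dir. Account 'Test User' on 'DOMAIN
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+' modification failed: Connector Server Modify failed: code 50 (INSUFFICIENT_ACCE
""".splitlines()
print(insufficient_access_failures(SAMPLE))
```

The directory name is only recoverable after rejoining, because its closing quote sits on the continuation line.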

 

Environment

All Identity Manager

Cause

This error appears if the endpoint attributes cannot be updated due to a permissions issue.

Resolution

Work with your ADS administrator to ensure that the ID used to acquire the ADS endpoint has the permissions needed for the operations Identity Manager is attempting to perform. Also refer to the following product documentation:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-exchange-and-skpye-for-business(lync)/privileges-to-connect-to-active-directory-exchange-and-skype-for-business.html