IMPS: LDAP error code 50 - Insufficient Rights

book

Article ID: 144044

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

When a user attribute is updated on an endpoint via CA Identity Manager (IM) the task reports as failed in the VST (View Submitted Tasks).  Upon closer inspection the global user is updated successfully but one associated account failed.  A deeper review of the Provisioning Server (etatrans) log files, the following error is report

LDAP: error code 50 - Insufficient Rights

Sample Log extract

20200122:092000:TID=9e8b70:Modify    :C350:C326:F: FAILURE: Child Modify (eTADSAccountName=Anne User)
20200122:092000:TID=9efb70:EtaServer :----:----:I: Retrieving common BLS Connectivity Configuration
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:     rc:  0x0032 (Insufficient access)
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:     msg: :ETA_E_0008<MAC>, Active Dir. Account 'Anne User' on 'DOMAIN
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+' modification failed: Connector Server Modify failed: code 50 (INSUFFICIENT_ACCE
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+SS_RIGHTS): failed to modify entry: eTADSAccountName=Anne User,eTADSOrg
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+UnitName=ProxyFull,eTADSOrgUnitName=Interni,eTADSOrgUnitName=Users,eTADSOrgUnitNa
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+me=Corporate,eTADSDirectoryName=DOMAIN,eTNamespaceName=ActiveDirectory,dc=im,dc
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+=etasa: [email protected]: JNDI: [LDAP: error code 50 - Insufficient Rights]: failed t
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+o modify eTADSAccountName=Anne User,eTADSOrgUnitName=ProxyFull,eTADSOrg
20200122:092000:TID=9e8b70:Modify    :C350:C326:F:+UnitName=Interni,eTADSOrgUnitName=Users,eTADSOrgUnitName=Corporate,eTADSDirectory

Cause

This error appears if the endpoint attributes cannot be updated due to a permissions issue, but there can be several causes for this error, for example 

 

  • The Connector Server service account has insufficient rights at the endpoint to update attributes.
  • The endpoint attributes are protected and cannot be updated (read-only)
  • Or in some reported cases a firewall rule misconfiguration rule has blocked access.

 

Environment

Release : 14.x

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

Resolution to this issue is outside the scope of CA Broadcom Technical Support.  Please work with your system administrators to ensure you have sufficient and unhindered access to the endpoint.