
Error : Status: Error 50 . Insufficient access SmLimitauthLogin


Article ID: 238400


Products

SITEMINDER

Issue/Introduction

 

When the Policy Server runs with the SmLimitauthLogin GD module, it
reports the following error:

  [58618/140113157805824][Mon Mar 28 2022 12:37:06.981][SmDsLdapFunctionImpl.cpp:1410]
  [ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com',
  PropName: 'smlimitauth', PropValue: '3O9cxARPSslwllLskk90aO1VcU='
  . Status: Error 50 . Insufficient access

 

Resolution

 

The problem is on the LDAP server side.

  - The error "Status: Error 50 . Insufficient access" is returned by
    the LDAP server;

  - ACI configuration is missing on the LDAP server;

  - From a support perspective, to understand why the LDAP server
    returns that error, collect matching logs and traces from the
    Policy Server, along with the LDAP server traces. Then investigate
    with the LDAP vendor's support why the LDAP server returns
    error 50;

  - Our documentation recommends keeping the ACI configuration as
    simple as possible (1).
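
To line up the Policy Server entries with the LDAP server traces, the failed SetUserProp writes can be extracted from the Policy Server log by timestamp, DN and attribute. The following Python is an added example, not Broadcom code; it assumes the record format shown above (possibly wrapped over several lines), and the sample log, including its second DN, is constructed.

```python
import re
from collections import Counter

# Constructed sample in the format shown in this article (second DN and the INFO line are made up).
SAMPLE_LOG = """\
[58618/140113157805824][Mon Mar 28 2022 12:37:06.981][SmDsLdapFunctionImpl.cpp:1410]
[ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com',
PropName: 'smlimitauth', PropValue: '3O9cxARPSslwllLskk90aO1VcU='
. Status: Error 50 . Insufficient access
[58618/140113157805824][Mon Mar 28 2022 12:37:09.112][SmDsLdapFunctionImpl.cpp:1410]
[ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=adoe,dc=training,dc=com',
PropName: 'smlimitauth', PropValue: 'AAAA'
. Status: Error 50 . Insufficient access
[58618/140113157805824][Mon Mar 28 2022 12:37:10.000][Example.cpp:1][INFO] unrelated line
"""

RECORD_START = re.compile(r"^\[\d+/\d+\]\[")   # "[pid/tid][" opens every record
FAILURE = re.compile(
    r"^\[\d+/\d+\]\[(?P<ts>[^\]]+)\].*?\[ERROR\]\[sm-Ldap-\d+\]\s*\(SetUserProp\)\s*"
    r"DN:\s*'(?P<dn>[^']*)',\s*PropName:\s*'(?P<prop>[^']*)'.*?Status:\s*Error\s+(?P<code>\d+)"
)

def iter_records(text):
    """Re-join records that were wrapped over several lines."""
    buf = []
    for line in text.splitlines():
        if RECORD_START.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def write_failures(text, code="50"):
    """Return (timestamp, dn, attribute) for each SetUserProp that failed with `code`."""
    hits = []
    for rec in iter_records(text):
        m = FAILURE.search(rec)
        if m and m["code"] == code:
            hits.append((m["ts"], m["dn"], m["prop"]))  # PropValue is deliberately not copied
    return hits

if __name__ == "__main__":
    hits = write_failures(SAMPLE_LOG)
    for ts, dn, prop in hits:
        print(f"{ts}  {dn}  attribute={prop}")
    print(dict(Counter(prop for _, _, prop in hits)))  # attributes the Policy Server could not write
```

The timestamps and DNs it returns are the values to search for in the LDAP server's own traces.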

 

Additional Information

 

(1)

  
    Known Directory Idiosyncrasies

      Some LDAP implementations impose security within the directory,
      most notably iPlanet with its Access Control Information
      (ACIs). This is not part of the LDAP specification at all and
      can make troubleshooting APS very difficult. Broadcom generally
      recommends using administrator credentials with full rights to
      user entries. In the case of iPlanet, the cn=Directory Manager
      administrator bypasses ACI checking altogether.

      For iPlanet User Directories, the cn=Directory Manager
      administrator has some special processing on the directory
      server. Specifically, it bypasses all security (ACIs), it has no
      limits on its resource limitations (timeouts and size limits),
      and it receives priority processing.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/advanced-password-services-configuration/user-directories-schema-storage-and-capabilities/ldap-directories.html