When the Policy Server runs with the SmLimitauthLogin GD module, it
reports the following error:
[58618/140113157805824][Mon Mar 28 2022 12:37:06.981][SmDsLdapFunctionImpl.cpp:1410]
[ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com',
PropName: 'smlimitauth', PropValue: '3O9cxARPSslwllLskk90aO1VcU='
. Status: Error 50 . Insufficient access
The problem is on the LDAP server side.
- The error : Status: Error 50 . Insufficient access comes from the
- ACI configuration is missing in the LDAP Server;
- From a support perspective, to understand the reason why the LDAP
server returns that error, get matching logs and traces from the
Policy Server, along with the LDAP Server traces. Then investigate
with the LDAP Vendor support to understand the reason why the LDAP
Server returns error 50;
- Our documentation recommends keeping the ACI configuration as
simple as possible (1).
Known Directory Idiosyncrasies
Some LDAP implementations impose security within the directory,
most notably iPlanet with its Access Control Information
(ACIs). This is not part of the LDAP specification at all and
can make troubleshooting APS very difficult. Broadcom generally
recommends using administrator credentials with full rights to
user entries. In the case of iPlanet, the cn=Directory Manager
administrator bypasses ACI checking altogether.
For iPlanet User Directories, the cn=Directory Manager
administrator has some special processing on the directory
server. Specifically, it bypasses all security (ACIs), it has no
limits on its resource limitations (timeouts and size limits),
and it receives priority processing.
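
When collecting the matching Policy Server logs for the sm-Ldap-00880 error shown at the top, it helps to know which attribute and which entries the LDAP server refused to update. The following is an added example, not Broadcom code: it re-joins wrapped log records and groups SetUserProp failures by attribute for a given LDAP status code. The function names and the sample log (modelled on the entry above, with placeholder values) are constructed for illustration.

```python
import re
from collections import defaultdict

# A record starts with [pid/tid][timestamp]...; wrapped lines do not.
RECORD_START = re.compile(r"^\[\d+/\d+\]\[")
# sm-Ldap-00880 SetUserProp failure; PropValue is matched but never captured.
SETPROP_ERR = re.compile(
    r"\[sm-Ldap-00880\]\s*\(SetUserProp\)\s*DN:\s*'(?P<dn>[^']*)',\s*"
    r"PropName:\s*'(?P<prop>[^']*)',\s*PropValue:\s*'[^']*'\s*"
    r"\.\s*Status:\s*Error\s*(?P<code>\d+)\s*\."
)

def join_records(lines):
    """Re-join log records that were wrapped over several physical lines."""
    record = []
    for line in lines:
        if RECORD_START.match(line) and record:
            yield " ".join(record)
            record = []
        if line.strip():
            record.append(line.strip())
    if record:
        yield " ".join(record)

def write_denials(lines, code="50"):
    """Return {attribute: sorted DNs} for SetUserProp failures with this LDAP code."""
    denied = defaultdict(set)
    for rec in join_records(lines):
        m = SETPROP_ERR.search(rec)
        if m and m.group("code") == code:
            denied[m.group("prop")].add(m.group("dn"))
    return {prop: sorted(dns) for prop, dns in denied.items()}

# Constructed sample: the first record follows the entry shown above (wrapped,
# placeholder PropValue); the others are invented to exercise the filter.
SAMPLE_LOG = """\
[58618/140113157805824][Mon Mar 28 2022 12:37:06.981][SmDsLdapFunctionImpl.cpp:1410]
[ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com',
PropName: 'smlimitauth', PropValue: 'CONSTRUCTED-VALUE='
. Status: Error 50 . Insufficient access
[58618/140113157805824][Mon Mar 28 2022 12:37:09.114][SmDsLdapFunctionImpl.cpp:1410][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=adoe,dc=training,dc=com', PropName: 'smlimitauth', PropValue: 'CONSTRUCTED-VALUE=' . Status: Error 50 . Insufficient access
[58618/140113157805824][Mon Mar 28 2022 12:37:11.302][SmDsLdapFunctionImpl.cpp:1410][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=gone,dc=training,dc=com', PropName: 'smlimitauth', PropValue: 'CONSTRUCTED-VALUE=' . Status: Error 32 . No such object
"""

if __name__ == "__main__":
    for prop, dns in write_denials(SAMPLE_LOG.splitlines()).items():
        print(f"{prop}: write denied for {len(dns)} entries: {dns}")
```

The resulting attribute list is what the ACI review on the LDAP server needs to cover for the account the Policy Server binds with.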