Hello,

I've recently implemented a user-sync from an eDirectory to an Active
Directory via an IDM-AD-Driver. The User sync goes smoothly for the most
part, but the driver should also add all users to a given AD-Group right
after creating them in the AD. This fails with an
LDAP_INSUFFICIENT_RIGHTS error.

The problem is that the User the driver uses to log into AD is a
DomainAdmin. Also, if I log into an ADSI-Editor with the same Account
and add the Group membership manually, everything works fine. I've
double-checked the name of the group and the value added to its member
attribute; there is no difference between the values the Driver tries to
use and the values that are in the AD after the Group Membership was
added manually.

I'm basically out of ideas.

I have added the logs of the Driver as an attachment and am posting the
RemoteLoader log in this entry. Has anybody seen this and can tell me
what I'm doing wrong?

Thanks for your time.

Best regards.

RemoteLoader-Log:

DirXML: [03/15/10 17:07:42.12]: Loader: Received 'subscriber execute'
document
DirXML: [03/15/10 17:07:42.12]: Loader: XML Document:
DirXML: [03/15/10 17:07:42.12]: <nds dtdversion="3.5"
ndsversion="8.x">
<source>
<product version="3.5.0.20070315 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="group"
dest-dn="CN=Remotedesktopbenutzer,CN=Builtin,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM"
event-id="METADIR1-NDS#20100315160727#99#1">
<modify-attr attr-name="member">
<add-value>
<value>CN=aic-tr07,ou=extern,ou=AB-User,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [03/15/10 17:07:42.12]: Loader: Calling
subscriptionShim->execute()
DirXML: [03/15/10 17:07:42.12]: Loader: XML Document:
DirXML: [03/15/10 17:07:42.12]: <nds dtdversion="3.5"
ndsversion="8.x">
<source>
<product version="3.5.0.20070315 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="group"
dest-dn="CN=Remotedesktopbenutzer,CN=Builtin,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM"
event-id="METADIR1-NDS#20100315160727#99#1">
<modify-attr attr-name="member">
<add-value>
<value>CN=aic-tr07,ou=extern,ou=AB-User,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [03/15/10 17:07:42.12]: ADDriver: parse command

className group
destDN
CN=Remotedesktopbenutzer,CN=Builtin,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM
eventId METADIR1-NDS#20100315160727#99#1
association
DirXML: [03/15/10 17:07:42.12]: ADDriver: parse modify class = group
DirXML: [03/15/10 17:07:42.12]: ADDriver: modify-attr
DirXML: [03/15/10 17:07:42.12]: ADDriver: add-value
DirXML: [03/15/10 17:07:42.12]: ADDriver: value
DirXML: [03/15/10 17:07:42.12]: ADDriver:
CN=aic-tr07,ou=extern,ou=AB-User,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM
DirXML: [03/15/10 17:07:42.12]: ADDriver: ldap_modify group
CN=Remotedesktopbenutzer,CN=Builtin,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM
LDAPMod operations:
add attribute member
>>

CN=aic-tr07,ou=extern,ou=AB-User,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM
DirXML: [03/15/10 17:07:42.12]: Loader: subscriptionShim->execute()
returned:
DirXML: [03/15/10 17:07:42.12]: Loader: XML Document:
DirXML: [03/15/10 17:07:42.12]: <nds ndsversion="8.7"
dtdversion="1.1">
<source>
<product version="3.5.0" asn1id="" build="20070122_093000"
instance="\AB_META\System\IDM-DriverSet\AD-CITRIXADS">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="error" type="driver-general"
event-id="METADIR1-NDS#20100315160727#99#1">
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50"
ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Keine ausreichenden
Rechte</client-err>
<server-err>00002098: SecErr: DSID-03150BB9, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="8344"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [03/15/10 17:07:42.12]:
DirXML Log Event -------------------
Driver = \AB_META\System\IDM-DriverSet\AD-CITRIXADS
Thread = Subscriber Channel
Object =
CN=Remotedesktopbenutzer,CN=Builtin,DC=CITRIX,DC=ADS,DC=AIRBERLIN,DC=COM
Level = error
Message = <ldap-err ldap-rc="50"
ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Keine
ausreichenden Rechte</client-err>
<server-err>00002098: SecErr: DSID-03150BB9, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="8344"/>
</ldap-err>
DirXML: [03/15/10 17:09:12.39]: Loader: Sending 'keep-alive' packet


+----------------------------------------------------------------------+
|Filename: eDir_ADDriver_Excerpt.log |
|Download: http://forums.novell.com/attachment....achmentid=4121 |
+----------------------------------------------------------------------+

--
Peot
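
An added triage helper, not part of the original post and not Novell's code: it parses the driver's error status document from the RemoteLoader trace above into structured fields, so the LDAP result code, the Active Directory DSID and problem number, and the Win32 code can be compared or searched across many events. The function name and field names are hypothetical; treating the hex prefix of `<server-err>` as the same code as `win32-rc` is an assumption the code checks rather than relies on.

```python
import re
import xml.etree.ElementTree as ET

# <status> element copied from the trace in the post (forum line wraps rejoined).
SAMPLE = """<status level="error" type="driver-general" event-id="METADIR1-NDS#20100315160727#99#1">
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Keine ausreichenden Rechte</client-err>
<server-err>00002098: SecErr: DSID-03150BB9, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="8344"/>
</ldap-err>
</status>"""

# Shape of the server-side message as it appears in the trace:
# <hex code>: <category>: DSID-<id>, problem <n> (<name>), data <value>
SERVER_ERR = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}):\s*(?P<category>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*problem\s+(?P<problem>\d+)\s*\((?P<name>\w+)\),\s*data\s+(?P<data>-?\w+)"
)

def parse_ldap_errors(xml_text):
    """Return one dict per <ldap-err> found in a driver status document."""
    findings = []
    root = ET.fromstring(xml_text)
    for status in root.iter("status"):          # also matches a <status> root
        for err in status.iter("ldap-err"):
            row = {
                "event_id": status.get("event-id"),
                "level": status.get("level"),
                "ldap_rc": int(err.get("ldap-rc")),
                "ldap_rc_name": err.get("ldap-rc-name"),
                "server_code": None,
            }
            # Collapse the line wrap inside <server-err> before matching.
            text = " ".join((err.findtext("server-err") or "").split())
            m = SERVER_ERR.search(text)
            if m:
                row.update(category=m["category"], dsid=m["dsid"],
                           problem=int(m["problem"]), problem_name=m["name"],
                           server_code=int(m["code"], 16))
            ex = err.find("server-err-ex")
            row["win32_rc"] = int(ex.get("win32-rc")) if ex is not None else None
            # True only when both codes are present and equal (0x2098 == 8344 here).
            row["codes_agree"] = (row["server_code"] is not None
                                  and row["server_code"] == row["win32_rc"])
            findings.append(row)
    return findings
```

Calling `parse_ldap_errors(SAMPLE)` yields a single record for event `METADIR1-NDS#20100315160727#99#1`.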