
Active Directory AFX Connector fails to create or modify accounts due to an 'LDAPException: Insufficient Access Rights' error in RSA Identity Governance & Lifecycle

 
RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x
 
When the Access Fulfillment Express (AFX) Connector for Active Directory attempts to create or modify an account, the action fails and the following error is seen in the AFX log files:

The $AFX_HOME/esb/logs/esb.AFX-MAIN.log has the following error:
2018-05-31 16:29:35.675 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - returning: -1 -> 
LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: 00000005: SecErr: DSID-03152612, 
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

LDAPException: Matched DN

The $AFX_HOME/esb/logs/esb.AFX-CONN-{connector-name}.log (the connector log for the specific AFX connector that is failing) has the same error:
Root Exception stack trace:
LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: 00000005: SecErr: DSID-03152612, 
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

LDAPException: Matched DN:

The account configured as the Login Distinguished Name of the Active Directory AFX connector, which is used to bind to Microsoft Active Directory, does not have administrator access to Active Directory.
 
Use an Active Directory account with administrator privileges to bind to the Active Directory Server. Enter this username into the Login Distinguished Name field of the Active Directory AFX connector.
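
To triage these entries across the AFX logs, the following added example (not part of the original article or of RSA's tooling) parses the multi-line LDAPException block shown above and extracts the LDAP result code and the Active Directory server message fields. The function names and dictionary keys are assumptions chosen for illustration.

```python
import re

# Constructed sample modelled on the esb.AFX-MAIN.log excerpt in this article;
# the final "returning: 0" line is invented to show a non-failing entry.
SAMPLE_LOG = """\
2018-05-31 16:29:35.675 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - returning: -1 -> 
LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: 00000005: SecErr: DSID-03152612, 
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

LDAPException: Matched DN
2018-05-31 16:30:02.101 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - returning: 0 -> 
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[")
RESULT = re.compile(r"^LDAPException: .*\((\d+)\)")
SERVER = re.compile(r"Server Message: ([0-9A-Fa-f]{8}): (\w+): (DSID-[0-9A-Fa-f]+),"
                    r"\s*problem (\d+) \((\w+)\), data (-?\w+)")

def parse_ldap_failures(text):
    """Return one dict per LDAPException block, tagged with the last timestamp seen."""
    failures, current, last_ts = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TS.match(line)
        if m:                      # a new log entry closes any open exception block
            last_ts, current = m.group(1), None
            continue
        m = RESULT.match(line)
        if m:                      # e.g. "... Insufficient Access Rights (50) ..."
            current = {"timestamp": last_ts, "ldap_result": int(m.group(1))}
            failures.append(current)
            continue
        if current is not None and "Server Message:" in line:
            # The server message wraps onto the following line in the AFX log.
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            m = SERVER.search(line.rstrip() + " " + nxt)
            if m:
                current.update(server_code=m.group(1), category=m.group(2),
                               dsid=m.group(3), problem=int(m.group(4)),
                               problem_name=m.group(5), data=m.group(6))
    return failures

def insufficient_access(text):
    """Failures with LDAP result code 50 (insufficientAccessRights)."""
    return [f for f in parse_ldap_failures(text) if f["ldap_result"] == 50]

if __name__ == "__main__":
    for failure in insufficient_access(SAMPLE_LOG):
        print(failure)
```

The connector log has no timestamp before "Root Exception stack trace:", so records parsed from it carry a `timestamp` of `None`.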
 
 
 


 
000036423
Andrew Wilson
6/8/2018 2:02 AM
000041897