000020046 - How to create new Microsoft Active Directory administrator to be used with RSA ClearTrust

Document created by RSA Customer Support Employee on Sep 23, 2017

Article Content

Article Number: 000020046
Applies To:
RSA Product Set: ClearTrust, Access Manager
RSA Version/Condition: RSA ClearTrust 4.7 through RSA Access Manager 6.2
Platform: Microsoft Active Directory
O/S Version: Microsoft Windows 2000 through 2012
Issue: When the Entitlements Manager starts and then binds to Active Directory with a login name that does not have the appropriate rights, the following messages are displayed:

All LDAP connections have been started.
Failed on try 0
Sleep 5 seconds before retry...
Unexpected DataStoreException sirrus.da.exception.DataStoreException: 00002098: SecErr: DSID-03150620,  problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Cause: The user configured in the 'cleartrust.data.ldap.directory.activedirectory.binddn' parameter in the LDAP.CONF file does not have enough privileges for RSA ClearTrust to operate correctly.
Resolution: The following approach is just an example of rights assignment in Microsoft Active Directory. Please consult with your security administrator and with your security policies about rights management before proceeding:
  1. Open the LDAP.CONF file with a text editor and enter the login name of the user the RSA ClearTrust Entitlements Manager (Admin GUI) uses to bind to Active Directory.

    cleartrust.data.ldap.directory.activedirectory.binddn   :cn=NewAdminUser, cn=users, dc=rsasecurity,dc=com

  2. Enter the corresponding password.

    cleartrust.data.ldap.directory.activedirectory.password :EnterYourPasswordHere

  3. Assign the required administrative rights to the new administrator user in Active Directory:
    1. Navigate to Start Menu -->Programs -->Administrative Tools -->Active Directory Users and Computers.
    2. Repeat the following steps for each of the following organizational units and/or containers:

      ou=ctscAdminRepository, ou=ctscApplicationDataRepository, ou=ctscPolicyRepository, and cn=users (or whichever container where you located the ClearTrust users)

      1. Right-click on the OU/CN and select Delegate Control.
      2. Click Add.
      3. Browse and select the new administrator user object.
      4. Click OK and then Next.
      5. Leave the default 'This folder, existing objects in this folder, and creation of new objects in this folder' selected and click Next.
      6. Under 'Show these permissions', select only General.
      7. Assign the required permissions as defined in your security policies. For instance, in a LAB environment you can select the 'Full Control' permission to allow the new administrator user to add, remove, and modify objects and their attributes.
      8. Click Next and then Finish.
  4. Restart the RSA ClearTrust Entitlements Manager.
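The delegation in step 3 can also be scripted and then verified, which is handy when the same rights must be applied on several containers or domains. The script below is an added example and is not part of the RSA article or the ClearTrust product; it assumes the ActiveDirectory PowerShell module is available, that the three ctsc* OUs sit directly under DC=rsasecurity,DC=com (the suffix taken from the binddn above), and that the bind account is the cn=NewAdminUser from LDAP.CONF.

```powershell
# Added example, not from the RSA article. Assumptions: ActiveDirectory module
# present, the ctsc* OUs sit directly under DC=rsasecurity,DC=com, and the bind
# account is the cn=NewAdminUser from the LDAP.CONF binddn.
Import-Module ActiveDirectory
$BindUser = 'NewAdminUser'            # sAMAccountName of the binddn account
$Suffix   = 'DC=rsasecurity,DC=com'   # domain suffix taken from the binddn

# Containers listed in step 3.2 (CN=Users: wherever the ClearTrust users live).
$Targets = @(
    "OU=ctscAdminRepository,$Suffix",
    "OU=ctscApplicationDataRepository,$Suffix",
    "OU=ctscPolicyRepository,$Suffix",
    "CN=Users,$Suffix"
)

# Lab setting from step 3.2.7: 'Full Control' is GenericAll. Narrow this in
# production, e.g. CreateChild, DeleteChild, ReadProperty, WriteProperty.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$Sid    = (Get-ADUser -Identity $BindUser).SID

function Grant-CtDelegation {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    # Inheritance 'All' matches the wizard default 'This folder, existing
    # objects in this folder, and creation of new objects in this folder'.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Test-CtDelegation {
    param([string]$Dn)
    # True when an Allow ACE for the bind account carries every bit in $Rights.
    $acl = Get-Acl -Path "AD:\$Dn"
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Rights) -eq $Rights
    }
    return [bool]$hit
}

foreach ($dn in $Targets) {
    Grant-CtDelegation -Dn $dn
    $state = if (Test-CtDelegation -Dn $dn) { 'delegated' } else { 'MISSING' }
    "{0}: {1}" -f $dn, $state
}
```

Run it from an account that already holds write permission on the target containers; Test-CtDelegation alone can be used afterwards to audit that the bind account still has exactly the rights you intended and nothing more.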
Legacy Article ID: a14010
