|Applies To||RSA Product Set: ClearTrust, Access Manager|
RSA Version/Condition: RSA ClearTrust 4.7 through RSA Access Manager 6.2
Platform: Microsoft Active Directory
O/S Version: Microsoft Windows 2000 through 2012
|Issue||When the Entitlements Manager starts and then binds with a login name that does not have the appropriate rights, the following messages are displayed:|
All LDAP connections have been started.
Failed on try 0
Sleep 5 seconds before retry...
Unexpected DataStoreException sirrus.da.exception.DataStoreException: 00002098: SecErr: DSID-03150620, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
|Cause||The user configured with the 'cleartrust.data.ldap.directory.activedirectory.binddn' parameter in the LDAP.CONF file does not have enough privileges for RSA ClearTrust to operate correctly.|
|Resolution||The following approach is only an example of rights assignment in Microsoft Active Directory. Consult your security administrator and your security policies on rights management before proceeding:|
- Open the LDAP.CONF file with a text editor and enter the login name of the user that the RSA ClearTrust Entitlements Manager (Admin GUI) uses to bind to Active Directory.
  cleartrust.data.ldap.directory.activedirectory.binddn :cn=NewAdminUser, cn=users, dc=rsasecurity,dc=com
- Enter the corresponding password.
- Assign the required administrative rights to the new administrator in Active Directory:
  - Navigate to Start Menu --> Programs --> Administrative Tools --> Active Directory Users and Computers.
  - Repeat the following steps for each of these organizational units and/or containers:
    ou=ctscAdminRepository, ou=ctscApplicationDataRepository, ou=ctscPolicyRepository, and cn=users (or whichever container holds the ClearTrust users)
    - Right-click on the OU/CN and select Delegate Control.
    - Click Add.
    - Browse and select the new administrator user object.
    - Click OK and then Next.
    - Leave the default 'This folder, existing objects in this folder, and creation of new objects in this folder' and click Next.
    - Under Show these permissions select only General.
    - Assign the required permissions as defined in your security policies. For instance, in a lab environment you can select the 'Full Control' permission to allow the new administrator user to add, remove, and modify objects and their attributes.
    - Click Next and then Finish.
- Restart the RSA ClearTrust Entitlements Manager.
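
To confirm what the delegation steps above actually granted, the following PowerShell lists the access control entries that name the bind account on each of the four containers and marks any Full Control grant for review. It is an added example, not part of the RSA article or product; the base DN and account name are taken from the sample binddn line, and the placement of the ctsc* OUs directly under that base DN is an assumption.

```powershell
# Added example (not RSA code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumptions: base DN and account come from the article's sample binddn;
# the ctsc* OUs are assumed to sit directly under the base DN.
$BaseDn   = 'dc=rsasecurity,dc=com'
$BindUser = Get-ADUser -Identity "cn=NewAdminUser,cn=users,$BaseDn"
$Targets  = 'ou=ctscAdminRepository', 'ou=ctscApplicationDataRepository',
            'ou=ctscPolicyRepository', 'cn=users' |
            ForEach-Object { "$_,$BaseDn" }
$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$SidType     = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($dn in $Targets) {
    # The AD: drive lets Get-Acl read the DACL of a directory object.
    $aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        # Match on SID so differences in name formatting do not matter.
        try   { $_.IdentityReference.Translate($SidType).Value -eq $BindUser.SID.Value }
        catch { $false }   # trustee cannot be resolved, so it is not our account
    }
    if (-not $aces) {
        # Only ACEs naming the account itself are checked, not its groups.
        [pscustomobject]@{ Container = $dn; Access = 'none'; Rights = '-'
                           Inherited = '-'
                           Note = 'no ACE names the account (group grants not checked)' }
        continue
    }
    foreach ($ace in $aces) {
        $note = ''
        if ($ace.ActiveDirectoryRights.HasFlag($FullControl)) {
            $note = 'Full Control: lab example in the article, review against policy'
        }
        if ($ace.AccessControlType -eq 'Deny') { $note = 'explicit deny' }
        [pscustomobject]@{ Container = $dn; Access = $ace.AccessControlType
                           Rights = $ace.ActiveDirectoryRights
                           Inherited = $ace.IsInherited; Note = $note }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A container reported with no ACE for the account is a likely source of the INSUFF_ACCESS_RIGHTS error at bind time, unless the rights reach the account through a group.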
|Legacy Article ID||a14010|