RSA Authentication Manager 8.1 and 8.2 show a system message that administrator "trustedapp" attempted to update a principal, Failure Unexpected directory operation failure
Originally Published: 2016-10-25
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0, 8.1.1, 8.2.0
Issue
Description: Administrator "trustedapp" attempted to update a principal
Activity Result Key: Failure,
Result: Unexpected directory operation failure
Component Key: system.com.rsa.ims.admin.dal.ldap.BaseAccessLDAP
Arg1: AD
Arg2: cn=riddick\, rena a.,ou=endusers,ou=div17,ou=hqhq,dc=fbi,dc=gov
Exception: javax.naming.NoPermissionsException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS)
Cause
- An Authentication Manager administrator attempted to change an LDAP user's password in the Security Console, or
- A user attempted to change their own LDAP password through the agent, but the external identity source directory user ID does not have write permissions to the LDAP directory.
Resolution
- From the Operations Console, navigate to Deployment Configuration > Identity Sources > Manage Existing and click on the identity source that you wish to update.
- Select Edit. Scroll to the Identity Source Directory Connection section and define an external identity source user ID account, also called a binding account, that has write permissions to Active Directory.
- Use LDAPS (with a certificate) for the identity source directory connection (Deployment Configuration > Identity Source Certificates > Add New). For more information, please review this article on Identity Source SSL Certificates.
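To triage entries like the one under Issue, the following added example (not RSA code) parses the event fields, pulls the LDAP result code and DSID out of the Exception text, and splits the target DN without breaking on the escaped comma in the CN. It assumes one "Key: value" field per line in the exported event; the function names are hypothetical.

```python
import re

# Constructed sample: fields copied from the Issue section, one per line.
SAMPLE_EVENT = r"""Description: Administrator "trustedapp" attempted to update a principal
Result: Unexpected directory operation failure
Component Key: system.com.rsa.ims.admin.dal.ldap.BaseAccessLDAP
Arg1: AD
Arg2: cn=riddick\, rena a.,ou=endusers,ou=div17,ou=hqhq,dc=fbi,dc=gov
Exception: javax.naming.NoPermissionsException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS)"""

LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<ext>[0-9A-Fa-f]{8}): (?P<cls>\w+): "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), problem (?P<problem>\d+) \((?P<name>\w+)\)")

def parse_fields(event):
    """Split each line on the first ': ' only, since values contain colons."""
    pairs = (line.partition(": ") for line in event.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, keeping '\\,' inside a value."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2   # copy the escape pair as one unit
        elif dn[i] == ",":
            rdns, cur, i = rdns + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return rdns + [cur]

def triage(event):
    """Return a summary dict for a directory operation failure, else None."""
    f = parse_fields(event)
    m = LDAP_ERR.search(f.get("Exception", ""))
    if m is None:
        return None
    rdns = split_dn(f.get("Arg2", ""))
    return {
        "identity_source": f.get("Arg1"),
        "target_rdn": rdns[0],
        "container": ",".join(rdns[1:]),
        "ldap_code": int(m["code"]),
        "dsid": m["dsid"],
        "problem": m["name"],
        # LDAP result code 50 is insufficientAccessRights; per the Cause above,
        # check the write permissions of the identity source bind account.
        "insufficient_access": int(m["code"]) == 50,
    }
```

Grouping the results by `container` over many events shows whether every write by the bind account is refused or only writes under particular OUs.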