Tuesday, October 7, 2014

Tivoli Directory Server: "Insufficient access --- Error, Password may not be modified"

When you create an ordinary inetOrgPerson entry as cn=root in Tivoli Directory Server, the entry gets this attribute:

entryOwner: access-id:CN=ROOT


Because of this, when the user binds as their own entry and tries to change their own password, the change fails with an error like the one below:

[root@localhost etc]# idsldapchangepwd -D "cn=chirag,ou=users,ou=JK Enterprise,O=sample" -w passwd -n chirag1! -p 1389
ldap_simple_bind:  Error, Password must be changed after reset
changing password for entry cn=chirag,ou=users,ou=JK Enterprise,O=sample
Insufficient access --- Error, Password may not be modified

Change the attribute so that the entry owns itself (cn=this is the pseudo-DN for the entry being accessed), then try the password change again:

entryOwner: access-id:CN=this

[root@localhost etc]# idsldapchangepwd -D "cn=chirag,ou=users,ou=JK Enterprise,O=IDAAS" -w passwd -n chirag1! -p 1389
ldap_simple_bind:  Error, Password must be changed after reset
changing password for entry cn=chirag,ou=users,ou=JK Enterprise,O=sample

The ldap_simple_bind line is the password-policy notice that the password was reset by an administrator, not a failure: the bind succeeded, and this time no "Insufficient access" line follows it, so the change went through.


Tuesday, April 8, 2014

Configuring SNMP on Tivoli Directory Server.


I was following this link to set up SNMP for TDS. Although it shows how to configure TDS for SNMP, I couldn't verify that it really worked.

After a lot of reading about how SNMP works, I finally managed to get it working and tested.


[A] Configuration needed on the TDS side:

  • Configuring the idssnmp.conf and idssnmp.properties

idssnmp.properties:
server: 127.0.0.1
port: 2389
isSSL: false
ldapbindDN: cn=root
bindDNPwd: mypass
systemuser: Admin
systemuserpwd: mypass


idssnmp.conf:
Port 161
Community     public
View 1.3.6.1.4.1.2.6.199
Trap 9.120.98.165 162 public 

Poll 60

Some explanation here:
1.3.6.1.4.1.2.6.199 is the enterprise OID for TDS.
9.120.98.165 is the server where your snmptrapd daemon is running (in my case a RHEL6 box with all the snmp-related packages installed); 162 is the port it listens on and public is the community string the agent puts in each trap.
Note that idssnmp.properties holds the cn=root bind password and the system user password in cleartext, so restrict its file permissions to the account that runs the agent, and use a community string other than public anywhere outside a lab.

  • Configuring TDS to use the installed TDI
You need to edit the sbin/idssnmp script (idssnmp.cmd on Windows) so that it points at the TDI installation:

set IDS_LDAP_TDI_HOME=C:\Progra~1\IBM\TDI\V7.1

  • Start the SNMP agent
C:\Program Files\IBM\LDAP\V6.3\sbin>idssnmp.cmd
-Logging to file: C:\PROGRA~1\IBM\LDAP\V6.3\var\idssnmp.log
-SNMPAgent started

Your TDS SNMP agent is now running on port 161. As soon as it receives an SNMP request, it sends a trap back to 9.120.98.165 (the Trap host from idssnmp.conf) using the community string public.

[B] Configuration needed on the SNMP machine (RHEL6)


  • Copy the files IBM-DIRECTORYSERVER-MIB and INET-ADDRESS-MIB from TDS:/idstools/snmp to RHEL6:/usr/share/snmp/mibs
  • Edit INET-ADDRESS-MIB so that it contains the following two textual conventions (InetVersion and InetZoneIndex, as defined in RFC 4001), just above the final END

InetVersion ::= TEXTUAL-CONVENTION
    STATUS  current
    DESCRIPTION
        "A value representing a version of the IP protocol.

         unknown(0)  An unknown or unspecified version of the IP
                     protocol.

         ipv4(1)     The IPv4 protocol as defined in RFC 791 (STD 5).

         ipv6(2)     The IPv6 protocol as defined in RFC 2460.

         Note that this textual convention SHOULD NOT be used to
         distinguish different address types associated with IP
         protocols.  The InetAddressType has been designed for this
         purpose."
    REFERENCE   "RFC 791, RFC 2460"
    SYNTAX       INTEGER {
                     unknown(0),
                     ipv4(1),
                     ipv6(2)
                 }

InetZoneIndex ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "A zone index identifies an instance of a zone of a
         specific scope.

         The zone index MUST disambiguate identical address
         values.  For link-local addresses, the zone index will
         typically be the interface index (ifIndex as defined in the
         IF-MIB) of the interface on which the address is configured.

         The zone index may contain the special value 0, which refers
         to the default zone.  The default zone may be used in cases
         where the valid zone index is not known (e.g., when a
         management application has to write a link-local IPv6
         address without knowing the interface index value).  The
         default zone SHOULD NOT be used as an easy way out in
         cases where the zone index for a non-global IPv6 address
         is known."
    REFERENCE   "RFC4007"
    SYNTAX       Unsigned32

  • Move the original INET-ADDRESS-MIB.txt from /usr/share/snmp/mibs to /root, just to create a backup.

  • Add the following line to /etc/snmp/snmptrapd.conf
disableAuthorization yes
This switches off snmptrapd's access control, so it logs traps carrying any community string at all. That is fine for a lab; anywhere else, leave authorization on and grant only the community you chose, restricted to the TDS host as source, for example with a line such as authCommunity log <your-community> 9.118.46.248

  • Restart snmpd and snmptrapd

  • Send an SNMP trap message to the TDS machine

snmptrap -v 1 -c public 9.118.46.248 1.3.6.1.4.1.2.6.199 "" 6 1 ""

Some explanation: we're sending an SNMPv1 trap to TDS hosted on 9.118.46.248 with the enterprise OID 1.3.6.1.4.1.2.6.199. The two empty strings are the agent address and the uptime, which snmptrap fills in with the local host and the system uptime; 6 is the generic-trap value enterpriseSpecific, used because this is a vendor-defined trap rather than one of the standard ones, and 1 is the specific-trap number.
Check man snmptrap for more details on this message.

  • Check whether a trap came back in /var/log/messages

Apr  7 21:37:31 idiwebworm snmptrapd[8275]: 2014-04-07 21:37:30 idisparks.in.ibm.com [9.118.46.248] (via UDP: [9.118.46.248]:49178->[9.120.98.165]) TRAP, SNMP v1, community public#012#011SNMPv2-SMI::enterprises.2 Enterprise Specific Trap (1) Uptime: 0:00:10.87#012#011SNMPv2-SMI::enterprises.2.6.199.1.1.5.1.1.127.0.0.1.2389 = NULL#011SNMPv2-SMI::enterprises.2.6.199.1.1.7.1.1.127.0.0.1.2389 = NULL#011SNMPv2-SMI::enterprises.2.6.199.1.1.4.1.1.127.0.0.1.2389 = NULL#011SNMPv2-SMI::enterprises.2.6.199.1.1.6.1.1.127.0.0.1.2389 = NULL
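The trap above is hard to read because rsyslog flattened it onto one line. The following Python is an added example, not part of the original post: it turns an snmptrapd record from /var/log/messages back into fields (collector, agent, UDP source and destination, community, enterprise OID, generic and specific trap, uptime, varbinds) and flags what a reviewer should notice about it. The log line embedded in it is the one from this post. Reading the last five sub-identifiers of each varbind OID as 127.0.0.1 and port 2389 is an assumption drawn from their matching the server and port in idssnmp.properties, not from IBM-DIRECTORYSERVER-MIB.

```python
# Added example (not from the post): parse snmptrapd records that rsyslog wrote
# to /var/log/messages into structured fields and flag what a reviewer should see.
import ipaddress
import re

TDS_ENTERPRISE_OID = "1.3.6.1.4.1.2.6.199"      # the View OID from idssnmp.conf

# rsyslog writes control characters as '#' + three octal digits ('#012' = LF,
# '#011' = TAB), which is why the whole multi-line trap lands on one log line.
_OCTAL_ESC = re.compile(r"#([0-7]{3})")
_HEADER = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<collector>\S+) "
    r"snmptrapd\[(?P<pid>\d+)\]: (?P<trap_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<agent>\S+) \[(?P<agent_ip>[^\]]+)\] "
    r"\(via UDP: \[(?P<src_ip>[^\]]+)\]:(?P<src_port>\d+)->\[(?P<dst_ip>[^\]]+)\]\) "
    r"TRAP, SNMP v(?P<version>\d), community (?P<community>\S+)$")
_TRAPINFO = re.compile(
    r"^(?P<enterprise>\S+) (?P<generic>.+?) \((?P<specific>\d+)\) Uptime: (?P<uptime>\S+)$")


def unescape_rsyslog(text):
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), text)


def numeric_oid(oid):
    """'SNMPv2-SMI::enterprises.2.6.199.x' -> '1.3.6.1.4.1.2.6.199.x'."""
    prefix = "SNMPv2-SMI::enterprises."
    return "1.3.6.1.4.1." + oid[len(prefix):] if oid.startswith(prefix) else oid


def decode_tds_instance(oid):
    """Split a TDS varbind OID into object and instance parts, or None if the
    OID is outside the TDS subtree.  ASSUMPTION (not taken from the MIB): in
    the post's trap every varbind ends in 127.0.0.1.2389, the server and port
    from idssnmp.properties, so the last five sub-ids are read as IPv4 + port."""
    if not oid.startswith(TDS_ENTERPRISE_OID + "."):
        return None
    parts = oid[len(TDS_ENTERPRISE_OID) + 1:].split(".")
    if len(parts) < 6:
        return None
    host = ".".join(parts[-5:-1])
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None
    return {"object": ".".join(parts[:-5]), "ldap_host": host, "ldap_port": int(parts[-1])}


def parse_trap_record(line):
    """Return a dict for one snmptrapd TRAP record, or None for any other line."""
    lines = unescape_rsyslog(line.rstrip("\n")).split("\n")
    head = _HEADER.match(lines[0])
    info = _TRAPINFO.match(lines[1].strip()) if head and len(lines) > 1 else None
    if info is None:
        return None
    rec = {**head.groupdict(), **info.groupdict()}
    for key in ("pid", "src_port", "version", "specific"):
        rec[key] = int(rec[key])
    rec["enterprise"] = numeric_oid(rec["enterprise"])
    rec["varbinds"] = []
    for vb_line in lines[2:]:                       # varbinds are TAB separated
        for chunk in vb_line.strip().split("\t"):
            if " = " in chunk:
                oid, value = chunk.split(" = ", 1)
                oid = numeric_oid(oid.strip())
                rec["varbinds"].append({"oid": oid, "value": value.strip(),
                                        "instance": decode_tds_instance(oid)})
    return rec


def assess(rec):
    """Findings a reviewer would raise.  SNMPv1 traps carry no authentication,
    so all that can be checked is the community string and the addresses."""
    findings = []
    if rec["version"] == 1:
        findings.append("SNMPv1: community string is cleartext and unauthenticated")
    if rec["community"] in ("public", "private"):
        findings.append("default community %r: any host can forge matching traps" % rec["community"])
    if rec["src_ip"] != rec["agent_ip"]:
        findings.append("agent %s differs from UDP source %s (relayed or spoofed?)"
                        % (rec["agent_ip"], rec["src_ip"]))
    foreign = [vb["oid"] for vb in rec["varbinds"] if vb["instance"] is None]
    if foreign:
        findings.append("varbinds outside %s: %s" % (TDS_ENTERPRISE_OID, foreign))
    return findings


# The /var/log/messages line from the post above, as one string.
SAMPLE_RECORD = (
    "Apr  7 21:37:31 idiwebworm snmptrapd[8275]: 2014-04-07 21:37:30 idisparks.in.ibm.com "
    "[9.118.46.248] (via UDP: [9.118.46.248]:49178->[9.120.98.165]) TRAP, SNMP v1, "
    "community public#012#011SNMPv2-SMI::enterprises.2 Enterprise Specific Trap (1) "
    "Uptime: 0:00:10.87#012#011"
    "SNMPv2-SMI::enterprises.2.6.199.1.1.5.1.1.127.0.0.1.2389 = NULL#011"
    "SNMPv2-SMI::enterprises.2.6.199.1.1.7.1.1.127.0.0.1.2389 = NULL#011"
    "SNMPv2-SMI::enterprises.2.6.199.1.1.4.1.1.127.0.0.1.2389 = NULL#011"
    "SNMPv2-SMI::enterprises.2.6.199.1.1.6.1.1.127.0.0.1.2389 = NULL")

if __name__ == "__main__":
    record = parse_trap_record(SAMPLE_RECORD)
    print("trap from %(agent)s [%(agent_ip)s] specific=%(specific)d uptime=%(uptime)s" % record)
    for vb in record["varbinds"]:
        print("  ", vb["oid"], "->", vb["instance"])
    for finding in assess(record):
        print("  !", finding)
```

Feed it the snmptrapd lines from /var/log/messages (one record per line); lines from other daemons come back as None. The two findings it raises on the post's own trap, an SNMPv1 trap with the community public, are exactly the properties to change before pointing this at a production collector.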


Tuesday, December 3, 2013

How to fetch ibm-pwdAccountLocked attribute using ldapsearch.

When you perform a normal ldapsearch against a Tivoli Directory Server, you will probably not see all the attributes, especially the operational ones.
For my tests I needed the value of ibm-pwdAccountLocked, so here is how I got it.


  • Enable Password Policy on Tivoli Directory Server.
This is pretty straight forward if you have web console installed. 
  1. Navigate to "Server Administration" -> "Manage Password Policy".
  2. Select the default policy -> Click on Edit.
  3. Click on Next -> Enable Password Policy -> Click Next
  4. Click on Finish

  • Now that password policy is enabled, we can search for the attribute. Remember that ibm-pwdAccountLocked is returned ONLY when it is true; when it is false the attribute does not appear in the search output at all, so its absence means "not locked" only if you actually asked for the password-policy operational attributes, as below.
So, for example, I have two entries matching uid=Chirag* under o=sample. One has ibm-pwdAccountLocked true and the other false. Hence, when I search like this, with +ibmpwdpolicy requesting the password-policy operational attributes, I see the corresponding output:
ldapsearch -x -LLL -h 9.9.0.1 -p 1389 -D cn=root -w pass123# -b o=sample uid=Chirag* +ibmpwdpolicy

dn: UID=Chirag Radhakrishnan,OU=users,ou=ad2,ou=oslo,o=sample

dn: UID=Chirag Radhakrishnan,OU=users,ou=chirag-test1,o=sample
ibm-pwdAccountLocked: true
In the above output you can see that the user under ou=chirag-test1 has the attribute set to true, hence it appears in the ldapsearch output; the user under ou=oslo, where it is false, shows no such line.
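Both this post and the entryOwner post above come down to inspecting attributes on exported entries, so here is one added example in Python that serves both; it is not code from either post. It parses an LDIF export (folded lines and base64 values included), reports which entries are owned by access-id:cn=root (those users cannot change their own password) and which carry ibm-pwdAccountLocked: true, and emits the LDIF modify records that switch the owner to access-id:cn=this. The embedded LDIF is constructed for the example, reusing the DNs from these posts; the description and userPassword values in it are invented.

```python
# Added example (not from the posts): audit an LDIF export from TDS for entries
# owned by cn=root (self-service password change fails) and for locked accounts,
# then emit the LDIF modify records that make those entries own themselves.
import base64
import re

ROOT_OWNER = "access-id:cn=root"   # value the entry carries when cn=root created it
SELF_OWNER = "access-id:cn=this"   # pseudo-DN meaning "the entry itself"

_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Minimal LDIF parser: returns [(dn, {attr_lowercase: [values]}), ...].
    Handles folded lines (a continuation line starts with one space), base64
    values ('attr:: ...'), '#' comments and the optional 'version:' line."""
    entries = []
    unfolded = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.split("\n"):
            if not line or line.startswith("#") or line.lower().startswith("version:"):
                continue
            m = _ATTR_LINE.match(line)
            if m is None:
                continue                      # not LDIF attribute syntax; ignore
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def _norm(value):
    return value.lower().replace(" ", "")


def audit(entries):
    """One finding per entry.  'locked' is True only when ibm-pwdAccountLocked is
    present and true: the server omits it when false, and an export taken without
    operational attributes omits it always, so False means 'not reported locked'."""
    findings = []
    for dn, attrs in entries:
        owners = attrs.get("entryowner", [])
        root_values = [v for v in owners if _norm(v) == ROOT_OWNER]
        findings.append({"dn": dn, "root_owned": bool(root_values),
                         "root_owner_values": root_values,
                         "self_owned": any(_norm(v) == SELF_OWNER for v in owners),
                         "locked": any(v.strip().lower() == "true"
                                       for v in attrs.get("ibm-pwdaccountlocked", []))})
    return findings


def fix_ldif(findings):
    """LDIF modify records that swap the cn=root owner for cn=this, the change
    the entryOwner post makes by hand.  The stored value is deleted and cn=this
    added, rather than 'replace', so any other entryOwner values survive.
    (DNs that would need base64 in LDIF, e.g. non-ASCII, are not handled here.)"""
    records = []
    for f in findings:
        if not f["root_owned"]:
            continue
        lines = ["dn: " + f["dn"], "changetype: modify"]
        for v in f["root_owner_values"]:
            lines += ["delete: entryOwner", "entryOwner: " + v, "-"]
        if not f["self_owned"]:
            lines += ["add: entryOwner", "entryOwner: " + SELF_OWNER, "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")


# Constructed export reusing the DNs from these posts; the description and
# userPassword values are invented.  The first entry has a folded line and a
# base64 value to exercise the parser.
SAMPLE_LDIF = """\
version: 1

dn: cn=chirag,ou=users,ou=JK Enterprise,o=sample
objectclass: inetOrgPerson
cn: chirag
description: directory account created by
  cn=root
entryOwner: access-id:CN=ROOT
userPassword:: cGFzc3dk

dn: UID=Chirag Radhakrishnan,OU=users,ou=chirag-test1,o=sample
objectclass: inetOrgPerson
cn: Chirag Radhakrishnan
entryOwner: access-id:cn=this
ibm-pwdAccountLocked: true
"""

if __name__ == "__main__":
    report = audit(parse_ldif(SAMPLE_LDIF))
    for f in report:
        print("%-60s root-owned=%-5s locked=%s" % (f["dn"], f["root_owned"], f["locked"]))
    print(fix_ldif(report))
```

Run it over an export taken as cn=root with +ibmpwdpolicy (so the locked attribute is present where it is true), then feed the printed modify records to idsldapmodify. Deleting the exact stored value instead of replacing the whole attribute keeps any additional owners the entry may have.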



Sunday, September 15, 2013

Adding an administrative user (cn=root like) in Tivoli Directory Server.

This is picked from the paper: http://www.ibm.com/developerworks/tivoli/library/t-dartds/


For my records:


  • Use idsldapadd to add the following user:

C:\Program Files\IBM\LDAP\V6.3\bin>idsldapadd.cmd -p 1389 -D "cn=root" -w "mysecret123"
dn: cn=sdi-admin, cn=AdminGroup, cn=Configuration
cn: sdi-admin
ibm-slapdAdminDN: cn=sdi-admin
ibm-slapdAdminPW: mypass
ibm-slapdAdminRole: AuditAdmin
ibm-slapdAdminRole: DirDataAdmin
ibm-slapdAdminRole: SchemaAdmin
ibm-slapdAdminRole: ServerStartStopAdmin
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdAdminGroupMember

Operation 0 adding new entry cn=sdi-admin, cn=AdminGroup, cn=Configuration

  • Restart Tivoli Directory Server.

The account gets exactly the ibm-slapdAdminRole values listed, so include only the roles the integration actually needs; the four above cover audit, directory data, schema and server start/stop administration. The ibm-slapdAdminPW value is typed in cleartext here, so keep this LDIF out of scripts and shell history.