IBM Support

Update IBM Security Directory Server ACLs for use with IBM Security Access Manager

Question & Answer


Question

When a suffix is added after an ISAM environment is configured, the LDAP ACLs must be updated to allow access by ISAM. During migration of an SDS server, the ACLs may not be copied and must be updated. Operations such as a user create or import may fail with:

Error: HPDMG0769E There were insufficient LDAP access privileges to allow Security Access Manager to create and delete entries in the registry.

In the software stack, the entries could be updated using the ivrgy_tool command shipped with the ISAM C Runtime. This command is no longer shipped when using the appliance. How can the LDAP ACLs be updated?

Cause

The ivrgy_tool is no longer shipped. The C Runtime has been deprecated.

Answer

The ACLs may be updated manually using the attached add-aclentry.ldif file and the idsldapmodify command. The command syntax is:

idsldapmodify -h ldaphost -p 389 -D cn=root -w ? -i add-aclentry.ldif



Double check the name of the ISAM Management domain and its location in SDS. Some examples are:

secAuthority=Lab
secAuthority=Sales,OU=ISAM_Data

The entries above are the same for all User/Group suffixes and also the secAuthority=Default tree.
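
One way to pre-check an LDIF before passing it to idsldapmodify, as an added example that is not part of the IBM note: it flags aclentry subjects that do not sit under the expected management domain DN. The sample LDIF, the o=example suffix, the assumed aclentry layout and the function names are assumptions; the real add-aclentry.ldif is not reproduced on this page.

```python
import re

# Constructed sample standing in for add-aclentry.ldif (assumption: the real
# attachment is not shown on this page; DNs and rights strings are illustrative).
SAMPLE_LDIF = """\
dn: o=example
changetype: modify
add: aclentry
aclentry: group:cn=SecurityGroup,secAuthority=Default:object:ad:normal:rwsc:
 sensitive:rwsc:critical:rwsc
aclentry: group:cn=ivacld-servers,cn=SecurityGroups,secAuthority=Lab:normal:rsc

dn: secAuthority=Lab
changetype: modify
add: aclentry
aclentry: group:cn=SecurityGroup,secAuthority=Lab:object:ad:normal:rwsc
"""

# Assumed layout: aclentry: <type>:<subject DN>:<rights>, where the rights
# section starts with "object", an attribute class name, or "at.<attr>".
SUBJECT = re.compile(
    r"^aclentry:\s*(?:group|access-id|role):(.+?):"
    r"(?:object|normal|sensitive|critical|system|restricted|at\.)", re.I)

def unfold(ldif_text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif_text)

def norm_dn(dn):
    """Case-fold a DN and trim spaces around RDNs (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_acl_domain(ldif_text, domain_dn):
    """Return [(target_dn, subject_dn)] for ACL subjects outside domain_dn."""
    want = norm_dn(domain_dn)
    target, mismatches = None, []
    for line in unfold(ldif_text).splitlines():
        if line.lower().startswith("dn:"):
            target = line[3:].strip()
        match = SUBJECT.match(line)
        if match:
            subject = match.group(1)
            got = norm_dn(subject)
            if got != want and not got.endswith("," + want):
                mismatches.append((target, subject))
    return mismatches

if __name__ == "__main__":
    for target, subject in check_acl_domain(SAMPLE_LDIF, "secAuthority=Lab"):
        print(f"{target}: ACL subject outside management domain: {subject}")
```

An empty result means every ACL subject in the file resolves under the domain DN supplied, for example secAuthority=Sales,OU=ISAM_Data.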


Product Synonym

ISAM

Document Information

Modified date:
16 June 2018

UID

swg21991821