I’m trying to change the attributes of a user in the LDAP server, and when I try to change any attribute of a user in LDAP I get a NoPermissionException; however, if the user is admin then I’m able to change/add the attributes. My goal is to change the password as well.
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name 'CN=test,CN=Users,DC=myid,DC=com,DC=local'
    // Two modifications sent in one modifyAttributes call:
    // drop the whole "department" attribute, then add the new value.
    ModificationItem[] mods = new ModificationItem[2];
    mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("department"));
    mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("department", "New Department"));
    ldapCtx.modifyAttributes("CN=test,CN=Users,DC=myid,DC=com,DC=local", mods);
After a little research I figured it out. You can delegate those permissions to that user by granting them permission in the Active Directory.
In ADUC (Active Directory Users and Computers), right-click on the OU (Organizational Unit) which contains all the users that you want another user to be able to modify their attributes. Choose “Delegate Control”.
Add the user that you would like to give the ability to. Next.
Choose “Create a custom task to delegate”. Next.
Choose “Only the following objects in the folder” then “User objects” in the list. Next.
Uncheck General. Only check Property-specific.
Under Permissions list, check the entries per your requirement such as
Write Telephone Number
Write Street Address
Click Next and Finish.
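The same delegation done from PowerShell instead of the ADUC wizard, as an added example that is not part of the answer above. It assumes the ActiveDirectory module (RSAT) is available and that it runs as a domain admin; the OU OU=Staff,DC=myid,DC=com,DC=local, the service account svc-ldap and the attribute list are placeholders to replace. The script resolves the schemaIDGUID of each attribute and of the user class at run time rather than hard-coding them, and grants WriteProperty on those attributes only, inherited by user objects below the OU, which is what "Only the following objects in the folder" / "User objects" / "Property-specific" produces in the wizard. Because the question also wants to change passwords, it optionally adds the separate "Reset Password" extended right (looked up from the Extended-Rights container); note that the password write itself from JNDI must then go over LDAPS, which the property ACEs do not provide.

```powershell
# Added example (not from the original answer): delegate write access to a few
# user attributes, scoped to user objects under one OU, from PowerShell.
# Requires the ActiveDirectory module (RSAT); run as a domain admin.
Import-Module ActiveDirectory

# Placeholders - replace with your OU, the LDAP client's account and the attributes.
$OuDN        = 'OU=Staff,DC=myid,DC=com,DC=local'
$DelegateSam = 'svc-ldap'
$AttrNames   = @('department', 'telephoneNumber', 'streetAddress')
$GrantResetPassword = $true   # set $false if only attribute writes are needed

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve schemaIDGUIDs from the live schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named '$LdapDisplayName'" }
    [guid]::new([byte[]]$obj.schemaIDGUID)
}

$userClassGuid = Get-SchemaGuid 'user'
$identity      = (Get-ADUser -Identity $DelegateSam).SID   # SecurityIdentifier

$acl = Get-Acl -Path "AD:\$OuDN"

# One ACE per attribute: Allow WriteProperty on <attribute>, inherited only by
# objects of class user underneath the OU (not on the OU object itself).
foreach ($name in $AttrNames) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $name),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}

# Optional: the "Reset Password" control access right, needed to set another
# user's password. It is an ExtendedRight, keyed by the right's rightsGuid.
if ($GrantResetPassword) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                          -LDAPFilter '(displayName=Reset Password)' `
                          -Properties rightsGuid
    if (-not $right) { throw 'Reset Password extended right not found' }
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$right.rightsGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}

Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Check: show exactly what the delegate was granted on the OU.
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$DelegateSam" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The check at the end prints the object-type GUIDs rather than attribute names; compare them against the output of Get-SchemaGuid for each name if you want to confirm no broader right (such as GenericWrite or WriteProperty with an empty ObjectType) was granted by mistake, since that would let the account change every attribute of every user under the OU.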