Description of problem:

In section 12.3.3, the instructions have this line:

aci: (targetattr="userPassword")(version 3.0;aci "password sync";allow (write,compare) userdn="ldap:///cn=sync user,cn=config";)

Note the line begins with aci, which is correct. However, notice the spot after the Version 3.0. It also uses aci which is NOT correct. Looking at section 13.3.1 which describes the ACI syntax, we get this line:

aci: (target)(version 3.0;acl "name";permissionbind_rules;)

Note that that after the Version info, the word is acl, not another aci. Therefore, the command in 12.3.3 "2. Set an ACI..." that is listed as:

aci: (targetattr="userPassword")(version 3.0;aci "password sync";allow (write,compare) userdn="ldap:///cn=sync user,cn=config";)

Should be:

aci: (targetattr="userPassword")(version 3.0;acl "password sync";allow (write,compare) userdn="ldap:///cn=sync user,cn=config";)

It is a subtle difference, but it does make a big difference. The first gives a syntax error and does not allow the Password Sync to update passwords, while the second line works. The first line also generates many hours of troubleshooting and frustration.


Version-Release number of selected component (if applicable):

Revision 10.1-3


Additional info:

Located by customer Frank Coons on Customer Portal Discussions, though he does not have access to Bugzilla:
https://access.redhat.com/discussions/2941731