ADAM proxy object add - error 8358

Question

    Hello,

    I am getting an error when trying to add a proxy object in ADAM, using instructions on this page: http://technet.microsoft.com/en-us/library/cc784622.aspx. The test setup is as follows:

    AD and ADAM are installed on 2 separate Windows 2003 server hosts. The AD test user account "testuser1" is in an AD domain that is in the same forest as the domain of the ADAM host. The SID of testuser1 is S-1-5-21-2767564697-1885188838-431979746-87783 (as given by dsquery user -samid testuser1 | dsget user -sid). The ADAM instance has a custom objectclass "testproxyclass", which has the following attribute in its LDIF create definition:
    systemAuxiliaryClass: msDS-BindProxy

    I am using an account with full Admin rights and privileges to bind to ADAM. I tried adding the testuser1 proxy object using LDIFDE with an LDIF file containing the Base64-encoded binary SID value, and also using LDP with the string representation of the SID. In both cases, I get the same error.

    LDIF file =>
    dn: cn=testuser1,o=testorg,c=US
    changetype: add
    objectclass: testproxyclass
    cn: testuser1
    objectSid:: AQUAAAAAAAUVAAAAma/1pOayXXDifL8Z51YBAA==

    LDP Add Child =>
    objectclass: testproxyclass
    cn: testuser1
    objectSid: S-1-5-21-2767564697-1885188838-431979746-87783

    Error =>
    ldap_add_s(ld, "cn=testuser1,o=testorg,c=US", [3] attrs)
    Error: Add: Unwilling To Perform. <53>
    Server error: 000020E7: SvcErr: DSID-03152AA9, problem 5003 (WILL_NOT_PERFORM), data 8358

    Error 0x20E7 The modification was not permitted for security reasons.

    I looked up error code 8358; it means "It is not permitted to add an attribute which is owned by the system". This is very confusing, since the ADAM bind proxy mechanism should allow adding objectSid at create time.

    After getting the error, I tried granting all permissions explicitly on objectSid attribute for testproxyclass to the ADAM bind user. I also checked that within the same LDP session, the SID lookup menu option resolves the SID correctly to testuser1. Nothing seems to work and the error persists.

    Can someone please help me to resolve this error?

    Thank you!!!

    Thursday, April 9, 2009 3:31 PM
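
When a bind-proxy add fails, the first thing worth ruling out is a mismatch between the SID string reported by dsget and the binary value that ends up in the LDIF file. The following Python helper is an added example (it is not code from the question, from ADAM, or from the Microsoft article linked above); it encodes a "S-1-..." SID string into the binary objectSid layout, decodes it back, and builds the LDIF add record. The only inputs it uses are the SID string and Base64 value copied from the post; the DN, object class and CN are likewise the poster's values. Running it shows that the two representations in the question agree with each other, so the encoding itself is not the problem here.

```python
import base64
import struct

# Values copied from the question above: the SID reported by dsget and the
# objectSid value as it appears in the poster's LDIF file.
SID_STRING = "S-1-5-21-2767564697-1885188838-431979746-87783"
LDIF_BASE64 = "AQUAAAAAAAUVAAAAma/1pOayXXDifL8Z51YBAA=="


def sid_to_bytes(sid: str) -> bytes:
    """Encode an "S-R-A-sub1-...-subN" SID string into its binary form.

    Binary layout (the form objectSid is stored in):
      byte 0      revision (always 1)
      byte 1      number of sub-authorities (0..15)
      bytes 2-7   48-bit identifier authority, big-endian
      then        each sub-authority as a 32-bit little-endian integer
    """
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("bad sub-authority count or value")
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode binary objectSid bytes back into the "S-1-..." string form."""
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(
            f"expected {8 + 4 * count} bytes for {count} sub-authorities, got {len(raw)}"
        )
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_ldif_base64(sid: str) -> str:
    """Base64 text for an 'objectSid::' LDIF attribute line."""
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


def ldif_base64_to_sid(b64: str) -> str:
    """Decode an 'objectSid::' value from an LDIF file back to a SID string."""
    return bytes_to_sid(base64.b64decode(b64))


def ldif_add_proxy_entry(dn: str, objectclass: str, cn: str, sid: str) -> str:
    """Build the LDIF add record for a bind-proxy object with the given SID."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        f"objectclass: {objectclass}",
        f"cn: {cn}",
        f"objectSid:: {sid_to_ldif_base64(sid)}",
        "",
    ])


if __name__ == "__main__":
    # Cross-check the question's two SID representations against each other.
    print("LDIF value decodes to:", ldif_base64_to_sid(LDIF_BASE64))
    print("matches dsget SID:", ldif_base64_to_sid(LDIF_BASE64) == SID_STRING)
    print(ldif_add_proxy_entry("cn=testuser1,o=testorg,c=US",
                               "testproxyclass", "testuser1", SID_STRING))
```

The decoder deliberately rejects a blob whose length does not match its sub-authority count, which is the usual symptom of a SID that was pasted as text and then Base64-encoded, or truncated in transit; a value that round-trips cleanly through both functions can be crossed off the list before looking at schema and permission settings.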

Answers