
MODRDN error

807573 — Jun 26 2007 — edited Jun 28 2007
Hello,

We have a perplexing issue with modding an RDN. The most perplexing thing is: we don't want users to be able to mod RDNs!

Here is the situation:

1) "Allow the modify DN operation" is not checked in the admin console.
2) We have restricted a particular bind from being able to see this particular part of the directory tree, i.e., the user has no access to this part of the tree:

# LDAPv3
# base <cn=hrms,ou=names,ou=namespace,dc=berkeley,dc=edu> with scope one
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 3
result: 32 No such object
matchedDN: ou=names,ou=namespace,dc=berkeley,dc=edu

3) The user can mod a dn from the command line using an ldif:

dn: cn=hrms,ou=names,ou=namespace,dc=berkeley,dc=edu
changetype: moddn
newrdn: cn=hrms1
deleteoldrdn: 1

4) The user cannot mod the dn back to the way it was, something like this:

dn: cn=hrms1,ou=names,ou=namespace,dc=berkeley,dc=edu
changetype: moddn
newrdn: cn=hrms
deleteoldrdn: 1

The user gets an "Insufficient access" error (which is what we would have expected from step 3!).

5) Directory Manager can apply the above ldif without any problems.

Does the previous scenario make sense to anyone? If so, can you explain what we are doing wrong?

Thanks.

Server: Sun Java System Directory Server 5.2_Patch_4 2005.230.0041

-lucas
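As an added example (not part of the post above), the detection check a directory administrator would run over the server's access log to catch exactly the condition in step 3: a MODRDN that returns err=0 on a connection bound as something other than an administrative DN. The log line layout is an assumption modelled on the Sun/389 DS access-log style, the sample lines are constructed, and the bind DN `uid=appbind,...` is hypothetical.

```python
import re

# Constructed sample lines; the layout (BIND / MODRDN / RESULT keyed by conn and op)
# is an assumption modelled on the Sun/389 DS access-log style, not copied from the post.
SAMPLE_LOG = """\
[26/Jun/2007:10:01:02 -0700] conn=12 op=0 BIND dn="uid=appbind,ou=people,dc=berkeley,dc=edu" method=128 version=3
[26/Jun/2007:10:01:02 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[26/Jun/2007:10:01:03 -0700] conn=12 op=1 MODRDN dn="cn=hrms,ou=names,ou=namespace,dc=berkeley,dc=edu" newrdn="cn=hrms1" newsuperior="(null)"
[26/Jun/2007:10:01:03 -0700] conn=12 op=1 RESULT err=0 tag=109 nentries=0 etime=0
[26/Jun/2007:10:01:05 -0700] conn=12 op=2 MODRDN dn="cn=hrms1,ou=names,ou=namespace,dc=berkeley,dc=edu" newrdn="cn=hrms" newsuperior="(null)"
[26/Jun/2007:10:01:05 -0700] conn=12 op=2 RESULT err=50 tag=109 nentries=0 etime=0
[26/Jun/2007:10:02:00 -0700] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[26/Jun/2007:10:02:00 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[26/Jun/2007:10:02:01 -0700] conn=13 op=1 MODRDN dn="cn=hrms1,ou=names,ou=namespace,dc=berkeley,dc=edu" newrdn="cn=hrms" newsuperior="(null)"
[26/Jun/2007:10:02:01 -0700] conn=13 op=1 RESULT err=0 tag=109 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
MODRDN_RE = re.compile(r'conn=(\d+) op=(\d+) MODRDN dn="([^"]*)" newrdn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

# DNs for which a successful MODRDN is expected (compared case-insensitively).
ADMIN_DNS = {"cn=directory manager"}


def find_unexpected_modrdn(log_text, admin_dns=ADMIN_DNS):
    """Return (bind_dn, old_dn, newrdn) for every MODRDN that succeeded (err=0)
    on a connection whose current bind DN is not in admin_dns.
    err=50 (insufficientAccessRights), the outcome in step 4, is not reported."""
    bound_as = {}   # conn -> bind DN of the most recent BIND on that connection
    pending = {}    # (conn, op) -> (old_dn, newrdn) awaiting its RESULT line
    findings = []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bound_as[m.group(1)] = m.group(3)
        elif m := MODRDN_RE.search(line):
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
        elif m := RESULT_RE.search(line):
            key = (m.group(1), m.group(2))
            if key in pending:
                old_dn, newrdn = pending.pop(key)
                bind_dn = bound_as.get(m.group(1), "<anonymous>")
                if m.group(3) == "0" and bind_dn.lower() not in admin_dns:
                    findings.append((bind_dn, old_dn, newrdn))
    return findings


if __name__ == "__main__":
    for bind_dn, old_dn, newrdn in find_unexpected_modrdn(SAMPLE_LOG):
        print(f"unexpected MODRDN by {bind_dn}: {old_dn} -> {newrdn}")
```

On the constructed log this reports only the first rename (conn=12, op=1); the failed reverse rename and the Directory Manager rename are not flagged.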
Locked on Jul 26 2007
Added on Jun 26 2007