5015 or 672 error received trying to update profile with SSPR

  • 7016742
  • 07-Aug-2015
  • 18-Aug-2015


NetIQ Self Service Password Reset


After configuring attributes a user can update on their profile with the "Update Profile" option in SSRP, the user receives a -672 No Access error trying to update the attribute values.

The user has Compare, Read, Write rights to the attribute that it is trying to update.

If the user has a current value in the attribute, then they are able to update the attribute value without any errors.

Error in Log

2015-08-07T13:44:13Z, ERROR, servlet.UpdateProfileServlet, {cn=denchris4,ou=users,o=mountain} 5015 ERROR_UNKNOWN (error setting 'Description' attribute on user cn=denchris4,ou=users,o=mountain, error: [LDAP: error code 50 - NDS error: no access (-672)]) []
2015-08-07T13:44:13Z, TRACE, provider.JNDIProviderImpl, error during write of attribute 'Description', error: [LDAP: error code 50 - NDS error: no access (-672)]


In order to be able to update attributes on a user object with the update profile option, the user has to be able to read all attributes, and write to the attribute you want to update.

If you are using eDirectory on the back-end of SSPR, you can modify the "This" trustee at the root of the tree, and add Read, Compare rights to all properties, and Read, Compare, Write, Inherit rights to the attribute you want to update with update profile.

"This" grants rights for each user to themselves, but not others.

If you are using Active Directory on the backend, then granting the user rights to allow the user to read their own account should resolve the issue in Active Directory as well.