5015 or 672 error received trying to update profile with SSPR

  • 7016742
  • 07-Aug-2015
  • 18-Aug-2015

Environment


NetIQ Self Service Password Reset 3.2.0.3

Situation

After configuring the attributes a user can update on their profile with the "Update Profile" option in SSPR, the user receives a -672 No Access error when trying to update the attribute values.

The user has Compare, Read, and Write rights to the attribute that they are trying to update.

If the user has a current value in the attribute, then they are able to update the attribute value without any errors.

Error in Log

2015-08-07T13:44:13Z, ERROR, servlet.UpdateProfileServlet, {cn=denchris4,ou=users,o=mountain} 5015 ERROR_UNKNOWN (error setting 'Description' attribute on user cn=denchris4,ou=users,o=mountain, error: [LDAP: error code 50 - NDS error: no access (-672)]) [151.155.214.1/denchris1.lab.novell.com]
2015-08-07T13:44:13Z, TRACE, provider.JNDIProviderImpl, error during write of attribute 'Description', error: [LDAP: error code 50 - NDS error: no access (-672)]




Resolution

To update attributes on a user object with the Update Profile option, the user must be able to read all attributes and write to the attribute you want to update.

If you are using eDirectory as the back end for SSPR, you can modify the "This" trustee at the root of the tree: add Read and Compare rights to all properties, and Read, Compare, Write, and Inherit rights to the attribute you want to update with Update Profile.

"This" grants rights for each user to themselves, but not others.

If you are using Active Directory as the back end, granting users rights to read their own account should resolve the issue in Active Directory as well.
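
To see which attributes still need the Write right granted, the -672 write failures can be pulled out of the SSPR log and grouped by attribute. The following is an added example, not part of the original article and not NetIQ code; it assumes the ERROR line format shown under "Error in Log", and the sample lines marked as constructed are not real log output.

```python
import re
from collections import defaultdict

# Matches the UpdateProfileServlet ERROR line format shown under "Error in Log".
WRITE_DENIED = re.compile(
    r"^(?P<ts>\S+), ERROR, servlet\.UpdateProfileServlet, "
    r"\{(?P<actor>[^}]*)\} 5015 ERROR_UNKNOWN "
    r"\(error setting '(?P<attr>[^']+)' attribute on user (?P<target>.+?), "
    r"error: \[LDAP: error code 50 - NDS error: no access \(-672\)\]\)"
)

def denied_writes(lines):
    """Return {attribute: sorted user DNs} for every -672 profile write failure.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive, so 'Description' and 'description' are one attribute.
    """
    hits = defaultdict(set)
    for line in lines:
        m = WRITE_DENIED.match(line.strip())
        if m:
            hits[m.group("attr").lower()].add(m.group("target"))
    return {attr: sorted(dns) for attr, dns in hits.items()}

SAMPLE_LOG = [
    # The two log lines from the article.
    "2015-08-07T13:44:13Z, ERROR, servlet.UpdateProfileServlet, "
    "{cn=denchris4,ou=users,o=mountain} 5015 ERROR_UNKNOWN (error setting "
    "'Description' attribute on user cn=denchris4,ou=users,o=mountain, error: "
    "[LDAP: error code 50 - NDS error: no access (-672)]) "
    "[151.155.214.1/denchris1.lab.novell.com]",
    "2015-08-07T13:44:13Z, TRACE, provider.JNDIProviderImpl, error during write "
    "of attribute 'Description', error: "
    "[LDAP: error code 50 - NDS error: no access (-672)]",
    # Constructed lines (hypothetical user, attribute and host) in the same format.
    "2015-08-07T13:50:02Z, ERROR, servlet.UpdateProfileServlet, "
    "{cn=testuser2,ou=users,o=example} 5015 ERROR_UNKNOWN (error setting "
    "'description' attribute on user cn=testuser2,ou=users,o=example, error: "
    "[LDAP: error code 50 - NDS error: no access (-672)]) [192.0.2.10/host.example.com]",
    "2015-08-07T13:50:09Z, ERROR, servlet.UpdateProfileServlet, "
    "{cn=testuser2,ou=users,o=example} 5015 ERROR_UNKNOWN (error setting "
    "'Title' attribute on user cn=testuser2,ou=users,o=example, error: "
    "[LDAP: error code 50 - NDS error: no access (-672)]) [192.0.2.10/host.example.com]",
]

if __name__ == "__main__":
    for attr, dns in sorted(denied_writes(SAMPLE_LOG).items()):
        print(f"{attr}: {len(dns)} user(s) denied write -> {', '.join(dns)}")
```

Each attribute listed in the output is a candidate for the Read, Compare, Write, Inherit assignment described in the Resolution.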