A client of ours has a problem with the C# LDAP interface available from

There are some objects that don't allow modifications to their
membership attribute. The application is supposed to add a user to a
group, so it should add the group to the membership attribute of the
user object and the user to the member attribute of the group object.
When trying to add the group to the membership, the interface returns an
error 'NDS error: no access (-672)' even when it's used with supervisor
or whole-tree write access rights. The exact same modification works
fine when issued from Java interface. The objects that fail are usually
'bigger', they have more attributes, are members of more groups.

The code and connection traces are available here:

The modification for the DanielS object is refused while the one for
LRakow works fine.

We suspect that the problem is the LDAP library itself, but maybe there's
something we can't see in the sourcecode.

Michał Sawicz, Novell Professional Services Poland