This error message means the dn you used to bind LDAP server doesn't have privilege to update certain object.

Which dn did you use to bind LDAP server in phpLDAPadmin and iRedAdmin? You should use 'cn=Manager,dc=xxx,dc=xxx' or 'cn=vmailadmin,dc=xxx,dc=xxx'. You can find them in file '/path/to/iRedMail-0.7.3-rc2/iRedMail.tips'.

Search 'Search' in this page, you will find it.

The try adding a new POSIX Group using Openldap reads the following log:

<quote>

conn=25 fd=12 ACCEPT from IP=127.0.0.1:35382 (IP=0.0.0.0:389)
conn=25 op=0 BIND dn="cn=manager,dc=example,dc=de" method=128
conn=25 op=0 BIND dn="cn=manager,dc=example,dc=de" mech=SIMPLE ssf=0
conn=25 op=0 RESULT tag=97 err=0 text=
conn=25 op=1 SRCH base="ou=Groups,domainName=example.de,o=domains,dc=example,dc=de" scope=0 deref=0 filter="(&(objectClass=*))"
conn=25 op=1 SRCH attr=* +
conn=25 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=25 op=2 SRCH base="" scope=0 deref=0 filter="(&(objectClass=*))"
conn=25 op=2 SRCH attr=* +
conn=25 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=25 op=3 SRCH base="" scope=0 deref=3 filter="(&(objectClass=*))"
conn=25 op=3 SRCH attr=namingContexts subschemaSubentry altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion currentTime dsServiceName defaultNamingContext schemaNamingContext configurationNamingContext rootDomainNamingContext supportedLDAPPolicies highestCommittedUSN dnsHostName ldapServiceName serverName supportedCapabilities changeLog tlsAvailableCipherSuites tlsImplementationVersion supportedSASLMechanisms dsaVersion myAccessPoint dseType + *
conn=25 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=25 op=4 SRCH base="" scope=0 deref=3 filter="(&(objectClass=*))"
conn=25 op=4 SRCH attr=namingContexts subschemaSubentry altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion currentTime dsServiceName defaultNamingContext schemaNamingContext configurationNamingContext rootDomainNamingContext supportedLDAPPolicies highestCommittedUSN dnsHostName ldapServiceName serverName supportedCapabilities changeLog tlsAvailableCipherSuites tlsImplementationVersion supportedSASLMechanisms dsaVersion myAccessPoint dseType + *
conn=25 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=25 op=5 SRCH base="cn=manager,dc=example,dc=de" scope=0 deref=0 filter="(&(objectClass=*))"
conn=25 op=5 SRCH attr=* +
conn=25 op=5 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=25 op=6 UNBIND
conn=25 fd=12 closed

</quote>

The final execute has no react on the log and hangs as described on the Updating Object ... screen.

The next log has been taken inside of the iredadmin trying to add a new user:

<quote>

conn=34 fd=12 ACCEPT from IP=127.0.0.1:51906 (IP=0.0.0.0:389)
conn=34 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=34 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=34 op=0 RESULT tag=97 err=0 text=
conn=34 op=1 SRCH base="o=domains,dc=example,dc=de" scope=1 deref=0 filter="(objectClass=mailDomain)"
conn=34 op=1 SRCH attr=domainName accountSetting domainCurrentQuotaSize
conn=34 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=34 op=2 UNBIND
conn=34 fd=12 closed
conn=35 fd=12 ACCEPT from IP=127.0.0.1:51908 (IP=0.0.0.0:389)
conn=35 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=35 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=35 op=0 RESULT tag=97 err=0 text=
conn=35 op=1 SRCH base="o=domains,dc=example,dc=de" scope=1 deref=0 filter="(objectClass=mailDomain)"
conn=35 op=1 SRCH attr=domainName accountSetting domainCurrentQuotaSize
conn=35 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=36 fd=15 ACCEPT from IP=127.0.0.1:51909 (IP=0.0.0.0:389)
conn=36 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=36 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=36 op=0 RESULT tag=97 err=0 text=
conn=36 op=1 SRCH base="ou=Users,domainName=example.de,o=domains,dc=example,dc=de" scope=2 deref=0 filter="(&(objectClass=mailUser)(!(mail=@example.de)))"
conn=36 op=1 SRCH attr=dn
conn=36 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=36 op=2 SRCH base="ou=Users,domainName=example.de,o=domains,dc=example,dc=de" scope=2 deref=0 filter="(&(objectClass=mailUser)(!(mail=@example.de)))"
conn=36 op=2 SRCH attr=mail cn accountStatus mailQuota employeeNumber title shadowAddress memberOfGroup storageBaseDirectory mailMessageStore lastLoginDate createTimestamp
conn=36 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=36 op=3 MOD dn="domainName=example.de,o=domains,dc=example,dc=de"
conn=36 op=3 MOD attr=domainCurrentUserNumber
conn=36 op=3 RESULT tag=103 err=50 text=
conn=35 op=2 UNBIND
conn=35 fd=12 closed
conn=36 op=4 UNBIND
conn=36 fd=15 closed
conn=37 fd=12 ACCEPT from IP=127.0.0.1:51911 (IP=0.0.0.0:389)
conn=37 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=37 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=37 op=0 RESULT tag=97 err=0 text=
conn=38 fd=15 ACCEPT from IP=127.0.0.1:51912 (IP=0.0.0.0:389)
conn=38 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=38 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=38 op=0 RESULT tag=97 err=0 text=
conn=38 op=1 SRCH base="domainName=example.de,o=domains,dc=example,dc=de" scope=2 deref=0 filter="(mail=dm@example.de)"
conn=38 op=1 SRCH attr=dn
conn=38 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=39 fd=17 ACCEPT from IP=127.0.0.1:51913 (IP=0.0.0.0:389)
conn=39 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=39 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=39 op=0 RESULT tag=97 err=0 text=
conn=39 op=1 SRCH base="domainName=example.de,o=domains,dc=example,dc=de" scope=0 deref=0 filter="(&(objectClass=mailDomain)(domainName=example.de))"
conn=39 op=1 SRCH attr=domainName domainAliasName cn description accountStatus domainBackupMX domainAdmin mtaTransport enabledService domainRecipientBccAddress domainSenderBccAddress disclaimer domainCurrentQuotaSize domainCurrentUserNumber domainCurrentListNumber domainCurrentAliasNumber accountSetting createTimestamp
conn=39 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=37 op=1 ADD dn="mail=dm@example.de,ou=Users,domainName=example.de,o=domains,dc=example,dc=de"
conn=37 op=1 RESULT tag=105 err=50 text=no write access to parent
conn=38 op=2 UNBIND
conn=38 fd=15 closed
conn=39 op=2 UNBIND
conn=39 fd=17 closed
conn=37 op=2 UNBIND
conn=37 fd=12 closed
conn=40 fd=12 ACCEPT from IP=127.0.0.1:51915 (IP=0.0.0.0:389)
conn=40 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=40 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=40 op=0 RESULT tag=97 err=0 text=
conn=40 op=1 SRCH base="o=domains,dc=example,dc=de" scope=1 deref=0 filter="(objectClass=mailDomain)"
conn=40 op=1 SRCH attr=domainName accountSetting domainCurrentQuotaSize
conn=40 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=41 fd=15 ACCEPT from IP=127.0.0.1:51916 (IP=0.0.0.0:389)
conn=41 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" method=128
conn=41 op=0 BIND dn="cn=vmailadmin,dc=example,dc=de" mech=SIMPLE ssf=0
conn=41 op=0 RESULT tag=97 err=0 text=
conn=41 op=1 SRCH base="ou=Users,domainName=example.de,o=domains,dc=example,dc=de" scope=2 deref=0 filter="(&(objectClass=mailUser)(!(mail=@example.de)))"
conn=41 op=1 SRCH attr=dn
conn=41 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=41 op=2 SRCH base="ou=Users,domainName=example.de,o=domains,dc=example,dc=de" scope=2 deref=0 filter="(&(objectClass=mailUser)(!(mail=@example.de)))"
conn=41 op=2 SRCH attr=mail cn accountStatus mailQuota employeeNumber title shadowAddress memberOfGroup storageBaseDirectory mailMessageStore lastLoginDate createTimestamp
conn=41 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=41 op=3 MOD dn="domainName=example.de,o=domains,dc=example,dc=de"
conn=41 op=3 MOD attr=domainCurrentUserNumber
conn=41 op=3 RESULT tag=103 err=50 text=
conn=40 op=2 UNBIND
conn=40 fd=12 closed
conn=41 op=4 UNBIND
conn=41 fd=15 closed

</quote>

Leading to the failure already mentioned in the initial message.

All this has been done using the follwing slapd.conf:

<quote>

# File generated by iRedMail (2011.08.08.11.12.58):
#
# Version:  0.7.3-rc2
# Project:  http://www.iredmail.org/
#
# Community: http://www.iredmail.org/forum/
#

# Schemas.
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
# Integrate Amavisd-new.
include     /etc/openldap/schema/amavisd-new.schema
# Schema provided by iRedMail.
include     /etc/openldap/schema/iredmail.schema

# Where the pid file is put. The init.d script will not stop the
# server if you change this.
pidfile     /var/run/openldap/slapd.pid

# List of arguments that were passed to the server
argsfile    /var/run/openldap/slapd.args

# TLS files.
TLSCACertificateFile /etc/pki/tls/certs/iRedMail_CA.pem
TLSCertificateFile /etc/pki/tls/certs/iRedMail_CA.pem
TLSCertificateKeyFile /etc/pki/tls/private/iRedMail.key

# Modules.
modulepath  /usr/lib/openldap
moduleload  back_bdb

# Disallow bind as anonymous.
disallow    bind_anon

# Uncomment below line to allow binding as anonymouse.
#allow bind_anon_cred

# Specify LDAP protocol version.
require     LDAPv3
#allow       bind_v2

# Log level.
#   -1:     enable all debugging
#    0:     no debugging
#   128:    access control list processing
#   256:    stats log connections/operations/results
loglevel    0
database monitor
#
# Access Control List. Used for LDAP bind.
#
# NOTE: Every domain have a administrator. e.g.
#   Domain Name: 'example.de'
#   Admin Name: mail=postmaster@example.de, domainName=example.de, o=domains,dc=example,dc=de
#

# Personal LDAP address book.
access to dn.regex="cn=[^,]+,mail=([^,]+)@([^,]+),ou=Users,domainName=([^,]+),o=domains,dc=example,dc=de$"
    by anonymous                    none
    by self                         none
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by dn.regex="mail=$1@$2,ou=Users,domainName=$3,o=domains,dc=example,dc=de$" write
    by users                        none

# Allow users to change their own passwords and mail forwarding addresses.
access to attrs="userPassword,mailForwardingAddress"
    by anonymous    auth
    by self         write
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by users        none

# Allow to read others public info.
access to attrs="cn,sn,gn,givenName,telephoneNumber"
    by anonymous    auth
    by self         write
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by users        read

# Domain attrs.
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by users        read

access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by users        none

# User attrs.
access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress"
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by users        read

#
# Set ACL for vmail/vmailadmin.
#
access to dn="cn=vmail,dc=example,dc=de"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by users                        none

access to dn="cn=vmailadmin,dc=example,dc=de"
    by anonymous                    auth
    by self                         write
    by users                        none

#
# Allow users to access their own domain subtree.
# Allow domain admin to modify accounts under same domain.
#
access to dn.regex="domainName=([^,]+),o=domains,dc=example,dc=de$"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=example,dc=de$" write
    by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=example,dc=de$" read
    by users                        none

#
# Grant correct privileges to vmail/vmailadmin.
#
access to dn.subtree="o=domains,dc=example,dc=de"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=de$" read
    by users                        read

access to dn.subtree="o=domainAdmins,dc=example,dc=de"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=example,dc=de"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=de"  write
    by users                        none

#
# Set permission for "cn=*,dc=example,dc=de".
#
access to dn.regex="cn=[^,]+,dc=example,dc=de"
    by anonymous                    auth
    by self                         write
    by users                        none

#
# Set default permission.
#
access to *
    by anonymous                    auth
    by self                         write
    by users                        read

#######################################################################
# BDB database definitions
#######################################################################

database    bdb
suffix      dc=example,dc=de
directory   /var/lib/ldap/example.de

rootdn      cn=Manager,dc=example,dc=de
rootpw      {SSHA}wbfulsjJ0LpRQzWsdXbiC2EYOW0zUcVL

sizelimit   1000
cachesize   1000

#
# Set directory permission.
#
mode        0700

#
# Default index.
#
index objectClass                                   eq,pres
index uidNumber,gidNumber,uid,memberUid,loginShell  eq,pres
index homeDirectory,mailMessageStore                eq,pres
index ou,cn,mail,surname,givenname,telephoneNumber  eq,pres,sub
index nisMapName,nisMapEntry                        eq,pres,sub
index shadowLastChange                              eq,pres

#
# Index for mail attrs.
#
# ---- Domain related ----
index domainName,mtaTransport,accountStatus,enabledService  eq,pres,sub
index domainAliasName    eq,pres,sub
index domainMaxUserNumber eq,pres
index domainAdmin,domainGlobalAdmin,domainBackupMX    eq,pres,sub
index domainSenderBccAddress,domainRecipientBccAddress  eq,pres,sub
# ---- Group related ----
index accessPolicy,hasMember,listAllowedUser   eq,pres,sub
# ---- User related ----
index mailForwardingAddress,shadowAddress   eq,pres,sub
index backupMailAddress,memberOfGroup   eq,pres,sub
index userRecipientBccAddress,userSenderBccAddress  eq,pres,sub

</quote>

The iredmail side is config to :

<quote>
[general]

# Site webmaster's mail address.
webmaster = www@example.de

# Debug mode: True, False.
# Warning: Do *NOT* enable debug in product server.
debug = False

# Mail detail message of '500 internal server error' to webmaster: True, False.
# If set to True, iredadmin will mail detail error to webmaster when
# it catches 'internal server error' via LOCAL mail server to aid
# in debugging production servers.
mail_error_to_webmaster = False

# Default language.
lang = en_US

# Database backend: ldap.
backend = ldap

# Base directory used to store all mail data.
# iRedMail uses '/var/vmail/vmail1' as default storage directory.
# Tip: You can set a per-domain storage directory in domain profile page.
storage_base_directory = /var/vmail/vmail1

# Default mta transport.
# iRedMail uses 'dovecot' as defualt transport.
# Tip: You can set a per-domain or per-user transport in domain or user
#      profile page.
mtaTransport = dovecot

# Show user login date instead of created date: True, False.
# Please refer to iRedAdmin FAQ if you don't know how to track user last
# login data: http://www.iredmail.org/admin_faq.html
show_login_date = False

# Show percentage of mailbox quota usage. Used in LDAP backend.
# Make sure you have correct dovecot setting by following this tutorial:
# http://iredmail.org/wiki/index.php?titl … a.In.MySQL
show_used_quota = True

# Min/Max admin password length.
#   - min_passwd_length: 0 means unlimited, but at least 1 character
#                        is required.
#   - max_passwd_length: 0 means unlimited.
# User password length is controlled in domain profile.
min_passwd_length = 0
max_passwd_length = 0

[iredadmin]
# Database used to store iRedAdmin data. e.g. sessions, log.
host = 127.0.0.1
port = 3306
db = iredadmin
user = iredadmin
passwd = XUEPGM9WGfXi3Nhvs2joNV8dEiCkED

############################################################################
# Settings used for LDAP backend.
#
[ldap]

# LDAP server uri.
# Use 'ldaps://127.0.0.1' for SSL/TLS-based secure connection.
uri = ldap://127.0.0.1:389

# LDAP suffix.
# basedn: dn which contains virtual domains.
# domainadmin_dn: dn which contains virtual domain admins.
basedn = o=domains,dc=example,dc=de
domainadmin_dn = o=domainAdmins,dc=example,dc=de

# Bind dn and password.
#   - bind dn should have write privilege in LDAP.
#   - bind pw is plain text, not encryped/hashed.
bind_dn = cn=vmailadmin,dc=example,dc=de
bind_pw = T2W9EUQCATundBgNk6t6dZM8YRZfL2

############################################################################
# Settings used for Policyd (1.8.x) integration. Provides global
# white-/blacklist, sender/recipient throttling, etc.
#
[policyd]

# Enable policyd integration: True, False.
enabled = True

# SQL Database used to store policyd data, eg. whitelist, blacklist.
# You can find related information in policyd config files:
#   - On RHEL/CentOS:   /etc/policyd.conf
#   - On Debian/Ubuntu: /etc/postfix-policyd.conf
#   - On FreeBSD:       /usr/local/etc/policyd.conf
# Related parameters:
#   host    -> MYSQLHOST
#   port    -> 3306 (Default)
#   db      -> MYSQLDBASE
#   user    -> MYSQLUSER
#   passwd  -> MYSQLPASS
host = 127.0.0.1
port = 3306
db = policyd
user = policyd
passwd = VymTmR5WweNwrP6hJOTNkUSsv1sRBr

##############################################################################
# Settings used for Amavisd-new integration. Provides spam/virus quaranting,
# releasing, etc.
#
[amavisd]

# #### Quarantining ####
# Release quarantined SPAM/Virus mails: True, False.
# iRedAdmin-Pro will connect to @quarantine_server to release quarantined mails.
# How to enable quarantining in Amavisd-new:
quarantine = True

# Amavisd server address.
server = 127.0.0.1

# Port of 'AM.PDP-INET'. Default is 9998.
quarantine_port = 9998

########### Logging into SQL (@storage_sql_dsn) ##########
# Logging into SQL: True, False.
# Log info of incoming/outgoing emails into SQL.
# It's @storage_sql_dsn setting in amavisd. You can find this setting
# in amavisd-new config files:
#   - On RHEL/CentOS:   /etc/amavisd.conf
#   - On Debian/Ubuntu: /etc/amavis/conf.d/50-user.conf
#   - On FreeBSD:       /usr/local/etc/amavisd.conf
logging_into_sql = True

host = 127.0.0.1
port = 3306
db = amavisd
user = amavisd
passwd = Y7QMj2a0dB29UqA3ODnarkalpsKIUw
</quote>

I am not sure but could this have something to with apache/php and the ldap module?

After switching the WebBrowser from IE9 to FireFox, at least i was able to get phpldapadmin to work, means adding modifying and deleting is possible. After having changed the user in the iRedAdmin setting to cn=manager,... anything is working, despite this fact i would prefer getting the whole thing work with cn=vmailadmin. Do you have another idea who to get this to work?