OID ACI Rule Works In One OID Node But Not In Another: ldap_modify: Insufficient access (Doc ID 1302425.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version: 9.0.4 and later [Release: 10gR1 and later]
Information in this document applies to any platform.

Symptoms

A custom ACI rule fails with "LDAP: error code 50 - Insufficient access" on one Oracle Internet Directory (OID) 10g node, whereas the same rule works fine on another OID node.

An admin user can modify users on the working node, but the same admin user, with the same privileges, fails to modify users on the second (non-working) OID node; for example:

ldapmodify -p 389 -h myoidhost -D "cn=myadminuser,cn=Users,dc=mycompany,dc=com" -w <password> -v -f /tmp/update.ldif
replace telexnumber:
20100629094004.2299999
modifying entry CN=user1,cn=Users,dc=mycompany,dc=com
ldap_modify: Insufficient access

The same error occurs when using other LDAP clients, such as JXplorer or custom Java code.

Comparing OID debug traces at level 8193 (Access Control List processing and Heavy Trace Debugging), collected on both nodes as per <Note 397821.1>, the non-working node shows attribute access being denied by the access control point (ACP) at the users container, which is where the custom ACI change was made:

...<snip>...
14:01:51 * gslfacVGetNearestACP:Parsing the node cn=user1,cn=users,dc=mycompany,dc=com
14:01:51 * gslfacVGetNearestACP:Parsing the node cn=users,dc=mycompany,dc=com
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) Entry DN:(cn=user1,cn=users,dc=mycompany,dc=com)
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) User DN:(cn=myadminuser,cn=users,dc=mycompany,dc=com)
14:01:51 * gslfacZEvaluate_Atributes:Operation id:(1) Visiting ACP at: (cn=users,dc=mycompany,dc=com)
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) Attribute Accees denied by ACP: (cn=users,dc=mycompany,dc=com)
...<snip>....
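When two nodes are supposed to carry identical ACIs, the quickest way to localise the difference is to read the level 8193 trace for each node and find the operation that is denied on one node but not the other, then dump the ACIs stored on the ACP named in the denial from both nodes and diff them. The following Python script is an added example, not part of this note or of OID itself. It parses the ACL evaluation lines of the trace by message text (the trace spells the function name inconsistently, so matching on the function name is unreliable), reports the ACP that denied the operation on the non-working node only, and builds the ldapsearch that dumps that ACP's orclaci and orclentrylevelaci values. The non-working trace reuses the lines quoted above; the working trace is constructed for contrast on the assumption that a node which grants the modify records no "denied by ACP" line for that operation. Host, port and bind DN are placeholders.

```python
import re
from typing import Dict, List

# Non-working trace: the lines quoted in the note above.
NONWORKING_TRACE = """\
14:01:51 * gslfacVGetNearestACP:Parsing the node cn=user1,cn=users,dc=mycompany,dc=com
14:01:51 * gslfacVGetNearestACP:Parsing the node cn=users,dc=mycompany,dc=com
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) Entry DN:(cn=user1,cn=users,dc=mycompany,dc=com)
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) User DN:(cn=myadminuser,cn=users,dc=mycompany,dc=com)
14:01:51 * gslfacZEvaluate_Atributes:Operation id:(1) Visiting ACP at: (cn=users,dc=mycompany,dc=com)
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) Attribute Accees denied by ACP: (cn=users,dc=mycompany,dc=com)
"""

# Working trace: constructed (assumed) sample in which the same ACP is visited
# but no denial is recorded for the operation.
WORKING_TRACE = """\
14:02:10 * gslfacVGetNearestACP:Parsing the node cn=user1,cn=users,dc=mycompany,dc=com
14:02:10 * gslfacVGetNearestACP:Parsing the node cn=users,dc=mycompany,dc=com
14:02:10 * gslfacZEvaluate_Attributes:Operation id:(1) Entry DN:(cn=user1,cn=users,dc=mycompany,dc=com)
14:02:10 * gslfacZEvaluate_Attributes:Operation id:(1) User DN:(cn=myadminuser,cn=users,dc=mycompany,dc=com)
14:02:10 * gslfacZEvaluate_Atributes:Operation id:(1) Visiting ACP at: (cn=users,dc=mycompany,dc=com)
"""

# Match on message text, not on the (inconsistently spelled) function name.
RE_OP = re.compile(r"Operation id:\((\d+)\)")
RE_ENTRY = re.compile(r"Entry DN:\((.+)\)\s*$")
RE_USER = re.compile(r"User DN:\((.+)\)\s*$")
RE_VISIT = re.compile(r"Visiting ACP at: \((.+)\)\s*$")
RE_DENY = re.compile(r"denied by ACP: \((.+)\)\s*$")


def parse_trace(text: str) -> Dict[str, dict]:
    """Group the ACL evaluation lines of a level 8193 trace by operation id.

    Returns {op_id: {"entry_dn", "user_dn", "visited": [ACP DNs], "denied_by": [ACP DNs]}}.
    Lines without an operation id (the nearest-ACP walk) are skipped.
    """
    ops: Dict[str, dict] = {}
    for line in text.splitlines():
        m = RE_OP.search(line)
        if not m:
            continue
        op = ops.setdefault(m.group(1), {"entry_dn": None, "user_dn": None,
                                         "visited": [], "denied_by": []})
        if e := RE_ENTRY.search(line):
            op["entry_dn"] = e.group(1)
        elif u := RE_USER.search(line):
            op["user_dn"] = u.group(1)
        elif v := RE_VISIT.search(line):
            op["visited"].append(v.group(1))
        elif d := RE_DENY.search(line):
            op["denied_by"].append(d.group(1))
    return ops


def find_denying_acps(working: str, nonworking: str) -> List[dict]:
    """List operations denied on the non-working node but not on the working one.

    Each finding names the ACP whose ACIs should be compared between the nodes.
    """
    good = parse_trace(working)
    bad = parse_trace(nonworking)
    findings = []
    for op_id, op in bad.items():
        good_denied = good.get(op_id, {}).get("denied_by", [])
        for acp in op["denied_by"]:
            if acp not in good_denied:
                findings.append({"op": op_id, "user_dn": op["user_dn"],
                                 "entry_dn": op["entry_dn"], "acp": acp})
    return findings


def aci_dump_command(host: str, port: int, bind_dn: str, acp_dn: str) -> str:
    """Build the ldapsearch that dumps the ACIs stored on an ACP entry.

    orclaci and orclentrylevelaci are the OID attributes holding ACIs. Run the
    same command against each node and diff the two outputs. The password is
    left as a placeholder rather than embedded in the command.
    """
    return (f'ldapsearch -h {host} -p {port} -D "{bind_dn}" -w <password> '
            f'-b "{acp_dn}" -s base "objectclass=*" orclaci orclentrylevelaci')


if __name__ == "__main__":
    for f in find_denying_acps(WORKING_TRACE, NONWORKING_TRACE):
        print(f"op {f['op']}: {f['user_dn']} denied on {f['entry_dn']} by ACP {f['acp']}")
        # Placeholder host and bind DN; substitute your own before running.
        print("  compare on both nodes:",
              aci_dump_command("myoidhost", 389, "cn=orcladmin", f["acp"]))
```

In the traces above the only finding is operation 1, denied by the ACP at cn=users,dc=mycompany,dc=com, so that container's orclaci and orclentrylevelaci values are what to diff between the nodes; an ACI that looks identical when read through a GUI can still differ in ordering or in a subject DN, and a raw dump exposes that.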

Double-checked that the admin user is a member of the same groups on both OIDs, and also that the ACIs under the cn=users,dc=mycompany,dc=com container look the same on both OID nodes.

Restarting OID after the ACI changes was also tried, to no avail.

Changes

Added a custom ACI to both OID nodes.

Cause
