
OID ACI Rule Works In One OID Node But Not In Another: ldap_modify: Insufficient access (Doc ID 1302425.1)

Last updated on AUGUST 29, 2019

Applies to:

Oracle Internet Directory - Version 9.0.4 and later
Information in this document applies to any platform.


Custom ACI rule fails with LDAP: error code 50 - insufficient access in one Oracle Internet Directory (OID) 10g node, whereas the same rule works fine in another OID node.

An admin user can modify users in the working node, but the same admin user with the same privileges fails to modify users in the second, non-working OID node; for example:

ldapmodify -p <OID_NON_SSL_PORT> -h <OID_HOSTNAME> -D "cn=<MY_ADMIN_USER>,cn=Users,dc=<COMPANY>,dc=com" -w <password> -v -f /tmp/update.ldif
replace telexnumber:
modifying entry CN=<USERID>,cn=Users,dc=<COMPANY>,dc=com
ldap_modify: Insufficient access

The same error occurs when using different applications, such as JXplorer or custom Java code.

Comparing OID debug level 8193 traces (Access Control List processing and Heavy Trace Debugging), as per <Note 397821.1>, from both nodes, the non-working node shows attribute access denied at the users container level, which corresponds to where the custom ACI change was made:

14:01:51 * gslfacVGetNearestACP:Parsing the node CN=<USERID>,cn=Users,dc=<COMPANY>,dc=com
14:01:51 * gslfacVGetNearestACP:Parsing the node cn=users,dc=<COMPANY>,dc=com
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) Entry DN:(CN=<USERID>,cn=Users,dc=<COMPANY>,dc=com)
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) User DN:(cn=<MY_ADMIN_USER>,cn=Users,dc=<COMPANY>,dc=com)
14:01:51 * gslfacZEvaluate_Atributes:Operation id:(1) Visiting ACP at: (cn=users,dc=<COMPANY>,dc=com)
14:01:51 * gslfacZEvaluate_Attributes:Operation id:(1) Attribute Accees denied by ACP: (cn=users,dc=<COMPANY>,dc=com)

Double-checked that the admin user is a member of the same groups on both OIDs, and also that the ACIs under the cn=users,dc=<COMPANY>,dc=com container look the same on both OID nodes.

Also tried restarting OID after the ACI changes, to no avail.
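
The check that the ACIs "look the same" on both nodes can be made exact instead of visual. The following is an added example, not part of the Oracle note and not its documented solution: it reads an LDIF export of the ACI attributes (orclaci, orclentrylevelaci) from each node and reports every value that is not byte-identical on both. The function names, the example.com DNs and the ACI values are constructed for illustration.

```python
import base64
import re

ACI_ATTRS = {"orclaci", "orclentrylevelaci"}  # OID ACP and entry-level ACI attributes

def parse_acis(ldif_text):
    """Map lower-cased DN -> set of (attr, value) ACI pairs from an LDIF export."""
    text = re.sub(r"\r?\n ", "", ldif_text)  # unfold LDIF continuation lines
    entries, dn = {}, None
    for line in text.splitlines():
        m = re.match(r"([^:#\s][^:]*)(::?) ?(.*)", line)
        if not m:  # comment or blank line; a blank line ends the current entry
            dn = dn if line.strip() else None
            continue
        attr, value = m.group(1).lower(), m.group(3)
        if m.group(2) == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        if attr == "dn":
            dn = value.lower()
            entries[dn] = set()
        elif dn is not None and attr in ACI_ATTRS:
            entries[dn].add((attr, value))
    return entries

def normalize(value):  # collapse whitespace and case to spot format-only differences
    return re.sub(r"\s+", " ", value).strip().lower()

def diff_acis(node_a, node_b):
    """Return (dn, node, kind, attr, value) for each ACI not byte-identical on both nodes."""
    findings = []
    for dn in sorted(set(node_a) | set(node_b)):
        a, b = node_a.get(dn, set()), node_b.get(dn, set())
        for node, only, other in (("A", a - b, b), ("B", b - a, a)):
            other_norm = {(k, normalize(v)) for k, v in other}
            for attr, value in sorted(only):
                kind = "format-only" if (attr, normalize(value)) in other_norm else "only-here"
                findings.append((dn, node, kind, attr, value))
    return findings

# Constructed sample exports: DNs and ACI values are illustrative, not from the note.
GRP = 'group="cn=helpdesk,cn=groups,dc=example,dc=com"'
NODE_A = f"""dn: cn=Users,dc=example,dc=com
orclaci: access to entry by {GRP} (browse)
orclaci: access to attr=(telexnumber) by {GRP} (read,search,write,compare)"""
NODE_B = f"""dn: cn=users,dc=example,dc=com
orclaci: access to entry by
  {GRP} (browse)
orclaci: access to attr=(telexnumber) by {GRP} (read,search,compare)"""

if __name__ == "__main__":
    print(*diff_acis(parse_acis(NODE_A), parse_acis(NODE_B)), sep="\n")
```

A "format-only" finding marks a value that matches the other node once whitespace and letter case are ignored; "only-here" marks a value with no counterpart on the other node.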


Added a custom ACI to both OID nodes.

