OID ACI Rule Works In One OID Node But Not In Another: ldap_modify: Insufficient access (Doc ID 1302425.1)

Last updated on AUGUST 29, 2019

Applies to:

Symptoms

Custom ACI rule fails with LDAP: error code 50 - insufficient access in one Oracle Internet Directory (OID) 10g node, whereas the same rule works fine in another OID node.

An admin user is able to modify users ok in the working node, but the same admin user with same privileges fails to modify users in the second non-working OID node; for example:

The same error occurs if using different applications, such as Jxplorer or custom java code.

Comparing OID debugged level 8193 (Access Control List processing and Heavy Trace Debugging) as per <Note 397821.1> from both nodes, the nonworking node shows attribute access denied at the users container level, which corresponds to where the aci custom change was made:

Doublechecked that the admin user is member of the same groups on both OIDs, and also that the aci's under the cn=users,dc=<COMPANY>,dc=com container look the same on both OID nodes .

Also tried restarting OID since the aci changes, to no avail.

Changes

Added custom aci to both OID nodes.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.