LDAP Error Code 50 During AD to OID 10g / 11g DIP Synchronization (Doc ID 1336930.1)

Last updated on FEBRUARY 01, 2021

Applies to:

Oracle Internet Directory - Version 10.1.2.2 and later
Information in this document applies to any platform.

Symptoms

LDAP Error Code 50 During AD to OID 10g/11g DIP Synchronization

SYMPTOM 1

OID 11g AD -> OID synchronization stops working.
In wls_ods1_diagnostic.log the following error appears:

BEGIN
ConnID:25 mesgID:107 OpID:106 OpName:modify ConnIP:10.10.10.1 ConnDN:orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
INFO : gslfmeADoModify: dn = cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com
2011-05-17T09:15:57 * gslfmeADoModify: dn (cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com)
END
]]
[2011-05-17T09:15:57+01:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: server123] [pid: 16462] [tid: 10] [ecid: <ECID#>] ServerWorker (REG):[[
BEGIN
ConnID:25 mesgID:107 OpID:106 OpName:modify ConnIP:10.10.10.1 ConnDN:orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
gslfmeADoModify: modifications:
2011-05-17T09:15:57 * delete: description
2011-05-17T09:15:57 * add: description
2011-05-17T09:15:57 * gslfmeADoModify:conn=25 op=106 MOD dn="cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com"
2011-05-17T09:15:57 * gslaudegGetNearestACP:Parsing the node cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com
2011-05-17T09:15:57 * gslaudegGetNearestACP:Parsing the node cn=users,dc=<COMPANY NAME>,dc=com
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Entry DN:(cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User DN:(orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=users,dc=<COMPANY NAME>,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=users,dc=<COMPANY NAME>,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (dc=<COMPANY NAME>,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (dc=<COMPANY NAME>,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (c=<COMPANY NAME2>,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (c=<COMPANY NAME2>,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=root)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=root)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation: Operation id:(106) Enforcing Server Default Access Policy
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Access to entry (cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com) not allowed
2011-05-17T09:15:57 * gslaudekModsEvaluation: Access to attributes not allowed
2011-05-17T09:15:57 * INFO:gsleswrASndResult OPtime=32130 micro sec RESULT=50 nentries=0
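
The trace above shows the ACP walk from the target entry up to cn=root, ending with the server default access policy and RESULT=50. The following added example (not part of the Oracle note or of any Oracle tool) parses that trace format and reports, for each operation that ended in error 50, the bind DN, the target entry, and which ACPs were visited and which denied. The sample lines are constructed with placeholder DNs, and attributing a RESULT line to the most recent OpID header is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the trace format shown above (placeholder DNs).
SAMPLE = """\
ConnID:25 mesgID:107 OpID:106 OpName:modify ConnIP:10.10.10.1 ConnDN:orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Entry DN:(cn=jdoe,cn=users,dc=example,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=users,dc=example,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=users,dc=example,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=root)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=root)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation: Operation id:(106) Enforcing Server Default Access Policy
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Access to entry (cn=jdoe,cn=users,dc=example,dc=com) not allowed
2011-05-17T09:15:57 * INFO:gsleswrASndResult OPtime=32130 micro sec RESULT=50 nentries=0
"""

HEADER = re.compile(r"OpID:(\d+) OpName:(\w+) .*?ConnDN:(.+)$")
EVAL = re.compile(r"Operation id:\((\d+)\) (.+)$")
DN = re.compile(r"\((.*)\)")
RESULT = re.compile(r"RESULT=(\d+)")

def parse_trace(text):
    """Group ACP evaluation lines by operation id."""
    ops = defaultdict(lambda: {"visited": [], "denied": [],
                               "default_policy": False, "result": None})
    current = None  # assumption: a RESULT line belongs to the last OpID header
    for line in text.splitlines():
        if m := HEADER.search(line):
            current = m.group(1)
            ops[current].update(op=m.group(2), bind_dn=m.group(3).strip())
        elif m := EVAL.search(line):
            rec, msg = ops[m.group(1)], m.group(2)
            dn = DN.search(msg)
            dn = dn.group(1) if dn else None
            if msg.startswith("Entry DN:"):
                rec["entry"] = dn
            elif msg.startswith("Visiting ACP at:"):
                rec["visited"].append(dn)
            elif "denied by ACP:" in msg:  # the log spells it "Accees"
                rec["denied"].append(dn)
            elif "Server Default Access Policy" in msg:
                rec["default_policy"] = True
        elif (m := RESULT.search(line)) and current:
            ops[current]["result"] = int(m.group(1))
    return dict(ops)

def insufficient_access(text):
    """Return only the operations that ended with LDAP result 50."""
    return {k: v for k, v in parse_trace(text).items() if v["result"] == 50}
```
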

 

SYMPTOM 2

Active Directory (AD) to OID 10g import synchronization profile (using the DirSync control) is failing with LDAP: error code 50 LDAP_INSUFFICIENT_RIGHTS.
Bootstrap was performed successfully using the same synchronization profile.
Debug profile trace shows that the problem occurs when DIP tries to execute the search against the Active Directory.
Example trace output:

-------------------------------------------------------------------------------
Trace Log Started at Wed Sep 01 13:00:00 WEST 2010
-------------------------------------------------------------------------------
[LDAP: error code 50 - 00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece]
activeimport:Error in Mapping EngineODIException: DIP_GEN_SEARCH_EXCEPTION
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece]; remaining name 'DC=<COMPANY NAME>,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2996)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1811)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1734)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:328)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:313)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:238)
at oracle.ldap.odip.gsi.ActiveReader.searchChanges(ActiveReader.java:293)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:528)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
activeimport:about to Update exec status
Updated Attributes
orclodipLastExecutionTime: 20100901130000
orclodipConDirLastAppliedChgNum: 0
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors: Failure During Searchv Sleeping for 1secs

SYMPTOM 3

OID 10g

Applied 10.1.2.2 patchset

If the user is deleted from OID, the sync continues, but it seems that it stops when it finds a user to delete.

The error is:

Exception Doing ModRDN operation : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com'
[LDAP: error code 50 - Insufficient Access Rights]
javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=<USERNAME>,cn=users,dc=<COMPANY NAME>,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2996)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.c_rename(LdapCtx.java:692)
at com.sun.jndi.toolkit.ctx.ComponentContext.p_rename(ComponentContext.java:693)
at com.sun.jndi.toolkit.ctx.PartialCompositeContext.rename(PartialCompositeContext.java:245)
at com.sun.jndi.toolkit.ctx.PartialCompositeContext.rename(PartialCompositeContext.java:236)
at javax.naming.InitialContext.rename(InitialContext.java:379)
at oracle.ldap.odip.gsi.LDAPWriter.performModDN(LDAPWriter.java:666)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:329)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:581)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
DIP_LDAPWRITER_ERROR_MODRDN
DIP_LDAPWRITER_ERROR_MODRDN
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:722)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
DIP_LDAPWRITER_ERROR_MODRDN
ActiveChgImp:Error in Mapping EngineDIP_LDAPWRITER_ERROR_MODRDN
DIP_LDAPWRITER_ERROR_MODRDN
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:741)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
ActiveChgImp:about to Update exec status
Updated Attributes
orclodipLastExecutionTime: 20080131112629
orclodipConDirLastAppliedChgNum: 26761997
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors:

Observation
-------------
a) Applied patch for Bug 6007863: AFTER PATCH TO VERSION 10.1.2.2 MEMBERSHIP MODIFICATIONS FAIL TO SYNC, to no avail.

b) Also applied the following ACI, to no avail:

### --- cut here -aci1.ldif--
dn: dc=<COMPANY NAME>,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)
### --- cut here ---

 

Cause
