LDAP Error Code 50 During AD to OID 10g / 11g DIP Synchronization

(Doc ID 1336930.1)

Last updated on NOVEMBER 02, 2016

Applies to:

Oracle Internet Directory - Version 10.1.2.2 and later
Information in this document applies to any platform.

Symptoms

LDAP Error Code 50 During AD to OID 10g/11g DIP Synchronization

SYMPTOM 1

OID 11g AD -> OID synchronization stops working.
In wls_ods1_diagnostic.log the following error appears:

BEGIN
ConnID:25 mesgID:107 OpID:106 OpName:modify ConnIP:10.10.10.1 ConnDN:orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
INFO : gslfmeADoModify: dn = cn=u413a12,cn=users,dc=company,dc=com
2011-05-17T09:15:57 * gslfmeADoModify: dn (cn=u413a12,cn=users,dc=company,dc=com)
END
]]
[2011-05-17T09:15:57+01:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: server123] [pid: 16462] [tid: 10] [ecid: 0000Izx1_p55mZG6yzedMG1DoYtZ000002,0:3] ServerWorker (REG):[[
BEGIN
ConnID:25 mesgID:107 OpID:106 OpName:modify ConnIP:10.10.10.1 ConnDN:orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
gslfmeADoModify: modifications:
2011-05-17T09:15:57 * delete: description
2011-05-17T09:15:57 * add: description
2011-05-17T09:15:57 * gslfmeADoModify:conn=25 op=106 MOD dn="cn=u413a12,cn=users,dc=company,dc=com"
2011-05-17T09:15:57 * gslaudegGetNearestACP:Parsing the node cn=u413a12,cn=users,dc=company,dc=com
2011-05-17T09:15:57 * gslaudegGetNearestACP:Parsing the node cn=users,dc=company,dc=com
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Entry DN:(cn=u413a12,cn=users,dc=company,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User DN:(orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=users,dc=company,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=users,dc=company,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (dc=company,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (dc=company,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (dc=gam,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (dc=gam,dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (dc=com)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=root)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=root)
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) User being a Privileged group member, Evaluation continues
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation: Operation id:(106) Enforcing Server Default Access Policy
2011-05-17T09:15:57 * gslaudeaAttributesEvaluation:Operation id:(106) Attribute Access to entry (cn=u413a12,cn=users,dc=company,dc=com) not allowed
2011-05-17T09:15:57 * gslaudekModsEvaluation: Access to attributes not allowed
2011-05-17T09:15:57 * INFO:gsleswrASndResult OPtime=32130 micro sec RESULT=50 nentries=0
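
Added example, not part of the original Oracle note: a small Python parser that condenses an ACL-evaluation trace like the one above into, per operation id, the bind DN, the target entry, the ACPs visited, the ACPs that denied attribute access, and the LDAP result code. The sample input is an excerpt of the trace above with timestamps trimmed; the function and field names are this example's own.

```python
import re

# Excerpt of the SYMPTOM 1 trace above, timestamps trimmed.
SAMPLE = """\
ConnID:25 mesgID:107 OpID:106 OpName:modify ConnIP:10.10.10.1
gslaudeaAttributesEvaluation:Operation id:(106) Entry DN:(cn=u413a12,cn=users,dc=company,dc=com)
gslaudeaAttributesEvaluation:Operation id:(106) User DN:(orclodipagentname=ad2oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory)
gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=users,dc=company,dc=com)
gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=users,dc=company,dc=com)
gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (dc=com)
gslaudeaAttributesEvaluation:Operation id:(106) Visiting ACP at: (cn=root)
gslaudeaAttributesEvaluation:Operation id:(106) Attribute Accees denied by ACP: (cn=root)
gslaudeaAttributesEvaluation: Operation id:(106) Enforcing Server Default Access Policy
INFO:gsleswrASndResult OPtime=32130 micro sec RESULT=50 nentries=0
"""

OP = re.compile(r"(?:OpID:|Operation id:\s*\()(\d+)")
PATTERNS = {
    "entry": re.compile(r"Entry DN:\((.+)\)\s*$"),
    "user": re.compile(r"User DN:\((.+)\)\s*$"),
    "visited": re.compile(r"Visiting ACP at: \((.+)\)\s*$"),
    "denied": re.compile(r"denied by ACP: \((.+)\)\s*$"),  # log spells "Accees"
    "result": re.compile(r"RESULT=(\d+)"),
}

def summarize(trace):
    """Group ACL-evaluation trace lines by operation id."""
    ops, current = {}, None
    for line in trace.splitlines():
        if (m := OP.search(line)):
            current = m.group(1)  # result lines carry no id; reuse the last one
        if current is None:
            continue  # line seen before any operation header
        op = ops.setdefault(current, {"entry": None, "user": None, "visited": [],
                                      "denied": [], "default_policy": False, "result": None})
        if "Enforcing Server Default Access Policy" in line:
            op["default_policy"] = True
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key in ("visited", "denied"):
                op[key].append(m.group(1))
            elif m:
                op[key] = int(m.group(1)) if key == "result" else m.group(1)
    return ops

def insufficient_access(ops):
    """Operations that ended in LDAP result 50, with the ACPs that denied them."""
    return {oid: op["denied"] for oid, op in ops.items() if op["result"] == 50}
```

An ACP that appears in `visited` but not in `denied` (here `dc=com`) produced no deny line in the trace for this operation.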

 

SYMPTOM 2

Active Directory (AD) to OID 10g import synchronization profile (using the DirSync control) is failing with LDAP: error code 50 LDAP_INSUFFICIENT_RIGHTS.
Bootstrap was performed successfully using the same synchronization profile.
Debug profile trace shows that the problem occurs when DIP tries to execute the search against the Active Directory.
Example trace output:

-------------------------------------------------------------------------------
Trace Log Started at Wed Sep 01 13:00:00 WEST 2010
-------------------------------------------------------------------------------
[LDAP: error code 50 - 00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece]
activeimport:Error in Mapping EngineODIException: DIP_GEN_SEARCH_EXCEPTION
javax.naming.NoPermissionException: [LDAP: error code 50 - 00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece]; remaining name 'DC=oracle,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2996)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1811)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1734)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:328)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:313)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:238)
at oracle.ldap.odip.gsi.ActiveReader.searchChanges(ActiveReader.java:293)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:528)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
activeimport:about to Update exec status
Updated Attributes
orclodipLastExecutionTime: 20100901130000
orclodipConDirLastAppliedChgNum: 0
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors: Failure During Searchv Sleeping for 1secs

SYMPTOM 3

OID 10g

Applied 10.1.2.2 patchset.

If the user is deleted from OID, the sync continues, but it seems that it stops when it finds a user to delete.

The error is:

Exception Doing ModRDN operation : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=myuser,cn=users,dc=mycompany,dc=com'
[LDAP: error code 50 - Insufficient Access Rights]
javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=myuser,cn=users,dc=mycompany,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2996)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.c_rename(LdapCtx.java:692)
at com.sun.jndi.toolkit.ctx.ComponentContext.p_rename(ComponentContext.java:693)
at com.sun.jndi.toolkit.ctx.PartialCompositeContext.rename(PartialCompositeContext.java:245)
at com.sun.jndi.toolkit.ctx.PartialCompositeContext.rename(PartialCompositeContext.java:236)
at javax.naming.InitialContext.rename(InitialContext.java:379)
at oracle.ldap.odip.gsi.LDAPWriter.performModDN(LDAPWriter.java:666)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:329)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:581)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
DIP_LDAPWRITER_ERROR_MODRDN
DIP_LDAPWRITER_ERROR_MODRDN
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:722)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
DIP_LDAPWRITER_ERROR_MODRDN
ActiveChgImp:Error in Mapping EngineDIP_LDAPWRITER_ERROR_MODRDN
DIP_LDAPWRITER_ERROR_MODRDN
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:741)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
ActiveChgImp:about to Update exec status
Updated Attributes
orclodipLastExecutionTime: 20080131112629
orclodipConDirLastAppliedChgNum: 26761997
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors:

Observation
-------------
a) Applied patch for Bug 6007863: AFTER PATCH TO VERSION 10.1.2.2 MEMBERSHIP MODIFICATIONS FAIL TO SYNC, to no avail.

b) Also applied the following ACI, to no avail:

### --- cut here -aci1.ldif--
dn: dc=prpmalaga,dc=es
changetype: modify
add: orclaci
orclaci: access to entry by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)
### --- cut here ---

 

Cause
