Opening ODSM or Executing LDAP Operations in OID 11g (with 10gDB) Fails With "Could not load schema from OID server ... Details: [LDAP: error code 50 - Insufficient Access Rights]" / OID Log Show Many MissingEdn Messages During ACP Loading at Startup Time
(Doc ID 1382098.1)
Last updated on FEBRUARY 15, 2019
Applies to:
Oracle Internet Directory - Version 11.1.1 and laterInformation in this document applies to any platform.
Symptoms
Oracle Internet Directory (OID) 11g, e.g., 11.1.1.5.0, with Oracle Database (DB) 10g (10.2) as OID store.
When attempting to open Oracle Directory Services Manager (ODSM), or execute a privileged LDAP operation the following error occurs:
Could not load schema from OID server. Closed the connection. Search Failed. Host='<OID HOSTNAME>' Details: [LDAP: error code 50 - Insufficient Access Rights]
OID debug log error shows:
BEGIN
ConnID:0 mesgID:6 OpID:5 OpName:search ConnIP: ConnDN:cn=orcladmin
INFO :gslfseADoSearch BASE = cn=subschemasubentry FILTER = (objectclass=*) #REQDATTR = 17 SCOPE = 0 REQDATTRS = * createtimestamp creatorsname modifytimestamp modifiersname pwdchangedtime pwdfailuretime pwdaccountlockedtime pwdexpirationwarned pwdreset pwdhistory pwdgraceusetime orclpwdaccountunlock orclguid orclnormdn orclpwdipaccountlockedtime orclpwdipfailuretime
TIMELIMIT = 0 SIZELIMIT = 0 DEREF = 0
2011-11-28T12:16:30 * gslaudegGetNearestACP:Parsing the node cn=subschemasubentry
2011-11-28T12:16:30 * gslaudelLoadEntryACP: ACI line: 1 and ACI: (access to entry by group="cn=OID Schema Admins, cn=groups, cn=OracleContext" (browse, nodelete))
2011-11-28T12:16:30 * gslaudelLoadEntryACP: ACI line: 2 and ACI: (access to attr=(*) by group="cn=OID Schema Admins, cn=groups, cn=OracleContext" (read, write, compare, search))
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) Entry DN:(cn=subschemasubentry)
2011-11-28T12:16:30 * gslaudeFilterEvaluation: Operation id:(5) User DN: (cn=orcladmin)
2011-11-28T12:16:30 * gslaudeFilterEvaluation: Operation id:(5) Evaluating Entrylevel ACP at: (cn=subschemasubentry)
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) Visiting ACP at: (cn=root)
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) Filter Accees denied by ACP: (cn=root)
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) User being Privileged group member, Evaluation continues
2011-11-28T12:16:30 * gslaudeFilterEvaluation: Op id:(5) Filter Access to entry (cn=subschemasubentry) not allowed
2011-11-28T12:16:30 * INFO: gsleswrDsndseaEntry : Access to filter attributes not allowed
2011-11-28T12:16:30 * INFO:gsleswrASndResult OPtime=60732 micro sec RESULT=50 tag=101 nentries=0
ConnID:0 mesgID:6 OpID:5 OpName:search ConnIP: ConnDN:cn=orcladmin
INFO :gslfseADoSearch BASE = cn=subschemasubentry FILTER = (objectclass=*) #REQDATTR = 17 SCOPE = 0 REQDATTRS = * createtimestamp creatorsname modifytimestamp modifiersname pwdchangedtime pwdfailuretime pwdaccountlockedtime pwdexpirationwarned pwdreset pwdhistory pwdgraceusetime orclpwdaccountunlock orclguid orclnormdn orclpwdipaccountlockedtime orclpwdipfailuretime
TIMELIMIT = 0 SIZELIMIT = 0 DEREF = 0
2011-11-28T12:16:30 * gslaudegGetNearestACP:Parsing the node cn=subschemasubentry
2011-11-28T12:16:30 * gslaudelLoadEntryACP: ACI line: 1 and ACI: (access to entry by group="cn=OID Schema Admins, cn=groups, cn=OracleContext" (browse, nodelete))
2011-11-28T12:16:30 * gslaudelLoadEntryACP: ACI line: 2 and ACI: (access to attr=(*) by group="cn=OID Schema Admins, cn=groups, cn=OracleContext" (read, write, compare, search))
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) Entry DN:(cn=subschemasubentry)
2011-11-28T12:16:30 * gslaudeFilterEvaluation: Operation id:(5) User DN: (cn=orcladmin)
2011-11-28T12:16:30 * gslaudeFilterEvaluation: Operation id:(5) Evaluating Entrylevel ACP at: (cn=subschemasubentry)
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) Visiting ACP at: (cn=root)
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) Filter Accees denied by ACP: (cn=root)
2011-11-28T12:16:30 * gslaudeFilterEvaluation:Operation id:(5) User being Privileged group member, Evaluation continues
2011-11-28T12:16:30 * gslaudeFilterEvaluation: Op id:(5) Filter Access to entry (cn=subschemasubentry) not allowed
2011-11-28T12:16:30 * INFO: gsleswrDsndseaEntry : Access to filter attributes not allowed
2011-11-28T12:16:30 * INFO:gsleswrASndResult OPtime=60732 micro sec RESULT=50 tag=101 nentries=0
The OID log also shows many messages like the following during ACP loading at startup time, which can prevent load of access controls to memory properly:
gsldValidteEntry * MissingEdn eid=1,scp=2,nRows=1200,basedn=,fltr=
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Cause |
| Solution |
| References |