OAM Base Search To OVD 11g Requesting "1.1" Attribute Returns [LDAP: error code 16 - No Such Attribute] When It Should Return Just 0 Matches / No Entries
Last updated on MARCH 08, 2017
Applies to:Oracle Virtual Directory - Version 184.108.40.206.0 and later
Information in this document applies to any platform.
Oracle Virtual Directory (OVD) 11g, i.e., 220.127.116.11, integrated with Oracle Access Manager (OAM).
A query run by OAM 10g to OVD 11g, to determine whether a user is a member of a dynamic group, is not working.
When trying the same query via command line directly against OVD 11g, on an object where the filter attribute (businessCategory for example) is empty, should get an empty result set. Instead, OVD returns LDAP error 16:
ldap_search: No such attribute
ldap_search: additional info: LDAP Error 16 : [LDAP: error code 16 - No Such Attribute]
(Note: The "1.1" is a special attribute name used to indicate that an LDAP client only wants the object DN in the result, with no other attribute values. OAM uses this in its LDAP queries to determine whether a user meets an LDAP rule in a policy.)
Issuing the same search directly against the backend LDAP directory works as expected and returns no results and no error 16 - for example for an Oracle Internet Directory (OID) backend:
ldap_open( myoidhost, 3060 )
filter pattern: (businesscategory=IT)
filter is: ((businesscategory=IT))
ldap_search: No such object
ldap_search: matched: dc=us,dc=oracle,dc=com
Looking at the backend LDAP directory log, OVD is sending an ldapcompare request, instead of an ldapsearch as requested by the client. An ldapcompare in this scenario will indeed return an error, whereas the ldapsearch will not.
Verified that the attribute, i.e. businessCategory, is a retrievable attribute on the adapter, although it is not populated for the test user.
The issue is specific to the search with base scope and the 1.1 return attribute. If changing the scope to something other than base, or if requesting return attribute(s) other than 1.1, then the ldapsearch returns zero matches and no error, as expected / desired. The behavior of ldapcompare is consistent with these results.
Tested with both a local store and an LDAP adapter to an external directory; get the same results for both.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms