OUD - Can Regular Users Be Given Permission to Search on "cn=config" via the Administration Port? (Doc ID 2030690.1)

Last updated on FEBRUARY 25, 2019

Applies to:

Oracle Unified Directory - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Goal

A regular user entry, uid=ckent,dc=example,dc=com, has been assigned the "config-read" privilege. The search below shows that it in fact holds nearly every server privilege; bypass-acl and privilege-change alone make such an entry as powerful as a root user on the user port, so a grant this broad should be deliberate:

$> ./ldapsearch -ZX -h localhost -p 1636 -D "uid=ckent,dc=example,dc=com" -b "dc=example,dc=com" -T "uid=ckent" ds-privilege-name
dn: uid=ckent,dc=example,dc=com
ds-privilege-name: bypass-acl
ds-privilege-name: modify-acl
ds-privilege-name: config-read
ds-privilege-name: config-write
ds-privilege-name: ldif-import
ds-privilege-name: ldif-export
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
ds-privilege-name: server-shutdown
ds-privilege-name: server-restart
ds-privilege-name: disconnect-client
ds-privilege-name: cancel-request
ds-privilege-name: password-reset
ds-privilege-name: update-schema
ds-privilege-name: privilege-change
ds-privilege-name: unindexed-search

The expectation is that the user can now search "cn=config" over the administration port (4444). Instead, the bind is rejected with result code 49 (Invalid Credentials) even though the correct user password is supplied:

$> ./ldapsearch -ZX -h localhost -p 4444 -D "uid=ckent,dc=example,dc=com" -b "cn=config" -T "objectclass=*"
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

The OUD DS instance's admin log records the failed bind:

[20/May/2015:19:53:53 +0000] CONNECT conn=4252736 from=127.0.0.1:NNNNN to=127.0.0.1:4444 protocol=LDAPS
[20/May/2015:19:53:53 +0000] BIND REQ conn=4252736 op=0 msgID=1 type=SIMPLE dn="uid=ckent,dc=example,dc=com"
[20/May/2015:19:53:53 +0000] BIND RES conn=4252736 op=0 msgID=1 result=49 authFailureID=196826 authFailureReason="Unable to bind to the Directory Server as user uid=ckent,dc=example,dc=com because no such user exists in the server" etime=0
[20/May/2015:19:53:53 +0000] DISCONNECT conn=4252736 reason="Client Disconnect"

The authFailureReason is the notable part: the bind was not rejected for a wrong password but because the administration connector could not find the user entry at all ("no such user exists in the server"), although the same DN binds successfully on the LDAPS user port (1636) in the first search above. So, is it possible for a regular user to search on "cn=config" via the administration port?
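As an added example (not part of the Oracle article), the following Python script parses OUD access-log lines of the kind shown above, correlates the CONNECT, BIND REQ and BIND RES records of each connection by its conn id, and separates a "no such user" rejection on the administration port from an ordinary wrong-password failure, so that the two do not end up in the same lockout or brute-force alert. The admin port number 4444 and the extra log lines for conn=4252737 and conn=4252738, including their authFailureReason text, are constructed for illustration.

```python
"""Classify bind outcomes in OUD access-log lines (added example, not Oracle code)."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample log: the four lines for conn=4252736 are the article's own;
# conn=4252737 (wrong password on the user port) and conn=4252738 (root user
# binding on the admin port) are invented here, and their failure text is illustrative.
SAMPLE_LOG = """\
[20/May/2015:19:53:53 +0000] CONNECT conn=4252736 from=127.0.0.1:NNNNN to=127.0.0.1:4444 protocol=LDAPS
[20/May/2015:19:53:53 +0000] BIND REQ conn=4252736 op=0 msgID=1 type=SIMPLE dn="uid=ckent,dc=example,dc=com"
[20/May/2015:19:53:53 +0000] BIND RES conn=4252736 op=0 msgID=1 result=49 authFailureID=196826 authFailureReason="Unable to bind to the Directory Server as user uid=ckent,dc=example,dc=com because no such user exists in the server" etime=0
[20/May/2015:19:53:53 +0000] DISCONNECT conn=4252736 reason="Client Disconnect"
[20/May/2015:19:54:10 +0000] CONNECT conn=4252737 from=127.0.0.1:NNNNN to=127.0.0.1:1636 protocol=LDAPS
[20/May/2015:19:54:10 +0000] BIND REQ conn=4252737 op=0 msgID=1 type=SIMPLE dn="uid=ckent,dc=example,dc=com"
[20/May/2015:19:54:10 +0000] BIND RES conn=4252737 op=0 msgID=1 result=49 authFailureReason="constructed: password verification failed" etime=1
[20/May/2015:19:54:10 +0000] DISCONNECT conn=4252737 reason="Client Disconnect"
[20/May/2015:19:55:02 +0000] CONNECT conn=4252738 from=127.0.0.1:NNNNN to=127.0.0.1:4444 protocol=LDAPS
[20/May/2015:19:55:02 +0000] BIND REQ conn=4252738 op=0 msgID=1 type=SIMPLE dn="cn=Directory Manager"
[20/May/2015:19:55:02 +0000] BIND RES conn=4252738 op=0 msgID=1 result=0 etime=0
[20/May/2015:19:55:02 +0000] DISCONNECT conn=4252738 reason="Client Disconnect"
"""

ADMIN_PORT = 4444  # assumption: the administration connector port used in the article

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+(?: [A-Z]+)?) conn=(?P<conn>\d+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into timestamp, record kind, conn id and key=value fields."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group('rest'))}
    fields.update(ts=m.group('ts'), kind=m.group('kind'), conn=m.group('conn'))
    return fields


def classify_binds(log_text: str) -> List[Dict[str, Any]]:
    """One record per BIND RES, joined with the port from CONNECT and the DN from BIND REQ."""
    conns: Dict[str, Dict[str, Any]] = {}
    out: List[Dict[str, Any]] = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f is None:
            continue
        c = conns.setdefault(f['conn'], {'port': None, 'dn_by_op': {}})
        if f['kind'] == 'CONNECT':
            c['port'] = int(f['to'].rsplit(':', 1)[1])  # to=127.0.0.1:4444 -> 4444
        elif f['kind'] == 'BIND REQ':
            c['dn_by_op'][f['op']] = f.get('dn', '')
        elif f['kind'] == 'BIND RES':
            code = int(f['result'])
            reason = f.get('authFailureReason', '')
            if code == 0:
                category = 'success'
            elif code == 49 and 'no such user' in reason:
                category = 'no_such_user'        # DN not resolvable on this connector
            elif code == 49:
                category = 'invalid_credentials'  # DN found, password rejected
            else:
                category = 'other_failure'
            out.append({
                'ts': f['ts'], 'conn': f['conn'], 'port': c['port'],
                'admin_port': c['port'] == ADMIN_PORT,
                'dn': c['dn_by_op'].get(f['op'], ''),
                'result': code, 'category': category, 'reason': reason,
            })
    return out


def admin_port_unknown_dns(log_text: str) -> List[str]:
    """DNs rejected on the administration port as unknown. This is a connector/configuration
    problem, not a credential-guessing signal, so keep it out of lockout and brute-force alerts."""
    seen: List[str] = []
    for r in classify_binds(log_text):
        if r['admin_port'] and r['category'] == 'no_such_user' and r['dn'] not in seen:
            seen.append(r['dn'])
    return seen


if __name__ == '__main__':
    for r in classify_binds(SAMPLE_LOG):
        print(f"{r['ts']} conn={r['conn']} port={r['port']} dn={r['dn']!r} -> {r['category']}")
    print('unknown on admin port:', admin_port_unknown_dns(SAMPLE_LOG))
```

Run stand-alone, the script prints one line per bind result and then the list of DNs that the administration connector reported as unknown; in practice you would feed it the instance's admin log rather than the embedded sample. The join on conn id and op is needed because, as the page's own lines show, the BIND RES record carries the result and failure reason but not the DN, which appears only on the matching BIND REQ.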

Solution

To view full details, sign in with your My Oracle Support account.