OUD - Can Regular Users Be Given Permission to Search on "cn=config" via the Administration Port?
(Doc ID 2030690.1)
Last updated on MAY 29, 2024
Applies to:
Oracle Unified Directory - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
Goal
A regular user entry is assigned the "config-read" privilege...
$> ./ldapsearch -ZX -h <HOST> -p <PORT> -D "<UID>" -b "<SUFFIX>" -T "uid=<UID>" ds-privilege-name
dn: <DN>
ds-privilege-name: bypass-acl
ds-privilege-name: modify-acl
ds-privilege-name: config-read
ds-privilege-name: config-write
ds-privilege-name: ldif-import
ds-privilege-name: ldif-export
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
ds-privilege-name: server-shutdown
ds-privilege-name: server-restart
ds-privilege-name: disconnect-client
ds-privilege-name: cancel-request
ds-privilege-name: password-reset
ds-privilege-name: update-schema
ds-privilege-name: privilege-change
ds-privilege-name: unindexed-search
The expectation is for the user to be able to search on "cn=config". However, when attempting to do so, error 49 is returned even though the correct user password is provided...
$> ./ldapsearch -ZX -h <HOST> -p <ADMIN_PORT> -D "<DN>" -b "cn=config" -T "objectclass=*"
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
The following is logged to the OUD DS instance's admin log...
[20/May/2015:19:53:53 +0000] CONNECT conn=4252736 from=<IP>:<PORT> to=<IP>:<PORT> protocol=LDAPS
[20/May/2015:19:53:53 +0000] BIND REQ conn=4252736 op=0 msgID=1 type=SIMPLE dn="<DN>"
[20/May/2015:19:53:53 +0000] BIND RES conn=4252736 op=0 msgID=1 result=49 authFailureID=196826 authFailureReason="Unable to bind to the Directory Server as user <DN> because no such user exists in the server" etime=0
[20/May/2015:19:53:53 +0000] DISCONNECT conn=4252736 reason="Client Disconnect"
So, is it possible for a regular user to search on "cn=config" via the administration port?
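As an added example (not part of this Oracle note), the following Python script parses admin access log lines in the format shown above, pairs each BIND REQ with its BIND RES on the same connection and operation, and reports failed binds together with the server's authFailureReason. The sample log text, IP addresses, connection ids and DNs in it are constructed placeholders. The point for a defender is that "no such user exists in the server" means the bind DN was not resolved by any backend reachable on that port, which is a different condition from a wrong password; counting such failures per DN across connections is the same check a log monitor would apply.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the OUD admin access log excerpt in this note.
# Connection ids, addresses and DNs are placeholders, not real data.
SAMPLE_LOG = """\
[20/May/2015:19:53:53 +0000] CONNECT conn=4252736 from=10.0.0.5:51234 to=10.0.0.9:4444 protocol=LDAPS
[20/May/2015:19:53:53 +0000] BIND REQ conn=4252736 op=0 msgID=1 type=SIMPLE dn="uid=jdoe,ou=people,dc=example,dc=com"
[20/May/2015:19:53:53 +0000] BIND RES conn=4252736 op=0 msgID=1 result=49 authFailureID=196826 authFailureReason="Unable to bind to the Directory Server as user uid=jdoe,ou=people,dc=example,dc=com because no such user exists in the server" etime=0
[20/May/2015:19:53:53 +0000] DISCONNECT conn=4252736 reason="Client Disconnect"
[20/May/2015:19:54:10 +0000] CONNECT conn=4252737 from=10.0.0.5:51240 to=10.0.0.9:4444 protocol=LDAPS
[20/May/2015:19:54:10 +0000] BIND REQ conn=4252737 op=0 msgID=1 type=SIMPLE dn="cn=Directory Manager"
[20/May/2015:19:54:10 +0000] BIND RES conn=4252737 op=0 msgID=1 result=0 etime=1
[20/May/2015:19:54:10 +0000] SEARCH REQ conn=4252737 op=1 msgID=2 base="cn=config" scope=wholeSubtree filter="(objectclass=*)" attrs="ALL"
"""

# One log line: "[timestamp] KIND key=value key="quoted value" ..."
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'(?P<kind>CONNECT|DISCONNECT|BIND REQ|BIND RES|SEARCH REQ|SEARCH RES) '
    r'(?P<rest>.*)$'
)
# key=value pairs; a quoted value may contain spaces and '=' (e.g. a DN inside authFailureReason)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict of the line's fields, or None if the line is not an access-log record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group('rest')):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # strip the quotes, keep inner text verbatim
        fields[key] = value
    return {'ts': m.group('ts'), 'kind': m.group('kind'), **fields}


def failed_binds(log_text):
    """Pair BIND REQ/RES by (conn, op) and return every bind whose result is not 0."""
    pending = {}                         # (conn, op) -> the BIND REQ record awaiting a result
    failures = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec.get('conn'), rec.get('op'))
        if rec['kind'] == 'BIND REQ':
            pending[key] = rec
        elif rec['kind'] == 'BIND RES':
            req = pending.pop(key, None)
            if rec.get('result') != '0':
                failures.append({
                    'ts': rec['ts'],
                    'conn': rec.get('conn'),
                    'dn': req.get('dn') if req else None,
                    'result': int(rec.get('result', -1)),
                    'reason': rec.get('authFailureReason', ''),
                })
    return failures


def classify(reason):
    """Map the server's authFailureReason to a coarse category for reporting."""
    if 'no such user exists' in reason:
        return 'unknown-dn'              # DN not found in any backend served on this port
    if reason:
        return 'other'                   # e.g. wrong password, locked account
    return 'none'


def failures_by_dn(log_text):
    """Group failure categories per bind DN so repeated failures stand out."""
    grouped = defaultdict(list)
    for f in failed_binds(log_text):
        grouped[f['dn']].append(classify(f['reason']))
    return dict(grouped)


if __name__ == '__main__':
    for f in failed_binds(SAMPLE_LOG):
        print(f"{f['ts']} conn={f['conn']} dn={f['dn']} result={f['result']} "
              f"category={classify(f['reason'])}")
```

Run it against a real admin access log by replacing SAMPLE_LOG with the file's contents; any DN that shows up under 'unknown-dn' on the administration port is a DN the admin backend cannot resolve, which is exactly the symptom described in the Goal above.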
Solution