OVD - The ldapsearch Command Does Not Return Any Entries With "deny-b-null" in Diagnostic Log
(Doc ID 2286565.1)
Last updated on NOVEMBER 01, 2022
Applies to:
Oracle Virtual Directory - Version 11.1.1.9.0 and later
Information in this document applies to any platform.
Symptoms
On: Virtual Directory Server, version 11.1.1.9.0
OVD read-only access.
The user entry can be queried through ODSM, but it cannot be queried successfully using ldapsearch.
The entry can be queried successfully as orcladmin.
ERROR
-----------------------
Filename = access.log
The following error is seen:
Authentication is successful, but the search with filter uid=<UID22> and base DN "" returns nentries=0.
[2017-07-07T14:47:51.132+10:00] [octetstring] [NOTIFICATION] [OVD-20038] [com.octetstring.accesslog] [tid: xx] [ecid: <ECID>] conn=37 op=0 BIND dn=CN=<ADMIN_USER>,OU=<OU4>,OU=<OU3>,OU=<OU2>,dc=<CONTAINER1>,dc=<DOMAIN>,dc=<COMPANY>,dc=com method=0 version=3
[2017-07-07T14:47:51.139+10:00] [octetstring] [NOTIFICATION] [OVD-20039] [com.octetstring.accesslog] [tid: xx] [ecid: <ECID>] conn=37 op=0 RESULT err=0 tag=0 nentries=0 etime={3}
[2017-07-07T14:47:51.142+10:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: xx] [ecid: <ECID>] conn=37 op=1 SRCH base= scope=2 filter=uid=<UID22> requestedAttributes=[] sizelimit=0 timelimit=0 typesOnly=FALSE
[2017-07-07T14:47:51.223+10:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: xx] [ecid: <ECID>] conn=37 op=1 RESULT err=0 tag=0 nentries=0 etime=81 dbtime=0 mem=1,524,894,552/2,066,743,296
Using the ECID from the SRCH operation in the access log, the following deny-b-null entry was found in the diagnostic log:
[2017-07-07T14:47:51.221+10:00] [octetstring] [TRACE] [] [com.octetstring.vde.acl.ACLChecker] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] deny-b-null--CN=<ADMIN_USER>,OU=<OU4>,OU=<OU3>,OU=<OU2>,dc=<CONTAINER1>,dc=<DOMAIN>,dc=<COMPANY>,dc=com-CN=<UID22>,OU=<OU1>,OU=<DOMAIN_USERS>,dc=<DOMAIN>,dc=<COMPANY>,dc=com
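The correlation described above (take the ECID of a SRCH that ended with err=0 and nentries=0 in access.log, then look that ECID up among the ACLChecker trace lines in the diagnostic log) can be scripted. This is an added example, not part of the Oracle note: the sample records, ECIDs and DNs are constructed, and one log record per line is assumed.

```python
import re
from collections import defaultdict

# Field layout follows the log lines quoted in this note; one record per line is assumed.
ECID = re.compile(r"\[ecid: ([^\]]+)\]")
OP = re.compile(r"conn=(\d+) op=(\d+) (SRCH|RESULT)\b(.*)")
DENY = re.compile(r"\[com\.octetstring\.vde\.acl\.ACLChecker\].*\]\s+(deny-.*)$")
EMPTY_OK = re.compile(r"\berr=0\b.*\bnentries=0\b")

def empty_searches(access_lines):
    """SRCH operations whose RESULT was err=0 with nentries=0, keyed by (conn, op)."""
    pending, hits = {}, {}
    for line in access_lines:
        m = OP.search(line)
        if not m:
            continue  # BIND and other operations are not searches
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind == "SRCH":
            e = ECID.search(line)
            pending[key] = {"ecid": e.group(1) if e else None, "search": rest.strip()}
        elif key in pending and EMPTY_OK.search(rest):
            hits[key] = pending.pop(key)  # a BIND RESULT never gets here: no pending SRCH
    return hits

def acl_denials(diag_lines):
    """ACLChecker trace messages beginning 'deny-', grouped by ECID."""
    by_ecid = defaultdict(list)
    for line in diag_lines:
        d, e = DENY.search(line), ECID.search(line)
        if d and e:
            by_ecid[e.group(1)].append(d.group(1).strip())
    return by_ecid

def correlate(access_lines, diag_lines):
    """Attach the raw ACL deny messages to each empty-but-successful search."""
    denials = acl_denials(diag_lines)
    return [dict(info, conn=c, op=o, acl=denials.get(info["ecid"], []))
            for (c, o), info in empty_searches(access_lines).items()]

# Constructed sample records modelled on the lines above (ECIDs and DNs are made up).
P = "[2017-07-07T14:47:51.142+10:00] [octetstring] [%s] [%s] [%s] [tid: 1] [ecid: %s] "
N, A = "NOTIFICATION", "com.octetstring.accesslog"
ACCESS = [
    P % (N, "OVD-20038", A, "e-1") + "conn=37 op=0 BIND dn=cn=reader,dc=example,dc=com method=0 version=3",
    P % (N, "OVD-20039", A, "e-1") + "conn=37 op=0 RESULT err=0 tag=0 nentries=0 etime=3",
    P % (N, "OVD-20043", A, "e-2") + "conn=37 op=1 SRCH base= scope=2 filter=uid=jdoe requestedAttributes=[] sizelimit=0",
    P % (N, "OVD-20044", A, "e-2") + "conn=37 op=1 RESULT err=0 tag=0 nentries=0 etime=81 dbtime=0",
]
DIAG = [P % ("TRACE", "", "com.octetstring.vde.acl.ACLChecker", "e-2") + "[SRC_CLASS: com.octetstring.vde.util.VDELogger] "
        "[SRC_METHOD: debug] deny-b-null--cn=reader,dc=example,dc=com-cn=jdoe,ou=users,dc=example,dc=com"]
```

A search that appears in the result with an empty `acl` list returned nothing for a reason other than an ACL denial logged under that ECID, or TRACE logging was not enabled at the time.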
BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Because of this issue, users cannot be searched for with ldapsearch when binding as a user other than orcladmin.
Changes
The following KM document was followed to allow a non-orcladmin user to authenticate and to search / administer users in ODSM:
How To Configure / Create / Setup Multiple Administrators (More Than One Superadmin / Superuser Like cn=orcladmin) In OVD 11g For ODSM (Doc ID 1340236.1)
Cause