OVD - The ldapsearch Command Does Not Return Any Entries With "deny-b-null" in Diagnostic Log (Doc ID 2286565.1)

Last updated on JULY 21, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.9.0 and later
Information in this document applies to any platform.

Symptoms

On version 11.1.1.9.0, Virtual Directory Server:

OVD read-only access.

A user entry can be queried through ODSM, but the same user cannot be queried successfully using ldapsearch.

The entry can be queried successfully as orcladmin.


ERROR
-----------------------
Filename = access.log
See the following error:

Authentication successful but with nentries=0; Search filter uid=testoutlook with base DN ""

[2017-07-07T14:47:51.132+10:00] [octetstring] [NOTIFICATION] [OVD-20038] [com.octetstring.accesslog] [tid: 44] [ecid: 0000LoRO25RFCC75rJ8DyY1PNl1u00000S,0] conn=37 op=0 BIND dn=CN=adm,OU=TfNSW,OU=Support Admins,OU=SYSOPS,dc=CAD-DEV,dc=xxx2,dc=xxx1,dc=xx method=0 version=3
[2017-07-07T14:47:51.139+10:00] [octetstring] [NOTIFICATION] [OVD-20039] [com.octetstring.accesslog] [tid: 44] [ecid: 0000LoRO25RFCC75rJ8DyY1PNl1u00000S,0] conn=37 op=0 RESULT err=0 tag=0 nentries=0 etime={3}
[2017-07-07T14:47:51.142+10:00] [octetstring] [NOTIFICATION] [OVD-20043] [com.octetstring.accesslog] [tid: 45] [ecid: 0000LoRO25_FCC75rJ8DyY1PNl1u00000T,0] conn=37 op=1 SRCH base= scope=2 filter=uid=testoutlook requestedAttributes=[] sizelimit=0 timelimit=0 typesOnly=FALSE
[2017-07-07T14:47:51.223+10:00] [octetstring] [NOTIFICATION] [OVD-20044] [com.octetstring.accesslog] [tid: 45] [ecid: 0000LoRO25_FCC75rJ8DyY1PNl1u00000T,0] conn=37 op=1 RESULT err=0 tag=0 nentries=0 etime=81 dbtime=0 mem=1,524,894,552/2,066,743,296

Using the ECID from the SRCH operation in the access log (0000LoRO25_FCC75rJ8DyY1PNl1u00000T,0), the following deny-b-null entry was found in the diagnostic log:

[2017-07-07T14:47:51.221+10:00] [octetstring] [TRACE] [] [com.octetstring.vde.acl.ACLChecker] [tid: 45] [ecid: 0000LoRO25_FCC75rJ8DyY1PNl1u00000T,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] deny-b-null--CN=adm,OU=TfNSW,OU=Support Admins,OU=SYSOPS,dc=CAD-DEV,dc=xxx2,dc=xxx1,dc=xx-CN=testoutlook,OU=TNSW,OU=DomainUsers,dc=xxx2,dc=xxx1,dc=xx
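
The ECID correlation shown above can be scripted. The following Python is an added example, not part of the Oracle document: it finds SRCH operations that returned err=0 with nentries=0 and pulls the ACLChecker "deny-" trace lines carrying the same ECID. The sample log lines are constructed in the format of the excerpts above, with placeholder ECIDs and DNs, and each log entry is assumed to sit on a single line.

```python
import re

# Constructed sample logs in the format of the excerpts above (placeholder ECIDs and DNs).
TS = "[2017-07-07T14:47:51.142+10:00] [octetstring] [NOTIFICATION] "
ACCESS_LOG = "\n".join(TS + rest for rest in [
    "[OVD-20038] [com.octetstring.accesslog] [tid: 44] [ecid: ECID-A,0] conn=37 op=0 BIND dn=cn=adm,dc=example method=0 version=3",
    "[OVD-20039] [com.octetstring.accesslog] [tid: 44] [ecid: ECID-A,0] conn=37 op=0 RESULT err=0 tag=0 nentries=0 etime=3",
    "[OVD-20043] [com.octetstring.accesslog] [tid: 45] [ecid: ECID-B,0] conn=37 op=1 SRCH base= scope=2 filter=uid=testoutlook requestedAttributes=[] sizelimit=0 timelimit=0 typesOnly=FALSE",
    "[OVD-20044] [com.octetstring.accesslog] [tid: 45] [ecid: ECID-B,0] conn=37 op=1 RESULT err=0 tag=0 nentries=0 etime=81",
    "[OVD-20043] [com.octetstring.accesslog] [tid: 46] [ecid: ECID-C,0] conn=38 op=0 SRCH base= scope=2 filter=uid=other requestedAttributes=[] sizelimit=0 timelimit=0 typesOnly=FALSE",
    "[OVD-20044] [com.octetstring.accesslog] [tid: 46] [ecid: ECID-C,0] conn=38 op=0 RESULT err=0 tag=0 nentries=1 etime=5",
])
DIAG_LOG = ("[2017-07-07T14:47:51.221+10:00] [octetstring] [TRACE] [] [com.octetstring.vde.acl.ACLChecker] [tid: 45] [ecid: ECID-B,0] "
            "[SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] deny-b-null--cn=adm,dc=example-cn=testoutlook,dc=example")

ECID = re.compile(r"\[ecid: ([^\]]+)\]")
CONN_OP = re.compile(r"conn=(\d+) op=(\d+)")
SRCH = re.compile(r" SRCH base=(.*?) scope=\d+ filter=(.*?) requestedAttributes=")
RESULT = re.compile(r" RESULT err=(\d+) .*?nentries=(\d+)")
DENY = re.compile(r"\] (deny-.*)$")

def empty_searches(access_text):
    """Return SRCH operations whose RESULT was err=0 with nentries=0."""
    pending, hits = {}, []
    for line in access_text.splitlines():
        ecid, op = ECID.search(line), CONN_OP.search(line)
        if not (ecid and op):
            continue
        srch, res = SRCH.search(line), RESULT.search(line)
        if srch:
            pending[op.groups()] = {"ecid": ecid.group(1), "base": srch.group(1), "filter": srch.group(2)}
        elif res and op.groups() in pending:  # a BIND RESULT has no pending SRCH and is skipped
            search = pending.pop(op.groups())
            if res.groups() == ("0", "0"):
                hits.append(search)
    return hits

def acl_denials(diag_text, ecid):
    """Return the ACLChecker 'deny-' messages logged under the given ECID."""
    return [m.group(1) for line in diag_text.splitlines()
            if f"[ecid: {ecid}]" in line and "[com.octetstring.vde.acl.ACLChecker]" in line
            and (m := DENY.search(line))]

def correlate(access_text, diag_text):
    return [dict(s, denials=acl_denials(diag_text, s["ecid"])) for s in empty_searches(access_text)]

if __name__ == "__main__":
    for hit in correlate(ACCESS_LOG, DIAG_LOG):
        print(hit)
```

The ACLChecker lines in the excerpt are logged at TRACE level, so the diagnostic log only contains them when that level is enabled.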


BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot be searched for with ldapsearch when binding as a user other than orcladmin.

Changes

The following KM document was followed to allow a non-orcladmin user to authenticate and search / administer users in ODSM:


How To Configure / Create / Setup Multiple Administrators (More Than One Superadmin / Superuser Like cn=orcladmin) In OVD 11g For ODSM (Doc ID 1340236.1)

Cause
