
OUD 11g / 12c - Appending Data via Import-ldif Causes ACI Privileges to be Incorrectly Evaluated (Doc ID 2443137.1)

Last updated on MAY 31, 2021

Applies to:

Oracle Unified Directory - Version 11.1.2.3.161018 and later
Information in this document applies to any platform.

Symptoms

The issue is illustrated by the following example...

1. Prior to assigning the user account uid=new_admin to the cn=OracleContextAdmins group, new_admin does not have the necessary privileges to update anything under cn=OracleContext,dc=SUFFIX_DN...

$ ./ldapmodify -p PORT -D "uid=new_admin,ou=People,dc=SUFFIX_DN" -w <PASSWORD>
dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
changetype: modify
add: uniquemember
uniquemember: uid=USER_TEST,ou=People,dc=SUFFIX_DN

Processing MODIFY request for cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
MODIFY operation failed
Result Code: 50 (Insufficient Access Rights)
Additional Information: The entry cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN cannot be modified due to insufficient access rights
$


2. Add the user account uid=new_admin to the cn=OracleContextAdmins group, which grants the necessary write privileges to update cn=OracleContext,dc=SUFFIX_DN and any entries underneath it...

$ ./ldapmodify -p PORT -D "cn=DS_ADMIN" -w <PASSWORD>
dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
changetype: modify
add: uniquemember
uniquemember: uid=new_admin,ou=People,dc=SUFFIX_DN

Processing MODIFY request for cn=OracleContextAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
MODIFY operation successful for DN cn=OracleContextAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN

^C
$

3. The same attempt to make an update under cn=OracleContext,dc=SUFFIX_DN by new_admin now succeeds...

$ ./ldapmodify -p PORT -D "uid=new_admin,ou=People,dc=SUFFIX_DN" -w <PASSWORD>
dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
changetype: modify
add: uniquemember
uniquemember: uid=USER_TEST,ou=People,dc=SUFFIX_DN

Processing MODIFY request for cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
MODIFY operation successful for DN cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN

^C
$


4. Run the import-ldif command to append 10 new user entries to dc=SUFFIX_DN...

$ ./import-ldif -p ADMIN_PORT -D "cn=DS_ADMIN" -j ./pwd.txt -X -l /home/oracle/ldif/exampleLoad10.ldif -n userRoot --append --rejectFile /home/oracle/ldif/rejects.ldif
Import task 20171026120219781 scheduled to start immediately
[26/Oct/2017:12:02:19 -0600] severity="NOTICE" msgCount=0 msgID=9896349 message="Import task 20171026120219781 started execution"
[26/Oct/2017:12:02:19 -0600] severity="NOTICE" msgCount=1 msgID=9896306 message="The backend cn=userRoot,cn=Workflow Elements,cn=config is now taken offline"
[26/Oct/2017:12:02:19 -0600] severity="NOTICE" msgCount=2 msgID=20381717 message="Installation Directory: /PATH/TO/INSTANCE/oud"
[26/Oct/2017:12:02:19 -0600] severity="NOTICE" msgCount=3 msgID=20381719 message="Instance Directory: /PATH/TO/INSTANCE/asinst_3/OUD"
[26/Oct/2017:12:02:19 -0600] severity="NOTICE" msgCount=4 msgID=20381713 message="JVM Information: 1.7.0_80-b15 by Oracle Corporation, 64-bit architecture, 1042022400 bytes heap size"
[26/Oct/2017:12:02:19 -0600] severity="NOTICE" msgCount=5 msgID=20381714 message="JVM Host: <HOSTNAME>, running Linux 3.8.13-118.19.7.el6uek.x86_64 amd64, 33644511232 bytes physical memory size, number of processors available 8"
[26/Oct/2017:12:02:19 -0600] severity="NOTICE" msgCount=6 msgID=20381715 message="JVM Arguments: "-Xms1028m", "-Xmx1028m", "-XX:+UseCompressedOops", "-XX:MaxTenuringThreshold=1", "-XX:+UseConcMarkSweepGC", "-XX:CMSInitiatingOccupancyFraction=55", "-Dorg.opends.server.scriptName=start-ds""
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=7 msgID=8847533 message="Oracle Unified Directory 11.1.2.3.170117 starting import (build 20161215142016Z, R1612150506)"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=8 msgID=8847591 message="The import is a sequence of two phases: phase one imports the entries and phase two builds the indexes"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=9 msgID=8847592 message="Starting phase one (importing entries)"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=10 msgID=8847456 message="Processed 10 entries, skipped 0, rejected 0, and migrated 0 (recent rate 588.2/sec)"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=11 msgID=8847593 message="Starting phase two (building indexes)"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=12 msgID=8847569 message="Total import time was 0 seconds. Phase one processing completed in 0 seconds, phase two processing completed in 0 seconds"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=13 msgID=8847454 message="Processed 10 entries, imported 10, skipped 0, rejected 0 and migrated 0 in 0 seconds (average rate 28.9/sec)"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=14 msgID=8847453 message="Flushing data to disk, cleaning up and closing the database environment, this may take a while"
[26/Oct/2017:12:02:20 -0600] severity="INFORMATION" msgCount=15 msgID=9437595 message="Local DB backend userRoot does not specify the number of lock tables: defaulting to 97"
[26/Oct/2017:12:02:20 -0600] severity="INFORMATION" msgCount=16 msgID=9437594 message="Local DB backend userRoot does not specify the number of cleaner threads: defaulting to 24 threads"
[26/Oct/2017:12:02:20 -0600] severity="INFORMATION" msgCount=17 msgID=9437615 message="Local DB backend userRoot does not specify the percentage of the heap space to allocate to the database cache: defaulting to 35 percent"
[26/Oct/2017:12:02:20 -0600] severity="INFORMATION" msgCount=18 msgID=9437613 message="Local DB backend userRoot does not specify the size of the file handle cache: sizing automatically to use 100 file descriptors"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=19 msgID=8847402 message="The database backend cn=userRoot,cn=Workflow Elements,cn=config containing 167 entries has started"
[26/Oct/2017:12:02:20 -0600] severity="INFORMATION" msgCount=20 msgID=12582962 message="Added 7 Access Control Instruction (ACI) attribute types found in context "dc=SUFFIX_DN" to the access control evaluation engine"
[26/Oct/2017:12:02:20 -0600] severity="NOTICE" msgCount=21 msgID=9896350 message="Import task 20171026120219781 finished execution"
Import task 20171026120219781 has been successfully completed

5. Subsequent attempt to make an update under cn=OracleContext,dc=SUFFIX_DN by new_admin now fails...

$ ./ldapmodify -p PORT -D "uid=new_admin,ou=People,dc=SUFFIX_DN" -w <PASSWORD>
dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
changetype: modify
add: uniquemember
uniquemember: uid=TEST_USER,ou=People,dc=SUFFIX_DN

Processing MODIFY request for cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN
MODIFY operation failed
Result Code: 50 (Insufficient Access Rights)
Additional Information: The entry cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN cannot be modified due to insufficient access rights
$

The write access that new_admin obtained through its cn=OracleContextAdmins membership is no longer honoured after data was appended with import-ldif. The import only added 10 user entries, but it took the userRoot backend offline and brought it back, reloading the ACIs found in dc=SUFFIX_DN (the "Added 7 Access Control Instruction (ACI) attribute types" message above), and after that the same modify that succeeded in step 3 is denied with Result Code 50. After any import-ldif --append, re-test delegated write access directly rather than assuming ACI evaluation survived the backend restart; the group membership still being present is not proof that it is being evaluated.
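The five steps above amount to a before/after probe of one delegated account's write access. The script below is an added example, not code from the Oracle article: it automates that probe as a POSIX shell script to run against a test instance immediately before and again after an import-ldif --append. It attempts the same uniquemember add as new_admin, maps the ldapmodify output to an LDAP result code, and reverts the add when it went through so the group is left as it was found. The tool path, port, password file and the probe member uid=ACI_PROBE are assumptions, not values from the article; the only server behaviour it relies on is the ldapmodify output format shown in the steps above.

```shell
#!/bin/sh
# Added example (not from the Oracle KB article): probe whether a delegated
# admin's ACI-granted write access under cn=OracleContext is honoured.
# Run it before import-ldif --append and again afterwards; a change from
# result code 0 to 50 reproduces the symptom described in the article.
#
# Assumptions, not from the article: tool location, port, password file and
# the probe member uid=ACI_PROBE. Override any of them via the environment.
OUD_BIN="${OUD_BIN:-/PATH/TO/INSTANCE/oud/bin}"
LDAP_PORT="${LDAP_PORT:-1389}"
ADMIN_DN="${ADMIN_DN:-uid=new_admin,ou=People,dc=SUFFIX_DN}"
ADMIN_PW_FILE="${ADMIN_PW_FILE:-./new_admin_pwd.txt}"
GROUP_DN="${GROUP_DN:-cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=SUFFIX_DN}"
PROBE_MEMBER="${PROBE_MEMBER:-uid=ACI_PROBE,ou=People,dc=SUFFIX_DN}"

# Map captured ldapmodify output to an LDAP result code. OUD prints
# "Result Code: N (...)" on failure and "MODIFY operation successful for DN ..."
# on success (with no explicit code), so success is reported as 0 and any
# output matching neither pattern is reported as "unknown".
oud_result_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/^Result Code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        printf '%s\n' "$code"
    elif printf '%s\n' "$1" | grep -q 'operation successful'; then
        printf '0\n'
    else
        printf 'unknown\n'
    fi
}

# LDIF for the probe: add or delete ($1) the probe member in the target group.
probe_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: uniquemember\nuniquemember: %s\n' \
        "$GROUP_DN" "$1" "$PROBE_MEMBER"
}

# Verdict for a result code; exit status is 0 only when write access is honoured.
classify() {
    case "$1" in
        0)  printf 'OK: write access under cn=OracleContext is honoured\n' ;;
        50) printf 'FAIL: Result Code 50 (Insufficient Access Rights), ACI grant not in effect\n'
            return 1 ;;
        *)  printf 'UNKNOWN: result code %s, inspect the ldapmodify output\n' "$1"
            return 2 ;;
    esac
}

# Run one modify as the delegated admin (LDIF on stdin, as in the article)
# and print its result code.
run_probe() {
    out=$(probe_ldif "$1" | "$OUD_BIN/ldapmodify" -p "$LDAP_PORT" -D "$ADMIN_DN" \
              -j "$ADMIN_PW_FILE" 2>&1)
    oud_result_code "$out"
}

main() {
    rc=$(run_probe add)
    classify "$rc"
    status=$?
    # Leave the group exactly as found: undo the add when it went through.
    [ "$rc" = 0 ] && run_probe delete >/dev/null
    return "$status"
}

# Guarded so the file can be sourced for its functions without touching a server.
if [ "${RUN_ACI_PROBE:-0}" = 1 ]; then
    main
fi
```

Run it with RUN_ACI_PROBE=1 against a test instance before and after the import; an exit status of 1 after a 0 beforehand is the regression the article describes. The probe deliberately performs a real modify rather than a dry run, because the question is what the server's access control engine actually enforces.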

Cause
