OUD with PTA (Pass Through Authentication) - The "ldapsearch" Command Fails for AD Users with 'self read' ACI Configured
(Doc ID 2808522.1)
Last updated on JULY 10, 2023
Applies to:
Oracle Unified Directory - Version 12.2.1.3 and later
Information in this document applies to any platform.
Symptoms
1. AD users are provisioned to OUD via OIM, or AD users are synchronized to OUD via DIP.
2. PTA (Pass Through Authentication) is configured, so AD user authentication in OUD works fine.
3. The ACI on the PTA-enabled suffix is not working for self read (the same ACI works fine on a non-PTA-enabled suffix).
Example:
1. The self read ACI is applied to the PTA-enabled suffix, as seen by the search below.
./ldapsearch -h <OUD_hostname> -p <OUD_non_ssl_port> -D "<cn=DIRECTORY_ADMIN_ID>" -w <password> -s base -b "<PTA_enabled_suffix, for example dc=<COMPANY>,dc=<COM>>" "objectclass=*" aci
dn: dc=<COMPANY>,dc=<COM>
aci: (targetattr=*)(version 3.0; acl "Self entry read - all entry"; allow (read,
search,compare) userdn="ldap:///self";)
2. Still, an ldapsearch bound as the user fails for self read, as shown below, and returns to the command prompt with no data.
$OUD_INSTANCE/OUD/bin/ldapsearch -h <OUD_hostname> -p <OUD_non_ssl_port> -D "cn=<user_ID-1>,ou=<OU-1>,dc=<COMPANY>,dc=<COM>" -w "<Password>" -s sub -b "cn=<user_ID-1>,ou=<OU-1>,dc=<COMPANY>,dc=<COM>" "objectclass=*"
<<< Returns to the prompt without the entry for cn=<user_ID-1> >>>
Due to this issue, a PTA-enabled user is not able to read his own attributes via ldapsearch.
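Before suspecting the PTA path, it helps to confirm exactly what the quoted ACI grants on its own. The following is an added example, not code from the Oracle note or from OUD: it parses an ACI written in the syntax shown above and evaluates whether a given bind DN is allowed a permission on a given entry, so that a practitioner can see that userdn="ldap:///self" only matches when the bound DN equals the target entry DN (the DN strings and attribute names below are constructed sample values).

```python
import re

# Constructed sample: the self read ACI quoted in the note, joined onto one line.
SELF_READ_ACI = ('(targetattr=*)(version 3.0; acl "Self entry read - all entry"; '
                 'allow (read,search,compare) userdn="ldap:///self";)')

# Covers the single-bind-rule shape used above; other ACI forms are rejected.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"?(?P<attrs>[^)"]+)"?\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]*)";\s*\)', re.IGNORECASE)

def parse_aci(aci):
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + aci)
    return {
        "attrs": [a.strip().lower() for a in m.group("attrs").split("||")],
        "name": m.group("name"),
        "effect": m.group("effect").lower(),
        "perms": {p.strip().lower() for p in m.group("perms").split(",")},
        "userdn": m.group("userdn"),
    }

def norm_dn(dn):
    # DNs compare case-insensitively; ignore whitespace around RDN separators.
    return ",".join(part.strip().lower() for part in dn.split(","))

def bind_rule_matches(userdn, bind_dn, entry_dn):
    rule = userdn.lower()
    if rule == "ldap:///self":          # bound identity must be the entry itself
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(entry_dn)
    if rule == "ldap:///anyone":        # includes anonymous binds
        return True
    if rule == "ldap:///all":           # any authenticated bind
        return bind_dn is not None
    if rule.startswith("ldap:///"):     # a specific DN
        return bind_dn is not None and norm_dn(userdn[8:]) == norm_dn(bind_dn)
    return False

def is_allowed(aci, bind_dn, entry_dn, attr, perm):
    """True if the ACI grants `perm` on `attr` of `entry_dn` to `bind_dn`."""
    rule = parse_aci(aci)
    if "*" not in rule["attrs"] and attr.lower() not in rule["attrs"]:
        return False
    if perm.lower() not in rule["perms"]:
        return False
    if not bind_rule_matches(rule["userdn"], bind_dn, entry_dn):
        return False
    return rule["effect"] == "allow"
```

If the evaluator says the ACI grants self read but the live ldapsearch bound as the user still returns nothing, the ACI text itself is not the thing to change; the identity the server associates with the bind is where to look next.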
Cause