
OUD with PTA (Pass Through Authentication) - The "ldapsearch" Command Fails for AD Users with 'self read' ACI Configured (Doc ID 2808522.1)

Last updated on JULY 10, 2023

Applies to:

Oracle Unified Directory - Version 12.2.1.3 and later
Information in this document applies to any platform.

Symptoms

1. AD users are provisioned to OUD via OIM, or synchronized to OUD via DIP.

2. PTA (Pass Through Authentication) is configured, so AD user authentication in OUD works as expected.

3. The self read ACI on the PTA-enabled suffix is not honored (the same ACI works on a non-PTA-enabled suffix).

  Example:

   The self read ACI is present on the PTA-enabled suffix (base DN dc=<COMPANY>,dc=<COM> in this example), as shown by the following search run as the directory administrator:
./ldapsearch -h <OUD_hostname> -p <OUD_non_ssl_port> -D "<cn=DIRECTORY_ADMIN_ID>" -w <password> -s base -b "dc=<COMPANY>,dc=<COM>" "objectclass=*" aci
dn: dc=<COMPANY>,dc=<COM>
aci: (targetattr=*)(version 3.0; acl "Self entry read - all entry"; allow (read,search,compare) userdn="ldap:///self";)

   Yet an ldapsearch bound as the user itself, with the user's own entry as the base, returns no data and goes straight back to the command prompt:

$OUD_INSTANCE/OUD/bin/ldapsearch -h <OUD_hostname> -p <OUD_non_ssl_port> -D "cn=<user_ID-1>,ou=<OU-1>,dc=<COMPANY>,dc=<COM>" -w "<Password>" -s sub -b "cn=<user_ID-1>,ou=<OU-1>,dc=<COMPANY>,dc=<COM>" "objectclass=*"
<<< Returns to the prompt without any data for cn=<user_ID-1> >>>


Because of this issue, a PTA-enabled user cannot read their own attributes via ldapsearch.
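As an added illustration (not Oracle's code and not OUD's actual access-control engine), the following Python model parses an ACI in the syntax shown above and evaluates the userdn="ldap:///self" bind rule the way the article expects it to behave: a user bound as its own DN can search and read its entry, while any other bind DN gets nothing back, which is the "returns to the prompt without data" outcome. The directory entries and DNs are constructed sample data; the parser handles only the single-rule ACI shape on this page (targetattr, version, acl name, allow/deny, userdn) and uses a simplified DN normalization that ignores escaped characters.

```python
import re

# Constructed sample: the ACI text from the article, joined onto one line.
SAMPLE_ACI = ('(targetattr=*)(version 3.0; acl "Self entry read - all entry"; '
              'allow (read,search,compare) userdn="ldap:///self";)')

# Grammar for the one ACI shape used in this article (assumption: one bind rule, no
# targetfilter/targetscope, no "and"/"or" of bind rules).
_ACI_RE = re.compile(
    r'^\(targetattr\s*(?P<op>!?=)\s*"?(?P<attrs>[^")]+?)"?\)'   # (targetattr=*) / (targetattr="cn || sn")
    r'\s*\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;'   # (version 3.0; acl "name";
    r'\s*(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)'      # allow (read,search,compare)
    r'\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)$'          # userdn="ldap:///self";)
)


def parse_aci(aci: str) -> dict:
    """Split an ACI string into its target, rights, effect and bind rule."""
    m = _ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + aci)
    attrs = m.group("attrs").strip()
    return {
        "name": m.group("name"),
        "attr_negated": m.group("op") == "!=",
        # None means the wildcard "*" (every attribute)
        "attrs": None if attrs == "*" else [a.strip().lower() for a in attrs.split("||")],
        "effect": m.group("effect"),
        "rights": {r.strip().lower() for r in m.group("rights").split(",") if r.strip()},
        "userdn": m.group("userdn"),
    }


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lower-case types and values, drop spaces
    around '=' and ','. Escaped commas and multi-valued RDNs are not handled."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


def bind_rule_matches(userdn: str, bind_dn: str, target_dn: str) -> bool:
    """Evaluate a userdn bind rule for a bound identity against a target entry."""
    if userdn == "ldap:///self":          # bound identity must be the entry itself
        return normalize_dn(bind_dn) == normalize_dn(target_dn)
    if userdn == "ldap:///anyone":        # authenticated or anonymous
        return True
    if userdn == "ldap:///all":           # any authenticated user
        return bool(bind_dn)
    if userdn.startswith("ldap:///"):     # one explicit DN
        return normalize_dn(bind_dn) == normalize_dn(userdn[len("ldap:///"):])
    return False


def is_allowed(aci: dict, bind_dn: str, target_dn: str, right: str, attr: str) -> bool:
    """True when this single ACI grants `right` on `attr` of `target_dn` to `bind_dn`."""
    if aci["effect"] != "allow" or right.lower() not in aci["rights"]:
        return False
    if aci["attrs"] is not None:
        listed = attr.lower() in aci["attrs"]
        if listed == aci["attr_negated"]:  # not listed, or listed under "!="
            return False
    return bind_rule_matches(aci["userdn"], bind_dn, target_dn)


def self_read(aci: dict, entries: dict, bind_dn: str, base_dn: str) -> dict:
    """Model of: ldapsearch -D bind_dn -b base_dn -s base "objectclass=*".
    Returns the attributes of base_dn visible to bind_dn, or {} when nothing is
    readable (the empty result the article reports for the PTA-enabled suffix)."""
    entry = entries.get(normalize_dn(base_dn))
    if entry is None:
        return {}
    # The filter (objectclass=*) needs the search right on objectclass to match at all.
    if not is_allowed(aci, bind_dn, base_dn, "search", "objectclass"):
        return {}
    return {a: v for a, v in entry.items() if is_allowed(aci, bind_dn, base_dn, "read", a)}


# Constructed sample directory (hypothetical DNs, not from the article).
ENTRIES = {
    normalize_dn("cn=user1,ou=people,dc=example,dc=com"):
        {"cn": "user1", "sn": "One", "objectclass": "person"},
    normalize_dn("cn=user2,ou=people,dc=example,dc=com"):
        {"cn": "user2", "sn": "Two", "objectclass": "person"},
}

if __name__ == "__main__":
    rule = parse_aci(SAMPLE_ACI)
    me = "cn=user1,ou=people,dc=example,dc=com"
    other = "cn=user2,ou=people,dc=example,dc=com"
    print("self bind  ->", self_read(rule, ENTRIES, me, me))
    print("other bind ->", self_read(rule, ENTRIES, other, me))
```

The expected result for the article's ACI is that the self bind returns the whole entry and a bind as any other user returns nothing; an empty result for the self bind on the PTA-enabled suffix, while the same ACI evaluates correctly elsewhere, is exactly the symptom described above.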

 

Cause




