ODSEE to OUD 12c - Migrated ACIs not Visible in OUDSM - WLS Admin Log Error: "...could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation"
(Doc ID 2847633.1)
Last updated on MAY 31, 2024
Applies to:
Oracle Unified Directory - Version 12.2.1.3.0 and laterInformation in this document applies to any platform.
Symptoms
Migrated from Oracle Directory Server Enterprise Edition (ODSEE / DSEE) to Oracle Unified Directory (OUD) 12c.
Ran the import-ldif and the data comes over properly to OUD.
However the Access Control Instructions (ACI / ACIs) within the data are not visible / not shown / not displayed in Oracle Unified Directory Services Manager (OUDSM).
The error log shows many (e.g., hundreds) ACI's were processed, for example:
[03/Feb/2022:08:18:35 -0500] severity="INFORMATION" msgCount=26 msgID=12582962 message="Added 100 Access Control Instruction (ACI) attribute types found in context "<dn>" to the access control evaluation engine"
After enabling access control logging, can see that OUD is processing the ACIs.
There are no import errors, and ds2oud utility did not identify ACI issues.
Just cannot see the aci's in the GUI OUDSM.
The WebLogic Server (WLS) Admin Server log shows different OUDSM errors with the ACI's, for example:
[2022-02-03T16:17:43.180-05:00] [AdminServer] [WARNING] [] [oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ecid>] [APP: oudsm] [partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: <dsid>] The provided string "<long aci string>" could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation[[
oracle.idm.directoryservices.odsm.common.ODSMException: The provided string "<long aci string>" could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation
at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAcis(OJDAcl.java:242)
at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAttributes(OJDAcl.java:135)
at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.onAcpTreeSelection(OJDACICtrl.java:5654)
at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.acpEntryTreeSelection(OJDACICtrl.java:694)
...
[2022-02-03T16:17:44.204-05:00] [AdminServer] [WARNING] [] [oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ecid>] [APP: oudsm] [partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: <dsid>] The provided Access Control Instruction access type value "<ACCESS_TYPE>" is invalid. A valid access type value is either allow or deny[[
oracle.idm.directoryservices.odsm.common.ODSMException: The provided Access Control Instruction access type value "<ACCESS_TYPE>" is invalid. A valid access type value is either allow or deny
at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAcis(OJDAcl.java:242)
at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAttributes(OJDAcl.java:135)
at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.onAcpTreeSelection(OJDACICtrl.java:5654)
at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.acpEntryTreeSelection(OJDACICtrl.java:694)
...
Changes
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| References |