
ODSEE to OUD 12c - Migrated ACIs not Visible in OUDSM - WLS Admin Log Error: "...could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation" (Doc ID 2847633.1)

Last updated on APRIL 28, 2023

Applies to:

Oracle Unified Directory - Version 12.2.1.3.0 and later
Information in this document applies to any platform.

Symptoms

A deployment was migrated from Oracle Directory Server Enterprise Edition (ODSEE / DSEE) to Oracle Unified Directory (OUD) 12c.

import-ldif was run and the data was imported into OUD properly.

However, the Access Control Instructions (ACI / ACIs) within the data are not visible / not shown / not displayed in Oracle Unified Directory Services Manager (OUDSM).

The error log shows that many (e.g., hundreds of) ACIs were processed, for example:
[03/Feb/2022:08:18:35 -0500] severity="INFORMATION" msgCount=26 msgID=12582962 message="Added 100 Access Control Instruction (ACI) attribute types found in context "<dn>" to the access control evaluation engine"

After enabling access control logging, it can be seen that OUD is processing the ACIs.

There are no import errors, and the ds2oud utility did not identify any ACI issues.

The ACIs simply cannot be seen in the OUDSM GUI.


The WebLogic Server (WLS) Admin Server log shows different OUDSM errors for the ACIs, for example:

...
[2022-02-03T16:17:43.180-05:00] [AdminServer] [WARNING] [] [oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ecid>] [APP: oudsm] [partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: <dsid>] The provided string  "<long aci string>" could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation[[
oracle.idm.directoryservices.odsm.common.ODSMException: The provided string  "<long aci string>" could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation
   at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAcis(OJDAcl.java:242)
   at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAttributes(OJDAcl.java:135)
   at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.onAcpTreeSelection(OJDACICtrl.java:5654)
   at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.acpEntryTreeSelection(OJDACICtrl.java:694)
...
[2022-02-03T16:17:44.204-05:00] [AdminServer] [WARNING] [] [oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ecid>] [APP: oudsm] [partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: <dsid>] The provided Access Control Instruction access type value  "<ACCESS_TYPE>" is invalid. A valid access type value is either allow or deny[[
oracle.idm.directoryservices.odsm.common.ODSMException: The provided Access Control Instruction access type value  "<ACCESS_TYPE>" is invalid. A valid access type value is either allow or deny
   at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAcis(OJDAcl.java:242)
   at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAttributes(OJDAcl.java:135)
   at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.onAcpTreeSelection(OJDACICtrl.java:5654)
   at oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl.acpEntryTreeSelection(OJDACICtrl.java:694)
...
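To see how many ACIs OUDSM rejects and for which of the two reasons quoted above, the Admin Server log can be triaged with a short script. This is an added example, not Oracle code: the record layout is taken from the excerpt above, while the sample lines, the ACI value in them and the logger name `constructed.other.Logger` are constructed for illustration.

```python
import re
from collections import Counter

# Record header as seen in the excerpt above:
# [timestamp] [server] [LEVEL] [msg-id] [logger] ...supplemental fields... message
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T[^\]]+)\] \[(?P<server>[^\]]*)\] "
    r"\[(?P<level>[A-Z:0-9]+)\] \[[^\]]*\] \[(?P<logger>[^\]]+)\] (?P<rest>.*)$"
)
ACI_LOGGER = "oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl"

# The two message texts quoted on this page. ACI values contain embedded double
# quotes, so the value is matched greedily up to the fixed text that follows it.
PATTERNS = {
    "general_syntax": re.compile(r'The provided string\s+"(?P<val>.*)" could not be parsed as a valid Access Control Instruction'),
    "access_type": re.compile(r'access type value\s+"(?P<val>.*)" is invalid'),
}

# Constructed sample input; the ACI value is illustrative, not a known failing ACI.
SAMPLE = r'''[2022-02-03T16:17:43.180-05:00] [AdminServer] [WARNING] [] [oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [APP: oudsm] The provided string  "(targetattr="cn")(version 3.0; acl "constructed sample"; allow (read) userdn="ldap:///self";)" could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation[[
oracle.idm.directoryservices.odsm.common.ODSMException: The provided string  "..." could not be parsed as a valid Access Control Instruction (ACI) because it failed general ACI syntax evaluation
   at oracle.idm.directoryservices.odsm.model.ojd.OJDAcl.parseAcis(OJDAcl.java:242)
[2022-02-03T16:17:44.204-05:00] [AdminServer] [WARNING] [] [oracle.idm.directoryservices.odsm.ctrl.ojd.OJDACICtrl] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [APP: oudsm] The provided Access Control Instruction access type value  "<ACCESS_TYPE>" is invalid. A valid access type value is either allow or deny[[
[2022-02-03T16:17:45.000-05:00] [AdminServer] [NOTIFICATION] [] [constructed.other.Logger] [APP: oudsm] unrelated message
'''

def triage(lines):
    """Return (Counter by failure kind, list of (timestamp, kind, rejected value))."""
    counts, hits = Counter(), []
    for line in lines:
        m = HEADER.match(line)
        # Exception and stack-trace continuation lines have no header, so each
        # rejected ACI is counted once, from its WARNING record only.
        if not m or m["logger"] != ACI_LOGGER:
            continue
        for kind, pat in PATTERNS.items():
            found = pat.search(m["rest"])
            if found:
                counts[kind] += 1
                hits.append((m["ts"], kind, found["val"]))
                break
    return counts, hits

if __name__ == "__main__":
    counts, hits = triage(SAMPLE.splitlines())
    print(dict(counts))
    for ts, kind, val in hits:
        print(ts, kind, val[:60])
```

Comparing the extracted values against the `aci` attributes in the imported LDIF identifies exactly which entries OUDSM fails to display, even though the server itself loaded them.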

 

Changes

 

Cause
