
OID Synchronization import LDIF-file Insufficient Access Rights


Mattias

Feb 5, 2008, 9:26:10 AM

Export synchronization works fine now (for those of you that have
followed my struggle learning OID...). But import does not.

I am trying to do an OID import Synchronization from an LDIF-file.
When I look in the log-file

C:\OraHome_1\ldap\odi\log\MYPROFILE.trc

I can see this error:

Total # of Mod Items : 1
Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP:
error code 50 - Insufficient Access Rights]; remaining name
'cn=hans,dc=mu'
[LDAP: error code 50 - Insufficient Access Rights]
javax.naming.NoPermissionException: [LDAP: error code 50 -
Insufficient Access Rights]; remaining name 'cn=hans,dc=mu'

According to
http://forums.oracle.com/forums/thread.jspa?threadID=262585
this error can be corrected by modifying a file called grantrole.ldif
which is provided in the samples that can be downloaded from here:
http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/samplefiles.zip

This is the contents of the grantrole.ldif

dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins,
 cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclcontainer) (browse,add)
orclaci: access to entry by group="cn=oracledascreategroup,
 cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclgroup*) (browse,add) by
  group="cn=Common Group Attributes,
 cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
orclaci: access to entry filter=(&(objectclass=orclgroup)
 (orclisvisible=false)) by groupattr=(owner) (browse, add, delete) by
  dnattr=(owner) (browse, add, delete) by group="cn=Common Group
  Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by *
  (none)
orclaci: access to entry filter=(&(objectclass=orclgroup)(!
 (orclisvisible=false))) by group="cn=oracledascreategroup,
 cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclgroup) (browse,add) by
  group="cn=oracledasdeletegroup,
 cn=groups,cn=OracleContext,dc=acme,dc=com" (browse,delete) by
  group="cn=oracledaseditgroup,
 cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by
  groupattr=(owner) (browse, add, delete) by dnattr=(owner) (browse,
  add, delete) by group="cn=Common Group Attributes,
 cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)
 (orclisvisible=false)) by groupattr=(owner)
  (read,search,write,compare) by dnattr=(owner)
  (read,search,write,compare) by * (none) by group="cn=Common Group
  Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search,
  compare)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(!
 (orclisvisible=false))) by groupattr=(owner)
  (read,search,write,compare) by dnattr=(owner)
  (read,search,write,compare) by group="cn=oracledaseditgroup,
 cn=groups,cn=OracleContext,dc=acme,dc=com" (read,search,write,compare)
  by group="cn=Common Group Attributes,
 cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search, compare)

dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreategroup,
 cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclgroup) (browse, add) by
  group="cn=IASAdmins, cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclcontainer) (browse,add) by *
  (browse)


This is my DIT:

dn: dc=mu
dc: mu
objectclass: top
objectclass: domain

dn: cn=Hans,dc=mu
cn: Hans
sn: Malmgren
objectclass: top
objectclass: person
telephonenumber: 100000

How can I modify the grantrole.ldif so it will allow changes to my DIT
from the synchronization profile? I tried to follow the instructions
found here:
http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm#Grant

But I can't get it to work.

Please help!

This is my mapping file:
DomainRules
dc=mu:dc=mu
AttributeRules
cn: : :person:cn: :person:
sn: : :person:sn: :person:
telephonenumber: : :person :telephonenumber : :person :

And this is an example of an LDIF file that I put in
C:\OraHome_1\ldap\odi\data\import

dn: cn=hans,dc=mu
changetype: MODIFY
REPLACE: telephonenumber
telephonenumber: 145542
-


/ Mattias

shakespeare

Feb 5, 2008, 9:36:18 AM

"Mattias" <mattias_at_...@yahoo.com> wrote in message
news:b0959cc7-d2d0-4fa5...@s8g2000prg.googlegroups.com...

Mattias,

if you use the account orcladmin for your import profile, I think it should
work without extra grants. I do this all the time and never had to change an
ACL. Did you specify the right credentials in the profile?


Shakespeare


shakespeare

Feb 5, 2008, 9:51:26 AM

"Mattias" <mattias_at_...@yahoo.com> wrote in message
news:b0959cc7-d2d0-4fa5...@s8g2000prg.googlegroups.com...

Mattias,

I checked out the link you put in your post. I think it is a lot easier and
less error prone to create profiles with dipassistant.
And you place your users directly under your realm (mu). It's better to
create a user container (users) and to place the users there.

In the grant ldif replace
dc=us,dc=oracle,dc=com
with dc=mu

And if you have a users container, replace
dn: cn=Users,dc=us,dc=oracle,dc=com
with cn=Users,dc=mu

If you don't you should replace
dn: cn=Users,dc=us,dc=oracle,dc=com
with dc=mu
but you would grant too many privileges then....

And I have my doubts about the ldif import file containing changetype modify
commands. I think it should just be a plain LDIF file with entries, no
commands...


Shakespeare
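An added example (not code from this thread or from Oracle): a small Python helper that unfolds a mail-wrapped grantrole.ldif, retargets its DNs from the sample's dc=acme,dc=com to dc=mu as the reply above describes, and checks whether an access control point's DN actually covers the entry that failed with error 50 in the original question. The embedded LDIF is a constructed sample (the first change record of the quoted grantrole.ldif, folded with LDIF continuation lines), and the DN comparison is simplified: no RFC 4514 escaping or multi-valued RDNs.

```python
import re

# Constructed sample: the first change record of the thread's grantrole.ldif,
# folded the way LDIF expects (a continuation line starts with one space).
SAMPLE_LDIF = """\
dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins,
 cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclcontainer) (browse,add)
"""

def unfold(ldif):
    """Join LDIF continuation lines (leading space) back onto their record line."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]   # the first space is the fold marker, not data
        else:
            lines.append(line)
    return lines

def retarget(ldif, old_suffix, new_suffix):
    """Rewrite every DN tail old_suffix to new_suffix (DNs compare case-insensitively)."""
    pattern = re.compile(re.escape(old_suffix), re.IGNORECASE)
    return [pattern.sub(new_suffix, line) for line in unfold(ldif)]

def normalize_dn(dn):
    """Lower-case a DN and drop the spaces mail clients put after commas.
    Simplified on purpose: no RFC 4514 escaping, no multi-valued RDNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def acp_covers(acp_dn, entry_dn):
    """True if entry_dn is the access control point itself or lies below it in the DIT."""
    acp, entry = normalize_dn(acp_dn), normalize_dn(entry_dn)
    return entry == acp or entry.endswith("," + acp)

def acp_dns(lines):
    """DNs of the records in unfolded LDIF, i.e. where the ACIs would be applied."""
    return [line[3:].strip() for line in lines if line.lower().startswith("dn:")]

if __name__ == "__main__":
    failing = "cn=hans,dc=mu"   # DN from the error-50 line in the question's trace
    for acp in acp_dns(retarget(SAMPLE_LDIF, "dc=acme,dc=com", "dc=mu")):
        print(acp, "covers", failing, "->", acp_covers(acp, failing))  # False: no users container
    print(acp_covers("dc=mu", failing))  # True, but that puts the grants at the realm root
```

Running it shows why the unmodified sample never helped: its access control point is cn=Users,dc=acme,dc=com, which does not contain cn=hans,dc=mu, and after retargeting it still only covers entries under a cn=Users,dc=mu container.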


Mattias

Feb 5, 2008, 10:06:14 AM

Thanks for a quick reply!

I will test those changes.

I also made a try using the graphical Oracle Directory Manager. That
could also fix it. I made a few screen dumps of what I did.

http://www.freefarm.se/oid/aci.htm

But I think it is better to have a script to use. Also I guess that I
opened up the restrictions too much when I used the graphical Oracle
Directory Manager.

But, finally, I can make both import and export synchronization
profiles from an LDIF-file. That feels good!

Thanks for all help!

/ Mattias

shakespeare

Feb 5, 2008, 10:29:36 AM

"Mattias" <mattias_at_...@yahoo.com> wrote in message
news:2cd3912d-8e8e-446c...@f10g2000hsf.googlegroups.com...


Right, doing this from the gui is a lot easier.
Well, if this was production, you would be in serious trouble here, you
opened up almost any/everything.... But for learning, it should do the
trick....

Shakespeare


Mattias

Feb 7, 2008, 9:23:52 AM

> if you use the account orcladmin for your import profile, I think it should
> work without extra grants. I do this all the time and never had to change an
> ACL. Did you specify the right credentials in the profile?

How do I specify the right credentials in the profile when I do an
_IMPORT_ from LDIF-file to OID?

/ Mattias

Mattias

Feb 7, 2008, 9:58:15 AM

> How do I specify the right credentials in the profile when I do an _IMPORT_ from LDIF-file to OID?

To be more specific in this question: in the properties-file one can
specify username and password for a connected directory with the
parameters:
odip.profile.condirurl
odip.profile.condiraccount
odip.profile.condirpassword

But I do not want to connect to a _remote_ directory. I want to use
the LDIF-import file to import changes to my OID which is running the
sync-profile. I have not seen any documentation on how to
specify username and password in the syncprofile.

So what would be the correct solution to this access rights problem?

shakespeare

Feb 7, 2008, 3:59:53 PM

"Mattias" <mattias_at_...@yahoo.com> wrote in message
news:9c8c2e94-2a1b-401c...@i12g2000prf.googlegroups.com...

Sorry, you're right about that... credentials are obsolete here...

Shakespeare


shakespeare

Feb 7, 2008, 4:00:43 PM

"Mattias" <mattias_at_...@yahoo.com> wrote in message
news:595c9769-5878-4eab...@n20g2000hsh.googlegroups.com...

I thought you solved the case?

Shakespeare


Mattias

Feb 8, 2008, 2:54:07 AM

> I thought you solved the case?

Well, I did get it to work. But I thought that it would be nice to
open up access for the profile to make changes to the OID directory
without granting full access to everyone. I made a few tries to run the
grantrole.ldif file but when I did, I could not get the import profile
to work.

I started to work on a complete example: http://www.freefarm.se/oid/dip

In the example I picked a new base-domain that I called dc=gm.
After running the grantrole.ldif-file and not getting it to work, I
resigned and thought that I would try to go back to the GUI and the
wizard. But now dc=gm does not show up in the list of access control
points.

I am pretty lost here. I guess that I must read the documentation to
understand what access control really is. There is some info on it here
http://download.oracle.com/docs/cd/A91202_01/901_doc/network.901/a90151/odip_sec.htm#106812

But I don't understand it. At least not yet...

Mattias

Feb 8, 2008, 6:36:58 AM

Hi

OK, now I see. I have to create an access control point myself! It
does not show up automatically just because I create a new root-entry
in the DIT.
Now I get it! I'll be back soon with my example http://www.freefarm.se/oid/dip
more complete.

/ M
