Currently we have a DSEE backend with the suffix "dc=example,dc=com" and a DPS LDAP view with the suffix "dc=sample,dc=com" for the DSEE backend.
We have an application, Oracle Access Manager (OAM), that is configured to bind to the DPS view and it needs to search "cn=schema". I have defined a view that presents "cn=schema" from DSEE but the problem is that when the following search is performed, it fails.
$ ldapsearch -b cn=schema -h DPS -D uid=user,ou=people,dc=sample,dc=com cn=schema
ldap_search: No such object
ldap_search: additional info: Unable to process the search request. Reason: [Original error=32] Silent BIND failed: err=32, error message "", matched DN ""
If I don't specify a bind user, then the ldapsearch works as expected.
In the DSEE error logs, it shows where it's trying to bind with the DN from the DPS view, i.e. uid=user,ou=people,dc=sample,dc=com. It should be remapped to uid=user,ou=people,dc=example,dc=com.
I understand what the problem is; I am just having a difficult time figuring out where/how I can define the base-dn and dn-mapping-source-base-dn properties for this.
I have schema-check-enabled on the connection handler but that doesn't work either.
Has anyone else solved this problem already?
I can't have OAM just bind to the DSEE instance.
Edited by: user10751400 on Aug 21, 2012 10:14 AM
Edited by: user10751400 on Aug 21, 2012 10:20 AM
Edited by: user10751400 on Aug 21, 2012 10:25 AM
One easy way to address the problem is to configure the schema data view to always use the anonymous account instead of forwarding the original user credentials. To do so, you must first create a new data source that points to the backend server holding the schema,
then execute the following command on that data source object:
dpconf set-ldap-data-source-prop -h host -p port data-source-name \
client-cred-mode:use-specific-identity bind-dn: bind-pwd-file:
A DPS restart might be required to take the new config into account.
Edited by: Sylvain Duloutre on Aug 22, 2012 12:36 PM
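To confirm on the backend which bind DNs DPS is actually forwarding, before and after a change like the one above, the DSEE access log can be scanned for non-anonymous BINDs whose DN is outside the backend suffix. This is an added example, not code from either poster or from Oracle; the log layout in the regular expressions, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: access-log lines carry 'conn=N op=N ... BIND dn="..."' and a
# matching 'conn=N op=N ... RESULT err=N' line for the same operation.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) .*?BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) .*?RESULT err=(\d+)')

def dn_under_suffix(dn, suffix):
    """True when dn equals suffix or sits below it.
    Simplified: ignores case and spaces, does not handle escaped commas."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, suffix = norm(dn), norm(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def unmapped_binds(lines, backend_suffix):
    """Return (conn, dn, err) for each non-anonymous BIND whose DN is not
    under backend_suffix, i.e. a DN the proxy forwarded without remapping."""
    pending, findings = {}, []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            # An empty DN is an anonymous bind, which is what the
            # use-specific-identity setting with an empty bind-dn produces.
            if dn and not dn_under_suffix(dn, backend_suffix):
                findings.append((int(m.group(1)), dn, int(m.group(3))))
    return findings

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '[21/Aug/2012:10:14:01 -0400] conn=7 op=0 msgId=1 - BIND dn="uid=user,ou=people,dc=sample,dc=com" method=128 version=3',
    '[21/Aug/2012:10:14:01 -0400] conn=7 op=0 msgId=1 - RESULT err=32 tag=97 nentries=0 etime=0',
    '[21/Aug/2012:10:14:05 -0400] conn=8 op=0 msgId=1 - BIND dn="uid=user,ou=people,dc=example,dc=com" method=128 version=3',
    '[21/Aug/2012:10:14:05 -0400] conn=8 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0',
    '[21/Aug/2012:10:14:09 -0400] conn=9 op=0 msgId=1 - BIND dn="" method=128 version=3',
    '[21/Aug/2012:10:14:09 -0400] conn=9 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0',
]

if __name__ == "__main__":
    for conn, dn, err in unmapped_binds(SAMPLE_LOG, "dc=example,dc=com"):
        print(f"conn={conn} err={err} unmapped bind DN: {dn}")
```

An empty result over a window that includes the application's schema searches means no view-side DN reached the backend unmapped.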