8 Replies Latest reply on Feb 2, 2010 5:37 PM by 750878

    LDAP: error code 50 - Insufficient Access Rights


      I am a newbie at Oracle Internet Directory. I hope you can help me resolve the following problem:
      When I signed in to the Oracle Directory Manager with user "cn=orcladmin,cn=Users,dc=localhost,dc=com" and a blank password
      to create an entry (or attribute), I got the error: [LDAP: error code 50 - Insufficient Access Rights]

      How do I resolve this problem?
        • 1. Re: LDAP: error code 50 - Insufficient Access Rights

          The error bluntly means that the caller does not have sufficient rights to perform the requested operation (add, modify, etc.).

          Can you give us some more information about the process you are using to connect to the OID ?

          1. What is the API you are using to connect to the OID? Java? PL/SQL? Or are you attempting a simple ldapbind?

          2. If you are using a Java API ( JNDI ), what is the SECURITY_AUTHENTICATION mode that you are using ? "simple","strong" or "none" ?

          3. Is the DN of the orcladmin correct ?

          4. Is the password correct ?

          5. Did you try with cn=orcladmin instead of the DAS Administrator cn=orcladmin,cn=Users,dc=localhost,dc=com ?

          If you are using an API, can you also post the code snippet ? ( of course, by blanking out the passwords ..:) )


          • 2. Re: LDAP: error code 50 - Insufficient Access Rights
            Thank you, Sandeep, for your help.

            Now I only use Oracle Directory Manager Version Production to manage OID.
            I have already used both "cn=orcladmin,cn=Users,dc=localhost,dc=com" and "cn=orcladmin" users with the same blank password to sign in successfully. And when creating an entry (or attribute) I got the same result with error code 50 - Insufficient Access Rights.

            What should I do?

            • 3. Re: LDAP: error code 50 - Insufficient Access Rights
              Hi QuanND,

              I am sorry - I didn't see that you had mentioned " Oracle Directory Manager ".

              If you use a blank password to connect to the OID via the Oracle Directory Manager ( or, by any other method ), the OID server may treat it as an " anonymous " bind.

              A session is described as anonymous if no user DN or secret ( password ) is supplied when initiating the session (sending the bind). The LDAP protocol refers to a " zero length " username or authentication as an " Anonymous Bind ".

              This is an excerpt from the Oracle Internet Directory Administrator's Guide
              Release 9.2 (A96574-01) : Chapter 10 :


              Direct Authentication

              There are three direct authentication options:

              Anonymous Authentication

              When users authenticate anonymously, they simply leave the user name and password fields blank when they log in. Each anonymous user then exercises whatever privileges are specified for anonymous users.

              Simple Authentication

              When using simple authentication, the client identifies itself to the server by means of a DN and a password that are not encrypted when sent over the network.

              Secure Sockets Layer (SSL) Authentication

              This involves the exchange of certificates issued by trusted certificate authorities.


              Hence, if you are using the anonymous bind, you may not have the privileges to create Users. You may only have permissions to view the directory - you may not even have the necessary privileges to search the directory.

              Thus, I would suggest that if you wish to create users under the cn=Users entry, log in as the orcladmin with a valid password. If not, you need to log in as a user with the proper privileges to create users.

              Oracle Internet Directory is fascinating - I am sure you will love working with it.

              I hope this information is useful to you.
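
The point made in the reply above (a DN sent with a blank password is not an authenticated login), as an added example that is not part of the thread or of any Oracle code: it BER-encodes LDAPv3 simple bind requests and classifies them using the terms of RFC 4513. The function names, message IDs and the placeholder password are assumptions; the DN is the one quoted in the thread.

```python
# Added example (not from the thread): LDAPv3 simple binds classified per RFC 4513.
ANONYMOUS, UNAUTHENTICATED, NAME_PASSWORD = "anonymous", "unauthenticated", "name/password"

def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest using the 'simple' choice; msg_id must be 1..127 here."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

def _read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length octets
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + n], pos + n

def classify_bind(message: bytes):
    """Return (bind DN, mechanism) for one LDAPMessage carrying a BindRequest."""
    tag, body, _ = _read(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read(body, 0)       # messageID
    tag, op, _ = _read(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read(op, 0)         # version
    _, name, pos = _read(op, pos)    # bind DN
    tag, cred, _ = _read(op, pos)    # authentication choice
    if tag != 0x80:                  # anything but [0] simple is reported as SASL
        return name.decode(), "sasl"
    kind = NAME_PASSWORD if cred else UNAUTHENTICATED if name else ANONYMOUS
    return name.decode(), kind

# Constructed sample binds; the password is a placeholder, the DN is from the thread.
ADMIN_DN = "cn=orcladmin,cn=Users,dc=localhost,dc=com"
SAMPLES = [encode_simple_bind(1, "", ""), encode_simple_bind(2, ADMIN_DN, ""),
           encode_simple_bind(3, ADMIN_DN, "placeholder-password")]

def flag_blank_password_binds(messages):
    """DNs that were sent with a zero-length password and so carry no proven identity."""
    return [dn for dn, kind in map(classify_bind, messages) if kind == UNAUTHENTICATED]
```

The second sample is the case from the thread: the DN is present but the zero-length password makes it an unauthenticated bind, which is why the sign-in succeeds and the later add fails with error code 50.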


              • 4. Re: LDAP: error code 50 - Insufficient Access Rights
                Connecting as orcladmin requires using a password. The password has been established during installation of OID. By default from (9.0.4) on it is set to be the same password as the ias_admin password you provided during installation of the Oracle Infrastructure installation.

                Notice that there are two (2) orcladmin entries in OID.

                One, cn=orcladmin, is the OID superuser (same as root on UNIX); the other one is cn=orcladmin, cn=users,dc=your.default.domain

                When you log in to OID using ODM and specify only orcladmin, ODM assumes by default this will be cn=orcladmin (aka root)

                • 5. Re: LDAP: error code 50 - Insufficient Access Rights
                  Thanks a lot, Sandeep and Olaf.
                  It is done.

                  • 6. Re: LDAP: error code 50 - Insufficient Access Rights
                    We just upgraded our OID to version Now when users log in and try to create a user, they get a "you have insufficient access rights" error and can't use any workflows. Everything looks normal, looks like they still have the dynamic roles they need. I opened a TAR with sev 1 but no response yet.
                    • 7. Re: LDAP: error code 50 - Insufficient Access Rights
                      Are you asking this question in reference to OAM?

                      • 8. Re: LDAP: error code 50 - Insufficient Access Rights
                        I'm getting the same error when I try to look at a policy on our OID installation. My code can look at users and groups without problems, and is logging in with simple authentication as "cn=orcladmin" (although the same happens when logging in as "cn=orcladmin,cn=users,..." or "poladmin" (the owner of policies)), but I keep getting that error when trying to view the uniquemember's of policies (I just tried, and it seems to be all of them). When I use Oracle's ldapsearch tool, with any of those users, I have no trouble.

                        I am supplying a password, so that isn't the issue.

                        I tried changing authentication to 'strong', but got an AuthenticationNotSupportedException on that one.

                        Anyone have any ideas?

                        Update: Ugh. Ok, never mind. I did something really, amazingly stupid.

                        Edited by: user8761865 on Feb 2, 2010 9:32 AM