The error bluntly means that the caller does not have sufficient rights to perform the requested operation ( add, modify, etc...).
Can you give us some more information about the process you are using to connect to the OID ?
1. What is the API you are using to connect to the OID ? Java ? PL/SQL ? or, are you attempting a simple ldapbind ?
2. If you are using a Java API ( JNDI ), what is the SECURITY_AUTHENTICATION mode that you are using ? "simple","strong" or "none" ?
3. Is the DN of the orcladmin correct ?
4. Is the password correct ?
5. Did you try with cn=orcladmin instead of the DAS Administrator cn=orcladmin,cn=Users,dc=localhost,dc=com ?
If you are using an API, can you also post the code snippet ? ( of course, by blanking out the passwords ..:) )
Thank you, Sandeep, for your help,
Now I only use Oracle Directory Manager Version 188.8.131.52.0 Production to manage OID.
I have already used both "cn=orcladmin,cn=Users,dc=localhost,dc=com" and "cn=orcladmin" users with the same blank password to sign in successfully. And when creating an entry (or attribute) I got the same result with error code 50 - Insufficient Access Rights.
What should I do?
I am sorry - I didn't see that you had mentioned " Oracle Directory Manager ".
If you use a blank password to connect to the OID via the Oracle Directory Manager ( or, by any other method ), the OID server may treat it as an " anonymous " bind.
A session is described as anonymous if no user DN or secret ( password ) is supplied when initiating the session (sending the bind). The LDAP protocol refers to a " zero length " username or authentication as an " Anonymous Bind ".
This is an excerpt from the Oracle Internet Directory Administrator's Guide, Release 9.2 (A96574-01), Chapter 10:
There are three direct authentication options:
When users authenticate anonymously, they simply leave the user name and password fields blank when they log in. Each anonymous user then exercises whatever privileges are specified for anonymous users.
When using simple authentication, the client identifies itself to the server by means of a DN and a password that are not encrypted when sent over the network.
Secure Sockets Layer (SSL) Authentication
This involves the exchange of certificates issued by trusted certificate authorities.
Hence, if you are using the anonymous bind, you may not have the privileges to create Users. You may only have permissions to view the directory - you may not even have the necessary privileges to search the directory.
Thus, I would suggest that if you wish to create users under the cn=Users entry, login as the orcladmin with a valid password. If not, you need to login as a user with the proper privileges to create users.
Oracle Internet Directory is fascinating - I am sure you will love working with it.
I hope this information is useful to you.
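The blank-password sign-in discussed above is what RFC 4513 (section 5.1) calls an unauthenticated bind: a DN is sent but the password is empty, so the bind proves nothing about identity and a server may treat the session as anonymous. The following is an added example, not part of the original thread or of Oracle's code; it parses a BER-encoded BindRequest and labels it so such binds can be spotted in captured traffic or rejected by a client wrapper. The function names and sample messages are constructed for illustration.

```python
# Added example (constructed names and samples): classify LDAP BindRequests.

def encode_tlv(tag, value):
    """Encode one BER element with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def build_simple_bind(msg_id, dn, password):
    """Build an LDAPMessage with a version-3 simple BindRequest (msg_id < 128)."""
    bind = (encode_tlv(0x02, b"\x03") + encode_tlv(0x04, dn.encode())
            + encode_tlv(0x80, password.encode()))
    return encode_tlv(0x30, encode_tlv(0x02, bytes([msg_id])) + encode_tlv(0x60, bind))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message):
    """Return (kind, dn); kind is anonymous, unauthenticated, simple or sasl."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)            # messageID
    tag, bind, _ = read_tlv(body, pos)
    if tag != 0x60:                          # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)            # version
    _, name, pos = read_tlv(bind, pos)       # bind DN
    auth_tag, cred, _ = read_tlv(bind, pos)  # [0] simple or [3] sasl
    dn = name.decode("utf-8", "replace")
    if auth_tag != 0x80:
        return "sasl", dn
    if cred:
        return "simple", dn
    return ("unauthenticated" if dn else "anonymous"), dn  # empty password
```

A result of `unauthenticated` for `cn=orcladmin` corresponds to the situation in this thread: the sign-in appears to succeed, but write operations can still fail with error code 50.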
Connecting as orcladmin requires using a password. The password has been established during installation of OID. By default from (9.0.4) on it is set to be the same password as the ias_admin password you provided during installation of the Oracle Infrastructure installation.
Notice that there are two (2) orcladmin entries in OID.
One cn=orcladmin is the OID superuser (same as root on UNIX) the other one is cn=orcladmin, cn=users,dc=your.default.domain
When you login to OID using ODM and specify only orcladmin ODM assumes by default this will be cn=orcladmin (aka root)
Thanks a lot, Sandeep and Olaf,
It is done.
We just upgraded our OID to version 10.1.4.0.1. Now when users login and try to create a user, they get you have insufficient access rights error and can't use any workflows. Everything looks normal, looks like they still have the dynamic roles they need. I opened a tar with sev 1 but no response yet.
Are you asking this question in reference to OAM?
I'm getting the same error when I try to look at a policy on our OID installation. My code can look at users and groups without problems, and is logging in with simple authentication as "cn=orcladmin" (although the same happens when logging in as "cn=orcladmin,cn=users,..." or "poladmin" (the owner of policies)), but I keep getting that error when trying to view the uniquemembers of policies (I just tried, and it seems to be all of them). When I use Oracle's ldapsearch tool, with any of those users, I have no trouble.
I am supplying a password, so that isn't the issue.
I tried changing authentication to 'strong', but got an AuthenticationNotSupportedException on that one.
Anyone have any ideas?
Update: Ugh. Ok, never mind. I did something really, amazingly stupid.
Edited by: user8761865 on Feb 2, 2010 9:32 AM