OID Synchronization import LDIF-file Insufficient Access Rights

From: Mattias <mattias_at_freefarm_se_at_yahoo.com>
Date: Tue, 5 Feb 2008 06:26:10 -0800 (PST)
Message-ID: <b0959cc7-d2d0-4fa5-a8e9-3e553f855900@s8g2000prg.googlegroups.com>


Export synchronization works fine now (for those of you that have followed my struggle learning OID...). But import does not.

I am trying to do an OID import Synchronization from an LDIF-file. When I look in the log-file

C:\OraHome_1\ldap\odi\log\MYPROFILE.trc

I can see this error:

Total # of Mod Items : 1
Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=hans,dc=mu'
[LDAP: error code 50 - Insufficient Access Rights] javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=hans,dc=mu'

According to
http://forums.oracle.com/forums/thread.jspa?threadID=262585 this error can be corrected by modifying a file called grantrole.ldif which is provided in the samples that can be downloaded from here: http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/samplefiles.zip

These are the contents of the grantrole.ldif:

dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclcontainer) (browse,add)
orclaci: access to entry by group="cn=oracledascreategroup, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclgroup*) (browse,add) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
orclaci: access to entry filter=(&(objectclass=orclgroup)(orclisvisible=false)) by groupattr=(owner) (browse, add, delete) by dnattr=(owner) (browse, add, delete) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by * (none)
orclaci: access to entry filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by group="cn=oracledascreategroup, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclgroup) (browse,add) by group="cn=oracledasdeletegroup, cn=groups,cn=OracleContext,dc=acme,dc=com" (browse,delete) by group="cn=oracledaseditgroup, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by groupattr=(owner) (browse, add, delete) by dnattr=(owner) (browse, add, delete) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(orclisvisible=false)) by groupattr=(owner) (read,search,write,compare) by dnattr=(owner) (read,search,write,compare) by * (none) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search, compare)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by groupattr=(owner) (read,search,write,compare) by dnattr=(owner) (read,search,write,compare) by group="cn=oracledaseditgroup, cn=groups,cn=OracleContext,dc=acme,dc=com" (read,search,write,compare) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search, compare)

dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreategroup, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclgroup) (browse, add) by group="cn=IASAdmins, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclcontainer) (browse,add) by * (browse)

This is my DIT:

dn: dc=mu
dc: mu
objectclass: top
objectclass: domain

dn: cn=Hans,dc=mu
cn: Hans
sn: Malmgren
objectclass: top
objectclass: person
telephonenumber: 100000

How can I modify the grantrole.ldif so it will allow changes to my DIT from the synchronization profile? I tried to follow the instructions found here:
http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm#Grant

But I can't get it to work.

Please help!

This is my mapping file:
DomainRules
dc=mu:dc=mu
AttributeRules
cn: : :person:cn: :person:
sn: : :person:sn: :person:
telephonenumber: : :person :telephonenumber : :person :

And this is an example of a LDIF file that I put in C:\OraHome_1\ldap\odi\data\import

dn: cn=hans,dc=mu
changetype: MODIFY
REPLACE: telephonenumber
telephonenumber: 145542
-

/ Mattias

Received on Tue Feb 05 2008 - 08:26:10 CST
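The following is an added example, not part of the original post and not Oracle's code: a Python check that takes the DN rejected with error code 50 in the trace and tests whether the entry carrying each orclaci value in an ACI LDIF is that DN or one of its ancestors. The trace excerpt and the two abbreviated ACI values are constructed from the text of the post; the function names are hypothetical and DN parsing is simplified (no escaped commas).

```python
import re

# Constructed sample input, abbreviated from the trace and grantrole.ldif quoted in the post.
TRACE = "[LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=hans,dc=mu'"
ACI_LDIF = """\
dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins, cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclcontainer) (browse,add)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(orclisvisible=false))
  by groupattr=(owner) (read,search,write,compare) by * (none)
"""

def norm_dn(dn):
    """Lower-case a DN and trim spaces around RDNs (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def denied_entries(trace):
    """DNs the trace reports as rejected with LDAP result code 50, without duplicates."""
    hits = re.findall(r"error code 50\b.*?remaining name '([^']+)'", trace)
    return sorted({norm_dn(dn) for dn in hits})

def aci_records(ldif):
    """Yield (dn, [orclaci values]) per LDIF record after unfolding continuation lines."""
    for rec in re.split(r"\n\s*\n", ldif.replace("\n ", "").strip()):
        dn, acis = None, []
        for line in rec.splitlines():
            key, _, val = line.partition(":")
            if key.lower() == "dn":
                dn = norm_dn(val)
            elif key.lower() == "orclaci":
                acis.append(val.strip())
        if dn:
            yield dn, acis

def audit(trace, ldif):
    """For each denied DN, report whether each orclaci holder is that DN or an ancestor."""
    findings = []
    for entry in denied_entries(trace):
        for aci_dn, acis in aci_records(ldif):
            # An orclaci value governs the entry it is set on and the subtree below it.
            covers = entry == aci_dn or entry.endswith("," + aci_dn)
            writes = [a for a in acis if re.search(r"^access to attr.*\([^()]*\bwrite\b", a)]
            findings.append({"entry": entry, "aci_dn": aci_dn,
                             "covers": covers, "attr_write_rules": len(writes)})
    return findings

if __name__ == "__main__":
    print(audit(TRACE, ACI_LDIF))
```

On this sample it reports `covers: False`, because cn=Users,dc=acme,dc=com is not an ancestor of cn=hans,dc=mu.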
