Re: OID Synchronization import LDIF-file Insufficient Access Rights

From: shakespeare <whatsin_at_xs4all.nl>
Date: Tue, 5 Feb 2008 15:51:26 +0100
Message-ID: <47a877f1$0$85782$e4fe514c@news.xs4all.nl>

"Mattias" <mattias_at_freefarm_se_at_yahoo.com> wrote in message news:b0959cc7-d2d0-4fa5-a8e9-3e553f855900_at_s8g2000prg.googlegroups.com...
> Export synchronization works fine now (for those of you that have
> followed my struggle learning OID...). But import does not.
>
> I am trying to do an OID import Synchronization from an LDIF-file.
> When I look in the log-file
>
> C:\OraHome_1\ldap\odi\log\MYPROFILE.trc
>
> I can see this error:
>
> Total # of Mod Items : 1
> Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP:
> error code 50 - Insufficient Access Rights]; remaining name
> 'cn=hans,dc=mu'
> [LDAP: error code 50 - Insufficient Access Rights]
> javax.naming.NoPermissionException: [LDAP: error code 50 -
> Insufficient Access Rights]; remaining name 'cn=hans,dc=mu'
>
> According to
> http://forums.oracle.com/forums/thread.jspa?threadID=262585
> this error can be corrected by modifying a file called grantrole.ldif
> which is provided in the samples that can be downloaded from here:
> http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/samplefiles.zip
>
> This is the contents of the grantrole.ldif
>
> dn: cn=Users,dc=acme,dc=com
> changetype: modify
> add: orclaci
> orclaci: access to entry by group="cn=IASAdmins,
> cn=groups,cn=OracleContext,dc=acme,dc=com"
> added_object_constraint=(objectclass=orclcontainer) (browse,add)
> orclaci: access to entry by group="cn=oracledascreategroup,
> cn=groups,cn=OracleContext,dc=acme,dc=com"
> added_object_constraint=(objectclass=orclgroup*) (browse,add) by
> group="cn=Common Group Attributes,
> cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
> orclaci: access to entry filter=(&(objectclass=orclgroup)
> (orclisvisible=false)) by groupattr=(owner) (browse, add, delete) by
> dnattr=(owner) (browse, add, delete) by group="cn=Common Group
> Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by *
> (none)
> orclaci: access to entry filter=(&(objectclass=orclgroup)(!
> (orclisvisible=false))) by group="cn=oracledascreategroup,
> cn=groups,cn=OracleContext,dc=acme,dc=com"
> added_object_constraint=(objectclass=orclgroup) (browse,add) by
> group="cn=oracledasdeletegroup,
> cn=groups,cn=OracleContext,dc=acme,dc=com" (browse,delete) by
> group="cn=oracledaseditgroup,
> cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by
> groupattr=(owner) (browse, add, delete) by dnattr=(owner) (browse,
> add, delete) by group="cn=Common Group Attributes,
> cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
> orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)
> (orclisvisible=false)) by groupattr=(owner)
> (read,search,write,compare) by dnattr=(owner)
> (read,search,write,compare) by * (none) by group="cn=Common Group
> Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search,
> compare)
> orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(!
> (orclisvisible=false))) by groupattr=(owner)
> (read,search,write,compare) by dnattr=(owner)
> (read,search,write,compare) by group="cn=oracledaseditgroup,
> cn=groups,cn=OracleContext,dc=acme,dc=com" (read,search,write,compare)
> by group="cn=Common Group Attributes,
> cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search, compare)
>
> dn: cn=Users,dc=acme,dc=com
> changetype: modify
> add: orclentrylevelaci
> orclentrylevelaci: access to entry by group="cn=oracledascreategroup,
> cn=groups,cn=OracleContext,dc=acme,dc=com"
> added_object_constraint=(objectclass=orclgroup) (browse, add) by
> group="cn=IASAdmins, cn=groups,cn=OracleContext,dc=acme,dc=com"
> added_object_constraint=(objectclass=orclcontainer) (browse,add) by *
> (browse)
>
>
> This is my DIT:
>
> dn: dc=mu
> dc: mu
> objectclass: top
> objectclass: domain
>
> dn: cn=Hans,dc=mu
> cn: Hans
> sn: Malmgren
> objectclass: top
> objectclass: person
> telephonenumber: 100000
>
> How can I modify the grantrole.ldif so it will allow changes to my DIT
> from the synchronization profile? I tried to follow the instructions
> found here:
> http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm#Grant
>
> But I can't get it to work.
>
> Please help!
>
> This is my mapping file:
> DomainRules
> dc=mu:dc=mu
> AttributeRules
> cn: : :person:cn: :person:
> sn: : :person:sn: :person:
> telephonenumber: : :person :telephonenumber : :person :
>
> And this is an example of an LDIF file that I put in
> C:\OraHome_1\ldap\odi\data\import
>
> dn: cn=hans,dc=mu
> changetype: MODIFY
> REPLACE: telephonenumber
> telephonenumber: 145542
> -
>
>
> / Mattias

Mattias,

I checked out the link you put in your post. I think it is a lot easier and less error-prone to create profiles with dipassistant. And you place your users directly under your realm (mu). It's better to create a user container (users) and to place the users there.

In the grant ldif replace
dc=us,dc=oracle,dc=com
with dc=mu

And if you have a users container, replace dn: cn=Users,dc=us,dc=oracle,dc=com
with cn=Users,dc=mu

If you don't you should replace
dn: cn=Users,dc=us,dc=oracle,dc=com
with dc=mu
but you would grant too many privileges then....

And I have doubts about the ldif import file containing changetype modify commands. I think it should just be a plain LDIF file with entries, no commands...

Shakespeare
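As an added example (not from Mattias's post, Shakespeare's reply or Oracle's sample files), a small Python helper that applies the suffix substitution described in the reply to a constructed, abridged copy of grantrole.ldif, and flags ACIs that land on the realm root itself, which is the over-granting case the reply warns about. It assumes RFC 2849 line folding (continuation lines begin with a single space); the function names are hypothetical.

```python
"""Adapt a grantrole-style LDIF to another realm suffix and audit the ACI targets."""
import re

# Constructed, abridged excerpt modelled on the sample grantrole.ldif (RFC 2849 folding).
SAMPLE_GRANTROLE = """\
dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins,
 cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclcontainer) (browse,add)

dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=IASAdmins,
 cn=groups,cn=OracleContext,dc=acme,dc=com"
  added_object_constraint=(objectclass=orclcontainer) (browse,add) by *
  (browse)
"""


def unfold(ldif_text):
    """Join continuation lines (leading single space) onto the previous logical line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def rewrite_suffix(ldif_text, old_suffix, new_suffix):
    """Case-insensitively replace old_suffix with new_suffix in dn: lines and ACI group DNs."""
    pattern = re.compile(re.escape(old_suffix), re.IGNORECASE)
    return "\n".join(pattern.sub(new_suffix, line) for line in unfold(ldif_text)) + "\n"


def check_targets(ldif_text, realm_dn):
    """Return (dn, too_broad) for each record that adds an ACI; too_broad means the ACI
    sits on the realm root, so the granted groups get rights over every entry in the realm."""
    findings, dn, adds_aci = [], None, False
    for line in unfold(ldif_text) + [""]:          # sentinel closes the last record
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("add:") and "aci" in line.lower():
            adds_aci = True
        elif line == "":
            if dn and adds_aci:
                findings.append((dn, dn.lower() == realm_dn.lower()))
            dn, adds_aci = None, False
    return findings


if __name__ == "__main__":
    adapted = rewrite_suffix(SAMPLE_GRANTROLE, "dc=acme,dc=com", "dc=mu")
    print(adapted)
    print(check_targets(adapted, "dc=mu"))
```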
