Re: OID Synchronization import LDIF-file Insufficient Access Rights
- From: "shakespeare" <whatsin@xxxxxxxxx>
- Date: Tue, 5 Feb 2008 15:51:26 +0100
"Mattias" <mattias_at_freefarm_se@xxxxxxxxx> wrote in message
news:b0959cc7-d2d0-4fa5-a8e9-3e553f855900@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Export synchronization works fine now (for those of you who have
followed my struggle learning OID...). But import does not.
I am trying to do an OID import Synchronization from an LDIF-file.
When I look in the log-file
C:\OraHome_1\ldap\odi\log\MYPROFILE.trc
I can see this error:
Total # of Mod Items : 1
Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP:
error code 50 - Insufficient Access Rights]; remaining name
'cn=hans,dc=mu'
[LDAP: error code 50 - Insufficient Access Rights]
javax.naming.NoPermissionException: [LDAP: error code 50 -
Insufficient Access Rights]; remaining name 'cn=hans,dc=mu'
According to
http://forums.oracle.com/forums/thread.jspa?threadID=262585
this error can be corrected by modifying a file called grantrole.ldif
which is provided in the samples that can be downloaded from here:
http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/samplefiles.zip
This is the contents of the grantrole.ldif
dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclcontainer) (browse,add)
orclaci: access to entry by group="cn=oracledascreategroup, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclgroup*) (browse,add) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
orclaci: access to entry filter=(&(objectclass=orclgroup)(orclisvisible=false)) by groupattr=(owner) (browse, add, delete) by dnattr=(owner) (browse, add, delete) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by * (none)
orclaci: access to entry filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by group="cn=oracledascreategroup, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclgroup) (browse,add) by group="cn=oracledasdeletegroup, cn=groups,cn=OracleContext,dc=acme,dc=com" (browse,delete) by group="cn=oracledaseditgroup, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse) by groupattr=(owner) (browse, add, delete) by dnattr=(owner) (browse, add, delete) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (browse)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(orclisvisible=false)) by groupattr=(owner) (read,search,write,compare) by dnattr=(owner) (read,search,write,compare) by * (none) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search, compare)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by groupattr=(owner) (read,search,write,compare) by dnattr=(owner) (read,search,write,compare) by group="cn=oracledaseditgroup, cn=groups,cn=OracleContext,dc=acme,dc=com" (read,search,write,compare) by group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,dc=acme,dc=com" (read, search, compare)

dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreategroup, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclgroup) (browse, add) by group="cn=IASAdmins, cn=groups,cn=OracleContext,dc=acme,dc=com" added_object_constraint=(objectclass=orclcontainer) (browse,add) by * (browse)
This is my DIT:
dn: dc=mu
dc: mu
objectclass: top
objectclass: domain

dn: cn=Hans,dc=mu
cn: Hans
sn: Malmgren
objectclass: top
objectclass: person
telephonenumber: 100000
How can I modify the grantrole.ldif so it will allow changes to my DIT
from the synchronization profile? I tried to follow the instructions
found here:
http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm#Grant
But I can't get it to work.
Please help!
This is my mapping file:
DomainRules
dc=mu:dc=mu
AttributeRules
cn: : :person:cn: :person:
sn: : :person:sn: :person:
telephonenumber: : :person :telephonenumber : :person :
And this is an example of a LDIF file that I put in
C:\OraHome_1\ldap\odi\data\import
dn: cn=hans,dc=mu
changetype: MODIFY
REPLACE: telephonenumber
telephonenumber: 145542
-
/ Mattias
Mattias,
I checked out the link you put in your post. I think it is a lot easier and
less error prone to create profiles with dipassistant.
And you place your users directly under your realm (mu). It's better to
create a user container (users) and to place the users there.
In the grant ldif replace
dc=us,dc=oracle,dc=com
with dc=mu
And if you have a users container, replace
dn: cn=Users,dc=us,dc=oracle,dc=com
with cn=Users,dc=mu
If you don't you should replace
dn: cn=Users,dc=us,dc=oracle,dc=com
with dc=mu
but you would grant too many privileges then....
And I have doubts about the LDIF import file containing changetype modify
commands. I think it should just be a plain LDIF file with entries, no
commands...
Shakespeare
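As an added example (not code from this thread, from Mattias, or from Oracle), here is a small Python script that performs the suffix replacement the reply describes on a grant LDIF and then reports which DN the ACIs land on. It unfolds LDIF continuation lines first, so a group DN that is folded in the middle of an orclaci string is rewritten as a whole, and it flags the case where the grant target is the realm root (dc=mu) rather than a users container. It goes a little beyond the thread in that it handles any old/new suffix pair, not just dc=acme,dc=com to dc=mu. SAMPLE_GRANT_LDIF is a constructed, shortened stand-in for grantrole.ldif; the function and variable names are this example's own, and the default suffixes are assumptions taken from the thread.

```python
"""Rewrite an OID grant LDIF for another realm and flag over-broad grants.

Added example, not code from the thread or from Oracle. It assumes the
grantrole.ldif layout quoted above: LDIF "modify" records that add orclaci
and orclentrylevelaci values to a container under the realm dc=acme,dc=com.
"""
import re

# Constructed, shortened stand-in for grantrole.ldif (two ACI values only).
# Long values are folded the LDIF way: a continuation line starts with one
# space, which is stripped when the line is unfolded.
SAMPLE_GRANT_LDIF = """\
dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins,cn=groups,cn=OracleContext,
 dc=acme,dc=com" added_object_constraint=(objectclass=orclcontainer) (browse,add)
orclaci: access to attr=(*) filter=(objectclass=orclgroup) by group="cn=oracleda
 seditgroup,cn=groups,cn=OracleContext,dc=acme,dc=com" (read,search,write,compare)

dn: cn=Users,dc=acme,dc=com
changetype: modify
add: orclentrylevelaci
orclentrylevelaci: access to entry by * (browse)
"""

ACI_ATTRS = ("orclaci", "orclentrylevelaci")


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Split LDIF into records, each a list of (attribute, value) pairs.

    Unfolding happens before the attribute/value split, so a group DN that was
    folded in the middle of an ACI string comes back in one piece.
    """
    records, current = [], []
    for line in unfold(text):
        if line == "":
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))
    if current:
        records.append(current)
    return records


def rewrite_realm(records, old_suffix, new_suffix):
    """Replace the realm suffix everywhere: record DNs and the group DNs
    embedded inside ACI strings. Case-insensitive, and tolerant of the
    optional space after commas that the sample file uses."""
    pattern = re.compile(r",\s*".join(re.escape(p) for p in old_suffix.split(",")),
                         re.IGNORECASE)
    return [[(a, pattern.sub(new_suffix, v)) for a, v in rec] for rec in records]


def grant_targets(records):
    """DNs that receive an ACI value in the file."""
    return sorted({dict(rec)["dn"] for rec in records
                   if any(a in ACI_ATTRS for a, _ in rec)})


def overbroad(targets, realm_dn):
    """Targets equal to the realm root: an ACI there covers every entry
    beneath it, which is the "too many privileges" case from the reply."""
    norm = lambda dn: dn.replace(" ", "").lower()
    return [t for t in targets if norm(t) == norm(realm_dn)]


def to_ldif(records, width=76):
    """Serialise records back to LDIF, folding long lines with a leading space."""
    out = []
    for rec in records:
        for attr, value in rec:
            line = f"{attr}: {value}"
            out.append(line[:width])
            rest = line[width:]
            while rest:
                out.append(" " + rest[:width - 1])
                rest = rest[width - 1:]
        out.append("")
    return "\n".join(out)


def rewrite_grant_file(text, old_suffix="dc=acme,dc=com", new_suffix="dc=mu"):
    """Return (rewritten LDIF text, list of DNs the grants land on)."""
    recs = rewrite_realm(parse_ldif(text), old_suffix, new_suffix)
    return to_ldif(recs), grant_targets(recs)


if __name__ == "__main__":
    ldif, targets = rewrite_grant_file(SAMPLE_GRANT_LDIF)
    print(ldif)
    print("grants land on:", targets)
    print("over-broad (realm root):", overbroad(targets, "dc=mu"))
```

Run it with no arguments to see the rewritten sample; to use it on the real grantrole.ldif, pass the file contents to rewrite_grant_file(), check that grant_targets() names the container you intended (cn=Users,dc=mu, not dc=mu) and that overbroad() comes back empty, and only then load the output with ldapmodify as a directory administrator.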