I recently configured access control in OID to grant READ/WRITE access on one of the OU in OID to a group. This post cover steps to debug Access Control issues (READ/DELETE/MODIFY) in OID.
Note: For value of orcldebugflag (8192 is for Access Control List Processing) & orcldebugop (8 is for DELETE ) follow Note # 1239943.1 How To Set OID Debug / Trace Levels for 11g
Replicate issue and check OID logs at $ORACLE_INSTANCE/ diagnostics/ OID/ oid/ oidldapds[NNNNN].log
_______
2014-01-23T23:45:00+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: oidhost.oiddomain] [pid: 17878] [tid: 10] [ecid: 004wAjKOjRu6aMW_Lxo2ye0004NM00001V,0] ServerWorker (REG):[[
BEGIN
ConnID:77 mesgID:34 OpID:33 OpName:delete ConnIP:192.168.1.12 ConnDN:cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com
gslaudegGetNearestACP:Parsing the node cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:45:00 * gslaudegGetNearestACP:Parsing the node ou=merchant users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) Entry DN: (cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation: Operation id:(33) User DN: (cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=root)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=root)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Enforcing Server Def Access Policy
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) Access to Entry (cn=testuser1,ou=External,cn=Users,dc=onlineappsdba,dc=com) not allowed by ACP at: (Deafault Policy)
END
]]
_______
If you notice Access Control Policy checked it all the way from ou=external,cn=users,dc=onlineappsdba,dc=com –> cn=users,dc=onlineappsdba,dc=com –> dc=onlineappsdba,dc=com –> dc=com –> cn=root
Fix: I defined ACL at level dc=onlineappsdba,dc=com and granted access to group “cn=oimadministrators…” and added user cn=atul kuma…. to group cn=oimadministrators
Log after defining ACL
_______
2014-01-23T23:45:00+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: oidhost.oiddomain] [pid: 17878] [tid: 10] [ecid: 004wAjKOjRu6aMW_Lxo2ye0004NM00001V,0] ServerWorker (REG):[[
BEGIN
ConnID:77 mesgID:34 OpID:33 OpName:delete ConnIP:192.168.1.12 ConnDN:cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com
gslaudegGetNearestACP:Parsing the node cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:59:00 * gslaudegGetNearestACP:Parsing the node ou=merchant users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) Entry DN: (cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation: Operation id:(33) User DN: (cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Enforcing Server Def Access Policy
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) Access to Entry (cn=testuser1,ou=External,cn=Users,dc=onlineappsdba,dc=com) allowed by ACP at: (dc=onlineappsdba,dc=com)
END
]]
_______