While configuring OpenDS as a resource adapter for Sun Identity Manager, I ran into the following problem when setting up reconciliation with the LDAP resource. After looking into it, the cause was the proxy user that Identity Manager uses to connect to the LDAP resource. All normal provisioning succeeds, but reconciliation fails because it uses the server-side sort control to return all users.
Trying to use server-side sorting (1.2.840.113556.1.4.473) as a normal user failed with insufficient access rights. An ACI needs to be added to allow a normal user to use this control, but tracking this down took some effort. Here are the details:
Original ldif file to create the suffix:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ") (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry"; allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
THIS SEARCH WORKS FOR DIRECTORY MANAGER:
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword <directory-manager-password> --searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"
But not for a normal user (the ACI allows all; the LDIF used to create the suffix is shown above):
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "uid=ldapadmin,ou=people,dc=identric,dc=com" --bindPassword Passw0rd --searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"
SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  The request control with Object Identifier (OID) "1.2.840.113556.1.4.473" cannot be used due to insufficient access rights
This was resolved by adding the required ACI with targetcontrol = "1.2.840.113556.1.4.473". Note that the existing (targetattr = "*") allow (all) grant does not cover request controls; only a targetcontrol ACI does:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ") (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry"; allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
aci: (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

dn: ou=People,dc=identric,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=ldapadmin,ou=people,dc=identric,dc=com
givenName: Ldap
sn: Admin
mail: ldap.admin@identric.com
uid: ldapadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
cn: LDAP Admin
userPassword: Passw0rd
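To see why the first suffix LDIF fails and the second one works without touching a live server, here is an added example (my own code, not part of OpenDS or Identity Manager) that parses the suffix LDIF above and checks which ACIs grant a given bind DN the right to use a request control. It implements only the ACI syntax that appears in this post (a single targetattr or targetcontrol target, an acl name, allow/deny with a rights list, and a userdn bind rule) and treats anything else as an error; the LDIF strings are the ones shown above, with the pre-fix version derived by dropping the targetcontrol line. The assumption that "read" or "all" is the right that authorises a control, and that root DNs bypass ACIs, is noted in the comments.

```python
"""Offline check: which ACIs on a suffix entry let a bind DN use a request
control such as server-side sort (1.2.840.113556.1.4.473)?

Added example for this post, not OpenDS code. Handles only the ACI subset
shown here: one (targetattr ...) or (targetcontrol ...) target, 'acl "name"',
'allow|deny (rights)' and a 'userdn = "ldap:///..."' bind rule.
"""
import re
from typing import Dict, List

SSS_OID = "1.2.840.113556.1.4.473"  # server-side sort request control

# Suffix LDIF from the post after the fix; the targetcontrol ACI is the added line.
AFTER_LDIF = """\
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ") (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry"; allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
aci: (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

dn: ou=People,dc=identric,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=ldapadmin,ou=people,dc=identric,dc=com
uid: ldapadmin
objectClass: inetorgperson
cn: LDAP Admin
"""
# The pre-fix suffix is identical except for the targetcontrol ACI.
BEFORE_LDIF = "\n".join(l for l in AFTER_LDIF.splitlines() if "targetcontrol" not in l)

ACI_RE = re.compile(
    r'^\(\s*(?P<tkey>targetattr|targetcontrol)\s*(?P<op>!=|=)\s*"(?P<tval>[^"]*)"\s*\)'
    r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<perm>allow|deny)\s*\(\s*(?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)$',
    re.IGNORECASE,
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    per line, continuation lines beginning with a space. Attribute names are
    lower-cased; multi-valued attributes (like aci) become lists."""
    entries: List[Dict[str, List[str]]] = []
    logical: List[str] = []

    def flush() -> None:
        if not logical:
            return
        entry: Dict[str, List[str]] = {}
        for line in logical:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
        logical.clear()

    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        elif raw.strip() == "":
            flush()
        else:
            logical.append(raw)
    flush()
    return entries


def _norm_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators before comparing."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def userdn_matches(rule: str, bind_dn: str) -> bool:
    """Evaluate a userdn bind rule: 'ldap:///anyone', 'ldap:///all', or one or
    more literal DNs separated by '||'. 'self' names the target entry rather
    than a binder, so it never satisfies a control grant here."""
    for target in (t.strip() for t in rule.split("||")):
        who = target[len("ldap:///"):] if target.lower().startswith("ldap:///") else target
        if who.lower() == "anyone":
            return True                     # anonymous and authenticated alike
        if who.lower() == "all":
            return bind_dn != ""            # any authenticated user
        if who.lower() != "self" and _norm_dn(who) == _norm_dn(bind_dn):
            return True
    return False


def acis_granting_control(entries, bind_dn: str, oid: str) -> List[str]:
    """Return the acl names that permit bind_dn to use request control oid.
    Only a targetcontrol ACI can authorise a control; a broad targetattr grant
    (even allow (all) on "*") does not, which is why the post's ldapadmin
    search failed with result code 50 before the fix. Assumption: 'read' or
    'all' is the right that covers control use (the post grants all)."""
    names: List[str] = []
    for entry in entries:
        for aci in entry.get("aci", []):
            m = ACI_RE.match(aci.strip())
            if m is None:
                raise ValueError(f"ACI syntax not handled by this example: {aci}")
            if m["tkey"].lower() != "targetcontrol" or m["op"] != "=":
                continue
            if oid not in {o.strip() for o in m["tval"].split("||")}:
                continue
            rights = {r.strip().lower() for r in m["rights"].split(",")}
            if (m["perm"].lower() == "allow" and rights & {"all", "read"}
                    and userdn_matches(m["userdn"], bind_dn)):
                names.append(m["name"])
    return names


def can_use_control(entries, bind_dn: str, oid: str, root_dn: bool = False) -> bool:
    """Root DNs such as cn=Directory Manager hold the bypass-acl privilege in
    OpenDS by default, so ACIs never apply to them; everyone else needs a grant."""
    return root_dn or bool(acis_granting_control(entries, bind_dn, oid))


if __name__ == "__main__":
    admin = "uid=ldapadmin,ou=people,dc=identric,dc=com"
    for label, ldif in (("before fix", BEFORE_LDIF), ("after fix", AFTER_LDIF)):
        grants = acis_granting_control(parse_ldif(ldif), admin, SSS_OID)
        print(f"{label}: server-side sort for {admin} -> {grants or 'DENIED'}")
```

Running the script prints DENIED for the pre-fix suffix and the "LDAP Administrator Server Sort" grant for the fixed one; the same function can be pointed at an exported suffix entry to confirm the reconciliation proxy user is covered before enabling reconciliation.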
- For more information about setting ACIs in OpenDS, see: Access Control Usage Examples
- For more information on configuring an LDAP Resource Adapter in Sun Identity Manager, see: LDAP Resource Adapter configuration
