Environment
Identity Manager 4.5
Identity Manager 4.6
Situation
When trying to log in to IDMApps, the following error is shown in the browser:
<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<Fault>
  <Code>
    <Value>Receiver</Value>
    <Subcode>
      <Value>InternalError</Value>
    </Subcode>
  </Code>
  <Reason>
.....
Resolution
Give the Identity Vault Administrator account used by IDMApps [Write] rights to the oidpInstanceData attribute on all user objects.
Cause
The customer had installed and customized IDMApps so that it used a limited Identity Vault Administrator account, which only had normal browse rights in the tree. OSP therefore could not write oidpInstanceData on the user object during login, which caused the following errors:
OSP log:
Preamble: [OIDP]
Priority Level: FINER
Java: internal.osp.oidp.service.source.ldap.LDAPSource.setAttributes() [976] thread=https-jsse-nio-8143-exec-3
Time: 2018-02-07T10:08:56.507+0100
Elapsed time: 3.477 milliseconds
Log Data: Modify attributes:
DN: cn=userA,ou=users,o=data
Attributes: oidpInstanceData
Get next available admin connection:
Get admin connection from pool:
Pool: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Reserve connection:
Type: ADMIN_CONNECTION
Wait filled from existing admin connection: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Obtained existing connection: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Error while modifying an LDAP object:
javax.naming.NoPermissionException
[LDAP: error code 50 - NDS error: no access (-672)]
com.sun.jndi.ldap.LdapCtx: LdapCtx.java: mapErrorCode: 3,144
Put connection:
Connection: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
No pending reservation, check in connection: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NDSTrace:
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53768)(0x0007:0x66) modify: dn (cn=userA,ou=users,o=data)
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53768)(0x0007:0x66) modifications:
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53768)(0x0007:0x66) replace: oidpInstanceData
2051229440 LDAP: [2018/02/07 12:26:45.259] (140.16.172.41:53768)(0x0007:0x66) DDCModifyEntry failed, err = no access (-672)
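The NDSTrace excerpt above is the quickest place to confirm the cause: the admin connection's modify of oidpInstanceData is rejected with "no access (-672)". The following Python script is an added example (not NetIQ, OSP or eDirectory code) that scans NDSTrace LDAP lines for modifies denied with -672, keyed by connection id because several client connections interleave in a real trace, and then builds the LDIF for the fix. The ACL value syntax (privileges#scope#trusteeDN#protectedAttribute) and the attribute-right bits (Read = 2, Write = 4) are assumed from the eDirectory LDAP ACL format, and the trustee DN cn=idmadmin,ou=sa,o=system and container ou=users,o=data are hypothetical; the sample trace reuses the article's four lines plus a constructed second connection whose modify is not denied.

```python
import re

# Constructed sample: the 0x0007:0x66 lines copy the article's NDSTrace excerpt; the
# interleaved 0x0008:0x66 connection (userB) is made up and is not denied.
SAMPLE_NDSTRACE = """\
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53768)(0x0007:0x66) modify: dn (cn=userA,ou=users,o=data)
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53770)(0x0008:0x66) modify: dn (cn=userB,ou=users,o=data)
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53768)(0x0007:0x66) modifications:
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53770)(0x0008:0x66) modifications:
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53768)(0x0007:0x66) replace: oidpInstanceData
2051229440 LDAP: [2018/02/07 12:26:45.258] (140.16.172.41:53770)(0x0008:0x66) replace: oidpInstanceData
2051229440 LDAP: [2018/02/07 12:26:45.259] (140.16.172.41:53768)(0x0007:0x66) DDCModifyEntry failed, err = no access (-672)
"""

LINE_RE = re.compile(
    r'^\d+ LDAP: \[(?P<ts>[^\]]+)\] \((?P<client>[^)]+)\)\((?P<conn>[^)]+)\) (?P<msg>.*)$')
MODIFY_RE = re.compile(r'^modify: dn \((?P<dn>.+)\)$')
CHANGE_RE = re.compile(r'^(?P<op>add|replace|delete): (?P<attr>\S+)$')
NO_ACCESS_RE = re.compile(r'failed, err = no access \(-672\)')


def find_denied_modifies(trace):
    """Return one record per LDAP modify that eDirectory rejected with -672 (no access).

    The modify in progress is tracked per connection id, because lines from
    different client connections interleave in a real trace.
    """
    pending = {}   # conn id -> modify currently being logged on that connection
    denied = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not an LDAP trace line
        conn, msg = m['conn'], m['msg']
        mod = MODIFY_RE.match(msg)
        if mod:
            pending[conn] = {'conn': conn, 'client': m['client'], 'time': m['ts'],
                             'dn': mod['dn'], 'attrs': []}
            continue
        chg = CHANGE_RE.match(msg)
        if chg and conn in pending:
            pending[conn]['attrs'].append(chg['attr'])
            continue
        if NO_ACCESS_RE.search(msg) and conn in pending:
            denied.append(pending.pop(conn))
    return denied


def summarize_by_attribute(denied):
    """Map attribute name -> sorted DNs on which the write was denied."""
    out = {}
    for rec in denied:
        for attr in rec['attrs']:
            out.setdefault(attr, set()).add(rec['dn'])
    return {attr: sorted(dns) for attr, dns in out.items()}


# Attribute-right bits for the eDirectory ACL value "privileges#scope#trustee#attribute".
# Assumed from the eDirectory LDAP ACL syntax; verify against your eDirectory version.
ATTRIBUTE_RIGHTS = {'compare': 1, 'read': 2, 'write': 4, 'self': 8, 'supervisor': 32}


def edirectory_acl_value(trustee_dn, attribute, rights=('read', 'write'), scope='subtree'):
    if scope not in ('entry', 'subtree'):
        raise ValueError(f'scope must be entry or subtree, got {scope!r}')
    mask = 0
    for r in rights:
        mask |= ATTRIBUTE_RIGHTS[r]
    return f'{mask}#{scope}#{trustee_dn}#{attribute}'


def remediation_ldif(container_dn, trustee_dn, attribute):
    """LDIF adding an inheritable ACL on the users container that grants the
    IDMApps admin account read+write on just this one attribute (least privilege:
    no entry rights and no [All Attributes Rights])."""
    return '\n'.join([
        f'dn: {container_dn}',
        'changetype: modify',
        'add: ACL',
        f'ACL: {edirectory_acl_value(trustee_dn, attribute)}',
        '',
    ])


if __name__ == '__main__':
    denied = find_denied_modifies(SAMPLE_NDSTRACE)
    for attr, dns in summarize_by_attribute(denied).items():
        print(f'{attr}: write denied (-672) on {len(dns)} object(s): {", ".join(dns)}')
    # Hypothetical limited admin DN and users container (not from the article).
    print(remediation_ldif('ou=users,o=data', 'cn=idmadmin,ou=sa,o=system', 'oidpInstanceData'))
```

Running the script against the sample reports only userA, since the userB connection never logs a -672, and prints an LDIF that can be reviewed before being applied with ldapmodify. The ACL is scoped to the single attribute on purpose: granting [All Attributes Rights] or supervisor rights to the IDMApps account would fix the login too, but it hands a web-facing service account far more than it needs.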