Does not apply to Identity Cloud

Insufficient Access Rights error in AM (All versions) when using a Generic LDAPv3 data store

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you encounter an "Insufficient Access Rights: The request control with Object Identifier (OID) '1.3.6.1.4.1.36733.2.1.5.1' cannot be used due to insufficient access rights" error in AM when using a Generic LDAPv3 (LDAPv3) data store, such as Oracle® Unified Directory (OUD).


2 readers recommend this article

Symptoms

The following error is shown when using a Generic LDAPv3 (LDAPv3) data store:

amAuthLDAP:27/10/2016 11:12:03:599 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94] WARNING: resultCode: Connect Error
amAuthLDAP:27/10/2016 11:12:03:599 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94] WARNING: Cannot connect to [host2.example.com:389]
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:163)
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:124)
    at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.getMonitoredConnectionFactory(AbstractLoadBalancingAlgorithm.java:343)
    at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.access$100(AbstractLoadBalancingAlgorithm.java:59)
    at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm$MonitoredConnectionFactory.getConnection(AbstractLoadBalancingAlgorithm.java:88)
    at org.forgerock.opendj.ldap.LoadBalancer.getConnection(LoadBalancer.java:55)
    at org.forgerock.openam.ldap.LDAPAuthUtils.getAdminConnection(LDAPAuthUtils.java:459)
    at org.forgerock.openam.ldap.LDAPAuthUtils.searchForUser(LDAPAuthUtils.java:707)
    at org.forgerock.openam.ldap.LDAPAuthUtils.authenticateUser(LDAPAuthUtils.java:399)
    at com.sun.identity.authentication.modules.ldap.LDAP.process(LDAP.java:335)
    ...
Caused by: org.forgerock.opendj.ldap.ConnectionException: Server Connection Closed: Heartbeat failed
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:163)
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:124)
    at org.forgerock.opendj.ldap.LDAPConnectionFactory$4.handleException(LDAPConnectionFactory.java:510)
    ... more
Caused by: org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: The request control with Object Identifier (OID) '1.3.6.1.4.1.36733.2.1.5.1' cannot be used due to insufficient access rights
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:155)
    ... 20 more

Recent Changes

Installed AM or upgraded to a later version.

Implemented a Generic LDAPv3 type data store.

Causes

The Generic LDAPv3 type data store sends a TransactionID control with every LDAP request, with the control's criticality field set to FALSE. The TransactionID control is specific to DS; however, every LDAPv3 compliant data store will ignore this control, because its criticality is FALSE.

This error only occurs if your data store does not comply with RFC 4511 section 4.1.11 (Controls), which requires a server to ignore an unrecognized control whose criticality is FALSE.
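To make the behaviour described above concrete, here is an added example (not code from this article or from ForgeRock products) that BER-encodes an LDAPv3 request control carrying the OID from this article, decodes it, and applies the RFC 4511 section 4.1.11 rule a server is supposed to follow; the controlValue contents are a constructed placeholder, not the real DS TransactionID payload.

```python
# OID from the article: the DS TransactionID control that AM attaches to every request.
TRANSACTION_ID_OID = "1.3.6.1.4.1.36733.2.1.5.1"

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content

def encode_control(oid: str, criticality: bool = False, value=None) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }; criticality FALSE is the DEFAULT and is omitted."""
    body = _tlv(0x04, oid.encode("ascii"))  # LDAPOID is carried as an OCTET STRING
    if criticality:
        body += _tlv(0x01, b"\xff")         # BOOLEAN TRUE
    if value is not None:
        body += _tlv(0x04, value)           # constructed placeholder payload in tests
    return _tlv(0x30, body)                 # SEQUENCE

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_control(encoded: bytes) -> dict:
    tag, body, _ = _read_tlv(encoded, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = _read_tlv(body, 0)
    ctrl = {"oid": oid.decode("ascii"), "criticality": False, "value": None}
    while pos < len(body):                  # optional criticality and/or controlValue
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0x01:
            ctrl["criticality"] = content != b"\x00"
        elif tag == 0x04:
            ctrl["value"] = content
    return ctrl

def server_disposition(ctrl: dict, supported: frozenset) -> str:
    """RFC 4511 4.1.11: recognised -> process; unrecognised -> unavailableCriticalExtension
    if critical, otherwise ignore. insufficientAccessRights is neither, hence the ACI fix."""
    if ctrl["oid"] in supported:
        return "process"
    return "unavailableCriticalExtension" if ctrl["criticality"] else "ignore"
```

A server that returns insufficientAccessRights for this non-critical control, as in the log above, is taking a path the RFC does not describe, which is why the remedy in this article is a server-side ACI rather than a change in AM.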

Solution

This issue can be resolved by adding a global ACI to allow access to the '1.3.6.1.4.1.36733.2.1.5.1' OID such as the following:

dsconfig set-access-control-handler-prop --add global-aci:'(targetcontrol="1.3.6.1.4.1.36733.2.1.5.1")(version 3.0; acl "TransactionIdControl OpenAM control"; allow (read) userdn="ldap:///anyone";)'

Note

The exact way in which this is done will be specific to your data store, which is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.

See Also

Security Guide › Access Control

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.