Insufficient Access Rights error in AM (All versions) when using a Generic LDAPv3 data store
The purpose of this article is to provide assistance if you encounter an "Insufficient Access Rights: The request control with Object Identifier (OID) '1.3.6.1.4.1.36733.2.1.5.1' cannot be used due to insufficient access rights" error in AM when using a Generic LDAPv3 (LDAPv3) data store, such as Oracle® Unified Directory (OUD).
Symptoms
The following error is shown when using a Generic LDAPv3 (LDAPv3) data store:
amAuthLDAP:27/10/2016 11:12:03:599 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94] WARNING: resultCode: Connect Error
amAuthLDAP:27/10/2016 11:12:03:599 AM CST: Thread[ajp-apr-8009-exec-5,5,main]: TransactionId[475c572e-f336-42ff-b6cd-85037de38dfa-94] WARNING: Cannot connect to [ldap.example.com:636]
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:163)
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:124)
    at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.getMonitoredConnectionFactory(AbstractLoadBalancingAlgorithm.java:343)
    at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.access$100(AbstractLoadBalancingAlgorithm.java:59)
    at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm$MonitoredConnectionFactory.getConnection(AbstractLoadBalancingAlgorithm.java:88)
    at org.forgerock.opendj.ldap.LoadBalancer.getConnection(LoadBalancer.java:55)
    at org.forgerock.openam.ldap.LDAPAuthUtils.getAdminConnection(LDAPAuthUtils.java:459)
    at org.forgerock.openam.ldap.LDAPAuthUtils.searchForUser(LDAPAuthUtils.java:707)
    at org.forgerock.openam.ldap.LDAPAuthUtils.authenticateUser(LDAPAuthUtils.java:399)
    at com.sun.identity.authentication.modules.ldap.LDAP.process(LDAP.java:335)
    ...
Caused by: org.forgerock.opendj.ldap.ConnectionException: Server Connection Closed: Heartbeat failed
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:163)
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:124)
    at org.forgerock.opendj.ldap.LDAPConnectionFactory$4.handleException(LDAPConnectionFactory.java:510)
    ... more
Caused by: org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: The request control with Object Identifier (OID) '1.3.6.1.4.1.36733.2.1.5.1' cannot be used due to insufficient access rights
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:155)
    ... 20 more
Recent Changes
Installed AM or upgraded to a later version.
Implemented a Generic LDAPv3 type data store.
Causes
The Generic LDAPv3 data store type attaches a TransactionID request control, with the criticality field set to FALSE, to every LDAP request it sends. This control is specific to DS; however, any LDAPv3-compliant directory will ignore an unrecognized control whose criticality field is FALSE.
This error only occurs if your data store does not comply with RFC 4511, section 4.1.11, which requires the server to ignore a control it does not recognize when that control's criticality is FALSE.
Solution
This issue can be resolved by adding a global ACI that allows access to the '1.3.6.1.4.1.36733.2.1.5.1' OID, such as the following:
dsconfig set-access-control-handler-prop --add global-aci:'(targetcontrol="1.3.6.1.4.1.36733.2.1.5.1")(version 3.0; acl "TransactionIdControl OpenAM control"; allow (read) userdn="ldap:///anyone";)'
Note
The exact way in which this is done will be specific to your data store, which is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
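The following Python model illustrates both the cause and the solution above: how a server that follows RFC 4511 section 4.1.11 treats the non-critical TransactionID control, how a server that first checks every control OID against targetcontrol ACIs produces the Insufficient Access Rights result, and how adding the article's global ACI changes the outcome. This is an added example, not ForgeRock, DS or OUD code; the OID and the ACI text are taken from the article, while the DirectoryServer class, its handling rules, the ACI parsing and the sample bind DN are simplifying assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# OID of the TransactionID request control that AM's Generic LDAPv3 data
# store attaches to every request (value taken from the article).
TRANSACTION_ID_OID = "1.3.6.1.4.1.36733.2.1.5.1"

# The global ACI from the article's solution, exactly as passed to dsconfig.
ARTICLE_ACI = ('(targetcontrol="1.3.6.1.4.1.36733.2.1.5.1")'
               '(version 3.0; acl "TransactionIdControl OpenAM control"; '
               'allow (read) userdn="ldap:///anyone";)')

# LDAP result codes, RFC 4511 Appendix A.
SUCCESS = 0
UNAVAILABLE_CRITICAL_EXTENSION = 12
INSUFFICIENT_ACCESS_RIGHTS = 50


@dataclass(frozen=True)
class Control:
    """A request control as sent on the wire: OID, criticality, optional value."""
    oid: str
    criticality: bool = False
    value: Optional[bytes] = None


def parse_targetcontrol_aci(aci: str) -> tuple[str, str]:
    """Extract the targetcontrol OID and the userdn from a targetcontrol ACI.

    Only the two fields this model needs are parsed; a real server parses the
    full ACI grammar (assumed simplification).
    """
    oid = re.search(r'targetcontrol="([^"]+)"', aci)
    userdn = re.search(r'userdn="([^"]+)"', aci)
    if not oid or not userdn or "allow" not in aci:
        raise ValueError("not a targetcontrol allow ACI")
    return oid.group(1), userdn.group(1)


@dataclass
class DirectoryServer:
    """Toy model of the server side of RFC 4511 section 4.1.11 (assumed)."""
    recognized_controls: set[str]
    # When True, every control OID in a request is checked against
    # targetcontrol ACIs before the criticality rule is applied.
    enforce_control_acis: bool = False
    # OID -> set of userdn patterns granted by global ACIs.
    control_acis: dict[str, set[str]] = field(default_factory=dict)

    def add_global_aci(self, aci: str) -> None:
        oid, userdn = parse_targetcontrol_aci(aci)
        self.control_acis.setdefault(oid, set()).add(userdn)

    def _aci_allows(self, oid: str, bind_dn: str) -> bool:
        for pattern in self.control_acis.get(oid, ()):
            if pattern == "ldap:///anyone":           # anonymous or authenticated
                return True
            if pattern == "ldap:///all" and bind_dn:  # any authenticated user
                return True
            if pattern.lower() == f"ldap:///{bind_dn}".lower():
                return True
        return False

    def handle(self, bind_dn: str, controls: list[Control]) -> tuple[int, list[str]]:
        """Return (resultCode, OIDs of the controls actually applied)."""
        applied: list[str] = []
        for c in controls:
            if self.enforce_control_acis and not self._aci_allows(c.oid, bind_dn):
                # The article's failure: rejected before criticality is considered.
                return INSUFFICIENT_ACCESS_RIGHTS, applied
            if c.oid not in self.recognized_controls:
                if c.criticality:
                    return UNAVAILABLE_CRITICAL_EXTENSION, applied
                continue  # RFC 4511 4.1.11: unrecognized non-critical control is ignored
            applied.append(c.oid)
        return SUCCESS, applied


def demo() -> dict[str, tuple[int, list[str]]]:
    """Replay the article's scenario: ACI-enforcing server before and after the fix."""
    bind_dn = "cn=Directory Manager"  # constructed sample bind DN
    request = [Control(TRANSACTION_ID_OID, criticality=False, value=b"txn-0001")]
    strict = DirectoryServer(recognized_controls=set(), enforce_control_acis=True)
    before = strict.handle(bind_dn, request)
    strict.add_global_aci(ARTICLE_ACI)
    after = strict.handle(bind_dn, request)
    compliant = DirectoryServer(recognized_controls=set())
    return {"before_aci": before, "after_aci": after,
            "rfc_compliant": compliant.handle(bind_dn, request)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: resultCode={result[0]} applied={result[1]}")
```

Note that after the ACI is added the control is still not recognized by the toy server, so it is ignored rather than applied; the ACI only stops the request from being rejected, which is all the article's fix needs to achieve for AM to authenticate.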
See Also
Related Training
N/A
Related Issue Tracker IDs
N/A