[LDAP: error code 11 - Administrative Limit Exceeded]

Hi,
I am trying to search LDAP and retrieve an attribute (checksecurity) based on the uid (hardcoded the uid); below is the code:
<invoke name='getResourceObjects' class='com.waveset.ui.FormUtil'>
  <invoke name='getLighthouseContext'>
    <ref>WF_CONTEXT</ref>
  </invoke>
  <s>person</s>
  <s>Resource_LDAP</s>
  <map>
    <s>searchScope</s>
    <s>ou=people,o=abc.com</s>
    <s>searchAttrsToGet</s>
    <List>
      <String>checksecurity</String>
      <String>uid</String>
    </List>
    <s>conditions</s>
    <map>
      <s>uid</s>
      <s>AE8024T</s>
    </map>
  </map>
</invoke>
Below is the block trace:
<block name='Test' trace='true'>
<invoke name='getResourceObjects' class='com.waveset.ui.FormUtil'>
<invoke name='getLighthouseContext'>
<ref>WF_CONTEXT</ref> --> com.waveset.workflow.WorkflowEngine@539f0d
</invoke> --> com.waveset.server.InternalSession@17210a5
<s>person</s> --> person
<s>Resource_LDAP</s> --> Resource_LDAP
<map>
<s>searchScope</s> --> searchScope
<s>ou=people,o=abc.com</s> --> ou=people,o=abc.com
<s>searchAttrsToGet</s> --> searchAttrsToGet
<o>[checksecurity, uid]</o> --> [checksecurity, uid]
<s>conditions</s> --> conditions
<map>
<s>uid</s> --> uid
<s>AE8024T</s> --> 210014992
</map> --> {uid=AE8024T}
</map> --> {searchAttrsToGet=[checksecurity, uid], searchScope=ou=people,o=abc.com, conditions={uid=AE8024T}}
XPRESS <invoke> exception:com.waveset.util.WavesetException: Can't call method getResourceObjects on class com.waveset.ui.FormUtil
==> com.waveset.util.WavesetException: Error searching for objects
==> javax.naming.LimitExceededException: [LDAP: error code 11 - Administrative Limit Exceeded]
Please let me know if anyone has come across this error.
Thanks & Regards
Arun

Your LDAP server has search limits for the user you're logging in as (or, more likely, it has default limits, and you haven't made exceptions for that user).
If you're using Sun Directory Server, you can remove these limits by setting 'nsLookThroughLimit' and 'nsSizeLimit' both to -1 for that user.

Similar Messages

  • Need Help with "ldap_search: Administrative limit exceeded" issue

    Hi,
    I recently created an index for an attribute called abcSmDisableFlag. When I perform an Ldapsearch using an application owner's binddn, 10 entries are returned before I get the error: ldap_search: Administrative limit exceeded. When I use the Directory Manager I do not get this error while the same 10 entries are returned.
    I have analyzed the error and access logs and I think the problem is with the index (notes=U). I performed a reindex on the attribute but it didn't work.
    Below are the details I gathered from the
    error log:
    [20/Sep/2010:15:04:59 -0400] - WARNING<20805> - Backend Database - conn=1189378 op=1 msgId=2 - search is not indexed base='ou=customers,o=abc enterprises,c=us,dc=abc,dc=net' filter='(&(objectClass=abcIdentity)(abcIdmDeleteDate<=2010-09-20)(!(abcSmDisabledFlag=1)))' scope='sub'
    access log:
    [20/Sep/2010:15:04:59 -0400] conn=1189378 op=-1 msgId=-1 - fd=536 slot=536 LDAP connection from UserIP to ServerIP
    [20/Sep/2010:15:04:59 -0400] conn=1189378 op=0 msgId=1 - BIND dn="cn=xyzservices,ou=appid,dc=abc,dc=net" method=128 version=3
    [20/Sep/2010:15:04:59 -0400] conn=1189378 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001190 dn="cn=xyzservices,ou=appid,dc=abc,dc=net"
    [20/Sep/2010:15:04:59 -0400] conn=1189378 op=1 msgId=2 - SRCH base="ou=customers,o=abc enterprises,c=us,dc=abc,dc=net" scope=2 filter="(&(objectClass=abcIdentity)(abcIdmDeleteDate<=2010-09-20)(!(abcSmDisabledFlag=1)))" attrs=ALL
    [20/Sep/2010:15:05:03 -0400] conn=1189378 op=1 msgId=2 - RESULT err=11 tag=101 nentries=1 etime=4.604440 notes=U
    I have indexed both abcIdmDeleteDate and abcSmDisabledFlag with a presence and equality index.
    I am using Sun Directory Server 6.2. All the nsslapd limits are at Default value and I am not supposed to increase those values.
    I will be very grateful if anyone can kindly share ideas/solutions on this issue and help me out.
    Thanks!!

    I don't know if your issue has been resolved, but two things I see here:
    1 - you should not be on 6.2, move to 6.3 or 7.
    2 - your filter is the answer, when you use a filter of "(&(objectclass=abcIdentity)(abcIdmDeleteDate<=2010-09-16)("\!"(abcSmDisabledFlag=1)))", DSEE takes the 1st part of your filter, in your case objectclass=abcIdentity, and does a search on it. Then after retrieving all entries it checks all that have an abcSmDisableFlag <=2010-09-16 and finally out of the remaining entries it will check which do not have an abcSmDisableFlag=1.
    The search on objectClass is resulting in an unindexed search, apparently. What you need to do is alter the order of your attributes in your search filter and have objectClass at the end.
    I hope this makes sense and helps.
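
The correlation done by hand in the thread above (matching the `RESULT err=11 ... notes=U` line back to its SRCH and BIND lines through `conn` and `op`) can be scripted. This is an added example, not part of the original posts; the sample lines are built from the access log quoted in the question plus one constructed indexed search, and the names `find_limited_searches` and `Finding` are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the access-log lines quoted in the question (wrapped
# lines joined), plus one made-up indexed search (op=2) for contrast.
SAMPLE_LOG = """\
[20/Sep/2010:15:04:59 -0400] conn=1189378 op=-1 msgId=-1 - fd=536 slot=536 LDAP connection from UserIP to ServerIP
[20/Sep/2010:15:04:59 -0400] conn=1189378 op=0 msgId=1 - BIND dn="cn=xyzservices,ou=appid,dc=abc,dc=net" method=128 version=3
[20/Sep/2010:15:04:59 -0400] conn=1189378 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001190 dn="cn=xyzservices,ou=appid,dc=abc,dc=net"
[20/Sep/2010:15:04:59 -0400] conn=1189378 op=1 msgId=2 - SRCH base="ou=customers,o=abc enterprises,c=us,dc=abc,dc=net" scope=2 filter="(&(objectClass=abcIdentity)(abcIdmDeleteDate<=2010-09-20)(!(abcSmDisabledFlag=1)))" attrs=ALL
[20/Sep/2010:15:05:03 -0400] conn=1189378 op=1 msgId=2 - RESULT err=11 tag=101 nentries=1 etime=4.604440 notes=U
[20/Sep/2010:15:05:04 -0400] conn=1189378 op=2 msgId=3 - SRCH base="ou=customers,o=abc enterprises,c=us,dc=abc,dc=net" scope=2 filter="(uid=example)" attrs="cn"
[20/Sep/2010:15:05:04 -0400] conn=1189378 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0.000800
"""

# "[timestamp] conn=N op=N [msgId=N] [-] VERB key=value ..."
# msgId and the dash are optional so older logs without them still parse.
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)'
    r'(?:\s+msgId=-?\d+)?(?:\s+-)?\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    conn: int
    op: int
    bind_dn: str        # identity whose limits applied ("anonymous" if none)
    base: str
    search_filter: str
    err: int            # LDAP result code; 11 = administrative limit exceeded
    nentries: int
    etime: float
    unindexed: bool     # True when the RESULT line carries notes=U


def find_limited_searches(lines: Iterable[str]) -> List[Finding]:
    """Return searches that ended with err=11 or were flagged unindexed."""
    pending_bind: Dict[Tuple[int, int], str] = {}   # (conn, op) -> DN in BIND
    bound_as: Dict[int, str] = {}                   # conn -> DN of last good bind
    searches: Dict[Tuple[int, int], Tuple[str, str]] = {}
    findings: List[Finding] = []

    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        verb, _, args = m["rest"].partition(" ")
        kv = {k: v.strip('"') for k, v in KV.findall(args)}

        if verb == "BIND":
            pending_bind[key] = kv.get("dn") or "anonymous"
        elif verb == "SRCH":
            searches[key] = (kv.get("base", "?"), kv.get("filter", "?"))
        elif verb == "RESULT" and kv.get("tag") == "97":      # bind response
            dn = pending_bind.pop(key, None)
            if dn and kv.get("err") == "0":
                bound_as[key[0]] = dn
        elif verb == "RESULT" and kv.get("tag") == "101":     # search done
            base, flt = searches.pop(key, ("?", "?"))
            err = int(kv.get("err", "0"))
            unindexed = "U" in kv.get("notes", "").split(",")
            if err == 11 or unindexed:
                findings.append(Finding(
                    timestamp=m["ts"], conn=key[0], op=key[1],
                    bind_dn=bound_as.get(key[0], "anonymous"),
                    base=base, search_filter=flt, err=err,
                    nentries=int(kv.get("nentries", "0")),
                    etime=float(kv.get("etime", "0")),
                    unindexed=unindexed,
                ))
    return findings


if __name__ == "__main__":
    for f in find_limited_searches(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} conn={f.conn} op={f.op} err={f.err} "
              f"unindexed={f.unindexed} etime={f.etime}s bind={f.bind_dn}")
        print(f"    base={f.base}")
        print(f"    filter={f.search_filter}")
```

The report names the bind DN whose limits were applied and the exact filter that ran unindexed, which are the two things to check before touching any server-wide limit.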

  • ODSEE 11gR1------LDAP: error code 11 - Administrative Limit Exceeded

    Hello,
    We are facing some issues browsing the server content when using some accounts.
    We've got the error code below:
    Caused by: javax.naming.LimitExceededException: [LDAP: error code 11 - Administrative Limit Exceeded]; remaining name 'ou=Users,o=XXX"
    We've already tried to solve it using the below posts:
    http://docs.oracle.com/cd/E19693-01/819-0995/bcapq/index.html
    http://docs.oracle.com/cd/E19424-01/820-4809/gbxdp/index.html
    But the problem still occurs.
    Do you have any idea how to solve it?
    Thank you in advance for your help.

    Hello,
    These are some logs while using the application and the LDAP server.
    06 mai 2013 09:52:55,375 DEBUG rte_log: - LDAP search filter is '(&(objectClass=rteFOCustomers)(cn=*)(displayName=*)(iso6523=*))'
    06 mai 2013 09:52:55,375 INFO rte_log: - Recherche de sociétés avec le filtre '(&(objectClass=rteFOCustomers)(cn=*)(displayName=*)(iso6523=*))'
    06 mai 2013 09:52:55,491 INFO rte_log: - La recherche de sociétés avec le filtre '(&(objectClass=rteFOCustomers)(cn=*)(displayName=*)(iso6523=*))' a ramené : 925 elements
    06 mai 2013 09:53:02,954 ERROR rte_log: etso - [LDAP: error code 11 - Administrative Limit Exceeded]
    The account used to browse the server is the directory manager account.
    Thank you for your help.

  • Error opening file/URL reference by alias and Administrative limit exceeded

    Hello All,
    Problem:
    SMTP Error: 4.5.0 error opening file/URL reference by alias
    and
    Search failed with: netscape.ldap.LDAPException: error result (11); Administrative limit exceeded
    Here is my configuration:
    Windows 2000 server (without Active Directory)
    SP4
    Iplanet Messaging Server 5.2
    Netscape Directory Server 4.16
    IPlanet Messaging Server 5.2 Hotfix 1.09 (built Jan 7 2003)
    We have a group which we use to flash messages to all the users of the mail server. Till last week it was working fine but now I am not able to send messages to this group <group-name>.
    There are around 800 (Eight Hundred) E-mail ids in the messaging server and the flashed message is supposed to go to all 800+ users.
    Note: I have another group of 300 users and I am able to send an E-mail to this group of 300 users.
    I am using Dynamic Group for Members list.
    The error message I get while trying to send message to this group is
    SMTP Error: 4.5.0 error opening file/URL reference by alias.
    The corresponding error in mail.log file is
    30-Jan-2004 10:55:21.40 41c.7e4.1098 tcp_intranet J 0 <group-name>@domain rfc822; <group-name>@domain domain (localhost [127.0.0.1]) 452 4.5.0 error opening file/URL referenced by alias: <group-name>@domain
    Now when I construct and Test the LDAP URL from Console, the error I get is:
    Search failed with: netscape.ldap.LDAPException: error result (11); Administrative limit exceeded
    I have increased the various limits but I still get the same error when I send mail to that group or do a LDAP Test:
    The default and new limits are:
    Sizelimit: Default 2000 New 10000
    Timelimit Default 3600 New 3600
    Lookthroughlimit Default 5000 New 6000
    The corresponding error entry in access log of slapd is:
    30/Jan/2004:12:19:26 +051800] conn=34 op=213 RESULT err=11 tag=101 nentries=0 etime=2 notes=U
    My search for Administrative limit problem and error opening file/URL error in Sun forum and other groups did get some hits but that did not solve my problem.
    I will appreciate any suggestion/comments.
    Thanks and Regards,
    Maneesh Bisht

    Thanks Jay.
    My problem has been fixed.
    Your suggestion was to increase the lookthrough limit. As you would have noticed in my posting that I had increased this limit to 6000 but that did not solve my problem. Today I increased this limit to 10000. And after that I did not get "administrative limit exceeded" error. Also I do not get "error opening file/URL reference by alias" error while sending E-mail to a particular group of 800+ ids.
    Regards,
    Maneesh Bisht

  • Administrative limit exceeded error

    On attempting an ldap search command as follows ./ldapsearch -z1000 -b "ou=People,o=abcd.com" "organizationalstatus=manager", I am getting "Administrative limit exceeded" error. The limit is set to 2000 in the console. Any help is appreciated. Thanks

    hello,
    "Administrative limit" may be a SIZE limit, ENTRIES (number of) limit or SIZE (output of) limit:
    From "man" of ldapsearch:
    -l timelim time limit (in seconds) for search (default is no limit)
    -z sizelim size limit (in entries) for search (default is no limit)
    You can use these options when you search.
    You may also check the setting of 3 limits above with Admin Console:
    Open your directory server (name), Configuration Folder, Performance. On right panel check Client Control folder. You may see:
    Size limit
    Look-through limit
    Time limit
    Idle timeout
    • The look-through limit specifies the maximum number of entries that will be examined for a search operation.
    • The size limit specifies the maximum number of entries the server returns to the client application in response to a search operation.
    • The time limit specifies the maximum time the server spends processing a search operation.
    • The idle timeout specifies the time a client connection to the server can be idle before the server drops the connection.
    If you bind as Directory manager, you may use unlimited resources by default.
    Hello,
    silvio

  • Ldap_search: Administrative limit exceeded

    Hi, I am running a number of DSCC 11.1.1.3.0 LDAP instances.
    Within those instances I have configured the 'size limit' to unlimited (and restarted the server).
    When an authenticated user does an ldapsearch they get the full search returned, but when an anonymous user does the same search
    they hit the 'Administrative limit exceeded' error.
    What am I missing that would allow an anonymous user to return the full search?
    Thanks in Advance.

    I assume you are connecting direct to a Directory Server and not via a Directory Proxy instance.
    Have you checked if your bound users have any of the following operational attributes set on them?
    nssizelimit
    nsTimeLimit
    nsLookThroughLimit
    Also take a look at the error code in the logs, it may be that your search is failing due to time or indexes rather than size of result.

  • Error while create user in LDAP - LDAP: error code 1

    Hi guys, I am getting the below error while creating a user in LDAP MS AD.
    cn=3001,ou=sAP_IDM,dc=springswf,dc=comcn<mx:TEXT>putNextEntry failed storingOU=SAP_IDM,DC=springswf,DC=com</mx:TEXT>
    <mx:LTEXT>Exception from Add operation:javaxnaming.NamingException: {LDAP: error code 1 = 00000000: LdapErr: DSID-OC090AE2, coment: In order to perform this operation a successful bind must be completed on the connection.,data0,vece
    Steps I am following:
    1. create a job through wizard and pick from (IC->jobs->Active Directory->Create Active Directory User)
    2. Destination tab values that I am passing:
    dn: cn=Dummyuser,ou=SAP_IDM,dc=<main domain>,dc=com
    objectClass: top|person|organizationalPerson|user
    sn: Surname
    givenName: GivenName
    displayName: Dummy user displayname
    Under <main domain> an OU has been created called SAP_IDM for testing user creation from IDM.
    Admin user account created called <XYZ> and has full control over SAP_IDM OU.
    I am passing <XYZ> credentials into my job for user creation.
    Thanks for your help!

    Farhan,
    Based on the error message presented,
    In order to perform this operation a successful bind must be completed on the connection
    Make sure that you're using the correct information to do the AD Bind.  User name should be something like cn=administrator,cn=users,dc=xxx,dc=xxx and the proper password.
    Matt

  • DPS7: LDAP error code 52

    Env: DPS7 on RH5. We are running into many types of connection issues; the following 3 are frequent:
    1. LDAP: error code 52 - Unable to read BIND response from server
    2. LDAP: error code 52 - Unable to read SEARCH response from backend server : Connection reset by peer
    3. LDAP: error code 52 - Unable to read SEARCH response from backend server : Timeout when waiting to read from input stream
    Appreciate someone helping me understand under what circumstances the above errors occur and what needs to be tweaked to limit them.
    Also, is there a way to configure DPS not to use connection pools and instead open fresh connections for each client operation? Why would I do that? I believe DPS needs a lot of timeout and monitoring times tweaking to make sure that the connections in the pool are monitored properly and kept active. Any suggestions here?

    Hi,
    Looks like the connections between DPS and DS are invalid. This gives rise to a great variety of error messages depending on when the error is detected (read, write, timeout etc).
    In most cases, this is related to an aggressive idle-timeout set on the DS side or a HW LB that impacts DPS connection pooling.
    The dpconf property "monitoring-inactivity-timeout", defaulted to 120s, may be used to keep pooled connections alive.
    Hope this helps
    -Sylvain

  • SGD-AD "LDAP error code 49"

    Dear all,
    I saw the following error in the server-login log file:
    2007/07/24 15:15:03.098 (pid 2698) server/login/moreinfo #1185261303098
    Loaded class com.sco.tta.server.login.LdapLoginAuthority: {
    LDAPRoot=.../_ldapmulti/forest/
    accountEnabledChecked=false
    anonLogin=false
    attemptPasswordChange=true
    generalLdapProfileName=.../_ens/o=Tarantella System Objects/cn=LDAP Profile
    mustChangePasswordResult[0]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 701
    mustChangePasswordResult[1]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 773
    mustChangePasswordResult[2]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 773
    mustChangePasswordResult[3]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773
    name=com.sco.tta.server.login.LdapLoginAuthority
    propAccEnabled=scottaaccountenabled
    userMustChangePasswordResult=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 773
    userPasswordExpiredResult=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 701
    version=4.31.905
    What should I do in my SGD server?
    What should I do in my AD server?
    What is the solution to resolve the error?
    Appreciate any help given.

    Hi,
    I am also getting the same error. Please let me explain what I have encountered.
    In the Active Directory (version 2003), the administrator has limited the user to log in to only his workstation. This has been set by putting his workstation host name or IP (which is allowed to be accessed by the user) into a "log on to" list (at the user level) in Active Directory. There is another option if the administrator allows the user to be able to log on to any workstation, that is by checking the "log on to all computer" check box at that particular user id.
    When my user has been set to "log on to all computer", I don't encounter the error message, i.e. error code 49, as mentioned in the subject of this topic. However, when a particular user has been limited to only access his own workstation, the error appears. However, if the Active Directory server host name or IP has been added into the "log on to" list, the authentication is successful.
    My application is actually running on an application server and the user is using Internet Explorer to log in to my application from his workstation. And also, the application server has been joined to the same domain as the Active Directory server. My question is, is it a must that the Active Directory server name be added to the "log on to" list of that particular user in order for it to be authenticated by Active Directory? Does anyone have any ideas why this is happening? I definitely don't want to add the AD server name into the list as this will give the user rights to log in to the AD server. Any advice would be of great help. Thanks a million in advance.

  • LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 534, v1db0^@]

    Hello,
    What does the following error code data 534 mean?
    LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 534, v1db0^@]

    Hi,
    Thanks for your patience.
    The error code 49 related to LDAP is caused by the invalid credentials. Please refer to the following most possible causes.
    1. The DN path or password which you have specified for the administrator is invalid. Any of the below will result in this error:
    1). Pointed to non-user DN
    2). Pointed to a non-existent user, but in existing DN
    3). Pointed to non existent DN
    4). Pointed to an existing user, but non existing DN
    5). Pointed to an incorrect admin DN, uid instead of cn
    6). Pointed to a non administrator user
    7). Pointed to a valid admin but password is incorrect
    2. Could not authenticate the user trying to login. This can be the result of an incorrect username or password, or an incorrect prefix and/or suffix specified in the Settings tab, depending on the type of LDAP/AD system. Could also mean the authentication type is incorrect.
    Best regards,
    Ann Zhu

  • LDAP: error code (s) library ???

    Where will I get the list of all LDAP errors and the explanation about the error. Any document OR webpage is available with such list ???
    Example: Assume I got a error, "[LDAP: error code 65 - Object Class Violation]", where will I check for the exact explanation about this error.
    Please help...

    Hi guys,
    Here you go,
    Code (decimal)  Error code (string)  Description
    0 LDAP_SUCCESS Success
    1 LDAP_OPERATIONS_ERROR Operations error
    2 LDAP_PROTOCOL_ERROR Protocol error
    3 LDAP_TIMELIMIT_EXCEEDED Timelimit exceeded
    4 LDAP_SIZELIMIT_EXCEEDED Sizelimit exceeded
    5 LDAP_COMPARE_FALSE Compare false
    6 LDAP_COMPARE_TRUE Compare true
    7 LDAP_STRONG_AUTH_NOT_SUPPORTED Strong authentication not supported
    8 LDAP_STRONG_AUTH_REQUIRED Strong authentication required
    9 LDAP_PARTIAL_RESULTS Partial results
    16 LDAP_NO_SUCH_ATTRIBUTE No such attribute
    17 LDAP_UNDEFINED_TYPE Undefined attribute type
    18 LDAP_INAPPROPRIATE_MATCHING Inappropriate matching
    19 LDAP_CONSTRAINT_VIOLATION Constraint violation
    20 LDAP_TYPE_OR_VALUE_EXISTS Type or value exists
    21 LDAP_INVALID_SYNTAX Invalid syntax
    32 LDAP_NO_SUCH_OBJECT No such object
    33 LDAP_ALIAS_PROBLEM Alias problem
    34 LDAP_INVALID_DN_SYNTAX Invalid DN syntax
    35 LDAP_IS_LEAF Object is a leaf
    36 LDAP_ALIAS_DEREF_PROBLEM Alias dereferencing problem
    48 LDAP_INAPPROPRIATE_AUTH Inappropriate authentication
    49 LDAP_INVALID_CREDENTIALS Invalid credentials
    50 LDAP_INSUFFICIENT_ACCESS Insufficient access
    51 LDAP_BUSY DSA is busy
    52 LDAP_UNAVAILABLE DSA is unavailable
    53 LDAP_UNWILLING_TO_PERFORM DSA is unwilling to perform
    54 LDAP_LOOP_DETECT Loop detected
    64 LDAP_NAMING_VIOLATION Naming violation
    65 LDAP_OBJECT_CLASS_VIOLATION Object class violation
    66 LDAP_NOT_ALLOWED_ON_NONLEAF Operation not allowed on nonleaf
    67 LDAP_NOT_ALLOWED_ON_RDN Operation not allowed on RDN
    68 LDAP_ALREADY_EXISTS Already exists
    69 LDAP_NO_OBJECT_CLASS_MODS Cannot modify object class
    70 LDAP_RESULTS_TOO_LARGE Results too large
    80 LDAP_OTHER Unknown error
    81 LDAP_SERVER_DOWN Can't contact LDAP server
    82 LDAP_LOCAL_ERROR Local error
    83 LDAP_ENCODING_ERROR Encoding error
    84 LDAP_DECODING_ERROR Decoding error
    85 LDAP_TIMEOUT Timed out
    86 LDAP_AUTH_UNKNOWN Unknown authentication method
    87 LDAP_FILTER_ERROR Bad search filter
    88 LDAP_USER_CANCELLED User cancelled operation
    89 LDAP_PARAM_ERROR Bad parameter to an ldap routine
    90 LDAP_NO_MEMORY Out of memory
    questions please contact me @ [email protected]
    Thanks
    srinivasa

  • LDAP: error code 1 - Invalid query reference]; remaining name '

    I have the following function for a paged search operation.
    Data retrieved by this function is used somewhere else to modify the Ldap Directory context.
    Despite my setting for ctx and search control as "no timeout", I keep getting the exception thrown for operations lasting more than 5 minutes (consistently) and for some short operations (sporadically):
    Paged Search failed : javax.naming.NamingException: [LDAP: error code 1 - Invalid query reference]; remaining name '<directory>'
    I am using DirX as LDAP directory.
    Is this a time-out related exception which can be fixed in the code?
    How can it be fixed?
    There's no clue all over the web about this.
    Thanks.
    // Fragment of the poster's paging class: ctx (LdapContext), cookie, pageSize,
    // sortingAttributes, isSearchStarted, searchBase, searchFilter, searchCtls and
    // parseControls() are declared elsewhere in that class.
    /**
     * Returns the next page of the search results.
     * The returned result from this method can not exceed page size
     * set in the constructor.
     * @return the next page, or null when the search is finished or the controls could not be set
     */
    public NamingEnumeration nextPage(){
         //1.step Set PagedResultsControl
         NamingEnumeration results = null;
         Control[] controls=null;
         try {
              if( isSearchStarted==false ){
                   isSearchStarted=true;
                   if(sortingAttributes==null)
                        controls=new Control[]{ new PagedResultsControl(pageSize) };
                   else
                        controls=new Control[]{new SortControl(sortingAttributes, Control.NONCRITICAL), new PagedResultsControl(pageSize) };
              }else {// examine the response controls
                   cookie = parseControls(ctx.getResponseControls());
                   if( cookie!=null && cookie.length!=0 ){
                        // pass the cookie back to the server for the next page
                        if(sortingAttributes==null)
                             controls=new Control[] { new PagedResultsControl(pageSize, cookie, Control.CRITICAL) };
                        else
                             controls=new Control[] {new SortControl(sortingAttributes, Control.NONCRITICAL), new PagedResultsControl(pageSize, cookie, Control.CRITICAL) };
                   }else{
                        //search is finished
                        return null;
                   }
              }
              ctx.setRequestControls(controls);
              //ctx.getEnvironment().values();
              //ctx.getEnvironment().put("com.sun.jndi.ldap.connect.timeout", "5000", 300000);
              ctx.addToEnvironment("com.sun.jndi.ldap.connect.timeout", "0");
              //ctx.getEnvironment().values();
         } catch (NamingException e) {
              Tracer.getInstance().error("Paged Search failed while setting response controls: " + e);
              return null;
         } catch (Exception e) {
              Tracer.getInstance().error("Paged Search failed while setting response controls: " + e);
              return null;
         }
         //2.step: DO SEARCH (up to 10 attempts, reconnecting after a failure)
         for(int i=0;i<10;i++){
              boolean reconnect=false;
              try{
                   results = ctx.search(searchBase, searchFilter, searchCtls);
                   Thread.sleep(300000);
                   //ctx.get
                   //Thread.sleep(300000);
                   break;
              } catch (NamingException e) {
                   Tracer.getInstance().error("Paged Search failed : " + e);
                   reconnect=true;
              } catch (Exception e) {
                   reconnect=true;
                   Tracer.getInstance().error("Paged Search failed : " + e);
              }
              if(reconnect){
                   try {
                        // fetch a fresh context and re-apply the request controls
                        this.ctx = LDAPServer.getInstance().getDirContext();
                        ctx=ctx.newInstance(controls);
                        //ctx.getEnvironment().values();
                   } catch (NamingException e1) {
                        Tracer.getInstance().error("Could not reconnect the ldapcontext");
                   }
              }
         }
         return results;
    }

    It turned out to be a DirX "root DSE" entry "PAGP" that is disposing of my paged results if a timeout occurs (300 seconds by default).
    So I have to modify this entry during runtime, which unfortunately can only be accessed by dirxadm.exe.
    Is it possible to modify this attribute by an LDAP context method?

  • Invalid ID store configuration LDAP : Error code 32- No Such object

    Followed note: Integrating Oracle E-Business Suite Release 12.1.3 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate [ID 1484024.1]
    Completed all these steps:
    Integrate Oracle Internet Directory with Oracle E-Business Suite
    Configure Oracle Internet Directory to return operational attributes
    Install Oracle Access Manager
    Install and Configure WebGate on the WebTier
    Register the WebGate Agent with Oracle Access Manager
    Test your WebGate.
    We are stuck at the stage of Configure Identity Store.
    section 4.3.2.1: Create User Identity Store
    In the OAM Console, navigate to System Configuration > Common Configuration > Data Sources > User Identity Stores.
    Highlight the User Identity Stores node, and click the "*" (Create) icon.
    In the window that opens, enter the attributes for your new identity store, for example:
    •Store Name = EBSIdStore
    •Store Type = OID: Oracle Internet Directory
    •Location = oraoidprd1.guc.loc:3060
    •Bind DN = cn=orcladmin
    •Password =
    •User Name Attribute = uid
    •User Search Base = cn=users,dc=us,dc=oraoidprd1,dc=com,dc=guc,dc=loc
    •Group Search Base = cn=groups,dc=us,dc=oraoidprd1,dc=com,dc=guc,dc=loc
    When we click test connection it fails with
    Invalid ID store configuration. User search base specified is invalid
    LDAP : Error code 32- No Such object
    Any help is greatly appreciated.
    Thanks!

    Yes, I am passing the correct values.
    Here are the registration steps we did as a pre-requisite:
    1. Register instance:
    [apdevebs@oraebsdev1 bin]$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registerinstance=yes
    You are registering ORACLE HOME only.
    Enter the host name where Oracle iAS Infrastructure database is installed ? oraoidprd1
    Enter the LDAP Port on Oracle Internet Directory server ? 3060
    Enter SSL LDAP Port on Oracle Internet Directory server ? 3131
    Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ?
    Enter Oracle E-Business apps database user password ?
    2. Register OID:
    [apdevebs@oraebsdev1 bin]$ $FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes
    You are registering this instance with OID Server.
    Enter LDAP Host name ? oraoidprd1
    Enter the LDAP Port on Oracle Internet Directory server ? 3060
    Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ?
    Enter the instance password that you would like to register this application instance with ? test123
    Enter Oracle E-Business apps database user password ?
    3. Configure Oracle Internet Directory to return operational attributes
    cd /mnt/oidprd_app/app/middleware/Oracle_IDM1/bin
    [apprdoid@oraoidprd1 bin]$ cat change_attrs.ldif
    dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
    changetype: modify
    add: orclallattrstodn
    orclallattrstodn:cn=orcladmin
    [apprdoid@oraoidprd1 bin]$ export ORACLE_HOME=/mnt/oidprd_app/app/middleware/Oracle_IDM1
    [apprdoid@oraoidprd1 bin]$ export PATH=$ORACLE_HOME/bin:$PATH
    [apprdoid@oraoidprd1 bin]$ echo $ORACLE_HOME
    /mnt/oidprd_app/app/middleware/Oracle_IDM1
    [apprdoid@oraoidprd1 bin]$ $ORACLE_HOME/bin/ldapmodify -h oraoidprd1.guc.loc -p 3060 -D cn=orcladmin -w orcladminguprd0id -v -f change_attrs.ldif
    add orclallattrstodn:
    cn=orcladmin
    modifying entry cn=dsaconfig, cn=configsets,cn=oracle internet directory
    modify complete
    All these pre-req steps completed successfully.

  • Administrative Limit Exceeded - DSCC Entry Management Tab

    DS 6.3.1
    When performing searches in the DSCC under the Entry Management tab I am getting an error that says Administrative Limit Exceeded. I know this is being caused by the global searchlimit and/or lookthroughlimit settings. I can set those to unlimited to resolve the issue but I don't want to open those values up to all users. I also know that I can set these same limits on a per entry basis by adding the nssizelimit and nslookthroughlimit attributes with -1 values to the particular user's entry.
    In the DSCC however, the user that is binding to my DS instance and performing the searches is: cn=admin,cn=Administrators,cn=dscc
    This user exists in the DSCC registry, not my DS instance. I assume it can BIND to my DS instance via the Pass Through Authentication plugin. I have tried setting both the nssizelimit and nslookthroughlimit attributes to -1 in that user's entry in the DSCC registry but it doesn't work like it does when I set those to an entry that exists in my DS instance. I'm guessing the Pass Through Authentication plugin doesn't look for those attributes and/or doesn't return them to my DS instance.
    Is there a way to set the sizelimit and lookthrough limits for "cn=admin,cn=Administrators,cn=dscc" so I don't get the error in the DSCC and where I don't have to open up those limits globally? Is there a best practice for this other than telling me that the Entry Management tab is not the best place to be doing such tasks? I'm aware of that but this is actually for a customer who desires to use the Entry Management section to search for and periodically manage his entries.
    Thanks in advance.

    The behaviour you're observing is documented in a bug. Unfortunately it has not been implemented since the 5.2 days and is not targeted for 7.0 either. You could create a local admin user and assign rights, or use a tool like "Apache Directory Studio" and log in as directory manager.
    4534340 reslimit should provide interface for chaining and PTA plugin

  • Synchronization errors with AD: LDAP error code 65 : orclObjectSid

    I'm trying to get synchronization working - importing data from Microsoft AD.
    The bootstrap seemed to go ok, and the synchronization is up and running - but I still get errors in the profile's trace file as follows at the end of this post.
    The error always seems to complain about the orclObjectSid attribute.
    Do I need to do anything to the OID schema?
    Or is this a mapping problem?
    Either way, how would I correct this error?
    Thanks!!
    Howard Dickins
    Here's an example of the errors I'm getting:
    DN : dc=connectutilities,dc=co,dc=uk
    Normalized DN : dc=connectutilities,dc=co,dc=uk
    Processing modifyRadd Operation ..
    Proceeding with checkNReplace..
    Performing checkNReplace..
    Naming attribute: dc
    Naming attribute value: dc
    Naming attribute value: orclObjectSID
    Adding Attribute in OID : orclObjectSID
    Naming attribute value: orclobjectguid
    Adding Attribute in OID : orclobjectguid
    Total # of Mod Items : 2
    Exception Modifying Entry : javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find orclobjectsid in mandatory or optional attribute list.]; remaining name 'dc=connectutilities,dc=co,dc=uk'
    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find orclobjectsid in mandatory or optional attribute list.]; remaining name 'dc=connectutilities,dc=co,dc=uk'
         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3019)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
         at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1440)
         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
         at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)
         at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:839)
         at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:717)
         at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:310)
         at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:581)
         at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
         at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
    [LDAP: error code 65 - Failed to find orclobjectsid in mandatory or optional attribute list.]
    Entry Not Found. Converting to an ADD op..
    Processing Insert Operation ..
    Performing createEntry..
    Exception creating Entry : javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find orclobjectsid in mandatory or optional attribute list.]; remaining name 'dc=connectutilities,dc=co,dc=uk'
    [LDAP: error code 65 - Failed to find orclobjectsid in mandatory or optional attribute list.]
    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find orclobjectsid in mandatory or optional attribute list.]; remaining name 'dc=connectutilities,dc=co,dc=uk'
         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3019)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
         at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
         at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
         at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1031)
         at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:386)
         at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:725)
         at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:310)
         at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:581)
         at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
         at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
    DIP_LDAPWRITER_ERROR_CREATE
    Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
    DIP_LDAPWRITER_ERROR_CREATE
         at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:722)
         at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
         at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
    DIP_LDAPWRITER_ERROR_CREATE
    AD_OID_Import:Error in Mapping EngineDIP_LDAPWRITER_ERROR_CREATE
    DIP_LDAPWRITER_ERROR_CREATE
         at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:741)
         at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
         at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
    AD_OID_Import:about to Update exec status
    Updated Attributes
    orclodipLastExecutionTime: 20090617062658
    orclodipConDirLastAppliedChgNum: 12242192
    orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
    orclOdipSynchronizationErrors:
    Sleeping for 1secs
    LDAP URL : (inexus-srv01:389 oracleextract
    Specifying binary attributes: mpegvideo objectguid objectsid guid usercertificate orclodipcondirlastappliedchgnum
    LDAP Connection success
    Applied ChangeNum : 12242192Available chg num = 12245972
    Reader Initialised !!
    LDAP URL : (inexus-srv34:389 cn=odisrv+orclhostname=inexus-srv34,cn=registered instances,cn=directory integration platform,cn=products,cn=oraclecontext
    Specifying binary attributes: mpegvideo objectguid objectsid guid usercertificate orclodipcondirlastappliedchgnum
    LDAP Connection success
    Writer Initialised!!
    Writer proxy connection initialised!!
    MapEngine Initialised!!
    Filter Initialised!!
    searchF :
    CHGLOGFILTER : (&(USNChanged>=12242193)(USNChanged<=12242692))
    Search Time 0
    Search Successful till # 12242692
    Search Changes Done
    Changenumber uSNChanged: 12242193
    targetdn distinguishedName: DC=connectutilities,DC=co,DC=uk
    ChangeRecord : ----------
    Changetype: ADDRMODIFY
    ChangeKey: dc=connectutilities,dc=co,dc=uk
    Attributes:
    Class: null Name: objectGUID Type: null ChgType: REPLACE Value: [[B@1c999c4]
    Class: null Name: objectSid Type: null ChgType: REPLACE Value: [[B@8e5360]
    Class: null Name: dc Type: null ChgType: REPLACE Value: [connectutilities]
    Class: null Name: objectClass Type: nonbinary ChgType: REPLACE Value: [top, domain, domainDNS]
    -----------

    I found a solution - I added the offending attribute orclObjectSid to the domain objectClass as an optional attribute.
    It was a bit of a "clutching at straws" solution - but it does seem to have worked.
    I'm not sure why the data being imported had such a value, but the synchronization hasn't thrown up any further errors since then.
    Thanks for your help everyone.
    Howard
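
The check behind error code 65 in the thread above, as an added example that is not part of the original posts or of Oracle's code: a directory server accepts an attribute only if one of the entry's object classes (or their superclasses) lists it under MUST or MAY. The schema definitions and the entry are constructed and abbreviated for illustration; the parser handles only the simple RFC 4512 forms used here.

```python
import re

# Constructed, abbreviated RFC 4512 object class definitions (not OID's real schema).
SCHEMA_BEFORE = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL "
    "MUST dc MAY ( description $ o $ l ) )",
]
# The thread's fix: orclObjectSid added to 'domain' as an optional (MAY) attribute.
SCHEMA_AFTER = [SCHEMA_BEFORE[0],
                SCHEMA_BEFORE[1].replace("MAY ( ", "MAY ( orclObjectSid $ ")]
# Constructed entry using the DN's dc value and the attribute name from the trace.
ENTRY = {"objectClass": ["top", "domain"], "dc": ["connectutilities"],
         "orclObjectSID": ["<binary SID placeholder>"]}

def _names(definition, keyword):
    """Lower-cased names after SUP/MUST/MAY: a single name or a '$' list."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w.;-]+))" % keyword, definition)
    if not m:
        return []
    body = m.group(1) or m.group(2) or ""
    return [n.strip().lower() for n in body.split("$") if n.strip()]

def parse_schema(definitions):
    """Map lower-cased class name -> {'sup': [...], 'must': [...], 'may': [...]}."""
    classes = {}
    for d in definitions:
        name = re.search(r"NAME\s+'([^']+)'", d).group(1).lower()
        classes[name] = {k.lower(): _names(d, k) for k in ("SUP", "MUST", "MAY")}
    return classes

def check_entry(classes, entry):
    """Return (missing MUST attributes, attributes no listed class allows)."""
    attrs = {a.lower() for a in entry}            # attribute names are case-insensitive
    pending = [c.lower() for c in entry.get("objectClass", [])]
    must, may, seen = set(), set(), set()
    while pending:                                # walk each class and its SUP chain
        c = pending.pop()
        if c in seen or c not in classes:         # unknown classes are skipped here
            continue
        seen.add(c)
        must.update(classes[c]["must"])
        may.update(classes[c]["may"])
        pending.extend(classes[c]["sup"])
    return sorted(must - attrs), sorted(attrs - must - may)

if __name__ == "__main__":
    for label, schema in (("before", SCHEMA_BEFORE), ("after", SCHEMA_AFTER)):
        print(label, check_entry(parse_schema(schema), ENTRY))
```

The second list in the result is what a server would report as a schema violation; it is non-empty before the schema change and empty after it.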
