mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
@@ -20,7 +20,7 @@ ! ! CCPL HEADER END ! ! Copyright 2011 ForgeRock AS ! Copyright 2011-2012 ForgeRock AS ! --> <chapter xml:id='chap-troubleshooting' @@ -358,6 +358,76 @@ <literal>1.3.6.1.4.1.42.2.27.9.5.2</literal>, is not allowed by the default global ACIs. You must therefore add access to use the get effective rights control when not using it as Directory Manager.</para> <section xml:id="troubleshooting-simple-paged-results"> <title>Clients Need Simple Paged Results Control</title> <para>For Solaris and some versions of Linux you might see a message in the OpenDJ access logs such as the following.</para> <literallayout class="monospaced"> The request control with Object Identifier (OID) "1.2.840.113556.1.4.319" cannot be used due to insufficient access rights</literallayout> <para>This message means clients are trying to use the <link xlink:show="new" xlink:href="http://tools.ietf.org/html/rfc2696">simple paged results control</link> without authenticating. By default, OpenDJ includes a global ACI to allow only authenticated users to use the control.</para> <screen>$ dsconfig --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword "password" get-access-control-handler-prop Property : Value(s) -----------:------------------------------------------------------------------- enabled : true global-aci : (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || ... : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 : || <emphasis role="strong">1.2.840.113556.1.4.319</emphasis> || 1.2.826.0.1.3344810.2.3 || : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version : 3.0; acl "Authenticated users control access"; allow(read) : userdn="ldap:///all";), (targetcontrol="2.16.840.1.113730.3.4.2 || : 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || : 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || : 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control : access"; allow(read) userdn="ldap:///anyone";)</screen> <para>To grant anonymous (unauthenticated) user access to the control, add the OID for the simple paged results control to the list of those in the <literal>Anonymous control access</literal> global ACI.</para> <screen>$ dsconfig --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword "password" set-access-control-handler-prop --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)" --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || <emphasis role="strong">1.2.840.113556.1.4.319</emphasis>\") (version 3.0; acl \"Anonymous control access\"; allow(read) userdn=\"ldap:///anyone\";)" --no-prompt</screen> <para>Alternatively, stop OpenDJ, edit the corresponding ACI carefully in <filename>/path/to/OpenDJ/config/config.ldif</filename>, and restart OpenDJ. <footnote><para>Unlike the <command>dsconfig</command> command, the <filename>config.ldif</filename> file is not a public interface. In this particular case, however, the <command>dsconfig</command> command is such a pain in the nether regions that you might as well edit the LDIF instead (unless you are doing this in production).</para></footnote></para> </section> </section> <section xml:id="troubleshoot-repl">
