000036423 - RSA Identity Governance & Lifecycle Access Fulfillment Express (AFX) Connector for AD reports "LDAPException: Insufficient Access Rights"

Document created by RSA Customer Support Employee on Jun 18, 2018


Article Number: 000036423
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1 and above
 
Issue: When the Access Fulfillment Express (AFX) Connector for Active Directory attempts to create or maintain an account, the following errors may occur.
  • In the esb.AFX-MAIN.log:

2018-05-31 16:29:35.675 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - returning: -1 -> LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

LDAPException: Matched DN


  • In the esb.AFX-CONN-AD.log (Note: The actual name of the Active Directory Connector may differ):
********************************************************************************
Message : Failed to route event via endpoint: DefaultOutboundEndpoint{endpointUri=ldapx://AD.LDAP, connector=LdapxConnector
     
{      
   name=AD.LDAP.connector
   lifecycle=start
   this=aee1149
   numberOfConcurrentTransactedReceivers=4
   createMultipleTransactedReceivers=true
   connected=true
   supportedProtocols=[ldapx]
   serviceOverrides=<none>
}
,
name='endpoint.ldapx.AD.LDAP', mep=REQUEST_RESPONSE, properties={}, transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: LDAPAddRequest
Code : MULE_ERROR--2
--------------------------------------------------------------------------------
Exception stack is:
1. Insufficient Access Rights (com.novell.ldap.LDAPException)
   com.novell.ldap.LDAPResponse:-1 (null)
2. Failed to route event via endpoint: DefaultOutboundEndpoint{endpointUri=ldapx://AD.LDAP, connector=LdapxConnector
{
    name=AD.LDAP.connector
    lifecycle=start
    this=aee1149
    numberOfConcurrentTransactedReceivers=4
    createMultipleTransactedReceivers=true
    connected=true
    supportedProtocols=[ldapx]
    serviceOverrides=<none>
}
, name='endpoint.ldapx.AD.LDAP', mep=REQUEST_RESPONSE, properties={}, transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: LDAPAddRequest (org.mule.api.transport.DispatchException)
 org.mule.transport.AbstractMessageDispatcher:117 (http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/transport/DispatchException.html)
--------------------------------------------------------------------------------
Root Exception stack trace:
LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


LDAPException: Matched DN:
    at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
    at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
    at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
    + 3 more (set debug level logging or '-Dmule.verbose.exceptions=true' for everything) ********************************************************************************
Cause: The AFX Connector account (the "Login Distinguished Name" setting) used to access Microsoft Active Directory does not have administrator access to the DC (Domain Component) specified in the AFX Connector's Distinguished Name setting (that is, the "Account DN Suffix"). For example:

Distinguished Name
Account DN Prefix: CN
Account DN Suffix: OU=HR Users,DC=NoAccess,DC=com
Resolution: To resolve the "LDAPException: Insufficient Access Rights ... (INSUFF_ACCESS_RIGHTS)" error, correct the Distinguished Name for the AFX Connector so that the Account DN Suffix points at a domain the connector account has rights in. For example:

Distinguished Name
Account DN Prefix: CN
Account DN Suffix: OU=HR Users,DC=Access,DC=com

Alternatively, the Active Directory Administrator needs to correct the access granted to the AFX Connector account specified in the "Login Distinguished Name" setting.
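The following Python script is an added example, not RSA's code: it checks the connector's DN settings offline for the mismatch this article describes (Login DN in one domain, Account DN Suffix in another) and pulls the LDAP result code and the AD problem name out of the log lines shown above. It uses only the standard library; the Login DN value "CN=afx-svc,OU=Service Accounts,DC=Access,DC=com" and the log line are constructed sample data. The domain-mismatch rule is a heuristic based on the article's example, since rights can also be delegated across a trust; a mismatch is a strong hint, not proof.

```python
"""Offline consistency check for AFX AD connector DN settings (added example)."""
import re

# Matches the "LDAPException: <text> (<code>)" line from esb.AFX-MAIN.log.
LDAP_ERROR_RE = re.compile(r"LDAPException: (?P<text>[^(]+?) \((?P<code>\d+)\)")
# Matches the AD-specific "problem 4003 (INSUFF_ACCESS_RIGHTS)" server message.
AD_PROBLEM_RE = re.compile(r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\)")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    'OU=HR Users,DC=NoAccess,DC=com' -> [('OU','HR Users'),('DC','NoAccess'),('DC','com')]
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_of(dn):
    """Return the DNS-style domain formed by the DC components, lower-cased."""
    return ".".join(v.lower() for a, v in parse_dn(dn) if a == "DC")


def build_account_dn(prefix, name, suffix):
    """Compose the DN the connector will try to add: <prefix>=<name>,<suffix>."""
    escaped = re.sub(r'([,+"\\<>;])', r"\\\1", name)   # RFC 4514 special characters
    return f"{prefix}={escaped},{suffix}"


def check_settings(login_dn, prefix, suffix):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    login_domain, target_domain = domain_of(login_dn), domain_of(suffix)
    if not target_domain:
        findings.append("Account DN Suffix has no DC components")
    elif login_domain != target_domain:
        findings.append(
            f"Login DN is in {login_domain} but Account DN Suffix targets {target_domain}; "
            "expect INSUFF_ACCESS_RIGHTS unless rights were delegated across a trust")
    if prefix.upper() not in ("CN", "UID"):
        findings.append(f"Unusual Account DN Prefix {prefix!r}")
    return findings


def classify_log_line(line):
    """Extract the LDAP result code and AD problem name from a log line, if present."""
    m = LDAP_ERROR_RE.search(line)
    p = AD_PROBLEM_RE.search(line)
    return {
        "result_code": int(m.group("code")) if m else None,
        "result_text": m.group("text").strip() if m else None,
        "ad_problem": p.group("name") if p else None,
    }


if __name__ == "__main__":
    # Constructed Login DN; the suffixes mirror the article's Cause/Resolution examples.
    login = "CN=afx-svc,OU=Service Accounts,DC=Access,DC=com"
    print(check_settings(login, "CN", "OU=HR Users,DC=NoAccess,DC=com"))   # one finding
    print(check_settings(login, "CN", "OU=HR Users,DC=Access,DC=com"))     # []
    print(build_account_dn("CN", "Doe, Jane", "OU=HR Users,DC=Access,DC=com"))
    sample = ("2018-05-31 16:29:35.675 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 "
              "- returning: -1 -> LDAPException: Insufficient Access Rights (50) Insufficient Access Rights")
    print(classify_log_line(sample))
```

Run it against the values from the connector's settings page before opening a ticket with the AD team: a mismatch finding points at the Account DN Suffix, while an empty result with the error still present means the account's permissions on the target OU are what needs fixing.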

 
Notes: Example settings for the AFX Connector for Microsoft Active Directory.

(Screenshot: Example AFX Connector AD settings)


Please see Microsoft Active Directory Distinguished Names documentation for more information.
