Article Content

Article Number: 000036423

Applies To:
  RSA Product Set: Identity Governance & Lifecycle
  RSA Version/Condition: 7.0.1 and above
Issue:
When the Access Fulfillment Express (AFX) Connector for Active Directory attempts to create or maintain an account, the following errors may occur.

  2018-05-31 16:29:35.675 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - returning: -1 -> LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
  LDAPException: Server Message: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  LDAPException: Matched DN:
  Message : Failed to route event via endpoint: DefaultOutboundEndpoint{endpointUri=ldapx://AD.LDAP, connector=LdapxConnector { name=AD.LDAP.connector lifecycle=start this=aee1149 numberOfConcurrentTransactedReceivers=4 createMultipleTransactedReceivers=true connected=true supportedProtocols=[ldapx] serviceOverrides=<none> } , name='endpoint.ldapx.AD.LDAP', mep=REQUEST_RESPONSE, properties={}, transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: LDAPAddRequest
  Code : MULE_ERROR--2
  --------------------------------------------------------------------------------
  Exception stack is:
  1. Insufficient Access Rights (com.novell.ldap.LDAPException)
     com.novell.ldap.LDAPResponse:-1 (null)
  2. Failed to route event via endpoint: DefaultOutboundEndpoint{endpointUri=ldapx://AD.LDAP, connector=LdapxConnector { name=AD.LDAP.connector lifecycle=start this=aee1149 numberOfConcurrentTransactedReceivers=4 createMultipleTransactedReceivers=true connected=true supportedProtocols=[ldapx] serviceOverrides=<none> } , name='endpoint.ldapx.AD.LDAP', mep=REQUEST_RESPONSE, properties={}, transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: LDAPAddRequest (org.mule.api.transport.DispatchException)
     org.mule.transport.AbstractMessageDispatcher:117 (http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/transport/DispatchException.html)
  --------------------------------------------------------------------------------
  Root Exception stack trace:
  LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
  LDAPException: Server Message: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  LDAPException: Matched DN:
     at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
     at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
     at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
     + 3 more (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
  ********************************************************************************
Cause:
The AFX Connector account used to bind to Microsoft Active Directory (the "Login Distinguished Name" setting) does not have administrator access in the domain identified by the DC (Domain Component) values of the connector's Distinguished Name setting, that is, the "Account DN Suffix". Active Directory therefore rejects the add or modify request with LDAP result code 50 (Insufficient Access Rights, shown in the server message as problem 4003, INSUFF_ACCESS_RIGHTS). For example:

  Distinguished Name
    Account DN Prefix: CN
    Account DN Suffix: OU=HR Users,DC=NoAccess,DC=com
Resolution:
To resolve the "LDAPException: Insufficient Access Rights ... (INSUFF_ACCESS_RIGHTS)" error, correct the Distinguished Name settings of the AFX Connector so that the Account DN Suffix points to a container in which the connector account has the required rights. For example:

  Distinguished Name
    Account DN Prefix: CN
    Account DN Suffix: OU=HR Users,DC=Access,DC=com

Alternatively, the Active Directory administrator needs to grant the required access to the AFX Connector account specified in the "Login Distinguished Name" setting.
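The following script is an added troubleshooting aid, not part of this article or of the RSA product: it parses the LDAP result code and the Active Directory "SecErr" server message out of a log line like the one above, and then runs a static sanity check on the two connector settings the Cause and Resolution sections discuss. The log line is a constructed, trimmed copy of the article's excerpt; the Login Distinguished Name (CN=svc-afx,...) and the two Account DN Suffix values are hypothetical settings laid out in the article's style.

```python
import re

# Constructed sample, trimmed from the article's log excerpt: a Mule/AFX log line
# carrying the LDAP result code and the Active Directory "SecErr" server message.
SAMPLE_LOG_LINE = (
    "2018-05-31 16:29:35.675 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - "
    "returning: -1 -> LDAPException: Insufficient Access Rights (50) Insufficient Access Rights "
    "LDAPException: Server Message: 00000005: SecErr: DSID-03152612, "
    "problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 LDAPException: Matched DN"
)

# Hypothetical connector settings: the bind account ("Login Distinguished Name")
# lives in DC=Access,DC=com, while the bad Account DN Suffix targets another domain,
# which is the misconfiguration the article describes.
LOGIN_DN = "CN=svc-afx,OU=Service Accounts,DC=Access,DC=com"
BAD_SUFFIX = "OU=HR Users,DC=NoAccess,DC=com"
GOOD_SUFFIX = "OU=HR Users,DC=Access,DC=com"

_LDAP_RE = re.compile(r"LDAPException: ([^(]+?) \((\d+)\)")
_SECERR_RE = re.compile(
    r"([0-9A-Fa-f]{8}): SecErr: DSID-([0-9A-Fa-f]+), problem (\d+) \((\w+)\), data (\d+)"
)


def parse_ad_error(line):
    """Pull the LDAP result code and AD SecErr details out of one log line.

    Returns None when the line carries no LDAPException. The leading hex field of
    the server message is the Win32 error (5 = ERROR_ACCESS_DENIED); "problem" is
    the directory service's own problem code, 4003 = INSUFF_ACCESS_RIGHTS.
    """
    m = _LDAP_RE.search(line)
    if not m:
        return None
    info = {"result_name": m.group(1).strip(), "result_code": int(m.group(2))}
    s = _SECERR_RE.search(line)
    if s:
        info.update(
            win32_error=int(s.group(1), 16),
            dsid=s.group(2),
            problem=int(s.group(3)),
            problem_name=s.group(4),
            data=int(s.group(5)),
        )
    return info


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs; backslash-escaped commas stay in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_components(dn):
    """Lower-cased DC values of a DN, in order, e.g. ['access', 'com']."""
    return [value.lower() for attr, value in parse_dn(dn) if attr == "DC"]


def check_connector_config(login_dn, account_dn_suffix):
    """Static sanity checks on the two connector settings; returns a list of findings.

    A cross-domain suffix is the mismatch the article shows. An empty list does not
    prove the account has rights: the ACL on the target OU still decides that.
    """
    findings = []
    login_dcs = domain_components(login_dn)
    target_dcs = domain_components(account_dn_suffix)
    if not target_dcs:
        findings.append("Account DN Suffix has no DC components: %r" % account_dn_suffix)
    elif login_dcs != target_dcs:
        findings.append(
            "Login DN is in DC=%s but Account DN Suffix targets DC=%s; the bind account "
            "has no rights there unless access was granted explicitly"
            % (",".join(login_dcs), ",".join(target_dcs))
        )
    return findings


def diagnose(line, login_dn, account_dn_suffix):
    """Combine the parsed error with the config checks into a one-line verdict."""
    err = parse_ad_error(line)
    if err is None or err["result_code"] != 50:
        return "not an insufficient-access error"
    problem = err.get("problem_name", "?")
    findings = check_connector_config(login_dn, account_dn_suffix)
    if findings:
        return "LDAP result 50 (%s): %s" % (problem, "; ".join(findings))
    return ("LDAP result 50 (%s) with matching domains: ask the AD administrator to review "
            "the ACL on %s for %s" % (problem, account_dn_suffix, login_dn))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINE, LOGIN_DN, BAD_SUFFIX))
    print(diagnose(SAMPLE_LOG_LINE, LOGIN_DN, GOOD_SUFFIX))
```

Run it as-is to see both verdicts: the NoAccess suffix is flagged as a domain mismatch, while the matching suffix yields a pointer to the ACL review that the second resolution path requires. The domain comparison is deliberately only a first-pass check; result code 50 can also occur within the right domain when the account simply lacks create or write rights on the target OU.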
Notes:
Example settings for the AFX Connector for Microsoft Active Directory. See the Microsoft Active Directory Distinguished Names documentation for more information.