Symptom
- The User Management Engine (UME) is configured to use Active Directory as an LDAP datasource. See LDAP Directory as Data Source for more details.
- The UME is configured to use a datasource XML file that allows writable access to Active Directory (e.g. dataSourceConfiguration_ads_writeable_db.xml or dataSourceConfiguration_ads_deep_writeable_db.xml).
- There is an SSL connection between the UME and Active Directory; this is required for creating Active Directory users and resetting passwords through the User Administration UIs. See note 673824 for more details.
- An attempt to create a user or group via the User Administration / Identity Management console fails with an error message.
- In the server traces an error such as the following can be found:
Naming exception when trying to create principal USER.CORP_LDAP.<UserName>
[EXCEPTION]
javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'cn=<UserName>'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:788)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:178)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:178)
at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.createUserAndAccount(LDAPPersistence.java:3696)
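The trace above carries three separately useful pieces of information: the JNDI exception class, the LDAP result code (50, insufficientAccessRights per RFC 4511) and Active Directory's extended error text (Win32 code 00000005 = ERROR_ACCESS_DENIED, problem 4003 INSUFF_ACCESS_RIGHTS). The following Python helper, added here as an example and not part of the SAP article, parses that trace format into its fields and attaches a short triage hint so that an operator reading AS Java traces can tell a permissions problem on the bind account apart from a bad-credentials or missing-container problem. It assumes the message shape quoted above; the sample traces embedded in the block are constructed (the first from the lines quoted above, the second a constructed bind failure in AD's AcceptSecurityContext format), and the code-to-name tables are taken from RFC 4511 and the Win32 error list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# LDAP result codes (RFC 4511) that commonly appear in directory write failures.
LDAP_RESULT_CODES = {
    1: "operationsError", 19: "constraintViolation", 32: "noSuchObject",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform", 65: "objectClassViolation", 68: "entryAlreadyExists",
}
# Win32 error that AD prefixes (as 8 hex digits) to its extended error text.
WIN32_ERRORS = {0x5: "ERROR_ACCESS_DENIED"}

PRINCIPAL_RE = re.compile(r"create principal (?P<principal>\S+)")
# JNDI wraps the server's text as "<Exception>: [LDAP: error code N - <extended text>]"
JNDI_RE = re.compile(
    r"(?P<exc>[\w.]+(?:Exception|Error)): \[LDAP: error code (?P<code>\d+) - (?P<ext>.*?)\s*\]",
    re.S,
)
REMAINING_RE = re.compile(r"remaining name '(?P<name>[^']*)'")
# AD extended error: "<win32 hex>: <SecErr|LdapErr>: DSID-<hex>[, problem N (NAME)][, comment: ...], data <hex>"
AD_EXT_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:, problem (?P<problem>\d+) \((?P<problem_name>\w+)\))?"
    r"(?:, comment: (?P<comment>.+?))?"
    r", data (?P<data>[0-9A-Fa-f]+)"
)


@dataclass
class LdapTraceError:
    exception: str
    ldap_code: int
    ldap_name: str
    principal: Optional[str] = None
    remaining_name: Optional[str] = None
    win32: Optional[int] = None
    win32_name: Optional[str] = None
    kind: Optional[str] = None
    dsid: Optional[str] = None
    problem: Optional[int] = None
    problem_name: Optional[str] = None
    comment: Optional[str] = None
    data: Optional[int] = None

    @property
    def diagnosis(self) -> str:
        """Operator-facing hint derived from the parsed codes (assumption: typical AD meanings)."""
        if self.ldap_code == 50 or self.problem_name == "INSUFF_ACCESS_RIGHTS":
            return ("bind account lacks rights for this operation on the target container: "
                    "check the datasource bind user's delegated permissions on that OU "
                    "and that the UME connects over LDAPS")
        if self.ldap_code == 49:
            return "bind credentials were rejected by the directory"
        if self.ldap_code == 68:
            return "an entry with this name already exists"
        if self.ldap_code == 32:
            return "the parent or target entry does not exist (check the base DN / OU)"
        return f"LDAP result {self.ldap_code} ({self.ldap_name})"


def triage(trace: str) -> Optional[LdapTraceError]:
    """Parse one (possibly multi-line) trace block; None if it holds no JNDI LDAP error."""
    m = JNDI_RE.search(trace)
    if not m:
        return None
    code = int(m.group("code"))
    err = LdapTraceError(exception=m.group("exc"), ldap_code=code,
                         ldap_name=LDAP_RESULT_CODES.get(code, "unknown"))
    if p := PRINCIPAL_RE.search(trace):
        err.principal = p.group("principal")
    if r := REMAINING_RE.search(trace):
        err.remaining_name = r.group("name")
    if a := AD_EXT_RE.search(m.group("ext")):
        err.win32 = int(a.group("win32"), 16)
        err.win32_name = WIN32_ERRORS.get(err.win32)
        err.kind, err.dsid, err.comment = a.group("kind"), a.group("dsid"), a.group("comment")
        if a.group("problem"):
            err.problem, err.problem_name = int(a.group("problem")), a.group("problem_name")
        err.data = int(a.group("data"), 16)
    return err


# Constructed sample 1: the trace lines quoted above.
SAMPLE_TRACE = """Naming exception when trying to create principal USER.CORP_LDAP.<UserName>
[EXCEPTION]
javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'cn=<UserName>'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
"""
# Constructed sample 2: a bind failure in AD's AcceptSecurityContext format (data 52e = logon failure).
BIND_FAILURE_TRACE = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
                      "LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]")

if __name__ == "__main__":
    for t in (SAMPLE_TRACE, BIND_FAILURE_TRACE):
        e = triage(t)
        print(f"{e.exception}: LDAP {e.ldap_code} ({e.ldap_name}) -> {e.diagnosis}")
```

Feed `triage()` the text of one trace entry at a time (the exception line plus the `]; remaining name` continuation, which the trace splits across two lines); the regexes tolerate the line break. The `problem N (NAME)` part is optional because AD bind failures carry a `comment:` clause instead, so the same parser serves both shapes.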
Environment
NetWeaver AS Java, all releases, with Active Directory as the UME datasource.
Keywords
User Management Engine, UME, Active Directory, LDAP datasource, LDAP: error code 4003 INSUFF_ACCESS_RIGHTS, KBA, BC-JAS-SEC-UME, User Management Engine, How To
SAP Knowledge Base Article - Preview. This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).