SAP Knowledge Base Article - Preview

1794128 - javax.naming.NoPermissionException: LDAP: error code 50(INSUFF_ACCESS_RIGHTS)

Symptom

  • The User Management Engine (UME) is configured to use Active Directory as an LDAP datasource. See LDAP Directory as Data Source for more details.
  • The UME is configured to use a datasource XML file that allows writable access to the Active Directory, for example dataSourceConfiguration_ads_writeable_db.xml or dataSourceConfiguration_ads_deep_writeable_db.xml.
  • There is an SSL connection between the UME and Active Directory. This is a requirement in order to allow the creation of Active Directory users and password resets using the User Administration UIs. See note 673824 for more details.
  • An attempt to create a user or group via the User Administration Identity Management console fails with an error message:

[Screenshot: 1794128.PNG]

  • In the server traces an error such as the following can be found:

Naming exception when trying to create principal USER.CORP_LDAP.<UserName>
[EXCEPTION]
javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'cn=<UserName>'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:788)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:178)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:178)
at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.createUserAndAccount(LDAPPersistence.java:3696)
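
For triage, the fields of this trace can be extracted mechanically. The following is an added example, not part of the SAP article or any SAP tooling: the helper name parse_ume_ldap_denials is hypothetical, and the sample input is constructed from the trace lines above with the same <UserName> placeholder. It reports the LDAP result code, the Active Directory DSID and problem code, the principal and RDN involved, and the LDAP operation implied by the JNDI frame.

```python
import re

# Constructed sample: an abridged copy of the trace above, placeholder user name kept.
SAMPLE_TRACE = """\
Naming exception when trying to create principal USER.CORP_LDAP.<UserName>
[EXCEPTION]
javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'cn=<UserName>'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3049)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:788)
at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.createUserAndAccount(LDAPPersistence.java:3696)
"""

# Active Directory extended error text as it appears inside the JNDI exception.
AD_ERROR = re.compile(
    r"LDAP: error code (?P<ldap_code>\d+) - (?P<hex_code>[0-9A-Fa-f]{8}): "
    r"(?P<category>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>\w+)\), data (?P<data>\w+)"
)
REMAINING = re.compile(r"remaining name '(?P<rdn>[^']*)'")
PRINCIPAL = re.compile(r"trying to \w+ principal (?P<principal>\S+)")
# JNDI LdapCtx methods and the LDAP operation each one sends to the directory.
JNDI_OPS = {"c_createSubcontext": "add", "c_modifyAttributes": "modify",
            "c_destroySubcontext": "delete"}
JNDI_FRAME = re.compile(r"at com\.sun\.jndi\.ldap\.LdapCtx\.(c_\w+)\(")

# Hypothetical helper name; not part of any SAP or JDK API.
def parse_ume_ldap_denials(trace_text):
    """Return one dict per LDAP result code 50 error found in a UME server trace."""
    findings, lines = [], trace_text.splitlines()
    for i, line in enumerate(lines):
        m = AD_ERROR.search(line)
        if not m or m["ldap_code"] != "50":  # 50 = insufficientAccessRights
            continue
        rec = m.groupdict()
        # The principal is logged just before the exception; the RDN and the
        # stack frames follow it.
        before = "\n".join(lines[max(0, i - 3):i])
        after = "\n".join(lines[i:i + 30])
        p, r, f = PRINCIPAL.search(before), REMAINING.search(after), JNDI_FRAME.search(after)
        rec["principal"] = p["principal"] if p else None
        rec["remaining_name"] = r["rdn"] if r else None
        rec["ldap_operation"] = JNDI_OPS.get(f[1]) if f else None
        findings.append(rec)
    return findings

if __name__ == "__main__":
    for finding in parse_ume_ldap_denials(SAMPLE_TRACE):
        print(finding)
```
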


Environment

NetWeaver AS Java, all releases, with Active Directory as the UME datasource.

Product

SAP Composition Environment, all versions; SAP NetWeaver, all versions

Keywords

User Management Engine UME Active Directory LDAP datasource LDAP: error code 4003 INSUFF_ACCESS_RIGHTS, KBA, BC-JAS-SEC-UME, User Management Engine, How To

About this page

This is a preview of a SAP Knowledge Base Article. The full version is available on SAP for Me (login required).