11 Appendix H: Configuring Oracle Unified Directory

When the user completes the First Time Use Wizard, Logon Manager configures permissions on the user's repository container so that only that user and administrators have access to the container and its contents. This is accomplished by adding the permitted directory object operations to the value of the aci attribute for each user.

However, in Oracle Unified Directory the aci attribute is a protected operational attribute by default: non-administrators cannot modify its value, even on entries that they created themselves. As a result the First Time Use Wizard fails, and the error logs report insufficient privileges.

To work around this issue, you must grant the modify-acl privilege to each Logon Manager user affected by this problem by following the steps below.

Note:

Access privileges should always be granted in accordance with your organization's security policy.
  1. Create an LDIF file with the following contents (replace the domain values as appropriate for your environment; the lines of the change record must be contiguous, with no blank lines between them):

    dn: cn=target-user,ou=users,dc=oracle,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: modify-acl

  2. Apply the changes to your environment by running the following command on the directory server while logged in as the Directory Administrator:

    ldapmodify -p port-number -h host-name -D directory-manager-dn -q -f LDIF-file

If you have not already done so, you must also grant anonymous read, search, and compare privileges to either the entire repository or the People and SSOConfig (CO) containers as follows:

  1. Log on to Oracle Directory Services Manager as the Directory Administrator.

  2. Select the Security tab.

  3. Under the root entry, create an ACL with the following contents:

    (targetattr = "*")(targetscope = "subtree") (version 3.0; acl "Anonymous-read-search"; allow (read,search,compare) userdn = "ldap:///anyone";)
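The two procedures above (granting modify-acl to each affected user, and adding the anonymous read/search/compare ACL) both come down to LDIF change records applied with ldapmodify. The script below is an added example, not from the Oracle documentation: it generates the modify-acl record for any number of user DNs in one LDIF file, generates the same anonymous-read ACI as an LDIF record so it can be applied with ldapmodify instead of through Oracle Directory Services Manager, and assembles the ldapmodify command line from the appendix. The host, port, bind DN, file names and the dc=example,dc=com DNs are placeholders; the script only writes files and prints commands, it never contacts a directory server.

```shell
#!/bin/sh
# Added example (not Oracle's code): build the LDIF records described in
# Appendix H and the ldapmodify invocation that applies them.
# All DNs, host names, ports and file names here are assumed placeholders.

# One LDIF change record granting the modify-acl privilege to a user DN.
# The four lines must stay contiguous; a blank line terminates a record.
modify_acl_record() {
    printf 'dn: %s\nchangetype: modify\nadd: ds-privilege-name\nds-privilege-name: modify-acl\n' "$1"
}

# A complete LDIF file covering every user DN given as an argument, with the
# blank line that separates successive change records.
build_privilege_ldif() {
    for user_dn in "$@"; do
        modify_acl_record "$user_dn"
        printf '\n'
    done
}

# The "Anonymous-read-search" ACL from the appendix as an LDIF record that
# adds an aci value to the container given as $1. Anchoring it on the
# People and SSOConfig containers instead of the root entry keeps the
# anonymous scope as narrow as Logon Manager needs.
anonymous_read_aci_record() {
    printf 'dn: %s\nchangetype: modify\nadd: aci\naci: (targetattr = "*")(targetscope = "subtree")(version 3.0; acl "Anonymous-read-search"; allow (read,search,compare) userdn = "ldap:///anyone";)\n' "$1"
}

# The ldapmodify command line from the appendix: $1 host, $2 port,
# $3 directory manager DN, $4 LDIF file. Printed, not executed.
ldapmodify_command() {
    printf 'ldapmodify -p %s -h %s -D %s -q -f %s' "$2" "$1" "$3" "$4"
}

# Write both LDIF files into a directory and show the commands to run as
# the Directory Administrator. Remaining arguments are the user DNs.
prepare_oud_changes() {
    outdir=$1; shift
    build_privilege_ldif "$@" > "$outdir/grant-modify-acl.ldif"
    {
        anonymous_read_aci_record "ou=People,dc=example,dc=com"
        printf '\n'
        anonymous_read_aci_record "ou=SSOConfig,dc=example,dc=com"
    } > "$outdir/anonymous-read.ldif"
    echo "# run on the directory server as the Directory Administrator:"
    ldapmodify_command oud.example.com 1389 "cn=Directory Manager" \
        "$outdir/grant-modify-acl.ldif"
    printf '\n'
    ldapmodify_command oud.example.com 1389 "cn=Directory Manager" \
        "$outdir/anonymous-read.ldif"
    printf '\n'
}
```

Calling `prepare_oud_changes /tmp/oud "cn=jdoe,ou=users,dc=example,dc=com" "cn=asmith,ou=users,dc=example,dc=com"` writes the two LDIF files and prints the two ldapmodify commands. Because ds-privilege-name is an operational attribute, confirming the grant afterwards requires requesting it explicitly in the ldapsearch attribute list rather than relying on the default attribute set.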