Wednesday, November 5, 2014

Insufficient Access Rights: You do not have sufficient privileges to perform an unindexed search

In my previous post, I mentioned that we are currently migrating OpenAM 9.5.3 to OpenAM 11.0.2 for a customer based in Singapore. At the same time, we are migrating a very old OpenDJ 2.4.3 to OpenDJ 2.6.1.

And of course, we do have customized schema in OpenDJ and customized codes in OpenAM. Which customer will not have customized requirement?

Anyway, when we run an unit test against the new setup, we encountered the error below:

11:24:50.514 [http-apr-7070-exec-1] DEBUG DEBUG - [LdapConnection - getAttributes] Getting attributes for filter (sgloginid=USERA)
11:24:50.532 [http-apr-7070-exec-1] ERROR DEBUG - Check devices command exception: Proxy User ID: USERA  User ID: USERA, Facebook ID: null, M2GW IP: x.x.x.x
org.forgerock.opendj.ldap.ErrorResultIOException: org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: You do not have sufficient privileges to perform an unindexed search

        at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext( ~[opendj-ldap-sdk-3.0.0-SNAPSHOT.jar:na]

One of my colleagues googled and directed us to OpenDJ Administration Guide Indexing Attribute Values - Determining What Needs Indexing.

A quick fix is to grant unindexed-search privilege to the account that binds to OpenDJ. But should we?

No, I do not think so.

The article says it all, in order of preference to resolve unindexed search issue:

1. If directory users tell you their client applications are getting this error, then you can work with them either to help them make their search filter specific enough to use existing indexes, or to index attributes they need indexed in order to perform their searches.

2. If you do need to allow some applications to perform unindexed searches, because they need to retrieve very large numbers of entries for example, then you can assign them the unindexed-search privilege.

In our case, we should index the attributes as sgloginid is used very frequently in OpenAM for authentication and in another customized application.


1 comment: