Un-Indexed Search in Oracle Unified Directory
- Rams
- Mar 18, 2015
In one of our client's environments we saw the following error while running ldapsearch on OUD as a service account user that is not a root user (e.g., oimadmin, oamLDAP).
We first noticed this error during an unsuccessful run of LDAP Full Delete Recon from OIM. OIM diagnostics showed LDAP error code 50 with the message "You do not have sufficient privileges to perform an unindexed search".
To troubleshoot, I ran ldapsearch against OUD, which displayed the same result:

    $ ldapsearch -p 1389 -D "cn=oimadmin,cn=oimAdminUser,dc=mycompany,dc=com" -w password -b dc=mycompany,dc=com "objectclass=*"

There are multiple reasons for this error to occur.
1) By default, index-entry-limit on OUD is 4000. If there are more than 4000 indexes created on OUD (it is possible, and that is what happened to us), then a default user will not be able to conduct an unindexed search. We didn't see this problem in the development environment initially, as there were fewer records and fewer indexes. We saw it as more data was added to OUD. To fix this, we updated the resource limits as follows:

    $ cat oimadmin_unindexsearch.ldif
    dn: cn=oimadmin,cn=oimAdminUser,dc=mycompany,dc=com
    changetype: modify
    add: ds-rlim-lookthrough-limit
    ds-rlim-lookthrough-limit: 0
    -
    add: ds-rlim-size-limit
    ds-rlim-size-limit: 0
    -
    add: ds-rlim-time-limit
    ds-rlim-time-limit: 0

    $ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f oimadmin_unindexsearch.ldif

Output:

    modifying entry cn=oimadmin,cn=oimAdminUser,dc=mycompany,dc=com
2) Normally the oimadmin user is created as part of the LDAP Sync process, and all the necessary ACIs are configured during this process. If any of the ACIs are missing, we might see this error. Verify the necessary ACIs for the user.

3) Oracle documentation also recommends setting "unindexed-search" as a disabled privilege using dsconfig. But we didn't want to use this, as it is a global setting and will let everyone perform unindexed searches, which are very expensive.

In our environment we were able to fix this with options 1 and 2.
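The fix in option 1 lifts all three resource limits for one service account, so it is worth knowing which accounts a change file does this for before it goes to ldapmodify. The following is an added example, not code from the original post: a small LDIF change-record check, with hypothetical function names and a constructed sample, that assumes a value of 0 means "no limit", as the fix above relies on.

```python
# Added example (not from the original post): flag LDIF changes that lift limits.
RLIM_ATTRS = {"ds-rlim-lookthrough-limit", "ds-rlim-size-limit",
              "ds-rlim-time-limit"}

# Constructed sample: the post's change plus a bounded change with a folded DN.
SAMPLE_LDIF = """\
dn: cn=oimadmin,cn=oimAdminUser,dc=mycompany,dc=com
changetype: modify
add: ds-rlim-lookthrough-limit
ds-rlim-lookthrough-limit: 0
-
add: ds-rlim-size-limit
ds-rlim-size-limit: 0
-
add: ds-rlim-time-limit
ds-rlim-time-limit: 0

dn: cn=reportsvc,cn=Users,
 dc=mycompany,dc=com
changetype: modify
replace: ds-rlim-size-limit
ds-rlim-size-limit: 5000
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the line above)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw.rstrip())
    return lines

def unlimited_grants(ldif_text):
    """Map each DN to the ds-rlim-* attributes an add/replace sets to 0."""
    findings, dn, op_attr = {}, None, None
    for line in unfold(ldif_text):
        if line.startswith("#"):
            continue
        if line in ("", "-"):   # "" ends the record, "-" ends one modification
            op_attr = None
            dn = None if line == "" else dn
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key in ("add", "replace", "delete"):
            op_attr = None if key == "delete" else value.lower()
        elif dn and key == op_attr and key in RLIM_ATTRS and value == "0":  # 0 assumed = no limit
            findings.setdefault(dn, set()).add(key)
    return {d: sorted(a) for d, a in findings.items()}
```

Calling `unlimited_grants(SAMPLE_LDIF)` reports only the oimadmin entry, since the second record sets a bounded size limit.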