25.8.1. Clients Need Simple Paged Results Control

With Solaris and some versions of Linux, you might see a message such as the following in the OpenDJ access logs.

The request control with Object Identifier (OID) "1.2.840.113556.1.4.319"
cannot be used due to insufficient access rights

This message means clients are trying to use the simple paged results control without authenticating. By default, OpenDJ includes a global ACI that allows only authenticated users to use the control.

$ dsconfig \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword "password" \
 get-access-control-handler-prop

Property   : Value(s)
-----------:-------------------------------------------------------------------
enabled    : true
global-aci : (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 ||
...
           : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2
           : || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 ||
           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
           : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version
           : 3.0; acl "Authenticated users control access"; allow(read)
           : userdn="ldap:///all";), (targetcontrol="2.16.840.1.113730.3.4.2 ||
           : 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
           : 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
           : 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control
           : access"; allow(read) userdn="ldap:///anyone";)

To grant anonymous (unauthenticated) users access to the control, add the OID for the simple paged results control to the list of OIDs in the "Anonymous control access" global ACI.

$ dsconfig \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword "password" \
 set-access-control-handler-prop \
 --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || \
 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || \
 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || \
 2.16.840.1.113730.3.4.16\") (version 3.0; acl \"Anonymous control access\"; \
 allow(read) userdn=\"ldap:///anyone\";)" \
 --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || \
 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || \
 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || \
 2.16.840.1.113730.3.4.16 || 1.2.840.113556.1.4.319\") \
 (version 3.0; acl \"Anonymous control access\"; allow(read) \
 userdn=\"ldap:///anyone\";)" \
 --no-prompt

Alternatively, stop OpenDJ, edit the corresponding ACI carefully in /path/to/opendj/config/config.ldif, and restart OpenDJ. [11]
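
To review which request controls unauthenticated clients can use before and after such a change, the following added example (not part of the OpenDJ documentation) parses the get-access-control-handler-prop output and lists the OIDs granted to ldap:///anyone. The function names and the sample input, assembled from the output shown above, are assumptions of this example, and the parser assumes the wrapped table format shown above.

```shell
# Added example: list the control OIDs that global ACIs grant to anonymous
# clients. Reads `dsconfig ... get-access-control-handler-prop` output on stdin.
PAGED_RESULTS_OID="1.2.840.113556.1.4.319"   # simple paged results control

anon_controls() {
  # Strip the "property :" column, then unwrap the value into a single line.
  sed -E 's/^[a-z-]* *: ?//' | { tr '\n' ' '; echo; } |
  awk '{
    n = split($0, acis, /;\)/)                 # every ACI ends with ;)
    for (i = 1; i <= n; i++) {
      if (acis[i] !~ /allow *\(/) continue     # only allow rules grant access
      if (acis[i] !~ /userdn="ldap:\/\/\/anyone"/) continue
      if (!match(acis[i], /targetcontrol="[^"]*"/)) continue
      # Skip the 15-character targetcontrol= prefix and the closing quote.
      list = substr(acis[i], RSTART + 15, RLENGTH - 16)
      gsub(/[|]/, " ", list)                   # turn the || separators into spaces
      m = split(list, oids, " ")
      for (j = 1; j <= m; j++) print oids[j]
    }
  }'
}

# Exit status 0 if the OID given as $1 can be used without authenticating.
anon_allows_control() { anon_controls | grep -Fxq "$1"; }

# Constructed sample: the two default control ACIs from the output above.
sample_default() {
  cat <<'EOF'
Property   : Value(s)
-----------:-------------------------------------------------------------------
enabled    : true
global-aci : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2
           : || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 ||
           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
           : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version
           : 3.0; acl "Authenticated users control access"; allow(read)
           : userdn="ldap:///all";), (targetcontrol="2.16.840.1.113730.3.4.2 ||
           : 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
           : 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
           : 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control
           : access"; allow(read) userdn="ldap:///anyone";)
EOF
}
```

Pipe the real get-access-control-handler-prop output into anon_controls, or into anon_allows_control "$PAGED_RESULTS_OID" to test for the paged results control alone.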



[11] Unlike the dsconfig command, the config.ldif file is not a public interface, so this alternative should not be used in production.