12c Cloud Control: Auto-Provisioning Fails for Certain LDAP Users due to Which Login to Console Fails

Last updated on SEPTEMBER 29, 2015

Applies to:

Symptoms

OMS has been configured for Active Directory LDAP authentication using the below command:

emctl config auth ad -ldap_host ldaphost.domain -ldap_port 389 \
  -ldap_principal "${LDAP_PRINCIPLE}" -ldap_credential "${PRINCIPLE_PWD}" \
  -user_base_dn "${USER_BASE_DN}" -group_base_dn "${GROUP_BASE_DN}" \
  -sysman_pwd "${SYSMAN_PWD}"

This allows almost all LDAP users to login to the 12 Cloud Console successfully but fails for few users (for example: 123456). All the users are part of the same USER_BASE_DN.

When 123456 user logs into the console, it fails with:

Authentication failed. If problem persists, contact your system administrator.

- In the WLS console, the user name - 123456 is listed in the GCDomain-> Security Realms-> myrealm-> Users and Groups page

- The LDAP user - 123456 is able to login into other SSO systems without any errors and the account has not been locked / unusable.

-  Active Directory status of the CN has been verified and found to be fine, simple LDAP bind also works.

-  If the user is manually created in EM using the command: emcli create_user -name=123456 -type=EXTERNAL_USER

   the user is able to successfully login to the Console without any errors. But in this case, auto-provisioning is enabled by setting the OMS parameter:
oracle.sysman.core.security.auth.autoprovisioning=true, so it should not be necessary to manually create the user in EM.

Cause