12c Cloud Control: Auto-Provisioning Fails for Certain LDAP Users due to Which Login to Console Fails (Doc ID 1635786.1)

Last updated on FEBRUARY 15, 2019

Applies to:

Symptoms

OMS has been configured for Active Directory LDAP authentication using the below command:

emctl config auth ad -ldap_host ldaphost.domain -ldap_port <PORT> \
  -ldap_principal "${LDAP_PRINCIPLE}" -ldap_credential "${PRINCIPLE_PWD}" \
  -user_base_dn "${USER_BASE_DN}" -group_base_dn "${GROUP_BASE_DN}" \
  -sysman_pwd "${SYSMAN_PWD}"

This allows almost all LDAP users to login to the 12 Cloud Console successfully but fails for few users (for example: 123456). All the users are part of the same USER_BASE_DN.

When <USER_NAME> logs into the console, it fails with:

Authentication failed. If problem persists, contact your system administrator.

- In the WLS console, the user name - <USER_NAME> is listed in the GCDomain-> Security Realms-> myrealm-> Users and Groups page

- The LDAP user - <USER_NAME> is able to login into other SSO systems without any errors and the account has not been locked / unusable.

-  Active Directory status of the CN has been verified and found to be fine, simple LDAP bind also works.

-  If the user is manually created in EM using the command: emcli create_user -name=<USER_NAME> -type=EXTERNAL_USER

   the user is able to successfully login to the Console without any errors. But in this case, auto-provisioning is enabled by setting the OMS parameter:
oracle.sysman.core.security.auth.autoprovisioning=true, so it should not be necessary to manually create the user in EM.

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.