OVD 11g After Adding Plugins To AD Adapter, Cisco VPN Client Fails With "LDAP server does not support V3 protocol" And "LDAP Error 49 : Invalid operation for anonymous user" errors
(Doc ID 1383794.1)
Last updated on MAY 31, 2024
Applies to:
Oracle Virtual Directory - Version 11.1.1.1.0 to 11.1.1.3.0 [Release 11g]
Information in this document applies to any platform.
Symptoms
Oracle Virtual Directory (OVD) 11g 11.1.1.1 through 11.1.1.3.0.
All connections were working before.
The problem started after adding the inetorgperson and the virtualAttribute plugins to an Active Directory (AD) adapter.
After that, OVD bind attempts from a VPN device, such as a Cisco VPN client, started failing. OVD responds with the "LDAP server does not support V3 protocol" error and "LDAP Error 49 : Invalid operation for anonymous user" errors, i.e.:
[4008] Session Start
[4008] New request Session, context 0x53cfe698, reqType = Authentication
[4008] Fiber started
[4008] Creating LDAP context with uri=ldap://<OVD IP address>:6501
[4008] Connect to LDAP server: ldap://<OVD IP address>:6501, status = Successful
[4008] While getting rootDSE, LDAP server <OVD IP address> returned code (49) Invalid credentials
[4008] This LDAP server does not support V3 protocol.
...<snip>....
Oracle Access Manager (OAM) 11g and other applications working against OVD are still working ok.
An error also occurs when using a 3rd party LDAP client such as Softerra; when the client tries to connect to OVD, the following is logged:
"Error loading RootDSE entry from <OVD_HOSTNAME>:6501"
But Softerra is able to ignore this error and proceeds to connect to OVD, so it is not a show stopper for Softerra as it is for the Cisco VPN client. Softerra encounters the error but continues to bind and process results, whereas Cisco drops the connection if it is unable to fetch the LDAP controls, i.e., when checking for LDAP v3 compliance.
The Cisco device is using a service account which has been tested and does connect from a test LDAP client to OVD, or directly to AD, without problems.
The OVD diagnostic log at a high debug level may show:
[2011-09-08T12:54:53.353-05:00] [octetstring] [TRACE] [] [com.octetstring.vde.DoSManager] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Current operations per connection (cn=orcladmin/<IP_ADDRESS>, 0/0).
[2011-09-08T12:55:17.124-05:00] [octetstring] [TRACE] [] [com.octetstring.vde.MessageHandler] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Request Dump: { messageID 1, protocolOp searchRequest: { baseObject ''H, scope 0, derefAliases 3, sizeLimit 0, timeLimit 0, typesOnly FALSE, filter present: '6F626A656374636C617373'H, attributes { '737570706F727465644C44415056657273696F6E'H, '737570706F727465645341534C4D656368616E69736D73'H, '64656661756C744E616D696E67436F6E74657874'H, '737570706F727465644C444150506F6C6963696573'H, '76656E646F724E616D65'H } } }
[2011-09-08T12:55:17.124-05:00] [octetstring] [ERROR] [OVD-60182] [com.octetstring.vde.OperationHandler] [tid: xx] [ecid: <ECID>] [arg: LDAP Error 49 : Invalid operation for anonymous user.] Exception: LDAP Error 49 : Invalid operation for anonymous user..[[
com.octetstring.vde.util.DirectoryException: LDAP Error 49 : Invalid operation for anonymous user.
at com.octetstring.vde.MessageHandler.checkAnonymousAccess(MessageHandler.java:172)
at com.octetstring.vde.MessageHandler.answerRequest(MessageHandler.java:134)
at com.octetstring.vde.OperationHandler.run(OperationHandler.java:57)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
]]
Tried <Note:1333000.1>, but then it was not possible to connect to OVD from the LDAP client; the log shows some DNs that are not related to any adapters.
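The "Request Dump" trace above stores the base DN, filter and requested attributes as hex strings, which hides what the client is actually asking for. The following Python is added here as an illustration and is not part of the Oracle note: it decodes one such trace line and flags the pattern seen in the symptoms, an anonymous rootDSE probe (empty base, base scope, supportedLDAPVersion requested) immediately rejected with LDAP error 49. The sample lines are constructed from the trace above.

```python
import re

# Constructed sample lines, shortened from the OVD trace in the symptoms section.
SAMPLE_LINES = [
    "[2011-09-08T12:55:17.124-05:00] [octetstring] [TRACE] [com.octetstring.vde.MessageHandler] "
    "Request Dump: { messageID 1, protocolOp searchRequest: { baseObject ''H, scope 0, "
    "derefAliases 3, sizeLimit 0, timeLimit 0, typesOnly FALSE, "
    "filter present: '6F626A656374636C617373'H, "
    "attributes { '737570706F727465644C44415056657273696F6E'H, "
    "'737570706F727465645341534C4D656368616E69736D73'H, "
    "'64656661756C744E616D696E67436F6E74657874'H, "
    "'737570706F727465644C444150506F6C6963696573'H, '76656E646F724E616D65'H } } }",
    "[2011-09-08T12:55:17.124-05:00] [octetstring] [ERROR] [OVD-60182] "
    "[com.octetstring.vde.OperationHandler] Exception: LDAP Error 49 : "
    "Invalid operation for anonymous user..",
]

HEX_RE = re.compile(r"'([0-9A-Fa-f]*)'H")


def decode_hex(h):
    """Turn an OVD 'xx..xx'H hex string into text; '' stays ''."""
    return bytes.fromhex(h).decode("utf-8", "replace") if h else ""


def parse_request_dump(line):
    """Extract base DN, scope, presence filter and attribute list from a Request Dump line."""
    m = re.search(r"baseObject '([0-9A-Fa-f]*)'H, scope (\d+)", line)
    if not m:
        return None
    f = re.search(r"filter present: '([0-9A-Fa-f]*)'H", line)
    a = re.search(r"attributes \{([^}]*)\}", line)
    return {
        "base": decode_hex(m.group(1)),
        "scope": int(m.group(2)),
        "filter_present": decode_hex(f.group(1)) if f else None,
        "attributes": [decode_hex(h) for h in HEX_RE.findall(a.group(1))] if a else [],
    }


def is_rootdse_probe(req):
    """A rootDSE read is a base-scope search on the empty DN asking for server capabilities."""
    return req["base"] == "" and req["scope"] == 0 and "supportedLDAPVersion" in req["attributes"]


def diagnose(lines):
    """Walk trace lines in order and report a search that was rejected for anonymous access."""
    pending = None
    for ln in lines:
        req = parse_request_dump(ln)
        if req is not None:
            pending = req  # remember the most recent request until its outcome is seen
        elif pending and "Invalid operation for anonymous user" in ln:
            kind = "rootDSE probe" if is_rootdse_probe(pending) else "search"
            return "anonymous %s rejected: LDAP Error 49" % kind
    return "no anonymous-access rejection found"
```

Running `diagnose(SAMPLE_LINES)` on the constructed trace reports the rejected rootDSE probe, which is the request the VPN client needs to succeed before it binds.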
Changes
Cause