Identity Synchronization for Windows Users Unable To Authenticate After Changing Password In Active Directory
Last updated on OCTOBER 11, 2016
Applies to:Oracle Directory Server Enterprise Edition - Version 5.2 SP3 to 18.104.22.168.0 [Release 5.0 to 11gR1]
Information in this document applies to any platform.
***Checked for relevance on 14-Nov-2013***
On: Identity Synchronization for Windows (ISW) and the Directory Server's pswdsync plugin.
After a user's password is changed in Active Directory (AD), validating that password against ODSEE fails: ISW's on-demand synchronization from DSEE/ODSEE to AD fails at the pswdsync plugin. Attribute changes are synchronized correctly, but user passwords are not.
[25/Jan/2012:06:49:42 -0800] - WARNING<38786> - isw - conn=71 op=70 msgId=0 - Plugins on-demand validation could not be completed for 'uid=tuser,ou=people,dc=example,dc=sub,dc=lab', because corresponding user at ldaps://test-serv-03.abc.net.example.sub.lab:636 is disabled
[25/Jan/2012:07:21:29 -0800] - WARNING<38731> - isw - conn=-1 op=-1 msgId=-1 - Plugins authentication to Active Directory server at ldaps://gc-test-02.test.net.example.sub.lab:636 failed (bind DN: cn=svcLDAP,ou=Service Accounts,ou=ABC,dc=NET,dc=EXAMPLE,dc=SUB,dc=LAB), error(81): Can't contact LDAP server
ISW is configured so that interaction with the Active Directory server is over SSL (port 636). It was discovered that a domain certificate had expired and had failed to auto-renew. On a Windows server, a reboot should have forced the server to renew its certificate. The certificate's expiration coincides with the time that on-demand authentication began to fail. Because it is a domain certificate, it affected both Global Catalog (GC) servers and any other AD servers in the ELS domain. The customer corrected the problem and the certificate has been renewed.
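The failure above surfaces only as error(81) "Can't contact LDAP server" on the ISW side, so the certificate lifetime of each AD/GC endpoint is worth checking directly. The following script is an added example, not part of the original article or of ISW; it assumes openssl and GNU date are installed on the host where it runs, and the server names are the placeholders taken from the log lines above.

```shell
#!/bin/sh
# Added example (not from the original article): report how much lifetime remains
# on the TLS certificate each AD / Global Catalog server presents on LDAPS (636),
# so an expired domain certificate is noticed before on-demand password
# synchronization starts failing. Assumes openssl and GNU date (for -d parsing).

# Convert an openssl "notAfter=Mon DD HH:MM:SS YYYY GMT" line to a Unix epoch.
notafter_to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Whole days from a reference epoch ($1) to an expiry epoch ($2); negative if expired.
days_remaining() {
    echo $(( ($2 - $1) / 86400 ))
}

# Fetch the leaf certificate from host:port and print its notAfter line.
fetch_notafter() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# Check one server: print a verdict; return 1 if expired, 2 if unreachable.
check_ldaps_cert() {
    host=$1
    port=${2:-636}
    if ! notafter=$(fetch_notafter "$host" "$port") || [ -z "$notafter" ]; then
        echo "$host:$port: could not retrieve certificate (server down or TLS handshake refused)"
        return 2
    fi
    days=$(days_remaining "$(date -u +%s)" "$(notafter_to_epoch "$notafter")")
    if [ "$days" -lt 0 ]; then
        echo "$host:$port: certificate EXPIRED $(( -$days )) day(s) ago (${notafter#notAfter=})"
        return 1
    fi
    echo "$host:$port: certificate valid for $days more day(s) (${notafter#notAfter=})"
}

# Usage: sh check_ldaps_cert.sh gc-test-02.test.net.example.sub.lab test-serv-03.abc.net.example.sub.lab
# (placeholder host names from the log excerpt; pass the real GC and AD servers ISW is configured with)
if [ "$#" -gt 0 ]; then
    rc=0
    for h in "$@"; do
        check_ldaps_cert "$h" 636 || rc=$?
    done
    exit "$rc"
fi
```

A non-zero exit from the script is a convenient trigger for monitoring, since an expired certificate on any configured GC or AD server will break every on-demand password validation that goes through it.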