Ldapbinds To OVD 11g (11.1.1.6 and Below) DB Adapter Fail With ldap_bind: Invalid credentials (Doc ID 1421023.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.2.0 and later
Information in this document applies to any platform.
***Checked for relevance on 07-Jul-2014***

Symptoms

Scenario:
The end goal is to have Oracle Database (DB) users log in to a Unix OS (pam_ldap / nss_ldap) and have Oracle Virtual Directory (OVD) 11g forward the authentication to the DB, without having to use another LDAP store or other products such as Enterprise User Security (EUS) or Oracle Authentication Services For Operating Systems (OAS4OS).


Created an OVD DB adapter to the sys.dba_users table of an Oracle 10g database, mapped the desired attributes including uid=username, uidnumber=userid and userpassword=password, and verified that all attributes could be searched successfully.

However, LDAP binds to OVD as DB users fail with an "Invalid credentials" error.



Learned that the following requirements must be met by the passwords stored in the DB in order to work with OVD:

1. The password value must be SHA1 or MD5 hashed, or plaintext / cleartext.
2. If SHA1 or MD5 hashed, the value must be Base64 encoded.
3. If SHA1 or MD5 hashed, the value must be prefixed with {SHA1} or {MD5}.

Indeed, after switching the value in the "password" column of the sys.dba_users table for the user to a cleartext value, the LDAP binds to OVD work. However, storing passwords in cleartext is not desirable for security reasons.
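As an added illustration (not Oracle's code and not OVD's actual implementation), the following Python models the three storage rules listed above and explains why the switch to a cleartext value makes the bind work: a value carrying a {SHA1} or {MD5} prefix is Base64-decoded and compared with a digest of the bind password, and anything else is compared as cleartext. The sample password and stored values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# The storage forms the note says the OVD DB adapter binds against:
# cleartext, or a SHA1/MD5 digest, Base64-encoded, with a {SHA1} or
# {MD5} prefix.  Maps prefix -> hashlib algorithm name.
SCHEMES = {"{SHA1}": "sha1", "{MD5}": "md5"}


def ovd_password_value(password: str, scheme: str = "{SHA1}") -> str:
    """Produce a value in the accepted form, e.g. '{SHA1}<Base64 digest>'."""
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8")).digest()
    return scheme + base64.b64encode(digest).decode("ascii")


def bind_would_succeed(stored: str, supplied: str) -> bool:
    """Model of the adapter's check: does the bind password match the stored value?"""
    for prefix, algo in SCHEMES.items():
        if stored.startswith(prefix):
            try:
                stored_digest = base64.b64decode(stored[len(prefix):], validate=True)
            except (ValueError, binascii.Error):
                return False  # prefixed but not Base64: rule 2 violated
            supplied_digest = hashlib.new(algo, supplied.encode("utf-8")).digest()
            return hmac.compare_digest(stored_digest, supplied_digest)
    # No recognised prefix: the stored value is treated as cleartext (rule 1).
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    pw = "Welcome1"  # constructed sample password, not a real credential
    # The 10g value quoted later in the note has no prefix and is not Base64,
    # so it is compared as cleartext and the bind fails.
    print(bind_would_succeed("0EBEDE3D0CB3255A", pw))      # False
    print(bind_would_succeed(pw, pw))                       # True (cleartext)
    print(bind_would_succeed(ovd_password_value(pw), pw))  # True ({SHA1} form)
```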


Checking the 10g DB showed that the hashed password is not in the format OVD requires, for example:

SQL> select password from dba_users where username='<username>';

PASSWORD
----------------
0EBEDE3D0CB3255A


Per RDBMS <Note:1349896.1>, under the "Password Management" section, SHA-1 hashing was introduced only in 11g DB versions.


So switched focus to the 11g DB version, where the SHA-1 password hash is now stored in the spare4 column of the user$ table, and the password column is no longer available in the dba_users view. Mapped the new table/column in the OVD 11g DB adapter accordingly; however, the LDAP binds still fail through the OVD adapter to the 11g DB.

Cause
