
OID 11g Server Chaining With SSL-Only Enabled AD / ODSM Missing SSL Configuration Fields / "Verify Login Credential" Button Fails With Error: The User Credentials provided are invalid. (Doc ID 1484485.1)

Last updated on JUNE 30, 2017

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.

Symptoms

Oracle Internet Directory (OID) 11g (11.1.1.6).

Setting up Server Chaining (SC) against Active Directory (AD), where AD is configured to only allow binds via SSL.

Verified that binds to the AD SSL port work both with and without credentials, using the wallet/password, e.g.:

$ ldapbind -h myadhost.mycompany.com -p 636 -D administrator@domain.mycompany.com -w <password> -U 2 -W file://<walletdir> -P <wallet password>
  bind successful

$ ldapbind -h myadhost.mycompany.com -p 636 -U 2 -W file://<walletdir> -P <wallet password>
  bind successful


The SC screen in ODSM does not include a way/field to specify the wallet information for the bind to AD.

The documentation:

Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) E10029-06
Chapter 38 Configuring Server Chaining
Section 38.3.5 Active Directory with SSL Example

instructs to configure Server Chaining (SC) to AD via non-SSL first and then switch to SSL. However, since there is no non-SSL access to AD, there are no clear directions on how to do this when only SSL is available.

It is possible to configure SSL directly via LDIF modification, as per the documentation above. The following LDIF changes were applied:

dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscsslenabled
orcloidscsslenabled: 1
-
replace: orcloidscextsslport
orcloidscextsslport: 636
-
replace: orcloidscwalletlocation
orcloidscwalletlocation: /adwallet/ewallet.p12
-
replace: orcloidscwalletpassword
orcloidscwalletpassword: <wallet password>
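
Before applying a change set like the one above, it helps to check that the four orcloidsc* SSL attributes are consistent with each other, because an entry with orcloidscsslenabled left at 0 (or a missing wallet) makes OID bind to AD in the clear, which an SSL-only AD will refuse. The script below is an added example for this note, not Oracle code: it parses a single LDIF modify record (including the "attr:value" form without a space used above) and reports inconsistencies. The attribute names are the ones in the LDIF above; the sample input is the same change set with its placeholder password and is constructed for the example.

```python
"""Sanity-check an OID 11g server-chaining LDIF change set before applying it.

Added example, not Oracle code. It parses one 'changetype: modify' LDIF record
for the cn=oidscad server chaining entry and flags settings that would result
in a non-SSL bind to an SSL-only Active Directory.
"""
import re

# Constructed sample: the change set from the note, placeholder password included.
SAMPLE_LDIF = """\
dn: cn=oidscad,cn=oid server chaining,cn=subconfigsubentry
changetype: modify
replace: orcloidscsslenabled
orcloidscsslenabled:1
-
replace: orcloidscextsslport
orcloidscextsslport: 636
-
replace: orcloidscwalletlocation
orcloidscwalletlocation: /adwallet/ewallet.p12
-
replace: orcloidscwalletpassword
orcloidscwalletpassword: <wallet password>
"""

# Attributes that must all be present once SSL is enabled (names from the note).
SSL_ATTRS = ("orcloidscextsslport", "orcloidscwalletlocation", "orcloidscwalletpassword")

# LDIF allows zero or more spaces after the colon, so 'attr:value' is accepted.
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*):\s*(.*)$")


def parse_modify_ldif(text):
    """Return (dn, {attribute: [values]}) for a single LDIF modify record."""
    dn = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-" or line.startswith("#"):
            continue  # blank, change-separator or comment line
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("not an LDIF 'attr: value' line: %r" % line)
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "dn":
            dn = value
        elif attr in ("changetype", "replace", "add", "delete"):
            continue  # operation keywords carry no configuration value
        else:
            values.setdefault(attr, []).append(value)
    return dn, values


def check_sc_ssl_config(values):
    """Return a list of findings; an empty list means the SSL settings are consistent."""
    findings = []
    ssl_enabled = values.get("orcloidscsslenabled", ["0"])[0].strip() == "1"
    if ssl_enabled:
        for attr in SSL_ATTRS:
            if not values.get(attr, [""])[0].strip():
                findings.append("orcloidscsslenabled=1 but %s is not set" % attr)
        loc = values.get("orcloidscwalletlocation", [""])[0]
        if loc and not loc.endswith((".p12", ".sso")):
            findings.append("wallet location %r does not look like an Oracle wallet file" % loc)
    elif "orcloidscextsslport" in values:
        findings.append("orcloidscextsslport set but orcloidscsslenabled is not 1: binds to AD will be non-SSL")
    pw = values.get("orcloidscwalletpassword", [""])[0].strip()
    if pw.startswith("<") and pw.endswith(">"):
        findings.append("orcloidscwalletpassword still holds the placeholder %r" % pw)
    return findings


def audit(text):
    """Parse and check one LDIF change set; returns (dn, findings)."""
    dn, values = parse_modify_ldif(text)
    return dn, check_sc_ssl_config(values)


if __name__ == "__main__":
    dn, findings = audit(SAMPLE_LDIF)
    print("entry:", dn)
    for f in findings or ["no findings"]:
        print(" -", f)
```

Run against the note's own change set it reports exactly one finding, the unreplaced `<wallet password>` placeholder; drop the wallet attributes and it reports each missing one. Because the LDIF carries the wallet password in clear text, the file itself should be treated as a secret and removed once the change has been applied.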

 
However when clicking the "Verify Login Credential" button fails with:

Error
The User Credentials provided are invalid.

The corresponding wls_ods-diagnostics.log shows the error:

javax.naming.AuthenticationNotSupportedException: LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db0^@

This may be expected when no SSL credentials are provided, which appear to be required, although the end goal is not to provide any credentials and to use only the wallet/password with SC; however, the same error occurs whether credentials are entered or not.
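The ODSM message ("The User Credentials provided are invalid") and the logged exception say different things, and the log is the more precise of the two: LDAP result code 8 is strongerAuthRequired (RFC 4511), and the AD-specific field 00002028 is Windows error 8232, ERROR_DS_STRONG_AUTH_REQUIRED, whose description is the comment text quoted in the log. In other words AD refused the bind because the connection was not SSL/TLS-protected, before any password was checked; an actual bad password would come back as result code 49. The following triage script is an added example, not Oracle code: it extracts those fields from the diagnostics line so the two cases can be told apart when reading wls_ods-diagnostics.log. The first sample line is the one from the note (the trailing ^@ is a NUL byte); the code-49 sample is constructed for comparison.

```python
"""Classify an AD bind failure as logged by ODSM in wls_ods-diagnostics.log.

Added example, not Oracle code. Result code names follow RFC 4511; the AD
error number table covers the value seen in the note (0x2028 =
ERROR_DS_STRONG_AUTH_REQUIRED).
"""
import re

# Sample 1: the exception text quoted in the note; the trailing ^@ is a NUL.
SAMPLE_STRONG_AUTH = (
    "javax.naming.AuthenticationNotSupportedException: LDAP: error code 8 - "
    "00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn "
    "on integrity checking if SSL\\TLS are not already active on the connection, "
    "data 0, v1db0\x00"
)

# Sample 2 (constructed): what a genuinely wrong password looks like from AD.
SAMPLE_BAD_PASSWORD = (
    "javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
)

# LDAP result codes from RFC 4511 (subset that shows up on bind failures).
LDAP_RESULT_CODES = {
    8: "strongerAuthRequired",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Windows/AD error numbers that appear as the 8-hex-digit field after the result code.
AD_ERROR_CODES = {
    0x2028: "ERROR_DS_STRONG_AUTH_REQUIRED",
}

# AD's LdapErr layout: "error code N - XXXXXXXX: LdapErr: DSID-..., comment: ..., data D, vNNNN"
LINE_RE = re.compile(
    r"LDAP: error code (?P<rc>\d+) - (?P<ad>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)"
)


def triage_bind_error(log_text):
    """Return a dict describing the failure, or None if no AD LdapErr is present."""
    m = LINE_RE.search(log_text)
    if not m:
        return None
    rc = int(m.group("rc"))
    ad_code = int(m.group("ad"), 16)
    info = {
        "result_code": rc,
        "result_name": LDAP_RESULT_CODES.get(rc, "unknown"),
        "ad_code": ad_code,
        "ad_name": AD_ERROR_CODES.get(ad_code, "unknown"),
        "ad_data": m.group("data"),
        "comment": m.group("comment"),
        # True only for the "SSL/TLS or signing required" rejection.
        "tls_required": rc == 8 and ad_code == 0x2028,
    }
    if info["tls_required"]:
        info["verdict"] = ("AD refused the bind because the connection was not SSL/TLS-protected; "
                           "the credentials were never evaluated. Check that the client is using "
                           "the SSL port and wallet rather than a plain connection.")
    elif rc == 49:
        info["verdict"] = ("AD evaluated the credentials and rejected them "
                           "(AD sub-code in the data field: %s)." % info["ad_data"])
    else:
        info["verdict"] = "bind failed with %s; see the AD comment text." % info["result_name"]
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_STRONG_AUTH, SAMPLE_BAD_PASSWORD):
        r = triage_bind_error(sample)
        print("%d/%s %s -> %s" % (r["result_code"], r["result_name"], r["ad_name"], r["verdict"]))
```

On the note's log line the script reports result code 8 with ERROR_DS_STRONG_AUTH_REQUIRED and a TLS-required verdict, which matches the symptom that entering or omitting credentials makes no difference: the bind never gets as far as checking them.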

Changes


Cause


