OID 11g EUS DB Login Fails with ORA-28274: No ORACLE password attribute corresponding to user nickname exists.

(Doc ID 1546173.1)

Last updated on AUGUST 28, 2017

Applies to:

Oracle Internet Directory - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Symptoms

New Oracle Internet Directory (OID) 11g install, e.g., 11.1.1.6.0 with all default settings, configured for EUS with, e.g., DB 10.2.0.5.0.  No firewalls or load balancers involved.

Only configured the global schema, granted the connect and did the mapping of the user's OID tree.  No roles or anything else configured.

EUS login fails with:

ORA-28274 No ORACLE password attribute corresponding to user nickname exists.

Also, in Enterprise Manager (EM)/EUS/Realm Administration, it shows 'Generate Oracle Password Verifiers' as disabled.

No RDBMS trace errors are logged, for example:

Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1
System name: AIX
Node name: mydbhost
Release: 1
Version: 6
Machine: XYZ123
Instance name: EUSDB
Redo thread mounted by this instance: 1
Oracle process number: 22
Unix process pid: 23789788, image: oracle@mydbhost (TNS V1-V3)

*** ACTION NAME:() 2013-04-01 14:53:30.964
*** MODULE NAME:(sqlplus@mydbhost (TNS V1-V3)) 2013-04-01 14:53:30.964
*** SERVICE NAME:(SYS$USERS) 2013-04-01 14:53:30.964
*** SESSION ID:(136.61274) 2013-04-01 14:53:30.964
kzld found pwd in wallet
KZLD_ERR: 0
kzld_search -s sub -b cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=example, dc=com
search filter: (&(objectclass=orcldbenterprisedomain_82)(uniqueMember=cn=DEV,cn=OracleContext,dc=example, dc=com))
KZLD_ERR: 0
kzldsp found policy ALL
kzld_search -s base -b cn=Common,cn=Products,cn=OracleContext,dc=example, dc=com
search filter: objectclass=*
KZLD_ERR: 0
kzld found uid for orclCommonNicknameAttribute
kzldsearch_ext -s sub -b cn=users, dc=example,dc=com
search filter: uid=user1
number of entries: 1
KZLD_ERR: 0
KZLD_ERR: Got Refresh Account control
kzld found user entry: cn=user1,cn=Users,dc=example,dc=com
*** 2013-04-01 14:53:41.316
KZLD is doing LDAP unbind

 

No OID stack or other logs generated.

OID highest level debug server log shows no errors other than the following towards the end of the stack, after what looks to be a successful search, for example:

...<snip>...

[2013-04-01T14:53:32-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: oidhost] [pid: 868] [tid: 10] [ecid: <ECID>] ServerWorker (REG):[[
BEGIN
ConnID:426 mesgID:5 OpID:3 OpName:search ConnIP:<IP address> ConnDN:cn=dbuser,cn=oraclecontext,dc=example,dc=com
gslaudeaAttributesEvaluation:Operation id:(3) Visiting ACP at: (dc=example,dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Accees denied by ACP: (dc=example,dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) User being a Privileged group member, Evaluation continues
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Visiting ACP at: (dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Accees denied by ACP: (dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) User being a Privileged group member, Evaluation continues
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Visiting ACP at: (cn=root)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Accees denied by ACP: (cn=root)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) User being a Privileged group member, Evaluation continues
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation: Operation id:(3) Enforcing Server Default Access Policy
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Access to entry (cn=user1,cn=Users,dc=example,dc=com) allowed
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation: Operation id:(3) Exit
2013-04-01T14:53:32 * gslesabAddToBer: Added orclguid to the Ber
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 8ceda20 152 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 8ceda20 0 bytes
2013-04-01T14:53:32 * Entry sent as a search result.
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 11db8b10 104 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 11db8b10 0 bytes
2013-04-01T14:53:32 * INFO:gsleswrASndResult OPtime=3257 micro sec RESULT=0 tag=101 nentries=1
2013-04-01T14:53:32 * Exit: gslsbsSearch()
2013-04-01T14:53:32 * Exit gslfseADoSearch
2013-04-01T14:53:32 *  
BASE DN = cn=users,dc=example,dc=com
SCOPE = 2
FILTER = (uid=user1)
REQD ATTRS = dn authpassword orclpassword orclguid

EVENT "BER  READ      " time :        450  micro sec
EVENT "DIME OVRD      " time :       2775  micro sec
EVENT "PRE DIME       " time :         75  micro sec
EVENT "DB Fetch       " time :        189  micro sec
EVENT "RS LOOKUP      " time :        112  micro sec
EVENT "EC LOOKUP      " time :         59  micro sec
EVENT "Post Dime      " time :       2315  micro sec
EVENT "ACL overhd     " time :        768  micro sec
EVENT "ACL ATTR       " time :        765  micro sec
EVENT "Ber Flush      " time :        235  micro sec
EVENT "Ber flush      " time :        229  micro sec
EVENT "Ber flush      " time :        204  micro sec
TOTAL "Operation      " time :       3263  micro sec

TOTAL "Worker         " time :       3332  micro sec

END
]]
[2013-04-01T14:53:43-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: myoidhost] [pid: 868] [tid: 7] ServerDispatcher  : TDP : SSL Freeing memory is at 11ce0650  0 bytes

...<etc,etc>...

[2013-04-01T14:53:43-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: myoidhost] [pid: 868] [tid: 7] ServerDispatcher  : TDP : SSL Freeing memory is at 59db770  0 bytes

[2013-04-01T14:53:43-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: myoidhost] [pid: 868] [tid: 7] ServerDispatcher  : INFO : Reading BER element failed.Closing connid=426, ipadd=<EUS DB host IP Address>

...<snip>...

 

Already tried and verified: Document 947285.1, Document 1528174.1, Document 1076432.1.


OID schema and objects with objectclass=orclpwdverifierprofile outputs are the same as in another working OID system.

Observed that, while the above failing trace shows only one operational attribute in the stack above:

2013-04-01T14:53:32 * gslesabAddToBer: Added orclguid to the Ber

Comparing to a working OID env, a debugged log there for the same operation shows all the requested operational attributes being included:

2013-04-01T14:53:32 * gslesabAddToBer: Added authpassword;oid to the Ber
2013-04-01T14:53:32 * gslesabAddToBer: Added authpassword;orclcommonpwd to the Ber
2013-04-01T14:53:32 * gslesabAddToBer: Added orclpassword to the Ber
2013-04-01T14:53:32 * gslesabAddToBer: Added orclguid to he Ber

And they are also returned on the working OID env from an equivalent command line ldapsearch, eg:

But the same search returns only the dn and the orclguid from the nonworking OID.

Changes

 

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms