OID 11g EUS DB Login Fails with ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
(Doc ID 1546173.1)
Last updated on JANUARY 11, 2024
Applies to:
Oracle Internet Directory - Version 11.1.1.2.0 and laterInformation in this document applies to any platform.
Symptoms
New Oracle Internet Directory (OID) 11g install, e.g., 11.1.1.6.0 with all default settings, configured for EUS with, e.g., DB 10.2.0.5.0. No firewalls or load balancers involved.
Only configured the global schema, granted the connect and did the mapping of the user's OID tree. No roles or anything else configured.
EUS login fails with:
Also, in Enterprise Manager (EM)/EUS/Realm Administration, it shows 'Generate Oracle Password Verifiers' as disabled.
No RDBMS trace errors are logged, for example:
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1
System name: AIX
Node name: <DB HOSTNAME>
Release: 1
Version: 6
Machine: <MACHINE NAME>
Instance name: <INSTANCE NAME>
Redo thread mounted by this instance: 1
Oracle process number: 22
Unix process pid: 23789788, image: oracle@<DB TNS_ALIAS> (TNS V1-V3)
*** ACTION NAME:() 2013-04-01 14:53:30.964
*** MODULE NAME:(sqlplus@<DB TNS_ALIAS> (TNS V1-V3)) 2013-04-01 14:53:30.964
*** SERVICE NAME:(SYS$USERS) 2013-04-01 14:53:30.964
*** SESSION ID:(136.61274) 2013-04-01 14:53:30.964
kzld found pwd in wallet
KZLD_ERR: 0
kzld_search -s sub -b cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=<COMPANY>, dc=com
search filter: (&(objectclass=orcldbenterprisedomain_82)(uniqueMember=cn=<DB NAME>,cn=OracleContext,dc=<COMPANY>, dc=com))
KZLD_ERR: 0
kzldsp found policy ALL
kzld_search -s base -b cn=Common,cn=Products,cn=OracleContext,dc=<COMPANY>, dc=com
search filter: objectclass=*
KZLD_ERR: 0
kzld found uid for orclCommonNicknameAttribute
kzldsearch_ext -s sub -b cn=users, dc=<COMPANY>,dc=com
search filter: uid=<USER UID>
number of entries: 1
KZLD_ERR: 0
KZLD_ERR: Got Refresh Account control
kzld found user entry: cn=<USERNAME>,cn=Users,dc=<COMPANY>,dc=com
*** 2013-04-01 14:53:41.316
KZLD is doing LDAP unbind
No OID stack or other logs generated.
OID highest level debug server log shows no errors other than the following towards the end of the stack, after what looks to be a successful search, for example:
...<snip>...
[2013-04-01T14:53:32-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <OID HOSTNAME>] [pid: 868] [tid: 10] [ecid: <ECID>] ServerWorker (REG):[[
BEGIN
ConnID:426 mesgID:5 OpID:3 OpName:search ConnIP:<IP address> ConnDN:cn=<USER>,cn=oraclecontext,dc=<COMPANY>,dc=com
gslaudeaAttributesEvaluation:Operation id:(3) Visiting ACP at: (dc=<COMPANY>,dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Accees denied by ACP: (dc=<COMPANY>,dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) User being a Privileged group member, Evaluation continues
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Visiting ACP at: (dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Accees denied by ACP: (dc=com)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) User being a Privileged group member, Evaluation continues
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Visiting ACP at: (cn=root)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Accees denied by ACP: (cn=root)
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) User being a Privileged group member, Evaluation continues
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation: Operation id:(3) Enforcing Server Default Access Policy
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation:Operation id:(3) Attribute Access to entry (cn=<USER>,cn=Users,dc=<COMPANY>,dc=com) allowed
2013-04-01T14:53:32 * gslaudeaAttributesEvaluation: Operation id:(3) Exit
2013-04-01T14:53:32 * gslesabAddToBer: Added orclguid to the Ber
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 8ceda20 152 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 8ceda20 0 bytes
2013-04-01T14:53:32 * Entry sent as a search result.
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1f0 24 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 5aad1d0 16 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1d0 0 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 5aad1f0 0 bytes
2013-04-01T14:53:32 * TDP : SSL allocated memory is at 11db8b10 104 bytes
2013-04-01T14:53:32 * TDP : SSL Freeing memory is at 11db8b10 0 bytes
2013-04-01T14:53:32 * INFO:gsleswrASndResult OPtime=3257 micro sec RESULT=0 tag=101 nentries=1
2013-04-01T14:53:32 * Exit: gslsbsSearch()
2013-04-01T14:53:32 * Exit gslfseADoSearch
2013-04-01T14:53:32 *
BASE DN = cn=users,dc=<COMPANY>,dc=com
SCOPE = 2
FILTER = (uid=<USER UID>)
REQD ATTRS = dn authpassword orclpassword orclguid
EVENT "BER READ " time : 450 micro sec
EVENT "DIME OVRD " time : 2775 micro sec
EVENT "PRE DIME " time : 75 micro sec
EVENT "DB Fetch " time : 189 micro sec
EVENT "RS LOOKUP " time : 112 micro sec
EVENT "EC LOOKUP " time : 59 micro sec
EVENT "Post Dime " time : 2315 micro sec
EVENT "ACL overhd " time : 768 micro sec
EVENT "ACL ATTR " time : 765 micro sec
EVENT "Ber Flush " time : 235 micro sec
EVENT "Ber flush " time : 229 micro sec
EVENT "Ber flush " time : 204 micro sec
TOTAL "Operation " time : 3263 micro sec
TOTAL "Worker " time : 3332 micro sec
END
]]
[2013-04-01T14:53:43-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: 868] [tid: 7] ServerDispatcher : TDP : SSL Freeing memory is at 11ce0650 0 bytes
...<etc,etc>...
[2013-04-01T14:53:43-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: 868] [tid: 7] ServerDispatcher : TDP : SSL Freeing memory is at 59db770 0 bytes
[2013-04-01T14:53:43-04:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: 868] [tid: 7] ServerDispatcher : INFO : Reading BER element failed.Closing connid=426, ipadd=<EUS DB host IP Address>
...<snip>...
Already tried and verified: Document 947285.1, Document 1528174.1, Document 1076432.1.
OID schema and objects with objectclass=orclpwdverifierprofile outputs are the same as in another working OID system.
Observed that, while the above failing trace shows only one operational attribute in the stack above:
Comparing to a working OID env, a debugged log there for the same operation shows all the requested operational attributes being included:
2013-04-01T14:53:32 * gslesabAddToBer: Added authpassword;orclcommonpwd to the Ber
2013-04-01T14:53:32 * gslesabAddToBer: Added orclpassword to the Ber
2013-04-01T14:53:32 * gslesabAddToBer: Added orclguid to he Ber
And they are also returned on the working OID env from an equivalent command line ldapsearch, eg:
But in some cases, the same search returns only the dn and the orclguid from the nonworking OID.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Cause |
| Solution |
| References |