LDAP Search Fails in OVD with "LDAP: error code 48 - Server is Configured to Deny Anonymous Binds" After Disabling Anonymous Bind in OID (Doc ID 1610852.1)

Last updated on SEPTEMBER 05, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.0 and later
Information in this document applies to any platform.
For Example:

Failed Case:

ldapsearch -h mybox.example.com -p 6501 -D "cn=ovdadmin" -w xxxxxxx -b "dc=example,dc=com" -s sub uid=john@example.com -

ldap_search: Inappropriate authentication
ldap_search: additional info: LDAP Error 48 : [LDAP: error code 48 - Server is Configured to Deny Anonymous Binds]


Success Case:

ldapsearch -h mybox.example.com -p 6501 -D "cn=ovdadmin" -w xxxxxx -b "ou=people,dc=example,dc=com" -s sub uid=john@example.com
uid=john@example.com,ou=users,ou=people,dc=exa,dc=com
mail=john@example.com
createdby=wsadmin@example.com
usertype=0
userstatus=1
orclnormdn=uid=john@example.com,ou=users,ou=people,dc=example,dc=com

Symptoms

After disabling anonymous bind in Oracle Internet Directory (OID), an ldapsearch against Oracle Virtual Directory (OVD) fails with the following error message:

ldap_search: Inappropriate authentication

ldap_search: additional info: LDAP Error 48 : [LDAP: error code 48 - Server is Configured to Deny Anonymous Binds]

OVD and OID are integrated through an LDAP Adapter.

From Diagnostic Log

:

[2013-11-19T21:15:20.854-08:00] [octetstring] [WARNING] [OVD-40066] [com.octetstring.vde.backend.jndi.AD_TestAccts.ConnectionHandle] [tid: 22] [ecid: ] [arg: testbox.example.com:3268] [arg: javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]; remaining name 'OU=TestAccounts,OU=Corp,OU=Common,DC=example,DC=com'] Remote Server Failure:testbox.example.com:3268.

[2013-11-19T21:15:20.964-08:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 22] [ecid: ] !SEARCH Results: (Transaction#AD_TestAccts.Dump After.1) 1 sets returned.!

[2013-11-19T21:15:20.965-08:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 22] [ecid: ] !SEARCH Results: (Transaction#AD_TestAccts.Dump Before.1) 1 sets returned.!

[2013-11-19T21:15:20.974-08:00] [octetstring] [WARNING] [OVD-40066] [com.octetstring.vde.backend.jndi.AdaptersName.ConnectionHandle] [tid: 22] [ecid: ] [arg: mybox:389] [arg: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Server is Configured to Deny Anonymous Binds]; remaining name 'ou=engineering,ou=employees,dc=example,dc=com'] Remote Server Failure:mybox:389.

[2013-11-19T21:17:01.785-08:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 23] [ecid: ] !SEARCH Operation: (Transaction#AD_Users.Dump Before.2)[[ BindDN: cn=ovdadmin Base: dc=example,dc=com Scope: 2 Filter: (&(objectclass=inetorgperson)(&(uid=john@example.com)(obUserAccountControl=ACTIVATED))) TypesOnly: FALSE Attrs: [cn]! ]]

:

:
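To see which adapter is being refused, the OVD-40066 warnings can be filtered for LDAP error 48, which separates the anonymous-bind denial from unrelated backend failures such as the connection reset above. This is an added example, not part of the original Oracle note; the function names are hypothetical, and it assumes the adapter name is the logger-name segment before ".ConnectionHandle", as in the entries shown above.

```python
import re

# Sample input: three entries copied from the diagnostic log above.
SAMPLE_LOG = """\
[2013-11-19T21:15:20.854-08:00] [octetstring] [WARNING] [OVD-40066] [com.octetstring.vde.backend.jndi.AD_TestAccts.ConnectionHandle] [tid: 22] [ecid: ] [arg: testbox.example.com:3268] [arg: javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]; remaining name 'OU=TestAccounts,OU=Corp,OU=Common,DC=example,DC=com'] Remote Server Failure:testbox.example.com:3268.
[2013-11-19T21:15:20.964-08:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 22] [ecid: ] !SEARCH Results: (Transaction#AD_TestAccts.Dump After.1) 1 sets returned.!
[2013-11-19T21:15:20.974-08:00] [octetstring] [WARNING] [OVD-40066] [com.octetstring.vde.backend.jndi.AdaptersName.ConnectionHandle] [tid: 22] [ecid: ] [arg: mybox:389] [arg: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Server is Configured to Deny Anonymous Binds]; remaining name 'ou=engineering,ou=employees,dc=example,dc=com'] Remote Server Failure:mybox:389.
"""

# Assumption drawn from the entries above: the adapter name is the logger-name
# segment between "backend.jndi." and ".ConnectionHandle".
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[octetstring\] \[WARNING\] \[OVD-40066\] "
    r"\[com\.octetstring\.vde\.backend\.jndi\.(?P<adapter>[^\]]+)\.ConnectionHandle\]"
    r".*?\[arg: (?P<remote>[^\]\s]+)\] "
    r"\[arg: (?P<exc>[\w.]+): .*?remaining name '(?P<base>[^']*)'"
)
LDAP_CODE = re.compile(r"\[LDAP: error code (\d+) - ")


def backend_failures(log_text):
    """Parse every OVD-40066 'Remote Server Failure' warning into a dict."""
    failures = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            continue  # not a backend failure entry (e.g. DumpTransactions output)
        code = LDAP_CODE.search(line)
        failures.append({
            "time": m["ts"],
            "adapter": m["adapter"],
            "remote": m["remote"],
            "exception": m["exc"].rsplit(".", 1)[-1],
            "base": m["base"],
            "ldap_code": int(code.group(1)) if code else None,
        })
    return failures


def adapters_denying_anonymous(log_text):
    """Names of adapters whose backend answered with LDAP error 48."""
    return sorted({f["adapter"] for f in backend_failures(log_text)
                   if f["ldap_code"] == 48})


if __name__ == "__main__":
    for failure in backend_failures(SAMPLE_LOG):
        print(failure)
    print("Adapters refused for anonymous bind:", adapters_denying_anonymous(SAMPLE_LOG))
```
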

Changes

Use ODSM to modify the adapter configuration and add a Proxy Bind DN and password for the adapter that was added, for example the adapter "AdaptersName" configured for ou=engineering,ou=employees, dc=example,dc=com in adapters.os_xml.

For Example:
<adapters schvers="303" version="3">
  <ldap id="AdaptersName" version="2">
    <root>ou=engineering,ou=employees, dc=example,dc=com</root>
    <active>true or false</active>
    <routing>
      <critical>true or false </critical>
      <priority>some number</priority>
      <inclusionFilter/>
      <exclusionFilter/>
      <plugin/>
      <retrieve/>
      <store/>
      <visible>Yes or No</visible>
      <levels>-some number</levels>
      <bind>true or false</bind>
      <bind-adapters/>
      <views/>
      <dnpattern/>
    </routing>
    <pluginChains>
      <plugins>
        <plugin>
          <name>XXX</name>
          <class>
          com.octetstring.vde.chain.plugins.changelog.ChangelogPlugin
          </class>
          <initParams>
            <param name="...."/>
            <param name="...."/>
          </initParams>
        </plugin>
        :
    <hosts>
    ...
    </hosts>
    <remoteBase/>
    <secure>false or true</secure>
    <failover>false or true</failover>
    <passCredentials>Always</passCredentials>
    <binddn>
    cn=oimadmin,cn=users,cn=oim,cn=...,cn=...... <======= Add Proxy Bind DN here
    </binddn>
    <bindpass>
    {AES-CBC}khgIKaj8ZVQKiwBWit2sTCm/AePk5e39DAxvlP1wVWM= <======== Add Proxy password here
    </bindpass>
    <dnAttributeList>
      <attribute>
      ...
    </dnAttributeList>
    ...
    <pingbinddn/>
    <pingbindpass/>
    <kerberosRetry>false or true</kerberosRetry>
  </ldap>

Cause
