OAM with OVD 11g Login Fails: An incorrect Username or Password was specified | OVD Log: [LDAP: error code 53 - Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration]
(Doc ID 1643192.1)
Last updated on AUGUST 18, 2022
Applies to:
Oracle Virtual Directory - Version 11.1.1.0 and later
Information in this document applies to any platform.
Symptoms
Oracle Virtual Directory (OVD) 11g 11.1.1.7.0 is integrated with Oracle Access Manager (OAM) 11gR2 11.1.2.2, with OVD as the Identity Store. The OVD identity store is a join of Oracle Unified Directory (OUD), acting as the primary and bind adapter, and Active Directory (AD), acting as a bind adapter.
When logging in to a protected resource with a user that only has an OUD account, the login is successful.
However, when the user has an OUD account and a joined AD account (sAMAccountName=uid), the OAM login fails with "An incorrect Username or Password was specified".
The OVD diagnostic log shows:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration]
And:
[2014-03-28T09:24:57.219-07:00] [octetstring] [TRACE] [OVD-20120] [com.octetstring.vde.backend.jndi.<OUD_ADAPTER>.JNDIConnectionPool] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Expiring pool connection: Handle-4.
[2014-03-28T09:24:57.220-07:00] [octetstring] [TRACE] [] [com.octetstring.vde.backend.jndi.OvdJndiSocket] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Closing Socket: <OUD_HOSTNAME>:<PORT>
[2014-03-28T09:24:57.221-07:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join<JOIN_ADAPTER>JoinViewAdapter] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Adapter [#<JOIN_ADAPTER>] : Error while trying to bind to adapter <OUD_ADAPTER>: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]. [[
The user has two different passwords, one in OUD and another in AD. During this test the AD password is used. A bind failure against OUD is therefore expected in the logs, and since OUD and AD are both "bind" adapters, OVD would be expected to try a bind against AD after the bind against OUD failed. Instead, the bind against OUD fails and OVD does not try a bind against AD.
The OUD user adapter Pass Through (passCredentials) mode is set to Always. This scenario works when the OUD adapter is set to "BindOnly"; however, pass-through mode "Always" is needed in order to make the OAM-OIM integration work.
In OVD, the only attributes joined from AD are memberOf, dn, sAMAccountName and userAccountControl.
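As an added example, not part of this Oracle note, the following Python script parses OVD 11g diagnostic log lines in the layout shown above and groups them by ECID, so one OAM authentication request can be checked for the two signals described here: a join-adapter bind failure (error 49) against the OUD adapter with no bind error recorded against the AD adapter, and a backend rejecting a simple bind that carried a DN but no password (error 53). The sample log lines and the adapter names OUD_Adapter, AD_Adapter and User_Join are constructed placeholders.

```python
import re
from collections import namedtuple

# Constructed sample lines in the OVD 11g diagnostic log layout; adapter names are placeholders.
SAMPLE_LOG = """\
[2014-03-28T09:24:57.219-07:00] [octetstring] [TRACE] [OVD-20120] [com.octetstring.vde.backend.jndi.OUD_Adapter.JNDIConnectionPool] [tid: 12] [ecid: abc] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Expiring pool connection: Handle-4.
[2014-03-28T09:24:57.221-07:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.JoinViewAdapter] [tid: 12] [ecid: abc] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Adapter [#User_Join] : Error while trying to bind to adapter OUD_Adapter: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]. [[
[2014-03-28T09:24:57.230-07:00] [octetstring] [ERROR] [] [com.octetstring.vde.backend.jndi.BackendJNDI] [tid: 12] [ecid: abc] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration]
"""

# Header fields of an OVD diagnostic log line; the SRC_CLASS/SRC_METHOD pair is optional.
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<comp>[^\]]*)\] \[(?P<level>[^\]]*)\] \[(?P<msgid>[^\]]*)\] "
    r"\[(?P<cls>[^\]]*)\] \[tid: (?P<tid>[^\]]*)\] \[ecid: (?P<ecid>[^\]]*)\] "
    r"(?:\[SRC_CLASS: [^\]]*\] \[SRC_METHOD: [^\]]*\] )?(?P<msg>.*)$")
LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
JOIN_BIND = re.compile(r"Error while trying to bind to adapter (\S+?):")
Event = namedtuple("Event", "ts level msgid cls ecid msg ldap_code")

def parse(log_text):
    """Parse log lines into Events; lines that are not in the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            code = LDAP_CODE.search(m["msg"])
            events.append(Event(m["ts"], m["level"], m["msgid"], m["cls"], m["ecid"],
                                m["msg"], int(code.group(1)) if code else None))
    return events

def triage(events, bind_adapters):
    """Per ECID (one OAM authentication request): bind adapters that reported a join
    bind failure (error 49), adapters with no bind error recorded (the fall-through
    that never happened), and whether an empty-password bind was rejected (error 53)."""
    report = {}
    for e in events:
        r = report.setdefault(e.ecid, {"failed_bind_adapters": [],
                                       "adapters_without_bind_error": [],
                                       "empty_password_bind_rejected": False})
        if e.ldap_code == 53 and "bind DN but no password" in e.msg:
            r["empty_password_bind_rejected"] = True
        jb = JOIN_BIND.search(e.msg)
        if jb and e.ldap_code == 49:
            r["failed_bind_adapters"].append(jb.group(1))
    for r in report.values():
        r["adapters_without_bind_error"] = [a for a in bind_adapters
                                           if a not in r["failed_bind_adapters"]]
    return report
```

Running `triage(parse(SAMPLE_LOG), ["OUD_Adapter", "AD_Adapter"])` reports the OUD adapter as failed, the AD adapter as never having produced a bind error, and the empty-password rejection, which is the combination this note describes.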
Cause