OAM with OVD 11g Login Fails: An incorrect Username or Password was specified | OVD Log: [LDAP: error code 53 - Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration] (Doc ID 1643192.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD) 11g 11.1.1.7.0 is integrated with Oracle Access Manager (OAM) 11gR2 11.1.2.2, with OVD as the Identity Store. The OVD identity store is a join of Oracle Unified Directory (OUD), as the primary and a bind adapter, and Active Directory (AD), as a bind adapter.

When logging in to a protected resource with a user that only has an OUD account, the login is successful.

However, when the user has an OUD account and a joined AD account (sAMAccountName=uid), the OAM login fails with:

An incorrect Username or Password was specified

The OVD diagnostic log shows:

[2014-03-28T09:24:57.234-07:00] [octetstring] [ERROR] [OVD-60143] [com.octetstring.vde.backend.jndi.OUD User Adapter.BackendJNDI] [tid: 29] [ecid: 0000KK9WYlTFw000jzwkno1JDQ2600000v,0]  [#OUD User Adapter]  Unable to create connection to ldap://[oudhost.mycompany.com]:1389 as cn=user1,cn=users,dc=mycompany,dc=com.[[
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration]

And:

[2014-03-28T09:24:57.186-07:00] [octetstring] [TRACE] [] [com.octetstring.vde.router.RoutingRule] [tid: 29] [ecid: 0000KK9WYlTFw000jzwkno1JDQ2600000v,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Rule[OUD User Adapter] dn: cn=user1,cn=users,dc=mycompany,dc=com MAPPED TO: cn=user1,cn=users,dc=mycompany,dc=com
[2014-03-28T09:24:57.219-07:00] [octetstring] [TRACE] [OVD-20120] [com.octetstring.vde.backend.jndi.OUD User Adapter.JNDIConnectionPool] [tid: 29] [ecid: 0000KK9WYlTFw000jzwkno1JDQ2600000v,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Expiring pool connection: Handle-4.
[2014-03-28T09:24:57.220-07:00] [octetstring] [TRACE] [] [com.octetstring.vde.backend.jndi.OvdJndiSocket] [tid: 29] [ecid: 0000KK9WYlTFw000jzwkno1JDQ2600000v,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Closing Socket: oudhost.mycompany.com/<IP address>:1389
[2014-03-28T09:24:57.221-07:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.IAM User Adapter.JoinViewAdapter] [tid: 29] [ecid: 0000KK9WYlTFw000jzwkno1JDQ2600000v,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Adapter [#IAM User Adapter] : Error while trying to bind to adapter OUD User Adapter: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]. [[


The user has two different passwords: one in OUD and another in AD. During this test, the AD password is used. A bind failure for OUD is therefore expected in the logs and, since OUD and AD are both "bind" adapters, OVD is expected to try a bind against AD after the bind against OUD fails. Instead, the bind against OUD fails and OVD does not try a bind against AD.

The OUD user adapter Pass Through (passCredentials) mode is set to Always. This scenario works when the OUD adapter is set to "BindOnly." However, pass through of "Always" is needed in order to make the OAM-OIM integration work.

In OVD, the only attributes joined on AD are memberOf, dn, sAMAccountName and userAccountControl.
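
For triage, logins showing this symptom can be located in an OVD diagnostic log by grouping records on ECID and flagging requests that carry both the backend's LDAP error code 53 and the join adapter's error code 49. The Python below is an added example, not Oracle code; its sample log is constructed from the entries quoted above (the ECIDs and the second request are made up), and it only identifies affected requests, it does not determine the cause.

```python
import re
from collections import defaultdict

# Constructed sample in the ODL layout of the entries quoted above; ECIDs are made up.
SAMPLE_LOG = """\
[2014-03-28T09:24:57.221-07:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.IAM User Adapter.JoinViewAdapter] [tid: 29] [ecid: ECID-CONSTRUCTED-1,0] Adapter [#IAM User Adapter] : Error while trying to bind to adapter OUD User Adapter: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]. [[
[2014-03-28T09:24:57.234-07:00] [octetstring] [ERROR] [OVD-60143] [com.octetstring.vde.backend.jndi.OUD User Adapter.BackendJNDI] [tid: 29] [ecid: ECID-CONSTRUCTED-1,0]  [#OUD User Adapter]  Unable to create connection to ldap://[oudhost.mycompany.com]:1389 as cn=user1,cn=users,dc=mycompany,dc=com.[[
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration]
[2014-03-28T09:31:02.100-07:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.IAM User Adapter.JoinViewAdapter] [tid: 31] [ecid: ECID-CONSTRUCTED-2,0] Adapter [#IAM User Adapter] : Error while trying to bind to adapter OUD User Adapter: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]. [[
"""

# [timestamp] [component] [level] [message id] [module] ...
HEADER = re.compile(r"^\[(\d{4}-\d\d-\d\dT[^\]]+)\] \[[^\]]*\] \[(\w+)\] \[([^\]]*)\] \[([^\]]*)\]")
ECID = re.compile(r"\[ecid: ([^,\]]+)")
LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
BIND_DN = re.compile(r" as (.+?)\.\[\[")

def parse_records(text):
    """Split a log into records, folding the detail lines that follow '[[' into their record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ecid = ECID.search(line)
            records.append({"ts": m.group(1), "level": m.group(2), "msgid": m.group(3),
                            "ecid": ecid.group(1) if ecid else None, "text": line})
        elif records and line.strip():
            records[-1]["text"] += "\n" + line  # exception text belongs to the previous header
    return records

def find_code53_bind_rejections(text):
    """Return requests whose records contain both error code 53 and error code 49."""
    by_ecid = defaultdict(lambda: {"codes": set(), "bind_dn": None})
    for rec in parse_records(text):
        entry = by_ecid[rec["ecid"]]  # group on ECID: timestamps are not in causal order
        entry["codes"].update(int(c) for c in LDAP_CODE.findall(rec["text"]))
        dn = BIND_DN.search(rec["text"])
        if dn and "error code 53" in rec["text"]:
            entry["bind_dn"] = dn.group(1)
    return [{"ecid": e, "bind_dn": v["bind_dn"]}
            for e, v in by_ecid.items() if {49, 53} <= v["codes"]]

if __name__ == "__main__":
    for hit in find_code53_bind_rejections(SAMPLE_LOG):
        print(hit["ecid"], hit["bind_dn"])
```

The second request in the sample has only error code 49 and is not reported, which separates an ordinary wrong-password login from the pattern in this document.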

Cause
