OVD Authentication Error For Users with the Same Userid from Multiple Adapters: Error while trying to bind to adapter ExternalAD: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data (Doc ID 1983419.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 10.1.4 to 11.1.1.0
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD), for example 11g release 11.1.1.7.0.

A portal is used by internal employees and external users, and it relies on OVD for authentication and authorization.

Internal employees and external users live in different Microsoft (MS) Active Directory (AD) organizational units, and for that reason on separate Active Directory servers.

Roles and groups for Internal Employees and external Users are stored in Oracle IDM.

To handle this scenario, multiple adapters were built for each population: LDAP adapters, two database (DB) adapters and a join adapter that joins the LDAP and DB adapters. Those adapters are then proxied by means of the Proxy and CoordinatorAdapter plugins.

The only problem with this configuration is that, for users who have the same login name in both the Internal Employees and the external Users Active Directory systems, the system cannot authenticate both users with their own passwords. Only the user in one AD can be authenticated; the user with the same login name in the other AD cannot.

For example, username "myuser.test" in the InternalEmployees AD system can log in with its own password, but user "myuser.test" in the external Users AD cannot log in because OVD cannot get the data.

Since myuser.test is a common username, it occurs not only in the InternalEmployee Active Directory but also in the externalUsers Active Directory.

In brief: myuser.test in the InternalEmployee Active Directory can log in to the system, whereas myuser.test in the externalUsers Active Directory cannot.

The diagnostic.log shows:

...<snip>...
[2015-02-11T11:05:07.528+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: log] !BIND Operation: (Transaction#OctetString.GlobalServiceInterface.myDumpTr.4)[[
BindDN: CN=myuser.test,OU=Sales,OU=Operations,ou=people,dc=mycompany,dc=com
Password: ************!
]]
[2015-02-11T11:05:07.529+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.view.ViewHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] OVD-00901
[2015-02-11T11:05:07.529+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Adapter#JoinLdapAndDatabase is not visible
[2015-02-11T11:05:07.529+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Adapter#externalActiveDirectory is not visible
[2015-02-11T11:05:07.530+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Adapter#DatabaseUsers2 is not visible
[2015-02-11T11:05:07.530+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Adapter#VodafoneexternalActiveDirectory is not visible
[2015-02-11T11:05:07.530+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Adapter#externalUsers is not visible
[2015-02-11T11:05:07.530+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Adapter#JoinexternalLdapAndDatabase is not visible
[2015-02-11T11:05:07.531+02:00] [octetstring] [TRACE] [OVD-00008] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Bind: Selected (Adapter#Proxy [Priority : 49]) backend for: ou=people,dc=mycompany,dc=com.
[2015-02-11T11:05:07.531+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.chain.plugins.coordinator.CoordinatorAdapter] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Binding with DN: CN=myuser.test,OU=Sales,OU=Operations,ou=people,dc=mycompany,dc=com against adapter: JoinLdapAndDatabase
[2015-02-11T11:05:07.532+02:00] [octetstring] [TRACE] [OVD-00008] [com.octetstring.vde.router.RoutingHandler] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Bind: Selected (Adapter#externalActiveDirectory [Priority : 50]) backend for: ou=people,dc=external,dc=internal.
[2015-02-11T11:05:07.533+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingRule] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Rule[externalActiveDirectory] checking binding for adapter#externalActiveDirectory
[2015-02-11T11:05:07.534+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.router.RoutingRule] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Rule[externalActiveDirectory] dn: CN=myuser.test,OU=Sales,OU=Operations,ou=people,dc=external,dc=internal MAPPED TO: CN=myuser.test,OU=Sales,OU=Operations,OU=Office,OU=List,DC=mydc,DC=local
[2015-02-11T11:05:07.549+02:00] [octetstring] [TRACE] [OVD-20120] [com.octetstring.vde.backend.jndi.externalActiveDirectory.JNDIConnectionPool] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Expiring pool connection: Handle-4.
[2015-02-11T11:05:07.549+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.backend.jndi.OvdJndiSocket] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Closing Socket: /<ip address>:389
[2015-02-11T11:05:07.552+02:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.JoinLdapAndDatabase.JoinViewAdapter] [tid: 22] [ecid: 0000Khrsbz7F^6U5u7H7iX1Kqlg200000B,0] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Adapter [#JoinLdapAndDatabase] : Error while trying to bind to adapter externalActiveDirectory: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]. [[
com.octetstring.vde.util.DirectoryException: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
at com.octetstring.vde.backend.jndi.BackendJNDI.getLDAPContext(BackendJNDI.java:1060)
at com.octetstring.vde.backend.jndi.BackendJNDI.getConnection(BackendJNDI.java:952)
at com.octetstring.vde.backend.jndi.ConnectionHandle.getHolder(ConnectionHandle.java:425)
...<snip>...
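To see at a glance which backend a bind was routed to and which adapter produced the error 49, the trace lines above can be correlated by ecid. The parser below is an added example, not part of this Oracle note or of OVD itself; it runs over a constructed excerpt that copies the layout of the lines above (class names and the ecid shortened), and the table of AD "data" sub-codes it carries lists the commonly documented AcceptSecurityContext values, of which 52e is the one in this log.

```python
import re
from collections import defaultdict

# Constructed diagnostic.log excerpt in the OVD trace layout shown above (class names and ecid shortened).
SAMPLE_LOG = """\
[2015-02-11T11:05:07.528+02:00] [octetstring] [TRACE:32] [] [c.o.v.c.p.DumpTransactions] [tid: 22] [ecid: ECID-A,0] [SRC_CLASS: VDELogger] [SRC_METHOD: log] !BIND Operation: (Transaction#1)[[
BindDN: CN=myuser.test,OU=Sales,OU=Operations,ou=people,dc=mycompany,dc=com
Password: ************!
]]
[2015-02-11T11:05:07.531+02:00] [octetstring] [TRACE] [OVD-00008] [c.o.v.router.RoutingHandler] [tid: 22] [ecid: ECID-A,0] [SRC_CLASS: VDELogger] [SRC_METHOD: debug] Bind: Selected (Adapter#Proxy [Priority : 49]) backend for: ou=people,dc=mycompany,dc=com.
[2015-02-11T11:05:07.531+02:00] [octetstring] [TRACE] [] [c.o.v.c.p.coordinator.CoordinatorAdapter] [tid: 22] [ecid: ECID-A,0] [SRC_CLASS: VDELogger] [SRC_METHOD: debug] Binding with DN: CN=myuser.test,OU=Sales,OU=Operations,ou=people,dc=mycompany,dc=com against adapter: JoinLdapAndDatabase
[2015-02-11T11:05:07.532+02:00] [octetstring] [TRACE] [OVD-00008] [c.o.v.router.RoutingHandler] [tid: 22] [ecid: ECID-A,0] [SRC_CLASS: VDELogger] [SRC_METHOD: debug] Bind: Selected (Adapter#externalActiveDirectory [Priority : 50]) backend for: ou=people,dc=external,dc=internal.
[2015-02-11T11:05:07.534+02:00] [octetstring] [TRACE] [] [c.o.v.router.RoutingRule] [tid: 22] [ecid: ECID-A,0] [SRC_CLASS: VDELogger] [SRC_METHOD: debug] Rule[externalActiveDirectory] dn: CN=myuser.test,OU=Sales,OU=Operations,ou=people,dc=external,dc=internal MAPPED TO: CN=myuser.test,OU=Sales,OU=Operations,OU=Office,OU=List,DC=mydc,DC=local
[2015-02-11T11:05:07.552+02:00] [octetstring] [TRACE] [OVD-00617] [c.o.v.join.JoinLdapAndDatabase.JoinViewAdapter] [tid: 22] [ecid: ECID-A,0] [SRC_CLASS: VDELogger] [SRC_METHOD: debug] Adapter [#JoinLdapAndDatabase] : Error while trying to bind to adapter externalActiveDirectory: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]. [[
"""
HEADER = re.compile(r"^\[[^\]]+\] \[[^\]]*\] \[[^\]]*\] \[(?P<code>[^\]]*)\] \[[^\]]*\] "
                    r"\[tid: \d+\] \[ecid: (?P<ecid>[^,\]]+)[^\]]*\] "
                    r"(?:\[SRC_[A-Z]+: [^\]]*\] ){2}(?P<msg>.*)$")
SELECTED = re.compile(r"Bind: Selected \(Adapter#(\S+) \[Priority : \d+\]\) backend for: (.*)\.$")
COORD = re.compile(r"Binding with DN: (.*) against adapter: (\S+)$")
MAPPED = re.compile(r"Rule\[(\S+)\] dn: (.*) MAPPED TO: (.*)$")
FAILED = re.compile(r"Error while trying to bind to adapter (\S+): LDAP Error (\d+) : \[.*?data (\w+),")
# Commonly documented AD AcceptSecurityContext sub-codes carried in the "data" field of error 49.
AD_DATA = {"525": "user not found", "52e": "invalid credentials", "530": "logon time restriction",
           "532": "password expired", "533": "account disabled", "773": "must reset password",
           "775": "account locked out"}

def trace_binds(log_text):
    """Group trace lines by ecid and rebuild the routing path of each BIND, ending at any failure."""
    binds = defaultdict(lambda: {"bind_dn": None, "route": [], "mapped_to": None, "failure": None})
    ecid = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:  # continuation line of a multi-line DumpTransactions record
            if ecid and line.startswith("BindDN: "):
                binds[ecid]["bind_dn"] = line[len("BindDN: "):]
            continue
        ecid, msg, rec = m["ecid"], m["msg"], binds[m["ecid"]]
        if s := SELECTED.search(msg):        # router picked a backend adapter for the bind base
            rec["route"].append(("router", s[1], s[2]))
        elif c := COORD.search(msg):         # CoordinatorAdapter forwarded the bind to a candidate
            rec["route"].append(("coordinator", c[2], c[1]))
        elif p := MAPPED.search(msg):        # routing rule rewrote the DN into the backend namespace
            rec["mapped_to"] = p[3]
        elif f := FAILED.search(msg):        # backend rejected the bind: adapter, LDAP result, AD sub-code
            rec["failure"] = {"adapter": f[1], "ldap_result": int(f[2]), "ad_data": f[3],
                              "meaning": AD_DATA.get(f[3], "unknown"), "ovd_code": m["code"]}
    return dict(binds)
```

Running trace_binds over a real diagnostic.log yields one record per ecid, so a bind that the Coordinator forwarded to the wrong AD shows up as a path ending in that adapter with data 52e even though the password is valid on the other AD.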



Switching the Coordinator plugin "SearchOption" from "SearchFirstMatch" to "SearchAllCandidates" and then restarting the OVD server was tried. After that, not only the user "myuser.test" in the InternalEmployees Active Directory but also the one with the same sAMAccountName in the externalUsers Active Directory was returned by OVD. However, the groups joined to them from the database adapters looked the same, even though the two database adapters return different groups.

 

Cause
