
OVD Authentication Error For Users with the Same Userid from Multiple Adapters: Error while trying to bind to adapter <AD_ADAPTER>: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data (Doc ID 1983419.1)

Last updated on DECEMBER 03, 2019

Applies to:

Oracle Virtual Directory - Version 10.1.4 to 11.1.1.0
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD), e.g., 11g 11.1.1.7.0.

A portal used by internal employees and external users relies on OVD for authentication and authorization.

Internal employees and external users are kept in different Microsoft (MS) Active Directory (AD) organizational units, which is why they are on separate Active Directory servers.

Roles and groups for Internal Employees and external Users are stored in Oracle IDM.

To handle this scenario, multiple adapters were built for each population: LDAP adapters, two database (DB) adapters, and a join adapter that joins the LDAP and DB adapters. These adapters are then proxied through the Proxy and CoordinatorAdapter plugins.


The only problem with this configuration concerns users who have the same login name in both the internal employees' and the external users' Active Directory: OVD cannot authenticate both of them with their own passwords. Only the user in one of the two ADs can be authenticated; the user with the same login name in the other AD cannot.

For example, user "<USERNAME>" in the internal employees' AD can log in with its own password, but user "<USERNAME>" in the external users' AD cannot, because OVD cannot retrieve that user's data. Since <USERNAME> is a common username, it occurs not only in the internal employees' AD but also in the external users' AD.

In brief: the <USERNAME> that exists in the internal employees' AD can log in, while the <USERNAME> that exists in the external users' AD cannot.

The diagnostic.log shows:


[2015-02-11T11:05:07.531+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.chain.plugins.coordinator.CoordinatorAdapter] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Binding with DN: CN=<USERNAME>,OU=<OU2>,OU=<OU1>,ou=people,dc=<COMPANY>,dc=com against adapter: <JOIN_ADAPTER_NAME>
[2015-02-11T11:05:07.532+02:00] [octetstring] [TRACE] [OVD-00008] [com.octetstring.vde.router.RoutingHandler] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Bind: Selected (Adapter#<AD_ADAPTER> [Priority : 50]) backend for: ou=people,dc=<SUB_DOMAIN>,dc=<DOMAIN>
[2015-02-11T11:05:07.533+02:00] [octetstring] [TRACE:32] [] [com.octetstring.vde.router.RoutingRule] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: dump] Rule[<AD_ADAPTER>] checking binding for adapter#<AD_ADAPTER>
[2015-02-11T11:05:07.534+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.router.RoutingRule][tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Rule[<AD_ADAPTER>] dn: CN=<USERNAME>,OU=<OU2>,OU=<OU1>,ou=people,dc=<SUB_DOMAIN>,dc=<DOMAIN> MAPPED TO: CN=<USERNAME>,OU=<OU2>,OU=<OU1>,OU=<OU4>,OU=<OU3>,DC=<DOMAIN>,DC=com
[2015-02-11T11:05:07.549+02:00] [octetstring] [TRACE] [OVD-20120] [com.octetstring.vde.backend.jndi.<AD_ADAPTER>.JNDIConnectionPool] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Expiring pool connection: Handle-4.
[2015-02-11T11:05:07.549+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.backend.jndi.OvdJndiSocket] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Closing Socket: /<IP_ADDRESS>:<PORT>
[2015-02-11T11:05:07.552+02:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.<JOIN_ADAPTER_NAME>.JoinViewAdapter] [tid: xx] [ecid: <ECID>] [SRC_CLASS: com.octetstring.vde.util.VDELogger] [SRC_METHOD: debug] Adapter [#<JOIN_ADAPTER_NAME>] : Error while trying to bind to adapter <AD_ADAPTER>: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]. [[
com.octetstring.vde.util.DirectoryException: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
at com.octetstring.vde.backend.jndi.BackendJNDI.getLDAPContext(BackendJNDI.java:1060)
at com.octetstring.vde.backend.jndi.BackendJNDI.getConnection(BackendJNDI.java:952)
at com.octetstring.vde.backend.jndi.ConnectionHandle.getHolder(ConnectionHandle.java:425)
...<snip>...
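As an added example, not part of the Oracle note, the following Python script pulls the security-relevant fields out of diagnostic.log lines in the format shown above: which backend the router selected for the bind, the DN that was bound, and the sub-code after "data" in the error 49 message, which Active Directory uses to distinguish a wrong password (52e) from, for instance, a disabled or locked account. The sample log lines, ECIDs (e1, e2, e3) and adapter names (AD_Internal, JoinInternal) are constructed to match the excerpt's layout and are not real output; the sub-code table is the one Microsoft documents for AcceptSecurityContext failures.

```python
import re
from collections import defaultdict

# Sub-codes Active Directory returns after "data" in an error 49 /
# AcceptSecurityContext bind failure. OVD passes the backend's message through.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (password did not match the entry the backend bound)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ECID_RE = re.compile(r"\[ecid: (?P<ecid>[^\]]+)\]")
BIND_RE = re.compile(r"Binding with DN: (?P<dn>.+?) against adapter: (?P<adapter>\S+)")
ROUTE_RE = re.compile(r"Bind: Selected \(Adapter#(?P<adapter>\S+) \[Priority : (?P<prio>\d+)\]\)")
FAIL_RE = re.compile(
    r"Error while trying to bind to adapter (?P<adapter>\S+): LDAP Error 49 .*?"
    r"AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)

# Constructed sample modelled on the diagnostic.log excerpt (shortened fields,
# made-up ECIDs and adapter names). e1: a bind routed with no error;
# e2: the duplicate login, routed to the internal AD and rejected with 52e;
# e3: a different AD sub-code for comparison.
SAMPLE_LOG = """\
[2015-02-11T11:05:07.531+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.chain.plugins.coordinator.CoordinatorAdapter] [tid: 1] [ecid: e1] Binding with DN: CN=jsmith,OU=Staff,ou=people,dc=example,dc=com against adapter: JoinInternal
[2015-02-11T11:05:07.532+02:00] [octetstring] [TRACE] [OVD-00008] [com.octetstring.vde.router.RoutingHandler] [tid: 1] [ecid: e1] Bind: Selected (Adapter#AD_Internal [Priority : 50]) backend for: ou=people,dc=example,dc=com
[2015-02-11T11:06:12.101+02:00] [octetstring] [TRACE] [] [com.octetstring.vde.chain.plugins.coordinator.CoordinatorAdapter] [tid: 2] [ecid: e2] Binding with DN: CN=jsmith,OU=Staff,ou=people,dc=example,dc=com against adapter: JoinInternal
[2015-02-11T11:06:12.102+02:00] [octetstring] [TRACE] [OVD-00008] [com.octetstring.vde.router.RoutingHandler] [tid: 2] [ecid: e2] Bind: Selected (Adapter#AD_Internal [Priority : 50]) backend for: ou=people,dc=example,dc=com
[2015-02-11T11:06:12.140+02:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.JoinInternal.JoinViewAdapter] [tid: 2] [ecid: e2] Adapter [#JoinInternal] : Error while trying to bind to adapter AD_Internal: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]. [[
[2015-02-11T11:07:40.005+02:00] [octetstring] [TRACE] [OVD-00617] [com.octetstring.vde.join.JoinInternal.JoinViewAdapter] [tid: 3] [ecid: e3] Adapter [#JoinInternal] : Error while trying to bind to adapter AD_Internal: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1 ]. [[
"""


def triage(log_text):
    """Group bind-related lines by ECID and decode any AD error 49 sub-code."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        ecid = ECID_RE.search(line)
        if not ecid:
            continue
        rec = sessions[ecid.group("ecid")]
        if m := BIND_RE.search(line):
            rec["bind_dn"] = m.group("dn")
            rec["front_adapter"] = m.group("adapter")
        elif m := ROUTE_RE.search(line):
            rec["backend"] = m.group("adapter")
            rec["priority"] = int(m.group("prio"))
        elif m := FAIL_RE.search(line):
            code = m.group("data").lower()
            rec["failed_adapter"] = m.group("adapter")
            rec["ad_data"] = code
            rec["meaning"] = AD_BIND_DATA.get(code, "unknown AD sub-code")
    return dict(sessions)


def suspect_duplicate_logins(sessions):
    """ECIDs where the router picked one backend and that same backend answered 52e.

    52e means the password was checked only against the entry in the selected
    backend; with one login name present in two ADs, this is how the other
    AD's user fails even with the correct password.
    """
    return sorted(
        ecid for ecid, rec in sessions.items()
        if rec.get("ad_data") == "52e" and rec.get("backend") == rec.get("failed_adapter")
    )


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ecid, rec in found.items():
        print(ecid, rec)
    print("possible duplicate-login victims:", suspect_duplicate_logins(found))
```

Run it against a real diagnostic.log at TRACE level and look first at the sub-code: a 52e from the backend the router chose is consistent with the duplicate-login symptom, whereas 533, 775 or 773 point at the account state in that AD rather than at OVD routing.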



Switching the Coordinator plugin "SearchOption" from "SearchFirstMatch" to "SearchAllCandidates" and then restarting the OVD server was tried. After that, not only the user "<USERNAME>" in the internal employees' Active Directory but also the user with the same sAMAccountName in the external users' Active Directory was returned by OVD. However, the groups joined in from the database adapters look the same for both users, even though the database adapters return different groups for them.
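To make the effect of the two SearchOption values concrete, here is an added Python model (not OVD's code, and not the note's Cause or Solution) of how a coordinator picks candidate backends for a bind. It assumes a toy AdBackend class standing in for one LDAP adapter per Active Directory, and constructed data in which the login "jsmith" exists in both directories with different passwords; adapter names, DNs and passwords are invented for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


class BindError(Exception):
    """Backend rejected the simple bind; `data` mimics the AD sub-code."""

    def __init__(self, adapter, data):
        super().__init__(f"{adapter}: LDAP error 49, data {data}")
        self.adapter, self.data = adapter, data


class AdBackend:
    """Toy stand-in for one LDAP adapter in front of one Active Directory.

    `users` maps sAMAccountName -> (dn, password). Constructed data only.
    """

    def __init__(self, name, users):
        self.name, self.users = name, users

    def find(self, login):
        entry = self.users.get(login)
        return entry[0] if entry else None

    def bind(self, dn, password):
        for user_dn, user_pw in self.users.values():
            if user_dn == dn:
                if user_pw == password:
                    return True
                raise BindError(self.name, "52e")   # wrong password for this DN
        raise BindError(self.name, "525")           # no such DN in this backend


@dataclass
class BindResult:
    backend: Optional[str]
    dn: Optional[str]
    errors: list = field(default_factory=list)   # (adapter, ad sub-code) per rejected attempt

    @property
    def ok(self):
        return self.backend is not None


def authenticate(backends, login, password, search_option):
    """Model of the coordinator's candidate selection for a bind.

    SearchFirstMatch: stop at the first backend holding `login` and bind only
    there. SearchAllCandidates: collect every backend holding `login` and try
    each in order until one accepts the password.
    """
    candidates = []
    for backend in backends:
        dn = backend.find(login)
        if dn is not None:
            candidates.append((backend, dn))
            if search_option == "SearchFirstMatch":
                break

    result = BindResult(None, None)
    for backend, dn in candidates:
        try:
            backend.bind(dn, password)
            return BindResult(backend.name, dn, result.errors)
        except BindError as err:
            result.errors.append((err.adapter, err.data))
    return result


# Constructed directories: the same login name in both ADs with different
# passwords, as in the symptom above.
BACKENDS = [
    AdBackend("AD_Internal", {"jsmith": ("CN=jsmith,OU=Staff,DC=corp,DC=example", "internal-pw")}),
    AdBackend("AD_External", {"jsmith": ("CN=jsmith,OU=Partners,DC=ext,DC=example", "external-pw")}),
]

if __name__ == "__main__":
    for option in ("SearchFirstMatch", "SearchAllCandidates"):
        for pw in ("internal-pw", "external-pw"):
            print(option, pw, authenticate(BACKENDS, "jsmith", pw, option))
```

With SearchFirstMatch only the internal user's password ever reaches a backend, and the external user gets the 52e seen in the log above. With SearchAllCandidates the external user succeeds, but the errors list on that result shows the price: the external user's password was first tried against the internal AD entry of the same name, which is a failed logon against an account the user does not own. In a deployment this is worth checking against AD lockout thresholds, and it is also why the groups a join adapter attaches have to be keyed to the backend that actually authenticated the user rather than to the login name alone.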


Cause
