OAM Through OVD 11g Authentication (AD Backend) Fails for Users with Foreign Characters in their Passwords: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials] (Doc ID 2061672.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Access Manager (OAM) connects to Oracle Virtual Directory (OVD) 11g, which in turn connects to a Microsoft (MS) Active Directory (AD) backend LDAP server.

Some of the users fail to authenticate.

OAM diagnostic log shows:

[2015-09-21T09:48:45.715+02:00] [oam_server2] [ERROR] [OAMSSA-20023] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 00583oSRdMjEoIK6yV2jMG0007tW000D1e,0:3] [APP: oam_server#11.1.2.0.0] [URI: /oam/server/auth_cred_submit] Authentication Failure for user : CN=myuser,OU=Users,DC=mycompany,DC=com, for idstore OVDIDStore with exception oracle.igf.ids.AuthenticationException: Authentication failed for user CN=myuser,OU=Users,DC=mycompany,DC=com. AdditionalInfo: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials] with primary error message {3}

With the Dump Transactions plugin enabled, the OVD log shows fewer asterisks for the password than the number of characters the user entered.

For example, a password of 20 characters may be represented in the OVD log by only 9 asterisks:

[2015-09-21T09:48:45.667+02:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 150] [ecid: 0000Kzis5rREoIK6yVEgMG1Lw^j20004oA,0] !BIND Operation: (Transaction#AD_Users.Dump After.736410)[[
BindDN: CN=myuser,OU=Users,DC=mycompany,DC=com
Password: **********!
]]
[2015-09-21T09:48:45.696+02:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 150] [ecid: 0000Kzis5rREoIK6yVEgMG1Lw^j20004oA,0] !BIND Results: (Transaction#AD_Users.Dump After.736410) FALSE![[
com.octetstring.vde.util.DirectoryException: LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1 ]

For users whose passwords work, by contrast, the OVD log shows exactly one asterisk per password character.
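The asterisk count in the Dump Transactions BIND record is the only observable the note gives for telling an intact password apart from a mangled one, so a triage script that compares it against what the user actually typed is a useful check. The following is an added example written for this note, not a tool shipped with OVD or OAM: the two log records are constructed samples in the shape of the output above, the trailing "!" after the asterisks is assumed to be a delimiter of the dump format rather than part of the password, and the passwords are invented test values.

```python
import re
from typing import Optional

# Constructed OVD Dump Transactions BIND record in the shape shown in the note:
# a 20-character password containing non-ASCII letters logged as only 9 asterisks.
SAMPLE_OVD_DUMP_FAIL = """\
[2015-09-21T09:48:45.667+02:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 150] !BIND Operation: (Transaction#AD_Users.Dump After.736410)[[
BindDN: CN=myuser,OU=Users,DC=mycompany,DC=com
Password: *********!
]]
"""

# Constructed record for a working 20-character ASCII password: 20 asterisks.
SAMPLE_OVD_DUMP_OK = """\
[2015-09-21T09:50:12.101+02:00] [octetstring] [NOTIFICATION] [] [com.octetstring.vde.chain.plugins.DumpTransactions.DumpTransactions] [tid: 151] !BIND Operation: (Transaction#AD_Users.Dump After.736411)[[
BindDN: CN=otheruser,OU=Users,DC=mycompany,DC=com
Password: ********************!
]]
"""

# The trailing "!" is assumed to be the dump plugin's field delimiter, as in
# "!BIND Operation" and "FALSE!", so it is not counted as a password character.
PASSWORD_LINE = re.compile(r"^Password:\s*(\*+)!?\s*$", re.MULTILINE)


def masked_length(dump: str) -> Optional[int]:
    """Number of asterisks OVD logged for the BIND password, or None if no Password line."""
    match = PASSWORD_LINE.search(dump)
    return len(match.group(1)) if match else None


def password_profile(password: str) -> dict:
    """Character count versus UTF-8 byte count; these diverge only for non-ASCII characters."""
    return {
        "chars": len(password),
        "utf8_bytes": len(password.encode("utf-8")),
        "non_ascii": sum(1 for c in password if ord(c) > 127),
    }


def check_bind_dump(dump: str, entered_password: str) -> dict:
    """Compare the password the user typed with what the OVD dump shows for the BIND.

    'intact' is True when OVD logged one asterisk per character entered. A shortfall
    on a password with non_ascii > 0 is the symptom described in the note.
    """
    logged = masked_length(dump)
    profile = password_profile(entered_password)
    return {
        **profile,
        "logged_asterisks": logged,
        "intact": logged is not None and logged == profile["chars"],
    }


if __name__ == "__main__":
    # Invented test passwords, both exactly 20 characters long.
    print(check_bind_dump(SAMPLE_OVD_DUMP_FAIL, "Pässwörd-Straße-2015"))
    print(check_bind_dump(SAMPLE_OVD_DUMP_OK, "Welcome2015Password1"))
```

Run it against a captured dump record and the password the affected user entered on a test account; an asterisk count lower than the character count, together with non_ascii greater than zero, confirms the pattern this note describes before the issue is escalated to Oracle Support.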


Cause
