OID 11g: Microsoft Active Directory (MSAD) Password Filter Stops Working on a Single Domain Controller (DC) Only. OIDMain Log Error: Password updation failed in child process (Doc ID 2111745.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.

Symptoms

Oracle Internet Directory (OID) 11g with Oracle Password Filter (OPF or PF) for Microsoft (MS) Active Directory (AD).

One of many MS Domain Controllers (DCs) suddenly stopped synchronizing the users' passwords to OID via the Oracle Password Filter.

The ldapbindssl.exe test continues to work from the DC to OID.

At first, no Password Filter log errors were generated. After uninstalling and reinstalling the Password Filter, the <date>OIDMain.log started to show:

...<snip>....
AD search for a user objectGUID is successfull

Adding a new node to datastore
Inside sgslutilconcatData
Entire dn is ==>
cn=myuser,OU=orclpwf<DC IP address>,OU=orclpwfcorp.internal.mycompany.com,DC=corp,DC=internal,DC=mycompany,DC=com
0:417 7 myuser298 400 AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA9/qNvSh+FEi6xF3cdFIY9wAAAAAmAAAAUABhAHMAcwB3AG8AcgBkACAARQBuAGMAcgBwAHQAaQBvAG4AAAAQZgAAAAEAACAAAAA/UVTqzpNZAIS8VDnKYGyG+rieXRz026YC4/+f9rzIMwAAAAAOgAAAAAIAACAAAAClXls+X/r4OIooyQEozfsevV4jSnZVhatd/F3AoeJHFjAAAACvPaCw2XfQToPDNLXNa+CCYVuOoHtJ7jDUXJaYnyAyWa0EtvJ+6xE7AghKDG2il3xAAAAA2Jarn14Lr8J8buwh1PSKC5mEeDDrR1NN78OpkiSYvr4JxipvHID8K2Yt+Vmf/7/dcCHrqaOTcIrGQ4D16VlE7Q==
--------------------------

Adding a Node Now
Inside sgslcodsaddEPWRecord without Seq Attribute
description
Encrypted record added to datastore successfully
Operation add completed
Inside sgsladac destructor
Inside sgslodac destructor
Inside sgsladac destructor
Password updation failed in child process
Inside sgsladds::sgslperreadData
Only dataattribute
Inside sgsladdsSearchUser
Firing Search Request

AD search for a user objectGUID is successfull

Count success
...<snip>...

Tried, to no avail:

- Reconfigured the Password Filter
- Reinstalled the Password Filter
- Tested the connection from the domain controller using ldapbindssl.exe, successfully.
- Checked that SSL is enabled on the Windows DC server.

 

After setting OID debug logging to a low level, the following error appears in the OID log:

BEGIN
ConnID:718431 mesgID:13744 OpID:1 OpName:search ConnIP:::ffff:<DC IP address> ConnDN:cn=svc_oid_ad_dip_sync,cn=users,dc=corp,dc=internal,dc=mycompany,dc=com
INFO :gslfseADoSearch BASE = cn=<DC IP address>,cn=corp.internal.mycompany.com,cn=PWSync,cn=Products,cn=OracleContext FILTER = (&(objectclass=oidconfig)(cn=*)) #REQDATTR = 0 SCOPE = 2 REQDATTRS =
TIMELIMIT = 3600 SIZELIMIT = 0 DEREF = 0
2016-01-06T16:25:44 * INFO:gsleswrASndResult OPtime=5614 micro sec RESULT=32 tag=101 nentries=0
END

This indicates that the connection to OID was successful, but the search could not find the OIDConfig object because it does not exist (RESULT=32, the LDAP result code for noSuchObject).
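
One way to scan an OID debug log for this condition, as an added example that is not part of the original document: it reads BEGIN/END operation blocks in the layout shown above and reports searches under cn=PWSync that returned RESULT=32. The sample log is constructed, including the 192.0.2.x addresses (standing in for <DC IP address>) and the second, successful block.

```python
import re

# Constructed sample in the layout of the excerpt above (192.0.2.x are documentation addresses).
SAMPLE_LOG = """\
BEGIN
ConnID:718431 mesgID:13744 OpID:1 OpName:search ConnIP:::ffff:192.0.2.10 ConnDN:cn=svc_oid_ad_dip_sync,cn=users,dc=corp,dc=internal,dc=mycompany,dc=com
INFO :gslfseADoSearch BASE = cn=192.0.2.10,cn=corp.internal.mycompany.com,cn=PWSync,cn=Products,cn=OracleContext FILTER = (&(objectclass=oidconfig)(cn=*)) #REQDATTR = 0 SCOPE = 2 REQDATTRS =
TIMELIMIT = 3600 SIZELIMIT = 0 DEREF = 0
2016-01-06T16:25:44 * INFO:gsleswrASndResult OPtime=5614 micro sec RESULT=32 tag=101 nentries=0
END
BEGIN
ConnID:718432 mesgID:13745 OpID:1 OpName:search ConnIP:::ffff:192.0.2.11 ConnDN:cn=svc_oid_ad_dip_sync,cn=users,dc=corp,dc=internal,dc=mycompany,dc=com
INFO :gslfseADoSearch BASE = cn=192.0.2.11,cn=corp.internal.mycompany.com,cn=PWSync,cn=Products,cn=OracleContext FILTER = (&(objectclass=oidconfig)(cn=*)) #REQDATTR = 0 SCOPE = 2 REQDATTRS =
TIMELIMIT = 3600 SIZELIMIT = 0 DEREF = 0
2016-01-06T16:25:45 * INFO:gsleswrASndResult OPtime=4102 micro sec RESULT=0 tag=101 nentries=1
END
"""

BLOCK = re.compile(r"^BEGIN\n(.*?)^END$", re.S | re.M)  # one logged operation
FIELDS = {
    "op": re.compile(r"OpName:(\S+)"),
    "client": re.compile(r"ConnIP:(\S+)"),
    "base": re.compile(r"BASE = (.*?) FILTER = "),
    "time": re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) ", re.M),
    "result": re.compile(r"RESULT=(\d+)"),
}

def missing_pwsync_entries(log_text):
    """Return one dict per search under cn=PWSync that ended with RESULT=32."""
    hits = []
    for block in BLOCK.finditer(log_text):
        rec = {}
        for name, rx in FIELDS.items():
            m = rx.search(block.group(1))
            rec[name] = m.group(1) if m else None
        # RESULT=32 on a search means the base entry itself was not found.
        if (rec["op"] == "search" and rec["result"] == "32"
                and rec["base"] and "cn=pwsync," in rec["base"].lower()):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in missing_pwsync_entries(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} base not found: {hit["base"]}')
```

Each hit names the client address and the search base that OID could not find, which identifies the DC whose configuration entry is missing.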

Using the entry from another, working DC as an example, and with reference to Document 1368738.1, the missing entry was manually added to OID with an LDIF file:

After that, the Password Filter logs no longer showed the earlier error (i.e., no further occurrence of "Password updation failed in child process"); however, the passwords still did not get synchronized to OID.

Cause
