
OUD 11g Proxy to AD/Tivoli (TDS) with EUS: Authentication Fails "ORA-01017: invalid username/password; logon denied" and Authorization to TDS Groups Fails with "ORA-00942: table or view does not exist" (Doc ID 2116290.1)

Last updated on SEPTEMBER 09, 2021

Applies to:

Oracle Unified Directory - Version 11.1.2.0.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Unified Directory (OUD) 11g (e.g. version 11.1.2.3.0), deployed as a Proxy with load balancing and integrated with Enterprise User Security (EUS).

Topology:

Oracle Database (DB)  <->  OUD Proxy (Authentication)  <->  Microsoft Active Directory (AD)
   ^
   |
 OUD Proxy (Authorization)
   |
   v
 Tivoli Directory Server (TDS)


There is only one OUD proxy instance, serving both authentication and authorization.

EUS with sqlplus is used for testing.


The proxy connects to AD to look up users and to TDS to fetch groups.

Users in TDS by default are identified by the UID attribute; in AD they are referenced by CN.


The access log on OUD shows the request:

[18/Feb/2016:16:48:02 -0200] SEARCH REQ conn=0 op=4 msgID=5 base="ou=employees,ou=users,ou=<ou>,o=<ou>,c=<country>" scope=sub filter="(uid=A123456)" attrs="dn,authPassword,orclPassword,orclguid"


In the naming context defined in the OUD proxy instance, the tree "ou=employees,ou=users,ou=<ou>,o=<ou>,c=<country>" exists, but the user key (the RDN attribute) is set to "CN".


Tried exchanging the DN

CN=Users, DC=<dc>, dc=<dc>, dc=com, dc=<country>

for

ou=employees, ou=users, ou=<ou>, o=<ou>, c=<country>

This worked, but the change of the RDN attribute from UID to CN apparently is not inherited by the naming context.


The users are showing up as:

CN=A123456, ou=employees, ou=users, ou=<ou>, o=<ou>, c=<country>

When the correct DN would be:

uid=A123456, ou=employees, ou=users, ou=<ou>, o=<ou>, c=<country>

Authentication then fails with the error:

ORA-01017: invalid username/password; logon denied


After following Document 1570893.1 (Active Directory As External Directory Not Working For EUS), authentication via the AD user succeeded (by changing the orclCommonNicknameAttribute attribute from its default value uid to cn).

But authorization against the Tivoli group hits a similar naming issue: members of the Tivoli group are identified by uid (for example uid=a123456), whereas AD identifies the user by cn (cn=A123456), so the user (cn=a123456) cannot be found in the Tivoli group and the query returns the error message:

If the proxy could convert cn=A123456 to uid=A123456 when searching membership in the Tivoli group, authorization would succeed.
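The conversion the note asks for, reproduced offline as an added example in Python (this is not code from the note, from OUD or from Oracle): it normalises a cn-keyed AD DN to the uid-keyed form the TDS group uses before checking membership, and shows the uid-to-cn rewrite of the search filter that the orclCommonNicknameAttribute change achieves. The base DN, user and group members are constructed sample values.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Split a DN on commas that are not RFC 4514 escaped ("\,").
_RDN_SPLIT = re.compile(r"(?<!\\),")

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attr, value), ...] with attribute types lower-cased."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.strip().lower(), value.strip()))
    return parts

def canonical_user_dn(dn: str, user_attr: str = "uid",
                      aliases: Sequence[str] = ("cn",)) -> str:
    """Rewrite the leading RDN type (cn -> uid) and fold the value case."""
    # cn and uid both use caseIgnoreMatch, so case folding matches the directory.
    parts = parse_dn(dn)
    attr, value = parts[0]
    parts[0] = (user_attr if attr in aliases else attr, value)
    return ",".join(f"{a}={v.lower()}" for a, v in parts)

def is_group_member(user_dn: str, members: Sequence[str]) -> bool:
    """Membership test that tolerates cn/uid and case differences."""
    target = canonical_user_dn(user_dn)
    return any(canonical_user_dn(m) == target for m in members)

def rewrite_equality_filter(ldap_filter: str, mapping: Dict[str, str]) -> str:
    """Map attribute names in simple (attr=value) filters, e.g. uid -> cn."""
    def swap(m):
        attr = m.group(1)
        return f"({mapping.get(attr.lower(), attr)}={m.group(2)})"
    return re.sub(r"\((\w+)=([^()]*)\)", swap, ldap_filter)

# Constructed sample data mirroring the note: AD returns the user keyed by CN,
# the TDS group lists its members keyed by uid with a lower-case value.
BASE = "ou=employees,ou=users,ou=<ou>,o=<ou>,c=<country>"
AD_USER_DN = f"CN=A123456,{BASE}"
TDS_GROUP_MEMBERS = [f"uid=a123456,{BASE}", f"uid=b654321,{BASE}"]

if __name__ == "__main__":
    print(AD_USER_DN in TDS_GROUP_MEMBERS)                 # False: literal compare, as in the note
    print(is_group_member(AD_USER_DN, TDS_GROUP_MEMBERS))  # True after cn -> uid mapping
    print(rewrite_equality_filter("(uid=A123456)", {"uid": "cn"}))  # (cn=A123456)
```

The literal comparison on the first line is the check that fails in the note; the normalised comparison is what a mapping layer in front of the TDS group lookup would have to perform.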

Changes


Cause

