OUD 11g Proxy to AD/Tivoli (TDS) Integration with EUS, Authentication Fails: ORA-01017: invalid username/password; logon denied. After Note 1570893.1, Authorization to TDS Groups Fails with: ORA-00942: table or view does not exist

(Doc ID 2116290.1)

Last updated on MARCH 16, 2016

Applies to:

Oracle Unified Directory - Version 11.1.2.0.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Unified Directory (OUD) 11g (e.g. version 11.1.2.3.0), Proxy and Load-Balancing, integrated with Enterprise User Security (EUS).

Topology:

  Oracle Database (DB)  <->  OUD Proxy (Authentication)  <->  Microsoft Active Directory (AD)
                                  ^
                                  |
                              OUD Proxy (Authorization)
                                  |
                                  v
                              Tivoli Directory Server (TDS)


There is only one OUD proxy for both.

Using EUS / sqlplus for testing.


OUD connects to AD to find users and to TDS to fetch groups.

Users in TDS by default are identified by the UID attribute; in AD they are referenced by CN.


The access log on OUD shows the request:

[18/Feb/2016:16:48:02 -0200] SEARCH REQ conn=0 op=4 msgID=5 base="ou=employees,ou=users,ou=access,o=myou,c=us" scope=sub filter="(uid=A123456)" attrs="dn,authPassword,orclPassword,orclguid"


In the naming context configured on the OUD proxy instance, the tree "ou=employees,ou=users,ou=access,o=myou,c=us" exists, but the user key (the RDN attribute) is set to "CN".


Tried replacing the DN "CN=Users,DC=mydc,dc=mydc,dc=com,dc=us" with "ou=employees,ou=users,ou=access,o=myou,c=us".

This worked, but the change of the RDN attribute from CN to UID is apparently not inherited by the naming context.


The users are showing up as:

CN=A123456,ou=employees,ou=users,ou=access,o=myou,c=us

whereas the correct form would be:

uid=A123456,ou=employees,ou=users,ou=access,o=myou,c=us

Authentication fails with the error:

ORA-01017: invalid username/password; logon denied


After following Document 1570893.1 (Active Directory As External Directory Not Working For EUS), authentication via the AD user succeeded (the orclCommonNicknameAttribute attribute was changed from its default value uid to cn).

But authorization against the Tivoli group hits a similar naming issue. Because members of the Tivoli group are identified by uid (for example uid=a123456), unlike AD users (cn=A123456), the proxy cannot find the user (cn=a123456) in the Tivoli group, so the query returns the error message:

If cn=a123456 could somehow be converted to uid=a123456 when membership in the Tivoli group is searched, the authorization would succeed.
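The following is an added illustration, not code from the Oracle note and not OUD configuration: it reproduces in plain Python why the membership lookup described above fails (the AD-side DN is keyed by cn and differs in case from the uid-keyed member values stored in TDS) and shows that an RDN-attribute rewrite (cn to uid) plus the case-insensitive comparison an LDAP server applies to cn and uid values makes the same lookup succeed. The DNs and group members are constructed sample data based on the naming context quoted in the symptoms; whatever mechanism the proxy itself offers for such a rewrite is outside this snippet.

```python
"""
Added example (not from the Oracle note): DN normalization and a
membership check that shows the cn-vs-uid mismatch between an AD user
DN and a TDS group's member values, and the rewrite that resolves it.
Sample DNs are constructed for illustration.
"""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)

# Constructed sample data: the user as AD/OUD presents it (keyed by cn,
# upper-case value) and the TDS group's member attribute (keyed by uid,
# lower-case value).
AD_USER_DN = "CN=A123456,ou=employees,ou=users,ou=access,o=myou,c=us"
TDS_GROUP_MEMBERS = [
    "uid=a123456,ou=employees,ou=users,ou=access,o=myou,c=us",
    "uid=b654321,ou=employees,ou=users,ou=access,o=myou,c=us",
]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, leaf RDN first.

    Only the simple, unescaped DNs used here are handled; escaped commas
    ("\\,") and multi-valued RDNs are not, so a real deployment should
    rely on an LDAP library's DN parser instead.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"invalid RDN component: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical comparison form: lower-case types and values, no spaces.

    Attribute types are case-insensitive, and cn/uid values use the
    caseIgnoreMatch rule, so comparing DNs in this form mirrors what the
    directory server does when it evaluates a member value.
    """
    return ",".join(f"{a.lower()}={v.lower()}" for a, v in parse_dn(dn))


def rewrite_rdn_attr(dn: str, old: str, new: str) -> str:
    """Rename the leaf RDN's attribute type (e.g. cn -> uid), keeping the
    value and the rest of the DN unchanged."""
    rdns = parse_dn(dn)
    attr, value = rdns[0]
    if attr.lower() == old.lower():
        rdns[0] = (new, value)
    return ",".join(f"{a}={v}" for a, v in rdns)


def is_member(user_dn: str, group_members: List[str],
              rewrite: Optional[Tuple[str, str]] = None) -> bool:
    """Return True if user_dn matches one of the group's member values.

    When `rewrite` is given as (old_attr, new_attr), the user DN's leaf
    RDN type is renamed before comparison; this is the cn -> uid
    conversion the symptoms ask for.
    """
    candidate = user_dn if rewrite is None else rewrite_rdn_attr(user_dn, *rewrite)
    target = normalize_dn(candidate)
    return any(normalize_dn(m) == target for m in group_members)


if __name__ == "__main__":
    # Without the rewrite the AD DN (cn=...) never matches a uid=... member.
    print("match without rewrite:", is_member(AD_USER_DN, TDS_GROUP_MEMBERS))
    # With cn -> uid rewriting and case-insensitive comparison it does.
    print("match with cn->uid rewrite:",
          is_member(AD_USER_DN, TDS_GROUP_MEMBERS, rewrite=("cn", "uid")))
```

Note that both differences matter: the attribute type (cn versus uid) is what the rewrite fixes, while the value case (A123456 versus a123456) is absorbed by the case-insensitive comparison; a byte-for-byte string compare of the raw DNs would fail even after the rewrite.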

Cause
