OUD 11g Proxy to AD/Tivoli (TDS) with EUS: Authentication Fails "ORA-01017: invalid username/password; logon denied" and Authorization to TDS Groups Fails with "ORA-00942: table or view does not exist"
(Doc ID 2116290.1)
Last updated on SEPTEMBER 09, 2021
Applies to: Oracle Unified Directory - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
Oracle Unified Directory (OUD) 11g (e.g. version 18.104.22.168.0), Proxy and Load-Balancing, integrated with Enterprise User Security (EUS).
Oracle Database (DB) <-> OUD Proxy
    OUD Proxy (Authentication) -> Microsoft Active Directory (AD)
    OUD Proxy (Authorization)  -> Tivoli Directory Server (TDS)
There is only one OUD proxy for both.
Using EUS / sqlplus for testing.
Connecting to AD to find users, and TDS to fetch groups.
Users in TDS by default are identified by the UID attribute; in AD they are referenced by CN.
The access log on OUD shows the request:
In the context, located in OUD proxy instance, there is the tree "ou=employees,ou=users,ou=<ou>,o=<ou>,c=<country>" but the key of the User is set to "CN".
Tried exchanging the DN:
    CN=Users, DC=<dc>, dc=<dc>, dc=com, dc=<country>
    ou=employees, ou=users, ou=<ou>, o=<ou>, c=<country>
This worked, but the RDN change (CN for UID) apparently is not being inherited by the naming context.
The users are showing up as:
CN=A123456, ou=employees, ou=users, ou=<ou>, o=<ou>, c=<country>
When the correct DN would be:
uid=A123456, ou=employees, ou=users, ou=<ou>, o=<ou>, c=<country>
And unable to authenticate, with the error:
After following Document 1570893.1 (Active Directory As External Directory Not Working For EUS), managed to authenticate as an AD user (changing the orclCommonNicknameAttribute attribute from its default value uid to cn).
But authorization to the Tivoli group hits a similar rename issue: the members in the Tivoli group are identified by uid (for example uid=a123456), unlike the AD user identification (cn=A123456), so it cannot find the user (cn=a123456) in the Tivoli group and the query returns the error message:
If it could somehow convert cn=A123456 to uid=A123456 when searching membership in the Tivoli group, the authorization would succeed.
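To make the naming-attribute mismatch concrete, here is an added Python illustration (not OUD code and not Oracle's solution) that compares DNs with LDAP-style normalisation and shows how mapping the leading RDN attribute cn -> uid lets the AD user match the uid-named TDS group member; all DN values are constructed placeholders.

```python
import re

# Constructed sample DNs modelled on the placeholders in the note (not real data).
# The AD user, as it appears through the OUD proxy naming context:
AD_USER_DN = "CN=A123456, ou=employees, ou=users, ou=example, o=example, c=xx"
# Members of the TDS group, which are named by uid rather than cn:
TDS_GROUP_MEMBERS = [
    "uid=a123456,ou=employees,ou=users,ou=example,o=example,c=xx",
    "uid=b654321,ou=employees,ou=users,ou=example,o=example,c=xx",
]


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, normalised the way LDAP's
    distinguishedNameMatch treats cn/uid/ou (caseIgnore): attribute types and
    values are lower-cased and surrounding whitespace is dropped. Only commas
    that are not backslash-escaped separate RDNs."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def map_naming_attribute(rdns, mapping):
    """Rewrite the attribute type of the leading RDN (the naming attribute),
    e.g. cn -> uid, leaving the value and the parent DN untouched."""
    attr, value = rdns[0]
    return [(mapping.get(attr, attr), value)] + rdns[1:]


def is_member(user_dn, member_dns, mapping=None):
    """Return True if user_dn equals one of the group's member DNs after
    normalisation and (optionally) naming-attribute mapping."""
    user = parse_dn(user_dn)
    if mapping:
        user = map_naming_attribute(user, mapping)
    return any(user == parse_dn(m) for m in member_dns)


if __name__ == "__main__":
    # Without mapping, the leading RDN differs (cn vs uid), so membership
    # fails: this is the authorization failure described in the note.
    print("naive match:", is_member(AD_USER_DN, TDS_GROUP_MEMBERS))
    # Mapping cn -> uid makes the DNs compare equal and membership resolves.
    print("mapped match:", is_member(AD_USER_DN, TDS_GROUP_MEMBERS, {"cn": "uid"}))
```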