OVD 11g Returns Inappropriate Ldap Error Code Error 49 - Invalid Credentials Or Does Not Include Additional Information (Doc ID 2158746.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.7.0 and later
Information in this document applies to any platform.

Symptoms

On Virtual Directory Server, 11g version:

ACTUAL BEHAVIOR
---------------
OVD returns an inappropriate LDAP error code or does not include additional information.

OVD is configured as a join adapter with an OID adapter and AD adapter as the backend.

When attempting to bind as a user that is disabled in OID, OVD always returns [Error 49 - Invalid Credentials], regardless of what the OID backend response is.


EXPECTED BEHAVIOR
-----------------------
OVD should return the same message as OID when a disabled user attempts to bind.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Example 1: OID User Enabled, Bind to OVD with correct username and correct password
ldapsearch -x -LLL -o ldif-wrap=no -h ovddev.cbrands.com -p 6501 -D "uid=JTEST12,cn=Users,cn=oracleAccounts,dc=cbrandsnet,dc=com,dc=cbrands,dc=dev" -w 'Password123$' -b "dc=cbrands,dc=com" "uid=jtest12" cn
dn: uid=JTEST12,cn=Users,cn=oracleAccounts,dc=cbrandsnet,dc=com,dc=external,dc=cbrands,dc=com
cn: John S Test

2. Example 2: OID User Enabled, Bind to OID with correct username and correct password
ldapsearch -x -LLL -o ldif-wrap=no -h oiddev.cbrands.com -p 3060 -D "uid=JTEST12,cn=Users,cn=oracleAccounts,dc=cbrandsnet,dc=com" -w 'Password123$' -b "dc=cbrandsnet,dc=com" "uid=jtest12" uid
dn: uid=JTEST12,cn=Users,cn=oracleAccounts,dc=cbrandsnet,dc=com
uid: JTEST12

3. Example 3: OID User Disabled, Bind to OVD with correct username and correct password.
ldapsearch -x -LLL -o ldif-wrap=no -h ovddev.cbrands.com -p 6501 -D "uid=JTEST12,cn=Users,cn=oracleAccounts,dc=cbrandsnet,dc=com,dc=cbrands,dc=dev" -w 'Password123$' -b "dc=cbrands,dc=com" "uid=jtest12" cn
ldap_bind: Invalid credentials (49)

4. Example 4: OID User Disabled, Bind to OID with correct username and correct password.
ldapsearch -x -LLL -o ldif-wrap=no -h oiddev.cbrands.com -p 3060 -D "uid=JTEST12,cn=Users,cn=oracleAccounts,dc=cbrandsnet,dc=com" -w 'Password123$' -b "dc=cbrandsnet,dc=com" "uid=jtest12" cn
ldap_bind: Server is unwilling to perform (53)
additional info: Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.
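
The difference between Examples 3 and 4, as an added shell example that is not part of the original note: it parses captured ldapsearch output and reports whether the front end (OVD) relays the backend (OID) bind result code and additional info. The function names are hypothetical; the sample outputs are the ones shown in Examples 3 and 4.

```shell
#!/bin/sh
# Added example: compare the bind result seen through OVD with the result
# the OID backend returns directly. Function names are hypothetical.

# Sample outputs copied from Examples 3 and 4 above.
OVD_OUT='ldap_bind: Invalid credentials (49)'
OID_OUT='ldap_bind: Server is unwilling to perform (53)
additional info: Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.'

# Print "<resultCode>|<additional info>" for captured ldapsearch output.
# Assumption: no ldap_bind error line means the bind succeeded (resultCode 0).
parse_bind_result() {
    pb_code=$(printf '%s\n' "$1" |
        sed -n 's/^ldap_bind: .*(\([0-9][0-9]*\))[[:space:]]*$/\1/p' | head -n 1)
    pb_info=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*additional info: //p' | head -n 1)
    printf '%s|%s\n' "${pb_code:-0}" "$pb_info"
}

# Report whether the front end relays the backend's bind result unchanged.
# $1: output captured from the front end, $2: output captured from the backend.
compare_bind() {
    cb_front=$(parse_bind_result "$1")
    cb_back=$(parse_bind_result "$2")
    if [ "$cb_front" = "$cb_back" ]; then
        printf 'MATCH code=%s\n' "${cb_front%%|*}"
    elif [ "${cb_front%%|*}" = "${cb_back%%|*}" ]; then
        # Same result code, but the additional info text differs or is missing.
        printf 'INFO_DROPPED code=%s\n' "${cb_front%%|*}"
    else
        printf 'CODE_CHANGED front=%s backend=%s\n' \
            "${cb_front%%|*}" "${cb_back%%|*}"
    fi
}

compare_bind "$OVD_OUT" "$OID_OUT"
```

For a live check, capture each command's output with `out=$(ldapsearch ... 2>&1)` and pass the two strings to `compare_bind`.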


BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot determine when their account is disabled.

Cause
