OVD 11g Returns Inappropriate Ldap Error Code Error 49 - Invalid Credentials Or Does Not Include Additional Information
(Doc ID 2158746.1)
Last updated on AUGUST 30, 2023
Applies to:
Oracle Virtual Directory - Version 11.1.1.7.0 and later
Information in this document applies to any platform.
Symptoms
On : 11g version, Virtual Directory Server
ACTUAL BEHAVIOR
---------------
OVD returns an inappropriate LDAP error code or does not include additional information.
OVD is configured as a join adapter with an OID adapter and AD adapter as the backend.
When attempting to bind as a user that is disabled in OID, OVD will always return [Error 49 - Invalid Credentials] regardless of what the OID backend response is.
EXPECTED BEHAVIOR
-----------------------
OVD should return the same message as OID when a disabled user attempts to bind.
STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Example 1: OID User Enabled, Bind to OVD with correct username and correct password
ldapsearch -x -LLL -o ldif-wrap=no -h <OVD_HOSTNAME> -p 6501 -D "uid=USERNAME,cn=Users,cn=ACCOUNTS,dc=<COMPANY_NAME_NET>,dc=com,dc=<COMPANY_NAME>,dc=dev" -w '<PASSWORD>' -b "dc=<COMPANY_NAME>,dc=com" "uid=<USERNAME>" cn
dn: uid=USERNAME,cn=Users,cn=ACCOUNTS,dc=COMPANYnet,dc=com,dc=external,dc=<COMPANY_NAME>,dc=com
cn: John S Test
2. Example 2: OID User Enabled, Bind to OID with correct username and correct password
ldapsearch -x -LLL -o ldif-wrap=no -h <OID_HOSTNAME> -p 3060 -D "uid=<USERNAME>,cn=Users,cn=ACCOUNTS,dc=<COMPANY_NAME_NET>,dc=com" -w '<PASSWORD>' -b "dc=<COMPANY_NAME_NET>,dc=com" "uid=<USERNAME>" uid
dn: uid=<USERNAME>,cn=Users,cn=ACCOUNTS,dc=<COMPANY_NAME_NET>,dc=com
uid: <USERNAME>
3. Example 3: OID User Disabled, Bind to OVD with correct username and correct password.
ldapsearch -x -LLL -o ldif-wrap=no -h <OVD_HOSTNAME> -p 6501 -D "uid=<USERNAME>,cn=Users,cn=ACCOUNTS,dc=<COMPANY_NAME_NET>,dc=com,dc=<COMPANY_NAME>,dc=dev" -w '<PASSWORD>' -b "dc=<COMPANY_NAME>,dc=com" "uid=<USERNAME>" cn
ldap_bind: Invalid credentials (49)
4. Example 4: OID User Disabled, Bind to OID with correct username and correct password.
ldapsearch -x -LLL -o ldif-wrap=no -h <OID_HOSTNAME> -p 3060 -D "uid=<USERNAME>,cn=Users,cn=ACCOUNTS,dc=<COMPANY_NAME_NET>,dc=com" -w '<PASSWORD>' -b "dc=<COMPANY_NAME_NET>,dc=com" "uid=<USERNAME>" cn
ldap_bind: Server is unwilling to perform (53)
additional info: Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.
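The difference between Examples 3 and 4, as an added example that is not part of the original note: shell functions that parse the `ldap_bind` error text and flag the case where the front end returns 49 with no additional info while the backend returns 53 with GSL_ACCTDISABLED_EXCP. The function names are hypothetical, and the sample input is the error text from the examples above.

```shell
#!/bin/sh
# Added example: classify ldapsearch bind errors like those in Examples 3 and 4.
# Function names are hypothetical; sample input is constructed from the page's output.

OVD_ERR='ldap_bind: Invalid credentials (49)'
OID_ERR='ldap_bind: Server is unwilling to perform (53)
additional info: Account Policy Error :9050: GSL_ACCTDISABLED_EXCP :Your Account has been disabled. Please contact the administrator.'

# bind_code TEXT -> LDAP result code from the "ldap_bind:" line, 0 if no such line
bind_code() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/^ldap_bind: .*(\([0-9][0-9]*\))[[:space:]]*$/\1/p' | head -n 1)
    printf '%s\n' "${code:-0}"
}

# bind_info TEXT -> text after "additional info:", empty if the server sent none
bind_info() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*additional info: //p' | head -n 1
}

# classify_bind TEXT -> no_bind_error | account_disabled | invalid_credentials | other:<code>
classify_bind() {
    code=$(bind_code "$1")
    info=$(bind_info "$1")
    case "$code" in
        0)  echo no_bind_error ;;
        49) echo invalid_credentials ;;
        53) case "$info" in
                *GSL_ACCTDISABLED_EXCP*) echo account_disabled ;;
                *) echo "other:53" ;;
            esac ;;
        *)  echo "other:$code" ;;
    esac
}

# masked_by_frontend FRONT BACK -> exit 0 when the front end reports a bare 49
# while the backend reports the account as disabled for the same bind
masked_by_frontend() {
    [ "$(classify_bind "$1")" = invalid_credentials ] &&
    [ -z "$(bind_info "$1")" ] &&
    [ "$(classify_bind "$2")" = account_disabled ]
}

if masked_by_frontend "$OVD_ERR" "$OID_ERR"; then
    echo "OVD=$(bind_code "$OVD_ERR") hides OID=$(bind_code "$OID_ERR") ($(classify_bind "$OID_ERR"))"
fi
```

Against live servers, the two arguments would be the captured stderr of the Example 3 and Example 4 commands.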
BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot determine when their account is disabled.
Changes
Cause