
OAM 11.1.2.3: Password Policy : OIMPersonPwdPolicy : [LDAP: error code 65 - Object Class Violation] (Doc ID 2200898.1)

Last updated on JULY 05, 2018

Applies to:

Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

STEPS TO REPLICATE THE ISSUE

Follow documentation section 9.15, "Disabling Coexistence Feature":

disableOamAgentCoexistWith10G()


ACTUAL BEHAVIOR

OAM authentication fails for a resource protected by PasswordValidationModule as soon as the password (pswd) plugin is engaged.

The OAM server diagnostic log shows the exception below, and the LDAP server error log shows that OAM was trying to add the OIMPersonPwdPolicy objectclass to the user entry.

[2016-08-05T14:49:48.739-05:00] [wls_oam1] [WARNING] [] [oracle.oam.pswd.service.provider] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 9a520c5fa314bcb8:-2a7f0a36:15650c2b7ab:-8000-000000000003ebec,0] [APP: oam_server#11.1.2.0.0] Updating the users password history attributes was unsuccessful in password policy engine controller {0}


[2016-08-05T14:49:48.741-05:00] [wls_oam1] [WARNING] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 9a520c5fa314bcb8:-2a7f0a36:15650c2b7ab:-8000-000000000003ebec,0] [APP: oam_server#11.1.2.0.0] Plugin Execution Failed.[[
oracle.security.am.common.utilities.exception.AmRuntimeException: Updating the user's password history attributes was unsuccessful in password policy engine controller
at oracle.security.am.pswdmgmt.plugin.PasswordStatusDelegate.maintainUserStatusHistory(PasswordStatusDelegate.java:435)
at oracle.security.am.pswdmgmt.plugin.PasswordStatusDelegate.handlePasswordStatus(PasswordStatusDelegate.java:109)
at oracle.security.am.pswdmgmt.plugin.PswdPlugin.process(PswdPlugin.java:124)
at oracle.security.am.engine.authn.internal.executor.PlugInExecutor.execute(PlugInExecutor.java:204)
at oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor.execute(AuthenticationSchemeExecutor.java:113)
at oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl.validateUser(AuthenticationEngineControllerImpl.java:269)
at oracle.security.am.engines.enginecontroller.AuthnEngineController.authenticateUser(AuthnEngineController.java:986)
at oracle.security.am.engines.enginecontroller.AuthnEngineController.processEvent(AuthnEngineController.java:341)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:596)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:788)
at oracle.security.am.proxy.oam.requesthandler.NGProvider.authenticate(NGProvider.java:796)
at oracle.security.am.proxy.oam.requesthandler.NGProvider.getAuthenticateForDccResponse(NGProvider.java:551)
at oracle.security.am.proxy.oam.requesthandler.NGProvider.getResponse(NGProvider.java:455)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:366)
at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:170)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:122)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.MDOMethodInvoker.invoke(MDOMethodInvoker.java:35)
at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:231)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: oracle.idm.passwordmgmt.exception.PasswordManagementException: oracle.idm.passwordmgmt.exception.UserDataException: Error saving user info to OAM idstore
at oracle.security.am.pswdmgmt.impl.NonNativePasswordMgrServiceImpl.saveUserInfo(NonNativePasswordMgrServiceImpl.java:430)
at oracle.security.am.pswdmgmt.impl.NonNativePasswordMgrServiceImpl.maintainUserAttributesHistory(NonNativePasswordMgrServiceImpl.java:335)
at oracle.security.am.pswdmgmt.plugin.PasswordStatusDelegate.maintainUserStatusHistory(PasswordStatusDelegate.java:430)
... 29 more
Caused by: oracle.idm.passwordmgmt.exception.UserDataException: Error saving user info to OAM idstore
at oracle.security.am.pswdmgmt.impl.IDStoreUserRepository.saveUserInfo(IDStoreUserRepository.java:253)
at oracle.security.am.pswdmgmt.impl.NonNativePasswordMgrServiceImpl.saveUserInfo(NonNativePasswordMgrServiceImpl.java:427)
... 31 more
Caused by: oracle.security.am.engines.common.identity.provider.exceptions.IdentityProviderException: OAMSSA-20092: Could not modify user attribute for user : nabcId=JAVAT200,ou=users,dc=,dc=com, attributes : SUN_LDAP, for idstore oracle.igf.ids.InvalidAttributesException: Invalid attribute(s): entity=ntrsId=JAVAT200,ou=users,dc=nabc,dc=com op=modify mesg= AdditionalInfo: LDAP Error 65 : [LDAP: error code 65 - Object Class Violation] with exception {3}.
at oracle.security.am.engines.common.identity.provider.impl.ids.IDSUserProviderImpl.modifyUserAttributes(IDSUserProviderImpl.java:374)
at oracle.security.am.engines.common.identity.provider.impl.IdentityProviderImpl.modifyUserAttributes(IdentityProviderImpl.java:888)
at oracle.security.am.engines.common.identity.provider.impl.OracleUserIdentityProvider.modifyUserAttributes(OracleUserIdentityProvider.java:330)
at oracle.security.am.pswdmgmt.impl.IDStoreUserRepository.saveUserInfo(IDStoreUserRepository.java:248)
... 32 more
Caused by: oracle.igf.ids.InvalidAttributesException: Invalid attribute(s): entity=ntrsId=JAVAT200,ou=users,dc=nabc,dc=com op=modify mesg= AdditionalInfo: LDAP Error 65 : [LDAP: error code 65 - Object Class Violation]
at oracle.igf.ids.arisid.ArisIdServiceManager.modifyEntity(ArisIdServiceManager.java:2144)
at oracle.igf.ids.Entity.modify(Entity.java:527)
at oracle.security.am.engines.common.identity.provider.impl.ids.IDSUserProviderImpl.modifyUserAttributes(IDSUserProviderImpl.java:358)
... 35 more
Caused by: oracle.igf.ids.arisid.ArisIdSchemaException: Invalid attribute(s): entity=ntrsId=JAVAT200,ou=users,dc=nabc,dc=com op=modify mesg= AdditionalInfo: LDAP Error 65 : [LDAP: error code 65 - Object Class Violation]
at com.oracle.ovd.arisid.OvdIdsStackProvider.mapResultCode(OvdIdsStackProvider.java:673)
at com.oracle.ovd.arisid.OvdIdsStackProvider.doModify(OvdIdsStackProvider.java:1520)
at com.oracle.ovd.arisid.ArisIdStackProvider.doModify(ArisIdStackProvider.java:188)
at org.openliberty.arisid.Interaction.doModify(Interaction.java:1489)
at oracle.igf.ids.arisid.ArisIdServiceManager.modifyEntity(ArisIdServiceManager.java:2128)
... 37 more 

a. LDAP server error log for the affected entry:

LDAP error [05/Aug/2016:14:49:48 -0500] - ERROR<5894> - Schema - conn=1936596 op=7 msgId=8 - User error: Entry "ntrsId=JAVAT200 8364,ou=users,dc=nabc,dc=com" has unknown object class "OIMPersonPwdPolicy"

b. A Wireshark capture shows OAM replacing several Oblix attributes in one modify request; the operation fails on the final modification item, which adds the OIMPersonPwdPolicy objectclass.

Lightweight Directory Access Protocol
    LDAPMessage modifyRequest(8) "nabcId=ZK820061005062408364,ou=users,dc=nabc,dc=com"
        messageID: 8
        protocolOp: modifyRequest (6)
            modifyRequest
                object: nabcID=JAVAt200,ou=users,dc=ntrs,dc=com
                modification: 5 items
                    modification item
                        operation: replace (2)
                        modification obpasswordchangeflag
                            type: obpasswordchangeflag
                            vals: 1 item
                                AttributeValue: false
                    modification item
                        operation: replace (2)
                        modification oblastsuccessfullogin
                            type: oblastsuccessfullogin
                            vals: 1 item
                                AttributeValue: 2016-10-19T10:29:35Z
                    modification item
                        operation: replace (2)
                        modification obpasswordcreationdate
                            type: obpasswordcreationdate
                            vals: 1 item
                                AttributeValue: 2016-09-26T14:39:32Z
                    modification item
                        operation: replace (2)
                        modification oblogintrycount
                            type: oblogintrycount
                            vals: 1 item
                                AttributeValue: 0
                    modification item
                        operation: add (0)
                        modification objectclass
                            type: objectclass
                            vals: 1 item
                                AttributeValue: OIMPersonPwdPolicy
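A triage helper for this symptom, added here as an example (not Oracle's or the article's code): it pairs each OAMSSA-20092 / LDAP error 65 event in the OAM diagnostic log with the object class the directory rejected in its own error log, then checks an LDIF export of the directory's subschema entry for that class. The log lines and schema below are constructed samples modelled on the ones quoted above; the examplePwdPolicy class and its OID are placeholders.

```python
import re

# Directory (DSEE-style) error log line, in the format quoted in the article.
_UNKNOWN_OC = re.compile(
    r'Entry "(?P<dn>[^"]+)" has unknown object class "(?P<oc>[^"]+)"')
# OAM diagnostic log line carrying OAMSSA-20092 with the IGF/IDS detail.
_OAM_ERR65 = re.compile(r'entity=(?P<dn>.+?) op=(?P<op>\w+) .*?LDAP Error 65')
# objectClasses definition in a subschema LDIF export (after unfolding).
_OC_DEF = re.compile(r"^objectClasses:\s*\(.*?NAME\s+'(?P<name>[^']+)'",
                     re.IGNORECASE | re.MULTILINE)

def find_object_class_violations(ldap_log, oam_log):
    """Pair each OAM error-65 event with the object class the directory rejected."""
    rejected = {m['dn']: m['oc'] for m in _UNKNOWN_OC.finditer(ldap_log)}
    return [{'dn': m['dn'], 'op': m['op'],
             'missing_objectclass': rejected.get(m['dn'])}
            for m in _OAM_ERR65.finditer(oam_log)]

def schema_defines(subschema_ldif, objectclass):
    """True if the subschema export declares the object class (case-insensitive)."""
    unfolded = re.sub(r'\n ', '', subschema_ldif)  # join LDIF continuation lines
    names = {m['name'].lower() for m in _OC_DEF.finditer(unfolded)}
    return objectclass.lower() in names

def triage(ldap_log, oam_log, subschema_ldif):
    """Annotate each failed modify with whether the rejected class exists in the schema."""
    results = find_object_class_violations(ldap_log, oam_log)
    for hit in results:
        oc = hit['missing_objectclass']
        hit['defined_in_schema'] = schema_defines(subschema_ldif, oc) if oc else None
    return results

# Constructed sample input modelled on the article's log lines (not real data).
LDAP_LOG = ('[05/Aug/2016:14:49:48 -0500] - ERROR<5894> - Schema - conn=1 op=7 msgId=8 '
            '- User error: Entry "uid=jdoe,ou=users,dc=example,dc=com" '
            'has unknown object class "OIMPersonPwdPolicy"\n')
OAM_LOG = ('[2016-08-05T14:49:48.741-05:00] [wls_oam1] [WARNING] [oracle.oam.engine.authn] '
           'OAMSSA-20092: Could not modify user attribute for user : '
           'entity=uid=jdoe,ou=users,dc=example,dc=com op=modify mesg= AdditionalInfo: '
           'LDAP Error 65 : [LDAP: error code 65 - Object Class Violation]\n')
SUBSCHEMA_LDIF = ('dn: cn=schema\n'
                  "objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL\n"
                  '  MUST ( sn $ cn ) )\n'
                  # placeholder OID and class name, not a real OAM/OIM definition
                  "objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'examplePwdPolicy' SUP top\n"
                  "  AUXILIARY MAY ( obpasswordchangeflag $ oblogintrycount ) )\n")

if __name__ == '__main__':
    for hit in triage(LDAP_LOG, OAM_LOG, SUBSCHEMA_LDIF):
        print(hit)
```

A hit with defined_in_schema False tells you the directory schema lacks the class OAM expects, so the failure is a schema gap rather than a wrong attribute value.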


EXPECTED BEHAVIOR

OAM 11g password policy should work without throwing exceptions.

Cause
