
OUD11g - Enterprise User Security (EUS) Authentication Fails with "ORA-28030" and/or "SASL DIGEST-MD5 protocol error" using DB / RDBMS 12.2.0.1 (Doc ID 2280001.1)

Last updated on MARCH 22, 2023

Applies to:

Oracle Unified Directory - Version 11.1.2.3.0 to 11.1.2.3.170718 [Release 11g]
Information in this document applies to any platform.

Symptoms

Enterprise User Security (EUS), using Oracle Unified Directory 11gR2PS3 as the LDAP server, is not working as expected with RDBMS version 12.2.0.1.

ORA-28030 is returned when trying to connect using the sqlplus command:

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> connect soe
Enter password:
ERROR:
ORA-28030: Server encountered problems accessing LDAP directory service

The EUS authentication fails in 12.2.0.1 with the following error:

kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=80
KZLD_ERR: 80
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.

The SASL bind fails on 12.2.0.1:

$ORACLE_DB_HOME/oracle/product/12.2.0.1/bin/ldapbind -h <HOSTNAME> -p <LDAPS_PORT> -U 1 -D "cn=<DB12c>,cn=oraclecontext,dc=<SUFFIX>" -w <PASSWORD> -O auth -Y DIGEST-MD5
ldap_sasl_bind: Unknown error

In the OUD access log, the bind is performed with an empty DN:

[18/May/2017:17:28:49 +0200] CONNECT conn=0 from=<IP>:<> to=<IP>:<LDAPS_PORT> protocol=LDAPS
[18/May/2017:17:28:49 +0200] BIND REQ conn=0 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[18/May/2017:17:28:49 +0200] BIND RES conn=0 op=0 msgID=1 result=14 etime=39
[18/May/2017:17:28:49 +0200] DISCONNECT conn=0 reason="Client Disconnect"

With Oracle Database 12.1.0.2, by contrast, the bind is performed correctly:

[18/May/2017:17:29:52 +0200] CONNECT conn=1 from=<IP>:<> to=<IP>:<LDAPS_PORT> protocol=LDAPS
[18/May/2017:17:29:52 +0200] BIND REQ conn=1 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn="cn=<DB12c>,cn=oraclecontext,dc=<SUFFIX>" version=3
[18/May/2017:17:29:52 +0200] BIND RES conn=1 op=0 msgID=1 result=14 etime=0
[18/May/2017:17:29:52 +0200] BIND REQ conn=1 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn="cn=<DB12c>,cn=oraclecontext,dc=<SUFFIX>" version=3
[18/May/2017:17:29:52 +0200] SEARCH REQ conn=-1 op=73 msgID=74 base="cn=<DB12c>,cn=oraclecontext,dc=<SUFFIX>" scope=base filter="(objectClass=*)" attrs="ds-privilege-name,*"

In a different case, the following errors were observed.

From the DB trace:

kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=49
KZLD_ERR: 49
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.

From the OUD access log from that same connection attempt:

[25/May/2018:09:45:05 -0500] CONNECT conn=1620 from=<IP>:<> to=<IP>:<LDAPS_PORT> protocol=LDAPS
[25/May/2018:09:45:06 -0500] BIND REQ conn=1620 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[25/May/2018:09:45:06 -0500] BIND RES conn=1620 op=0 msgID=1 result=14 etime=3
[25/May/2018:09:45:06 -0500] BIND REQ conn=1620 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[25/May/2018:09:45:06 -0500] BIND RES conn=1620 op=1 msgID=2 result=49 authFailureID=1310929 authFailureReason="SASL DIGEST-MD5 protocol error: SaslException(DIGEST-MD5: digest response format violation. Nonexistent realm: )" etime=1
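
The symptom above can be checked for across a whole access log. The following is an added example, not part of the Oracle note: it flags connections whose SASL DIGEST-MD5 bind request carries dn="" and reports the last bind result seen on them. The sample lines are constructed from the excerpts above, and the function names and the conn=7 entry are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the access-log excerpts in this note
# (same placeholders; conn=7 is an assumed healthy bind that carries a DN).
SAMPLE_LOG = '''\
[25/May/2018:09:45:05 -0500] CONNECT conn=1620 from=<IP>:<> to=<IP>:<LDAPS_PORT> protocol=LDAPS
[25/May/2018:09:45:06 -0500] BIND REQ conn=1620 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[25/May/2018:09:45:06 -0500] BIND RES conn=1620 op=0 msgID=1 result=14 etime=3
[25/May/2018:09:45:06 -0500] BIND REQ conn=1620 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[25/May/2018:09:45:06 -0500] BIND RES conn=1620 op=1 msgID=2 result=49 authFailureID=1310929 authFailureReason="SASL DIGEST-MD5 protocol error: SaslException(DIGEST-MD5: digest response format violation. Nonexistent realm: )" etime=1
[25/May/2018:09:45:07 -0500] BIND REQ conn=7 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn="cn=<DB12c>,cn=oraclecontext,dc=<SUFFIX>" version=3
[25/May/2018:09:45:07 -0500] BIND RES conn=7 op=0 msgID=1 result=14 etime=0
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<kind>BIND REQ|BIND RES) (?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Standard LDAP result codes (RFC 4511).
RESULT_NAMES = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}


def parse_fields(rest):
    """Split 'key=value key="quoted value"' pairs into a dict, dropping quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD.findall(rest)}


def find_empty_dn_digest_binds(log_text):
    """Return one finding per connection whose DIGEST-MD5 bind request had dn=""."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # CONNECT, SEARCH, DISCONNECT and other lines are ignored
        f = parse_fields(m["rest"])
        conn = f.get("conn")
        if m["kind"] == "BIND REQ":
            if f.get("mechanism") == "DIGEST-MD5" and f.get("dn") == "":
                findings.setdefault(conn, {"conn": conn, "first_seen": m["ts"],
                                           "last_result": None, "reason": None})
        elif conn in findings:  # response on a connection already flagged
            code = int(f["result"])
            findings[conn]["last_result"] = code
            findings[conn]["result_name"] = RESULT_NAMES.get(code, "other")
            findings[conn]["reason"] = f.get("authFailureReason")
    return list(findings.values())


if __name__ == "__main__":
    for item in find_empty_dn_digest_binds(SAMPLE_LOG):
        print(item)
```

A flagged connection whose last result stays at 14 corresponds to the first excerpt (client disconnect after the challenge); one ending in 49 corresponds to the second.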

 

Cause
