OUD 12c - Authentication Fails with Invalid Credentials (result=49) and "authFailure" if "authID" Exists under cn=OracleContext when using "ldapsearch" Command with LDAPS Port and DIGEST-MD5 (Doc ID 2540641.1)

Last updated on AUGUST 08, 2023

Applies to:

Oracle Unified Directory - Version 12.2.1.3.180829 and later
Information in this document applies to any platform.

Symptoms

DIGEST-MD5 SASL authentication fails when the ldapsearch command connects to the LDAPS port and uses an authid that exists under the "cn=OracleContext" suffix. For example:

$ ldapsearch -h <OUD_HOSTNAME> -p <LDAP_SSL_PORT> -Z -X -j <PASSWORD_FILE> --saslOption mech=DIGEST-MD5 --saslOption authid=dn:cn=<USERNAME>,cn=OracleContext -b "" -s base "(objectClass=*)"
The SASL DIGEST-MD5 bind attempt failed
Result Code: 49 (Invalid Credentials)

"authFailureID=1245385" is logged in the OUD access log:

[10/Dec/2018:05:11:03 +0000] BIND REQ conn=5 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[10/Dec/2018:05:11:03 +0000] BIND RES conn=5 op=1 msgID=2 result=49 authFailureID=1245385 authFailureReason="The server was not able to find any user entries for the provided username of dn:cn=<USERNAME>,cn=OracleContext" etime=27

This authentication error does NOT occur when the authid is an entry outside cn=OracleContext, or when connecting to the non-SSL port. For example, using the non-SSL port:

$ ldapsearch -h <OUD_HOSTNAME> -p <LDAP_PORT> -w PASSWORD --saslOption mech=DIGEST-MD5 --saslOption authid=dn:cn=<USERNAME>,cn=OracleContext -b "" -s base "(objectClass=*)"

[10/Dec/2018:06:12:53 +0000] BIND REQ conn=3 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[10/Dec/2018:06:12:53 +0000] BIND RES conn=3 op=0 msgID=1 result=14 etime=37
[10/Dec/2018:06:12:53 +0000] BIND REQ conn=3 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[10/Dec/2018:06:12:53 +0000] BIND RES conn=3 op=1 msgID=2 result=0 authDN="cn=<USERNAME>,cn=OracleContext" etime=30
[10/Dec/2018:06:12:53 +0000] SEARCH REQ conn=3 op=2 msgID=3 base="" scope=base filter="(objectClass=*)" attrs="ALL"
[10/Dec/2018:06:12:53 +0000] SEARCH RES conn=3 op=2 msgID=3 result=0 nentries=1 etime=25
[10/Dec/2018:06:12:53 +0000] UNBIND REQ conn=3 op=3 msgID=4
[10/Dec/2018:06:12:53 +0000] DISCONNECT conn=3 reason="Client Disconnect"

The issue has been reported in an OUD instance configured with Enterprise User Security (EUS) integration.

Changes

The authentication error occurs when all of the following conditions are met:

- Connecting to the LDAP SSL port
and
- Requesting DIGEST-MD5 SASL authentication
and
- Using an entry under cn=OracleContext as the authid
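
A triage sketch for the access-log signature shown in the Symptoms section, added here as an example and not Oracle's code: it pairs each BIND REQ with its BIND RES by conn and op, then reports DIGEST-MD5 binds that ended in result=49 with a failure reason naming an entry under cn=OracleContext. The function name and the two conn=7 sample lines are constructed; the BIND lines quoted in this document do not show the listener, so the LDAPS condition has to be confirmed separately.

```python
import re

# key=value tokens as used in the access log lines quoted in this document;
# a value is either a double-quoted string or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
BIND = re.compile(r'^\[([^\]]+)\] BIND (REQ|RES) (.*)$')

# The first six lines are the ones quoted in this document; the two conn=7
# lines are constructed to show a result=49 that is NOT this issue.
SAMPLE_LOG = '''\
[10/Dec/2018:05:11:03 +0000] BIND REQ conn=5 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[10/Dec/2018:05:11:03 +0000] BIND RES conn=5 op=1 msgID=2 result=49 authFailureID=1245385 authFailureReason="The server was not able to find any user entries for the provided username of dn:cn=<USERNAME>,cn=OracleContext" etime=27
[10/Dec/2018:06:12:53 +0000] BIND REQ conn=3 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[10/Dec/2018:06:12:53 +0000] BIND RES conn=3 op=0 msgID=1 result=14 etime=37
[10/Dec/2018:06:12:53 +0000] BIND REQ conn=3 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn="" version=3
[10/Dec/2018:06:12:53 +0000] BIND RES conn=3 op=1 msgID=2 result=0 authDN="cn=<USERNAME>,cn=OracleContext" etime=30
[10/Dec/2018:06:20:00 +0000] BIND REQ conn=7 op=0 msgID=1 type=SIMPLE dn="uid=app,dc=example,dc=com" version=3
[10/Dec/2018:06:20:00 +0000] BIND RES conn=7 op=0 msgID=1 result=49 authFailureReason="constructed sample: wrong password" etime=2
'''

def parse_fields(rest):
    """Return the key=value pairs of one log line, with quotes stripped."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(rest)}

def find_oraclecontext_digest_failures(lines):
    """Hypothetical helper: list BIND failures matching this document's signature."""
    pending = {}  # (conn, op) -> fields of the BIND REQ awaiting its BIND RES
    hits = []
    for line in lines:
        m = BIND.match(line.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        f = parse_fields(rest)
        key = (f.get('conn'), f.get('op'))
        if kind == 'REQ':
            pending[key] = f
            continue
        req = pending.pop(key, {})
        reason = f.get('authFailureReason', '')
        if (req.get('mechanism') == 'DIGEST-MD5' and f.get('result') == '49'
                and 'cn=oraclecontext' in reason.lower()):
            hits.append({'ts': ts, 'conn': key[0], 'op': key[1], 'reason': reason})
    return hits

if __name__ == '__main__':
    for hit in find_oraclecontext_digest_failures(SAMPLE_LOG.splitlines()):
        print(hit['ts'], 'conn=' + hit['conn'], 'op=' + hit['op'], hit['reason'])
```

The result=14 response on conn=3 is the intermediate step of the successful DIGEST-MD5 exchange quoted above, which is why the match is restricted to result=49.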

Cause
