OID 10g External Authentication Plugin (PLSQL Based) Stops Working - Authentication failed. Please try again (Doc ID 302444.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 9.0.4 to 10.1.2 [Release 10gR1 to 10gR2]
Information in this document applies to any platform.

Symptoms

External Authentication Plugin against Active Directory (AD) was working fine previously.

Now AD users fail to login to SSO. Error returned is:
Error: Authentication failed. Please try again

No changes in the Infrastructure / Middle Tier / Database Tier except for a bounce of the Services and
the Database the night before.

The ldapbind command against AD using the ADuser id / password works:
$ ldapbind -h < AD host > -p < AD Port > -D "< ADusername@domain >" -w < ADuser password >
bind successful

Ldapcompare against OID fails:
$ ldapcompare -h < OID host > -p < OID Port > -D cn=orcladmin -w < password > -b "< full user DN >" -a userPassword -v "< ADuser password >"
The value < ADuser password > is not contained in the attribute userPassword in DN < user DN >.

Using instructions from <Note:277382.1> "How to Configure OID External Authentication Plug-In for Authentication Via Microsoft Active Directory (MS AD)", to turn on plugin debugging, the table output shows the following:

select * from ods.plg_debug_log order by id
SQL> /

        ID MSG                                                LOG_DATE  USESSION_ID
---------- -------------------------------------------------- --------- ------------
      1000 === Begin when_compare_replace()                   17-MAR-05 003F00020001
      1001 ldap_session:                                      17-MAR-05 003F00020001
      1002 simple_bind_res: 1024                              17-MAR-05 003F00020001
      1003 AD auth return FALSE or ERROR                      17-MAR-05 003F00020001
      1004 unbind_res Returns 1024                            17-MAR-05 003F00020001
      1005 === End when_compare_replace() ===                 17-MAR-05 003F00020001

6 rows selected.

And turning on full OID debug level (highest level) as per documentation:
http://download.oracle.com/docs/cd/B10464_01/manage.904/b12118/logging2.htm#130537

A resulting oidldapd01s< pid# >.log shows, for example:

.... <snip>.....
BEGIN
2005/03/18:09:20:45 * ServerWorker:4 * ConnID:-13 * OpId:2 * OpName:compare
Entry gslfcmADoCompare
09:20:45 * gslfbiGetControlInfo:Entry
09:20:45 * gslfbiGetControlInfo:Exit
09:20:45 * gslfcmADoCompare: IP Address (< OID Host IP Address >) dn (< full user DN >) attr (userpassword) value(******)
09:20:45 * Entry: gslsbcmCompare()
09:20:45 * INFO * gslsbnrNormalizeString : String to Normalize: <rgrover>
09:20:45 * INFO * gslsbnrNormalizeString() Normalized value: <rgrover>
09:20:45 * INFO * gslsbnrNormalizeString : String to Normalize: <adusers>
09:20:45 * INFO * gslsbnrNormalizeString() Normalized value: <adusers>
09:20:45 * INFO * gslsbnrNormalizeString : String to Normalize: <usg>
09:20:45 * INFO * gslsbnrNormalizeString() Normalized value: <usg>
09:20:45 * INFO * gslsbnrNormalizeString : String to Normalize: <net>
09:20:45 * INFO * gslsbnrNormalizeString() Normalized value: <net>
09:20:45 * Base Search Sql: SELECT /*+ USE_NL(store) USE_NL(dn) INDEX(store
EI_ATTRSTORE) ORDERED */ store.entryid, AttrName, NVL(AttrVal,' '), attrkind,
NVL(attrstype, ' ') FROM CT_DN dn, ds_attrStore store WHERE (dn.rdn = :
szCommonName AND dn.parentdn = :szBaseDomain) AND store.entryid = dn.entryid
AND attrkind != 't'
09:20:45 * szCommonName = *cn=ADuser*, szBaseDomain = *< subscriber domain / realm >*
09:20:45 * Base Search Completed with: 100
09:20:45 *     NOT
09:20:45 *     EQUALITY
09:20:45 * INFO * gslsbnrNormalizeString : String to Normalize: <orcladuser>
09:20:45 * INFO * gslsbnrNormalizeString() Normalized value: <orcladuser>
09:20:45 * INFO * gslsbnrNormalizeString : String to Normalize: <orcladuser>
09:20:45 * INFO * gslsbnrNormalizeString() Normalized value: <orcladuser>
09:20:45 * <= gslffeATestFilter 0
09:20:45 * <= gslffeATestFilter 1010
09:20:45 *  Exiting [gsldmp_getPluginContext] ...
09:20:45 *  Exiting [gsldmj_comparePlugin] ...
09:20:45 * sgslunwWrite: Entry
09:20:45 * sgslunwWrite: Exit
09:20:45 *            DN="< full user DN >"

09:20:45 * TOTAL "Operation" time :       9840  micro sec
09:20:45 * INFO : gslfrsASendLdapResult2 RESULT = 5 nentries=0
09:20:45 * Exit: gslsbcmCompare()
09:20:45 * Exit gslfcmADoCompare
END

.... <snip>.....

The relevant portion from log above shows the error number is 5:
      09:20:45 * INFO : gslfrsASendLdapResult2 RESULT = 5 nentries=0

Description of error 5 in the Oracle® Internet Directory Administrator's Guide 10g (9.0.4), Part Number B12118-01, Appendix I Troubleshooting:
http://download.oracle.com/docs/cd/B10464_01/manage.904/b12118/trblsht3.htm#623944

05--LDAP_COMPARE_FALSE   Presented value is not the same as the one in the entry.

The above error indicates that the password value does not match; however, an ldapbind directly to the AD server with the same password works fine, so the mismatch is being reported by the plugin path rather than by AD itself.
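As an added diagnostic aid (not part of this note or of the OID plugin code), the following Python script reads the two log sources shown above, the oidldapd server log and the ods.plg_debug_log MSG values, and separates a genuine AD password rejection from a plugin that could not complete its bind to AD, since both surface to the SSO client as LDAP result 5. The log text, DN and IP address are constructed samples in the format this note shows; the only standard facts relied on are the RFC 4511 resultCode values and DBMS_LDAP.SUCCESS being 0.

```python
import re

# Constructed sample of an oidldapd01s<pid>.log compare operation in the
# format this note shows (not a real capture; host and DN are placeholders).
OID_LOG = """\
2005/03/18:09:20:45 * ServerWorker:4 * ConnID:-13 * OpId:2 * OpName:compare
09:20:45 * gslfcmADoCompare: IP Address (10.0.0.5) dn (cn=aduser,cn=users,dc=example,dc=com) attr (userpassword) value(******)
09:20:45 * INFO : gslfrsASendLdapResult2 RESULT = 5 nentries=0
09:20:45 * Exit gslfcmADoCompare
"""

# Constructed MSG values from ods.plg_debug_log, mirroring the rows above.
PLUGIN_MSGS = ["=== Begin when_compare_replace()", "ldap_session:",
               "simple_bind_res: 1024", "AD auth return FALSE or ERROR",
               "unbind_res Returns 1024", "=== End when_compare_replace() ==="]

# Standard LDAP resultCode values (RFC 4511) that a compare can return.
LDAP_RESULT = {0: "success", 5: "compareFalse", 6: "compareTrue",
               32: "noSuchObject", 49: "invalidCredentials"}

def oid_compare_results(log_text):
    """Return [(dn, resultCode), ...] for each compare op in an OID log."""
    results, dn = [], None
    for line in log_text.splitlines():
        m = re.search(r"gslfcmADoCompare: .*?dn \((.*?)\) attr", line)
        if m:
            dn = m.group(1)
        m = re.search(r"gslfrsASendLdapResult2 RESULT = (\d+)", line)
        if m:
            results.append((dn, int(m.group(1))))
    return results

def plugin_bind_result(msgs):
    """DBMS_LDAP return value the plugin logged for its bind to AD
    (0 = DBMS_LDAP.SUCCESS); None if no bind result was logged."""
    for msg in msgs:
        m = re.match(r"simple_bind_res:\s*(-?\d+)", msg)
        if m:
            return int(m.group(1))
    return None

def diagnose(log_text, msgs, direct_bind_ok):
    """Classify the last compare: direct_bind_ok is whether a command-line
    ldapbind to AD with the same credentials succeeded (as in this note)."""
    results = oid_compare_results(log_text)
    code = results[-1][1] if results else None
    if code == 6:
        return "ok"
    if code == 5 and plugin_bind_result(msgs) not in (None, 0):
        return "plugin-cannot-bind-to-ad" if direct_bind_ok else "ad-rejected-credentials"
    return LDAP_RESULT.get(code, "unknown")
```

With the symptoms from this note (result 5, simple_bind_res non-zero, direct ldapbind working) the verdict is "plugin-cannot-bind-to-ad", which points at the database-to-AD path used by the PL/SQL plugin rather than at the user's password.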

Changes

 

Cause
