Portal 10g Procedure To Query Portal Views WWCTX_API.SET_CONTEXT Fails With ORA-06510 ORA-6512 (Doc ID 758063.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 10.1.4 to 10.1.4 [Release 10gR3]
Portal - Version 10.1.2.0.0 to 10.1.4.2 [Release 10gR2]
Information in this document applies to any platform.

Symptoms

The environment has Production (PROD) and Development (DEV) instances running OID 10.1.4.
The DEV instance has no problems.

In PROD, a new portal midtier was set up. As part of the migration, newly built content was to be imported into the new PROD instance, and that import failed. PROD was then manually recreated, and since then executing the WWCTX_API.SET_CONTEXT procedure in SQL*Plus returns errors:

ORA-06510:PL/SQL: unhandled user-defined exception
ORA-6512:at "PORTAL.WWCTX_API" line 1686
ORA-6512:at line


To reproduce:
Log in to SQL*Plus using the portal admin username and password and, at the prompt, enter:
exec WWCTX_API.SET_CONTEXT('portal',[portal lightweight password],NULL);


Diagnostics:
Use the debugging steps from <Note 260840.1>, binding as the Portal App Account DN, i.e.:
orclapplicationcommonname=portal.081215.010901.834742000,cn=portal,cn=products,cn=oraclecontext
and the User DN: cn=portal,cn=users,<realm, e.g., dc=mycompany,dc=com>.

The script from <Note 260840.1> returns an underlying OID LDAP error:

Error code : -31202
Error Message : ORA-31202: DBMS_LDAP: LDAP client/server error: Insufficient access

After turning on OID Server Access Control (ACI) level debug, the OID log shows that the same Portal App Account DN is authenticating to OID, but that it does not have access to attributes of the Portal realm entry, e.g.:
     cn=portal,cn=users,dc=mycompany,dc=com
It fails ACI checking with LDAP error 50 (insufficient privileges):

23:58:20 * gslaudeaAttributesEvaluation:Operation id:(7) User being a Privileged group member, Evaluation continues
23:58:20 * gslaudeaAttributesEvaluation: Operation id:(7) Enforcing Server Default Access Policy
23:58:20 * gslaudeaAttributesEvaluation:Operation id:(7) Attribute Access to entry (cn=portal,cn=users,dc=mycompany,dc=com) not allowed
23:58:20 * gslaudekModsEvaluation: Access to attributes not allowed
23:58:20 * INFO : gsleswrASndResult2 RESULT = 50 nentries=0
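
To pull these denials out of a longer OID server log captured with ACI debug enabled, the following added example (not part of the Oracle note, and not Oracle code) rejoins wrapped records and reports each denied entry with the LDAP result code that follows it. The function names are hypothetical, and pairing a denial with the next RESULT line is an assumption that holds for the excerpt above but may not hold where operations interleave on a busy server.

```python
import re

# Constructed sample: the ACI debug excerpt from this note, with wrapped lines.
SAMPLE_LOG = """\
23:58:20 * gslaudeaAttributesEvaluation:Operation id:(7) User being a
Privileged group
member, Evaluation continues
23:58:20 * gslaudeaAttributesEvaluation: Operation id:(7) Enforcing Server Default
Access Policy
23:58:20 * gslaudeaAttributesEvaluation:Operation id:(7) Attribute Access to entry
(cn=portal,cn=users,dc=mycompany,dc=com) not allowed
23:58:20 * gslaudekModsEvaluation: Access to attributes not allowed
23:58:20 * INFO : gsleswrASndResult2 RESULT = 50 nentries=0
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2} \* ")
DENIED = re.compile(r"Operation id:\((\d+)\) Attribute Access to entry\s*\((.+?)\) not allowed")
RESULT = re.compile(r"RESULT = (\d+)")

def logical_lines(text):
    """Rejoin wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def aci_denials(text):
    """Return one dict per denied entry, paired with the next LDAP result code logged."""
    # Assumption: the next RESULT line belongs to the same operation as the denial.
    findings, pending = [], []
    for rec in logical_lines(text):
        denied = DENIED.search(rec)
        result = RESULT.search(rec)
        if denied:
            pending.append({"time": rec[:8], "op_id": int(denied.group(1)),
                            "entry": denied.group(2), "result": None})
        elif result and pending:
            for finding in pending:
                finding["result"] = int(result.group(1))
            findings, pending = findings + pending, []
    return findings + pending  # denials with no result line keep result=None

if __name__ == "__main__":
    for f in aci_denials(SAMPLE_LOG):
        print(f"{f['time']} op {f['op_id']}: access denied to {f['entry']} (LDAP result {f['result']})")
```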

NOTE:  The following command can also be used to reproduce the same error:

ldapcompare -h <PROD oid host> -p <port> -D "orclapplicationcommonname=portal.081215.010901.834742000,cn=portal,cn=products,cn=oraclecontext" -w <portal app dn pwd> -b "cn=portal,cn=users,dc=mycompany,dc=com" -a userpassword -v <portal user pwd>

Where <portal app dn pwd> can be obtained by using solution steps 1-3 from <Note 312154.1>.


Both the PROD and DEV OIDs are at the same version/patchset. Both OIDs have the same ACIs for cn=users,dc=mycompany,dc=com and cn=portal,cn=users,dc=mycompany,dc=com (default ACIs).

Both OIDs return the same results from an ldapsearch membership check for the portal app DN account, i.e.:

ldapsearch -h <oid host> -p <port> -D "cn=orcladmin" -w <password> -s sub -b "" "(uniquemember=orclapplicationcommonname=portal.081215.010901.834742000,cn=portal,cn=products,cn=oraclecontext)" dn

Also verified both nodes against <Note 270620.1>.


Changes

PROD OID has been reinstalled/rebuilt.

Cause
