DBMS_LDAP Compare Code Returns "ORA-31202: DBMS_LDAP: LDAP client/server error: No such attribute" When Used To Compare An AD Synchronized Account's Userpassword Against AD (Via External Auth Plugin) (Doc ID 823461.1)

Last updated on SEPTEMBER 14, 2016

Applies to:

Oracle Internet Directory - Version 9.0.4 to 10.1.4.3 [Release 10gR1 to 10gR3]
Information in this document applies to any platform.

Symptoms

The dbms_ldap compare code from <Note 820206.1> is used to compare userpassword for an Active Directory (AD) synchronized user that has no password stored in Oracle Internet Directory (OID), relying on the external authentication plugin. The external authentication plugin works fine for all AD sync'd users, both via command line ldapbinds and via oiddas logins.

The compare sdk code works fine while authenticating as root/super cn=orcladmin, or as the AD sync'd user/DN him/herself.

However, when authenticating as the realm orcladmin user (cn=orcladmin,cn=users,<realm>), the code fails with:

ORA-31202: DBMS_LDAP: LDAP client/server error: No such attribute


Similarly, an ldapcompare command line test while authenticating as the same realm orcladmin fails with the same error:

> ldapcompare -h myoidhost -p 389 -D "cn=orcladmin,cn=users,dc=mycompany,dc=com" -w <orcladmin_password> -b "cn=myADuser,cn=users,dc=mycompany,dc=com" -a userPassword -v <AD_password>
ldap_compare_s: No such attribute


After enabling full OID debugging and reproducing the problem, the log shows the following:

BEGIN
2009/04/20:10:04:07 * ServerWorker (REG):4 * ConnID:135344 * OpId:1 * OpName: compare
Entry gslfcmADoCompare
10:04:07 * gslfbiGetControlInfo:Entry
10:04:07 * gslfbiGetControlInfo:Exit
10:04:07 * gslfcmADoCompare: IP Address (<IP address>) dn (cn=myADuser,cn=users,dc=mycompany,dc=com) attr (userpassword) value(******)
10:04:07 * gslsfgglorclprivilegeGroupList:Entry
10:04:07 * Enter gsldfq_getSplGroupSQLs()10:04:07 * Enter gsldfq_getSplGroupSQLs()10:04:07 * [gsldfd_FetchSubTreeObjs]Re-using prepared Statement
10:04:07 * Subtree Search Completed with: 100
10:04:07 * Exit: gsldfd_FetchSubTreeObjs
10:04:07 * gslsfgglorclprivilegeGroupList: Exit with 0
10:04:07 * gslsfgglorclacpGroupList: Entry
10:04:07 * Enter gsldfq_getSplGroupSQLs()10:04:07 * Enter gsldfq_getSplGroupSQLs()10:04:07 * [gsldfd_FetchSubTreeObjs]Re-using prepared Statement
10:04:07 * Subtree Search Completed with: 100
10:04:07 * Exit: gsldfd_FetchSubTreeObjs
10:04:07 * gslsfgglorclacpGroupList:Exit with 0
10:04:07 * gslsfbiDumpSubscribedGroups: Op. ID: <1> Subscribed Orclprivilege Groups for the user DN: <cn=orcladmin,cn=users,dc=mycompany,dc=com>
10:04:07 * Op. ID: <1> Group0 for the user DN:<cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com>
10:04:07 * Op. ID: <1> Group1 for the user DN:<cn=oracleusersecurityadmins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com>
10:04:07 * Op. ID: <1> Group2 for the user DN:<cn=userproxyprivilege,cn=groups,cn=oraclecontext,dc=mycompany,dc=com>

...<etc, etc, same for several other groups>...

10:04:07 * gslsfbiDumpSubscribedGroups: Op. ID: <1> Subscribed Orclacp Groups for the user DN: <cn=orcladmin,cn=users,dc=mycompany,dc=com>
10:04:07 * Op. ID: <1> Group0 for the user DN:<cn=iasadmins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com>
10:04:07 * Op. ID: <1> Group1 for the user DN:<cn=ias & user mgmt application admins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com>
10:04:07 * Op. ID: <1> Group2 for the user DN:<cn=trusted applications admins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com>
10:04:07 * Op. ID: <1> Group3 for the user DN:<cn=user provisioning admins,cn=groups,cn=oraclecontext>
10:04:07 * Op. ID: <1> Group4 for the user DN:<cn=provisioning admins,cn=dipadmins,cn=directory integration platform,cn=products,cn=oraclecontext>
10:04:07 * Entry: gslsbcmCompare()
10:04:07 * Base Search Sql: SELECT /*+ USE_NL(store) USE_NL(dn) INDEX(store
EI_ATTRSTORE) INDEX(dn RP_DN) ORDERED */ store.entryid, AttrName, NVL(AttrVal,'
'), attrkind, NVL(attrstype, ' ') FROM CT_DN dn, ds_attrStore store WHERE (dn.
rdn = :szCommonName AND dn.parentdn = :szBaseDomain) AND store.entryid = dn.
entryid AND attrkind != 't'
10:04:07 * szCommonName = *cn=oracleusersecurityadmins*, szBaseDomain = *cn=oraclecontext,cn=groups,*
10:04:07 * Base Search Completed with: 100
10:04:07 * DN="cn=myADuser,cn=users,dc=mycompany,dc=com"

10:04:07 * EVENT "Proc Rslt" time : 6 micro sec
10:04:07 * EVENT "Rslt Flsh" time : 23 micro sec
10:04:07 * TOTAL "Operation" time : 5215 micro sec
10:04:07 * INFO : gslfrsASendLdapResult2 RESULT = 16 nentries=0
10:04:07 * Compare Op: <IP address>, cn=orcladmin,cn=users,dc=mycompany,dc=com, Fail
10:04:07 * Exit: gslsbcmCompare()
10:04:07 * Exit gslfcmADoCompare
END

2009/04/20:10:04:07 * ServerWorker (REG):4 * INFO * ServerWorker * Operation Complete

RESULT = 16 above is the same LDAP error code returned from the dbms_ldap and ldapcompare tests before, against the cn=oracleusersecurityadmins group (reference OID Admin Guide):
(Error) 16—LDAP_NO_SUCH_ATTRIBUTE = Attribute does not exist in the entry specified in the request.
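
The following is an added example, not part of the Oracle note: a small Python parser that pulls each compare operation out of an OID debug trace of the shape shown above, maps the numeric RESULT to its RFC 4511 name, and lists userpassword compares issued by a DN other than the entry being checked. The function names, the 192.0.2.10 address and the second sample operation (including its "Success" outcome word) are assumptions made for illustration.

```python
import re

# LDAP result codes from RFC 4511 that a compare operation can return.
LDAP_RESULTS = {0: "success", 5: "compareFalse", 6: "compareTrue",
                16: "noSuchAttribute", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

OP_RE = re.compile(r"ConnID:(\d+) \* OpId:(\d+) \* OpName: (\w+)")
TARGET_RE = re.compile(r"gslfcmADoCompare: IP Address \((.*?)\) dn \((.*?)\) attr \((.*?)\)")
RESULT_RE = re.compile(r"gslfrsASendLdapResult2 RESULT = (\d+)")
BIND_RE = re.compile(r"Compare Op: (.*?), (.*), (\w+)\s*$")

# Constructed sample: the first operation reuses lines from the trace above;
# the second is invented for contrast and its "Success" word is an assumption.
SAMPLE_LOG = """\
2009/04/20:10:04:07 * ServerWorker (REG):4 * ConnID:135344 * OpId:1 * OpName: compare
10:04:07 * gslfcmADoCompare: IP Address (192.0.2.10) dn (cn=myADuser,cn=users,dc=mycompany,dc=com) attr (userpassword) value(******)
10:04:07 * INFO : gslfrsASendLdapResult2 RESULT = 16 nentries=0
10:04:07 * Compare Op: 192.0.2.10, cn=orcladmin,cn=users,dc=mycompany,dc=com, Fail
2009/04/20:10:05:11 * ServerWorker (REG):2 * ConnID:135350 * OpId:1 * OpName: compare
10:05:11 * gslfcmADoCompare: IP Address (192.0.2.10) dn (cn=myADuser,cn=users,dc=mycompany,dc=com) attr (userpassword) value(******)
10:05:11 * INFO : gslfrsASendLdapResult2 RESULT = 6 nentries=0
10:05:11 * Compare Op: 192.0.2.10, cn=myADuser,cn=users,dc=mycompany,dc=com, Success
"""

def parse_compare_ops(log_text):
    """Return one dict per compare operation found in an OID debug trace."""
    ops, cur = [], None
    for line in log_text.splitlines():
        if (m := OP_RE.search(line)):
            cur = {"conn": int(m[1]), "op_id": int(m[2]), "op": m[3]}
            ops.append(cur)
        elif cur is None:
            continue  # trace lines before the first operation header
        elif (m := TARGET_RE.search(line)):
            cur.update(client=m[1], target_dn=m[2], attr=m[3].lower())
        elif (m := RESULT_RE.search(line)):
            cur["code"] = int(m[1])
            cur["result"] = LDAP_RESULTS.get(cur["code"], "other")
        elif (m := BIND_RE.search(line)):
            cur.update(bind_dn=m[2], outcome=m[3])
    return [o for o in ops if o["op"] == "compare"]

def third_party_password_compares(ops):
    """Compares of userPassword made by a DN other than the entry itself."""
    return [o for o in ops if o.get("attr") == "userpassword"
            and o.get("bind_dn", "").lower() != o.get("target_dn", "").lower()]
```

Run over the sample, only connection 135344 (the realm orcladmin compare that returned 16, noSuchAttribute) is listed by third_party_password_compares.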

Changes

 

Cause
