EUS SSL With Certificate Matching Is Failing With Ldap: Error Code 32 - No Such Object (Doc ID 1375027.1)

Last updated on JULY 01, 2016

Applies to:

Oracle Internet Directory - Version 10.1.4.3 to 11.1.1.5.0 [Release 10gR3 to 11g]
Advanced Networking Option - Version 10.2.0.1 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.
***Checked for relevance on 30-June-2013***

Symptoms


In an existing 10g environment, this has been set up and running without any difficulties. In preparation for moving to 11g, a new 11g test environment has been set up as follows:

The users are created by LDAP sync from OIM into OID. The orcluser and orcluserv2 object classes were added to the LDAP sync code that is used to create the user. This is working as expected.

The existing usercertificate is loaded into the 11g user's entry using an LDIF file, and then the new enterprise user mappings are created.

Userid/password EUS authentication is working fine, but connecting with an SSL certificate fails.

The following was added to the init.ora file in order to get trace output:

event="28033 trace name context forever, level 9"


The output of this trace shows the following:

Trace file /opt/oracle/admin/diag/rdbms/tst11g01/TST11G01/trace/TST11G01_ora_25693.trc
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining
and Real Application Testing options
ORACLE_HOME = /opt/oracle/product/11.2.0.2
System name: Linux
Node name: ggsg-db-3-d
Release: 2.6.9-67.0.7.ELsmp
Version: #1 SMP Wed Feb 27 04:47:23 EST 2008
Machine: x86_64
Instance name: TST11G01
Redo thread mounted by this instance: 1
Oracle process number: 20
Unix process pid: 25693, image: oracle@oid11g


*** 2011-10-26 07:39:27.149
*** SESSION ID:(785.2709) 2011-10-26 07:39:27.149
*** CLIENT ID:() 2011-10-26 07:39:27.149
*** SERVICE NAME:(TST11G01.CISCO.COM) 2011-10-26 07:39:27.149
*** MODULE NAME:(sqlplus@oid11g (TNS V1-V3)) 2011-10-26 07:39:27.149
*** ACTION NAME:() 2011-10-26 07:39:27.149

kzld found pwd in wallet
KZLD_ERR: 0
kzld_search -s sub -b cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
search filter: (&(objectclass=orcldbenterprisedomain_82)(uniqueMember=cn=TST11G01,cn=OracleContext,dc=us,dc=oracle,dc=com))
KZLD_ERR: 0
kzldsp found policy PWD
kzldsp found policy SSL
kzld_search -s base -b cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
search filter: objectclass=*
KZLD_ERR: 0
kzld found krbPrincipalName for orclCommonkrbPrincipalAttribute
kzldsearch_ext -s sub -b cn=users, dc=us,dc=oracle,dc=com
search filter: (usercertificate;binary=MIIDJzCCApCgAwIBAgIBaTANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEQ...)
KZLD_ERR: failed the search 32.
number of entries: 0
KZLD_ERR: 32
KZLD_ERR: failed to locate user matching the cert.
kzld_search -s sub -b cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=ggsg-us-iam,dc=cisco,dc=com
search filter: (&(objectclass=orcldbenterprisedomain_82)(uniqueMember=cn=TST11G01,cn=OracleContext,dc=us,dc=oracle,dc=com))
KZLD_ERR: 0
kzldsp found policy PWD
kzldsp found policy SSL
kzld_search -s base -b cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
search filter: objectclass=*
KZLD_ERR: 0
kzld found krbPrincipalName for orclCommonkrbPrincipalAttribute
KZLD_ERR: user's DN is not under any realm user search base.
KZLD is doing LDAP unbind
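
A trace like the one above can be triaged mechanically. The following is an added example (not Oracle's code and not part of the original note) that pairs each kzld search with its numeric KZLD_ERR result and reports the search that returned LDAP result 32. The sample lines are abridged from the trace above with the certificate value replaced by a placeholder, and the function names are illustrative.

```python
import re

# Constructed sample, abridged from the trace above; the cert value is a placeholder.
SAMPLE_TRACE = """\
KZLD_ERR: 0
kzld_search -s sub -b cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
search filter: (&(objectclass=orcldbenterprisedomain_82)(uniqueMember=cn=TST11G01,cn=OracleContext,dc=us,dc=oracle,dc=com))
KZLD_ERR: 0
kzld_search -s base -b cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com
search filter: objectclass=*
KZLD_ERR: 0
kzldsearch_ext -s sub -b cn=users, dc=us,dc=oracle,dc=com
search filter: (usercertificate;binary=<CERT-PLACEHOLDER>)
KZLD_ERR: failed the search 32.
number of entries: 0
KZLD_ERR: 32
KZLD_ERR: failed to locate user matching the cert.
"""

# Matches both spellings seen in the trace: kzld_search and kzldsearch_ext.
SEARCH_RE = re.compile(r"^(kzld_?search\w*) -s (\w+) -b (.+)$")
LDAP_RESULT = {0: "success", 32: "noSuchObject"}  # standard LDAP result codes

def parse_searches(trace):
    """Pair every kzld search with its filter, first numeric KZLD_ERR and messages."""
    searches, current = [], None
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := SEARCH_RE.match(line):
            current = dict(op=m[1], scope=m[2], base=m[3], filter=None, rc=None, messages=[])
            searches.append(current)
        elif current is None:
            continue  # status lines before the first search belong to no search
        elif line.startswith("search filter: "):
            current["filter"] = line[len("search filter: "):]
        elif line.startswith("KZLD_ERR: "):
            value = line[len("KZLD_ERR: "):]
            if not value.isdigit():
                current["messages"].append(value)  # free-text diagnostic
            elif current["rc"] is None:
                current["rc"] = int(value)  # first numeric code after the search
    return searches

def failed_searches(trace):
    return [s for s in parse_searches(trace) if s["rc"]]  # non-zero result only

if __name__ == "__main__":
    for s in failed_searches(SAMPLE_TRACE):
        print(f'{s["op"]} scope={s["scope"]} base="{s["base"]}" '
              f'rc={s["rc"]} ({LDAP_RESULT.get(s["rc"], "other")}) {s["messages"]}')
```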



Changes

This is a new 11g environment where existing 10g users have been recreated via OIM.

Cause
