E-LDAP: PT 8.55 LDAP Code Doesn't Loop Through Multiple Domains so Failover is not Working Correctly and Users Get LDAP Error Code : 49 Even Though They Typed the Correct Password (Doc ID 2383555.1)

Last updated on OCTOBER 15, 2024

Applies to:

Symptoms

LDAP authentication giving Invalid Username\password with the Network ID exists in multiple domains.

Customer Network ID's are unique by domain\username. For instance domain1\username and domain2\username. After upgrading from 8.55.11 to 8.55.21 and 8.56.06, and even to PT 8.57 tools, users that have a username that exists in two domains are now getting authenticated and are getting the error Invalid Username\password.

After doing a trace within the code we are finding that when username (from domain1) logs into the system, the LDAP SEARCH code is validating against username in domain2 and therefore the user is getting error because the password for domain1\username doesn't equal the password for domain2\username.

ERROR
-----------------------

- LDAP Error Message : 80090308: LdapErr: DSID-0C090400
- LDAP Error Code : 49

The issue can be reproduced at will with the following steps:
1. Setup LDAP authentication with one map and multiple LDAP servers.

2. User logs in with LDAP password but because there are similar LDAP users IDs in different locations, domain1 and domain2, the users have different passwords. The user from domain2 hits the domain1 LDAP server first, but instead of the code looping and checking the domain1 server, it fails the login and exits the code.

This was working correctly in PT 8.55.20 or earlier

Note: We have also seen this issue with customers who use a 2 factor authentication process as the first security check will fail and then not try again to authenticate the user because of this code change.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.