This post covers how to troubleshoot login issues in an Oracle Database configured with Enterprise User Security (EUS) that uses Oracle Internet Directory (OID) as the enterprise user repository.
Deployment:
1) Database DB1 integrated with Oracle Internet Directory using the steps mentioned here
2) Database registered in OID under the domain DC=mydomain, DC=com
What is EUS in the Database?
In simple terms, users can use their enterprise user accounts (OID, AD or other directory accounts) to connect to Oracle Database, so that database accounts are managed in a single location (OID, AD or another LDAP server). More on EUS here
Issue: Users reported that they can't log in to the database using their OID user accounts.
Troubleshooting:
1. The first thing to do is enable tracing in the database as explained here
In my case the error message is
_________
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=49
KZLD_ERR: 49
KZLD is doing LDAP unbind
KZLD_ERR: failed from kzldob_open_bind.
_________
To understand this issue, let's first look at how EUS login works:
During Configuration Phase
a) During EUS configuration a user is created in OID at cn=[ORACLE_SID],cn=OracleContext,dc=[OID Domain], with a random password stored in the userPassword attribute of that user.
b) This username/password pair is also stored in a wallet on the database server at $ORACLE_BASE/admin/$SID/wallet. More on Oracle wallet here
During Run Time
1) The user types sqlplus [OID_User]/[OID_Password]@ServiceName
2) The system checks SQLNET.ORA and finds LDAP as the first entry
3) It connects to the LDAP server (OID in my case) defined in ldap.ora, using the username and password stored in the wallet under $ORACLE_BASE/admin/$SID/wallet
As the error in my case is "Failed to bind to LDAP server. Err=49", a simple test is to check whether I can connect to the LDAP server using the username and password stored in the database wallet.
How to find the username and password stored in the database wallet?
mkstore -wrl $ORACLE_BASE/admin/$SID/wallet -viewEntry ORACLE.SECURITY.DN (run this on the database node)
mkstore -wrl $ORACLE_BASE/admin/$SID/wallet -viewEntry ORACLE.SECURITY.PASSWORD (run this on the database node)
mkstore will prompt you for the wallet password that you entered during database registration with OID.
You will get the username and password, like
ORACLE.SECURITY.DN = cn=DB1,cn=OracleContext,dc=mydomain,dc=com
ORACLE.SECURITY.PASSWORD = abBP2X7
How to verify the database connection to the LDAP server?
Run ldapbind like
ldapbind -h [OIDServer] -p [OID_Port] -D "[ORACLE.SECURITY.DN]" -w [ORACLE.SECURITY.PASSWORD] (the OID 11g default LDAP port is 3060; for OID 10g the default LDAP port is 389)
for example
ldapbind -h OID_Server -p 3060 -D "cn=DB1,cn=OracleContext,dc=mydomain,dc=com" -w abBP2X7
In my case I received the error message
ldap_bind: Invalid credentials
ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.
OID ships with a default password policy, cn=default,cn=pwdPolicies,cn=common,cn=products,cn=oracleContext,DC=DOMAIN, with pwdMaxAge set to 10368000 seconds (120 days).
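The wallet lookup and ldapbind check above can be scripted so the failure is classified automatically. This is an added example, not code from the original post: it assumes mkstore and ldapbind are on PATH on the database node, that a successful ldapbind prints "bind successful", and that the wallet directory, OID host and port are passed as arguments.

```shell
#!/bin/sh
# Added example: automate the EUS bind check described in the post.

# Pull one entry value out of `mkstore -viewEntry` output, e.g. the line
# "ORACLE.SECURITY.DN = cn=DB1,cn=OracleContext,dc=mydomain,dc=com".
# $1 = entry name, stdin = mkstore output (the password prompt is ignored).
wallet_value() {
    sed -n "s/^$1 = //p" | head -n 1
}

# Classify captured ldapbind output. The expired-password case is checked
# first because OID prints "Invalid credentials" on that line as well.
# Assumption: a successful bind prints "bind successful".
classify_bind() {
    out=$(cat)
    case "$out" in
        *GSL_PWDEXPIRED_EXCP*)   echo "PASSWORD_EXPIRED" ;;
        *"Invalid credentials"*) echo "BAD_CREDENTIALS" ;;
        *"bind successful"*)     echo "OK" ;;
        *)                       echo "UNKNOWN" ;;
    esac
}

# Convert an OID pwdMaxAge value (seconds) to whole days; blank means
# passwords never expire, which is the long-term fix discussed below.
pwd_max_age_days() {
    if [ -z "$1" ]; then
        echo "never"
    else
        echo $(( $1 / 86400 ))
    fi
}

# Live check, run on the database node (mkstore prompts for the wallet
# password once per entry). Usage: eus_bind_check <wallet_dir> <oid_host> <oid_port>
eus_bind_check() {
    wallet_dir=$1; host=$2; port=$3
    dn=$(mkstore -wrl "$wallet_dir" -viewEntry ORACLE.SECURITY.DN \
         | wallet_value ORACLE.SECURITY.DN)
    pw=$(mkstore -wrl "$wallet_dir" -viewEntry ORACLE.SECURITY.PASSWORD \
         | wallet_value ORACLE.SECURITY.PASSWORD)
    ldapbind -h "$host" -p "$port" -D "$dn" -w "$pw" 2>&1 | classify_bind
}
```

A PASSWORD_EXPIRED result points directly at the pwdMaxAge policy; BAD_CREDENTIALS without the policy error means the wallet and the OID userPassword have drifted apart.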
Fix:
Now that we know the root cause, the fix is:
Fix 1 (short term): In OID, update the password of cn=DB1,cn=OracleContext,dc=mydomain,dc=com by setting its userPassword attribute to the value obtained from ORACLE.SECURITY.PASSWORD.
Fix 2 (long term): In OID, change the password policy so that passwords do not expire, by setting the pwdMaxAge attribute to blank for cn=default,cn=pwdPolicies,cn=common,cn=products,cn=oracleContext,DC=DOMAIN. (This will affect all accounts in OID; if that is not acceptable, create a second password policy in OID with pwdMaxAge set to a very high value or blank and apply it only to the database account.) More on password policy in OID here