This issue is simple, but it is good to know the root cause. There is a container in OID, cn=Employee,cn=users,dc=oracle,dc=com, apart from cn=users,dc=oracle,dc=com. I was trying to log in to the OIDDAS console as an Employee container user and it was throwing a 401 Unauthorized error.
By the way, the OSSO (OID) was already integrated with OAM. When I searched the ssoServer.log (present under $ORACLE_HOME/sso/log), I found the exception trace below.
Tue Mar 15 11:09:04 IST 2011 [ERROR] AJPRequestHandler-ApplicationServerThread-43 Could not get attributes for user, 11061
oracle.ldap.util.UtilException: Multiple Users found with Simple Name = 11061
    at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1173)
    at oracle.ldap.util.Subscriber.getUser(Subscriber.java:923)
    at oracle.ldap.util.Subscriber.getUser(Subscriber.java:870)
    at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:537)
    at oracle.security.sso.server.auth.AuthUtil.getUserMapping(AuthUtil.java:1473)
    at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:1288)
    at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:547)
    at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:390)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:826)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:332)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
    at java.lang.Thread.run(Thread.java:534)
Tue Mar 15 11:09:04 IST 2011 [ERROR] AJPRequestHandler-ApplicationServerThread-43 Authorization failed for user: 11061
Metalink article 297059.1 was helpful for me in troubleshooting. The root cause is that the search base in the OIDDAS console is specified for 2 containers, i.e., cn=Employee, cn=users, dc=oracle,dc=com and cn=users,dc=oracle,dc=com. See the below screenshot.
Hence, while searching for a user, say 11061, it returns 1 record from the cn=Employee,cn=users,dc=oracle, dc=com container and another record from the cn=users,dc=oracle,dc=com container.
I removed cn=Employee,cn=users,dc=oracle,dc=com from the Search Base as shown below.
Bounced the OC4J process of OID. The error vanished after that.
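The check below is an added example, not code from the original post or from Oracle: it flags search bases that are nested inside one another and simulates the duplicate match for simple name 11061. It assumes each base is searched with subtree scope and that results are not de-duplicated; the entry DNs in ENTRIES are constructed, and all function names are hypothetical.

```python
# Added example: find overlapping LDAP search bases and show the duplicate hit.

def parse_dn(dn):
    """Split a DN into normalized RDNs (assumes no escaped commas in values)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(dn, base):
    """True if dn equals base or lies in the subtree below it."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def overlapping_bases(bases):
    """Return (inner, outer) pairs where inner is strictly nested inside outer."""
    return [(i, o) for i in bases for o in bases
            if parse_dn(i) != parse_dn(o) and is_under(i, o)]

def hits_per_base(entries, bases, nickname):
    """Simulate one subtree search per base; return every matching DN found."""
    hits = []
    for base in bases:
        hits += [dn for dn, uid in entries if uid == nickname and is_under(dn, base)]
    return hits

# The two search bases named in the post; spacing after commas is normalized.
BASES = ["cn=Employee, cn=users, dc=oracle,dc=com", "cn=users,dc=oracle,dc=com"]
# Constructed directory content (hypothetical entry DNs).
ENTRIES = [
    ("cn=11061,cn=Employee,cn=users,dc=oracle,dc=com", "11061"),
    ("cn=orcladmin,cn=users,dc=oracle,dc=com", "orcladmin"),
]

if __name__ == "__main__":
    for inner, outer in overlapping_bases(BASES):
        print(f"overlap: {inner!r} is inside {outer!r}")
    before = hits_per_base(ENTRIES, BASES, "11061")
    after = hits_per_base(ENTRIES, BASES[1:], "11061")  # Employee base removed
    print(len(before), "hits with both bases;", len(after), "with the parent only")
```

Under those assumptions the nested base makes the same entry match twice, which is the ambiguity reported as "Multiple Users found with Simple Name"; with only the parent base the lookup is unique.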