ORA-28043: invalid bind credentials for DB-OID connection

On By taliphakanozturkIn OID (Oracle Internet Directory), ORA-Errors, Step by Step Documentation

In this article, I will write about resolving ORA-28043 error. Our databases integrated with Oracle Internet Directory and registered in OID under domain dc=tholdap,dc=local
Some users in my company reported that they can’t login to database using OID user accounts. They get ORA-28043 error when attempt to login database. In this situation, first thing to do is enable a trace for this error in database as below.

sqlplus / as sysdba

SQL> alter system set events ‘28033 trace name context forever, level 9’;

Try to reconnect with OID user account and get ORA-28043 error again.

Go trace file location under directory $ORACLE_BASE/diag/rdbms/$SID/$SID/trace

The sample trace file contains following lines.

vi /u01/app/oracle/diag/rdbms/testdb/TESTDB/trace/TESTDB_ora_9951.trc

ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1
System name: SunOS
Node name: dbtest
Release: 5.10
Version: Generic_150400-09
Machine: sun4v
Instance name: TESTDB
Redo thread mounted by this instance: 1
Oracle process number: 2610
Unix process pid: 9951, image: oracle@dbtest

*** ACTION NAME:() 2016-02-24 09:04:40.463
*** MODULE NAME:(Toad.exe) 2016-02-24 09:04:40.463
*** SERVICE NAME:(TESTDB) 2016-02-24 09:04:40.463
*** SESSION ID:(1212.44043) 2016-02-24 09:04:40.463
kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=49
KZLD_ERR: 49
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.
~
~

According to trace file, the error message is related to binding to LDAP Server.

kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=49
KZLD_ERR: 49
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.

Let me check, if I can connect to ldap server using username and password stored in database wallet.

Now, there is a question: How can we find the username and password stored in our database wallet ?

$ mkstore -wrl $ORACLE_BASE/admin/TESTDB/wallet -viewEntry ORACLE.SECURITY.DN
Oracle Secret Store Tool : Version 11.2.0.3.0 – Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: abcd678xx_

ORACLE.SECURITY.DN = cn=TESTDB,cn=OracleContext,dc=tholdap,dc=local
$ mkstore -wrl $ORACLE_BASE/admin/TESTDB/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Oracle Secret Store Tool : Version 11.2.0.3.0 – Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: abcd678xx_

ORACLE.SECURITY.PASSWORD = +HKRbmQ7

mkstore will ask you for wallet password which you entered during database OID registration.

Now, we have the username and password as below.

ORACLE.SECURITY.PASSWORD = +HKRbmQ7
ORACLE.SECURITY.DN = cn=TESTDB,cn=OracleContext,dc=tholdap,dc=local

Now it is needed to verify database connection to LDAP Server.

First let me get port number from ldap.ora file located in directory $ORACLE_HOME/network/admin.

$ cat /u01/app/oracle/product/11.2.0/db_1/network/admin/ldap.ora
# ldap.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.

DIRECTORY_SERVERS= (idmoid.vodafone.local:1389:1636)

DEFAULT_ADMIN_CONTEXT = “dc=tholdap,dc=local”

DIRECTORY_SERVER_TYPE = OID

Run ldapbind command to check connection to LDAP Server.

$ ldapbind -h idmoid.vodafone.local -p 1389 -D cn=TESTDB,cn=OracleContext,dc=tholdap,dc=local -w kSlIt+n2
ldap_bind: Invalid credentials

So the problem was due to Invalid credentials. All right! How we can solve this issue?

There is two way:

1- Go to OID and update password for cn=TESTDB,cn=OracleContext,dc=tholdap,dc=local at attribute userPassword with value received from ORACLE.SECURITY.PASSWORD

2- Re-register the database using DBCA as below

dbca -silent -configureDatabase -sourceDB TESTDB -unregisterWithDirService true -dirServiceUserName cn=dirManager -dirServicePassword OracleTHO11 walletPassword abcd678xx_

dbca -silent -configureDatabase -sourceDB TESTDB -registerWithDirService true -dirServiceUserName cn=dirManager -dirServicePassword OracleTHO11 walletPassword abcd678xx_

After re-registering database, ldapbind will be successful

$ ldapbind -h idmoid.vodafone.local -p 1389 -D cn=TESTDB,cn=OracleContext,dc=tholdap,dc=local -w +HKRbmQ7
bind successful

Now, users can login database successfully.

I want to note that, if there is spaces in your CN (Directory Service username) then you must write \20 instead of spaces.

For example: Lets assume that our directory service username is “directory manager”. So we must write it as below in DBCA

dbca -silent -configureDatabase -sourceDB TESTDB -unregisterWithDirService true -dirServiceUserName cn=directory\20manager -dirServicePassword OracleTHO11 walletPassword abcd678xx_

You will get an error without “\20” as below

dbca -silent -configureDatabase -sourceDB TESTDB -unregisterWithDirService true -dirServiceUserName cn=directory manager -dirServicePassword OracleTHO11 walletPassword abcd678xx_
manager is an invalid command line argument.

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s