Enterprise Manager Cloud Control is a web-based interface that allows to administer Enterprise User Security. When connecting to OUD server, the interface may complain about an invalid password even though the credentials are correct.
The same problem happens with eusm 12c (the command-line tool delivered with Oracle Database):
$ eusm listDomains realm_dn=dc=example,dc=com ldap_host=$ldap_host ldap_port=1389 ldap_user_dn="cn=directory manager" ldap_user_password=**** javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
If OUD access log shows the following error:
The server was not able to find any user entries for the provided username of cn=directory manager
then the fix is provided in Oracle Identity Management Suite Bundle Patch 184.108.40.206.8 (22085294), or Oracle Identity Management Suite Bundle Patch 220.127.116.11.3 (22085274) depending on your OUD version.
The connection method between Enterprise Manager Cloud Control and OUD (or eusm 12c and OUD) is using SASL/DIGEST-MD5 authentication instead of a simple BIND. SASL/DIGEST-MD5 requires the password to be stored in a reversible password storage scheme, which means that the additional configuration steps are also needed:
1/ identify the password policy applying to the user cn=directory manager
$ OracleUnifiedDirectory/bin/ldapsearch -h $ldap_host -p 4444 -X -Z -D "cn=directory manager" -w password -b "cn=directory manager,cn=root dns,cn=config" -s base "(objectclass=*)" ds-pwp-password-policy-dn dn: cn=Directory Manager,cn=Root DNs,cn=config ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
2/ modify the user’s password policy to use a reversible password storage scheme (AES for instance):
$ OracleUnifiedDirectory/bin/dsconfig set-password-policy-prop --policy-name "Root Password Policy" --set default-password-storage-scheme:AES --hostname $ldap_host --port 4444 -X -D "cn=directory manager" -j pwd.txt -n
3/ modify the user’s password to generate a new reversible password hash:
$ OracleUnifiedDirectory/bin/ldappasswordmodify -h $ldap_host -p 1389 -D "cn=directory manager" -w oldpwd -c oldpwd -n newpwd The LDAP password modify operation was successful
At this point, Enterprise Manager Cloud Control and eusm 12c will be able to authenticate to OUD and administer Enterprise User Security.