Enterprise Manager Cloud Control and eusm issues: AuthenticationException

Enterprise Manager Cloud Control is a web-based interface that allows to administer Enterprise User Security. When connecting to  OUD server, the interface may complain about an invalid password even though the credentials are correct.

The same problem happens with eusm 12c (the command-line tool delivered with Oracle Database):

$ eusm listDomains realm_dn=dc=example,dc=com ldap_host=$ldap_host ldap_port=1389 ldap_user_dn="cn=directory manager" ldap_user_password=****
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

If OUD access log shows the following error:

The server was not able to find any user entries for the provided username of cn=directory manager

then the fix is provided in Oracle Identity Management Suite Bundle Patch 11.1.2.2.8 (22085294), or Oracle Identity Management Suite Bundle Patch 11.1.2.3.3 (22085274)  depending on your OUD version.

The connection method between Enterprise Manager Cloud Control and OUD (or eusm 12c and OUD) is using SASL/DIGEST-MD5 authentication instead of a simple BIND. SASL/DIGEST-MD5 requires the password to be stored in a reversible password storage scheme, which means that the additional configuration steps are also needed:

1/ identify the password policy applying to the user cn=directory manager

$ OracleUnifiedDirectory/bin/ldapsearch -h $ldap_host -p 4444 -X -Z -D "cn=directory manager" -w password -b "cn=directory manager,cn=root dns,cn=config" -s base "(objectclass=*)" ds-pwp-password-policy-dn
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config

2/ modify the user’s password policy to use a reversible password storage scheme (AES for instance):

$ OracleUnifiedDirectory/bin/dsconfig set-password-policy-prop --policy-name "Root Password Policy" --set default-password-storage-scheme:AES --hostname $ldap_host --port 4444 -X -D "cn=directory manager" -j pwd.txt -n

3/ modify the user’s password to generate a new reversible password hash:

$ OracleUnifiedDirectory/bin/ldappasswordmodify -h $ldap_host -p 1389 -D "cn=directory manager" -w oldpwd  -c oldpwd -n newpwd
The LDAP password modify operation was successful

At this point, Enterprise Manager Cloud Control and eusm 12c will be able to authenticate to OUD and administer Enterprise User Security.

Advertisements

6 thoughts on “Enterprise Manager Cloud Control and eusm issues: AuthenticationException”

    1. Hi Sylvain
      I am using OUD 11.1.2.3.1, applied the OUD Patch as suggested and did all the actions you suggested above, but still the error persists when I use eusm.
      Do you have any idea
      Guenter

      Like

  1. This is what the access log says after modification:

    [11/Apr/2016:10:09:09 +0200] CONNECT conn=0 from= to= protocol=LDAP
    [11/Apr/2016:10:09:09 +0200] BIND REQ conn=0 op=0 msgID=1 type=SASL mechanism=DIGEST-MD5 dn=”” version=3
    [11/Apr/2016:10:09:09 +0200] BIND RES conn=0 op=0 msgID=1 result=14 etime=0
    [11/Apr/2016:10:09:09 +0200] BIND REQ conn=0 op=1 msgID=2 type=SASL mechanism=DIGEST-MD5 dn=”” version=3
    [11/Apr/2016:10:09:09 +0200] BIND RES conn=0 op=1 msgID=2 result=49 authFailureID=1310929 authFailureReason=”SASL DIGEST-MD5 protocol error: SaslException(DIGEST-MD5: digest response format violation. Mismatched URI: ldap/oud; expecting: ldap/oud.dbc.de)” etime=0

    Like

  2. … solved it!! I used the alias “oud” in the -h phrase instead of the fully qulified host name “oud.dbc.de”

    Thanks for your great post!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s