ORA-# Errors for Password-Authenticated Enterprise Users

If you receive an ORA-# error while using password-authenticated Enterprise User Security, then locate the error in the following section and take the recommended action.

ORA-1017: Invalid username/password; login denied

Cause: As in error message

Action: See "USER-SCHEMA ERROR Checklist"

ORA-28030: Server encountered problems accessing LDAP directory service

Cause: Indicates a problem with the connection between the database and the directory.

Action: Check the following:

  1. If you are not using the default wallet location ($ORACLE_HOME/admin/<ORACLE_SID>/wallet), check that the wallet_location value in the database's sqlnet.ora file points at the right directory; you can enter it with Oracle Net Manager. No wallet_location entry is needed in sqlnet.ora when the default location is used, but if one is present it must be correct.

  2. If Domain Name System (DNS) server discovery of Oracle Internet Directory is not used, check that there is a correct ldap.ora file in $LDAP_ADMIN, $ORACLE_HOME/ldap/admin, $TNS_ADMIN, or $ORACLE_HOME/network/admin. (See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about DNS server discovery.)

  3. Check that the SSL port used (by way of either DNS discovery or an ldap.ora file) is configured for SSL with no authentication (no certificate-based authentication of either side), which is the mode the database uses for its password-based bind to the directory.

  4. Check that the LDAP_DIRECTORY_ACCESS parameter is set to PASSWORD in the database initialization parameters file.

  5. Use Database Configuration Assistant to reset the database password used to authenticate the database to Oracle Internet Directory. This resets it both locally in the database wallet, and remotely in the database entry in Oracle Internet Directory.

  6. Check that the database wallet has autologin enabled. Either use Oracle Wallet Manager or check that there is a cwallet.sso file in $ORACLE_HOME/admin/<ORACLE_SID>/wallet/.

  7. Use the password stored in the database wallet to check that the database can bind to Oracle Internet Directory:

    • Use the mkstore command-line utility to retrieve the database password from the wallet by using the following syntax:

      mkstore -wrl <database wallet location> -viewEntry ORACLE.SECURITY.PASSWORD
      
    • Use the password returned from mkstore in the following ldapbind:

      ldapbind -h <directory host> -p <non-SSL directory port> -D "<database DN>" -q
      Please enter bind password: Password returned by mkstore
      
    Note:

    The mkstore utility is for troubleshooting purposes only. The name and functionality of this tool may change in the future.

  8. Check that the database is a member of only one enterprise domain.
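Steps 1, 2, 4 and 6 of the list above are file checks that can be scripted. The shell script below is an added example, not from the Oracle documentation or any Oracle tool: it runs those checks against a constructed sample $ORACLE_HOME and prints the mkstore, ldapbind and openssl command lines for steps 3 and 7, which need the live directory and the Oracle client tools. The SID ORCL, the directory host oid.example.com with ports 3060/3131, a pfile-based instance and the database DN are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: an offline pre-check for
# steps 1, 2, 4 and 6 of the ORA-28030 list, plus the command lines for steps
# 3 and 7. Everything written under $WORK is constructed sample data (SID ORCL,
# directory host oid.example.com, ports 3060/3131). On a real database host
# drop the sample setup and export ORACLE_HOME and ORACLE_SID yourself.

WORK="${TMPDIR:-/tmp}/eus-precheck.$$"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/network/admin" "$WORK/ldap/admin" "$WORK/admin/ORCL/wallet" "$WORK/dbs"
ORACLE_HOME="$WORK"; ORACLE_SID="ORCL"; export ORACLE_HOME ORACLE_SID
unset LDAP_ADMIN TNS_ADMIN

# Constructed sqlnet.ora naming an explicit wallet location (here equal to the default).
cat > "$ORACLE_HOME/network/admin/sqlnet.ora" <<EOF
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = $ORACLE_HOME/admin/ORCL/wallet)))
EOF
# Constructed ldap.ora: DIRECTORY_SERVERS = (host:non-SSL-port:SSL-port).
cat > "$ORACLE_HOME/ldap/admin/ldap.ora" <<'EOF'
DIRECTORY_SERVERS = (oid.example.com:3060:3131)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
EOF
# Constructed text pfile (assumption: the instance starts from a pfile; with an
# spfile use "show parameter ldap_directory_access" in SQL*Plus instead).
echo "ldap_directory_access = PASSWORD" > "$ORACLE_HOME/dbs/initORCL.ora"
# An empty cwallet.sso stands in for the autologin wallet.
: > "$ORACLE_HOME/admin/ORCL/wallet/cwallet.sso"

# Step 1: the wallet directory named in sqlnet.ora, or the default when none is set.
sqlnet_wallet_dir() {
  f="${TNS_ADMIN:-$ORACLE_HOME/network/admin}/sqlnet.ora"
  dir=""
  # Flatten the multi-line WALLET_LOCATION block, then pull out DIRECTORY = <path>.
  [ -f "$f" ] && dir=$(tr -d '\n' < "$f" | sed -n 's/.*DIRECTORY *= *\([^) ]*\).*/\1/p')
  echo "${dir:-$ORACLE_HOME/admin/$ORACLE_SID/wallet}"
}

# Step 2: the first ldap.ora in the search order the database uses.
find_ldap_ora() {
  for d in "$LDAP_ADMIN" "$ORACLE_HOME/ldap/admin" "$TNS_ADMIN" "$ORACLE_HOME/network/admin"; do
    [ -n "$d" ] && [ -f "$d/ldap.ora" ] && { echo "$d/ldap.ora"; return 0; }
  done
  return 1
}

# Host, non-SSL port and SSL port of the first server listed in ldap.ora.
ldap_server_fields() {
  f=$(find_ldap_ora) || return 1
  sed -n 's/^ *DIRECTORY_SERVERS *= *(\([^:]*\):\([0-9]*\):\([0-9]*\).*/\1 \2 \3/p' "$f"
}

# Step 4: LDAP_DIRECTORY_ACCESS from the pfile, upper-cased (the value is case-insensitive).
ldap_directory_access() {
  pfile="$ORACLE_HOME/dbs/init$ORACLE_SID.ora"
  [ -f "$pfile" ] || return 1
  grep -i '^ *ldap_directory_access' "$pfile" | sed 's/.*= *//; s/[^A-Za-z].*//' | tr 'a-z' 'A-Z'
}

# Step 6: autologin is enabled when cwallet.sso exists in the wallet directory.
autologin_enabled() { [ -f "$1/cwallet.sso" ]; }

# Steps 3 and 7 need the Oracle client tools and the live directory, so this only
# prints the commands to run on the database host; $1 is the database DN.
bind_test_commands() {
  fields=$(ldap_server_fields) && [ -n "$fields" ] || return 1
  set -- "$1" $fields      # $1 = DN, $2 = host, $3 = non-SSL port, $4 = SSL port
  echo "mkstore -wrl $(sqlnet_wallet_dir) -viewEntry ORACLE.SECURITY.PASSWORD"
  echo "ldapbind -h $2 -p $3 -D \"$1\" -q"
  # Step 3: the SSL port must complete a handshake with no client certificate.
  echo "openssl s_client -connect $2:$4 </dev/null"
}

# Runs the offline checks, prints one line per check and returns 1 if any fail.
eus_precheck() {
  rc=0
  wdir=$(sqlnet_wallet_dir)
  [ -d "$wdir" ] && echo "ok   wallet directory $wdir" || { echo "FAIL wallet directory $wdir missing"; rc=1; }
  if f=$(find_ldap_ora); then echo "ok   ldap.ora at $f"; else echo "FAIL no ldap.ora in search path (DNS discovery needed)"; rc=1; fi
  acc=$(ldap_directory_access) || acc=""
  [ "$acc" = PASSWORD ] && echo "ok   ldap_directory_access=$acc" || { echo "FAIL ldap_directory_access='$acc', want PASSWORD"; rc=1; }
  autologin_enabled "$wdir" && echo "ok   autologin wallet (cwallet.sso present)" || { echo "FAIL no cwallet.sso in $wdir"; rc=1; }
  return $rc
}

eus_precheck
# Constructed database DN; the real one is the database's entry under the realm's OracleContext.
bind_test_commands "cn=ORCL,cn=OracleContext,dc=example,dc=com"
```

On a real host, delete the constructed setup at the top, export ORACLE_HOME and ORACLE_SID, and run the script as the Oracle software owner. The value mkstore prints is the database's directory bind password, so do not leave it in shell history or paste it into a ticket. Steps 5 and 8 (the Database Configuration Assistant password reset and enterprise domain membership) remain manual.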

ORA-28043: Invalid bind credentials for DB/OID connection

Cause: The password the database uses to bind to the directory (stored in the database wallet) no longer matches the password held in the database's entry in the directory.

Action: Use the Regenerate Password button in Database Configuration Assistant to generate a new directory password for the database, synchronize it with the directory, and store it in the database wallet.

ORA-28271: No permission to read user entry in LDAP directory service

Cause: As in error message

Action: Check the following:

  1. Use Oracle Internet Directory Self-Service Console to check that a user search base containing this user is listed in the user search base attribute of the realm that you are using.

  2. Check the ACL on the user search base in Oracle Internet Directory to ensure that the verifierServices group has read permission on the user entry, and that no ACL on an entry between the user search base and the user entry in the directory tree overrides that permission.

  3. Check that the enterprise domain is in the password-accessible domains group for that realm Oracle Context.

ORA-28272: Domain policy restricts password-based GLOBAL user authentication.

Cause: As in error message

Action: Use the Oracle Enterprise Manager interface to set the user authentication policy for this enterprise domain to Password or ALL.

ORA-28273: No mapping for user nickname to LDAP distinguished name exists

Cause: As in error message

Action: Check the following:

  1. Check that a user entry exists in Oracle Internet Directory for your user.

  2. Use Oracle Internet Directory Self-Service Console to check that a user search base containing this user is listed in the identity management realm that you are using.

  3. Check that the user entry contains the correct login name:

    • Use Oracle Internet Directory Self-Service Console to find the login name attribute that is configured for the directory in your realm, and

    • Check that the name provided during the attempted user database login is the value for that attribute in the user directory entry.

  4. If you have an exclusive schema for the global user in the database, then check that the DN in the database matches the DN of the user entry in Oracle Internet Directory.

ORA-28274: No ORACLE password attribute corresponding to user nickname exists

Cause: As in error message

Action: Check the following:

  1. Check that the user entry in the directory has the orcluser object class. If it does not, do one of the following:

    • Use Oracle Internet Directory Self-Service Console to check that the default object classes for new user creation include orcluser, and then re-create the user with Self-Service Console, or

    • Add the orcluser and orcluserV2 object classes to the existing user entry.

  2. Check that there is a value for the attribute orclpassword in the user entry. If there is no value, then reset the user's directory password (userpassword attribute). This should prompt Oracle Internet Directory to regenerate the database password verifier for the user.

  3. Use Oracle Internet Directory Self-Service Console to check that the user search base containing this user is listed in the user search base attribute of the realm that you are using.

  4. Check that the ACL on the user search base allows the verifierServices group read and search access to the orclpassword attribute. This is set properly by default, but may have been altered.

ORA-28275: Multiple mappings for user nickname to LDAP distinguished name exist

Cause: More than one user entry within the user search base has a login name attribute value that matches the name provided during the database connection.

Action: Use Oracle Internet Directory Self-Service Console to make the login name value unique (no two users share the same login name) within all user search bases associated with the realm Oracle Context.
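ORA-28273, ORA-28274 and ORA-28275 are three outcomes of the same directory lookup: the database searches the realm's user search bases for an entry whose login name attribute equals the name supplied at connect time, then reads that entry's orclpassword verifier. The shell script below is an added example, not from the Oracle documentation or any Oracle tool: it builds the ldapsearch to run on the database host and classifies saved search output into those three errors the way the lookup would. The LDIF it reads is constructed sample data; the host, ports, DNs, search base and the use of uid as the login name attribute are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: triage of one user's
# directory entry for ORA-28273/28274/28275 (and the ACL point under
# ORA-28271) from ldapsearch output. The LDIF below is constructed sample
# data; dc=example,dc=com, the host, port, DNs and the uid attribute are placeholders.

LDIF_DIR="${TMPDIR:-/tmp}/eus-user-triage.$$"
trap 'rm -rf "$LDIF_DIR"' EXIT
mkdir -p "$LDIF_DIR"

# The search to run on the database host. Bind as the database itself (-D with
# the database DN, -q to prompt for the wallet password, as in the ldapbind
# under ORA-28030) so the ACL being exercised is the one that applies to the
# verifierServices group, not an administrator's. An empty result here that
# becomes a hit when bound as an administrator points at ORA-28271 (ACL),
# not at a missing user.
# $1 host, $2 non-SSL port, $3 database DN, $4 user search base,
# $5 login-name attribute configured for the realm, $6 login name typed at connect.
user_search_command() {
  echo "ldapsearch -h $1 -p $2 -D \"$3\" -q -b \"$4\" -s sub \"($5=$6)\" dn objectclass orclpassword"
}

# Classifies saved ldapsearch output (LDIF, entries separated by blank lines)
# the way the database's lookup would: no entry -> ORA-28273, several ->
# ORA-28275, one entry lacking the orcluser object class or a readable
# orclpassword -> ORA-28274, otherwise OK. Prints the classification.
classify_user_ldif() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       /^dn:/ {
         n++; oc = 0; pw = 0
         for (i = 1; i <= NF; i++) {
           l = tolower($i)
           if (l ~ /^objectclass: *orcluser$/) oc = 1
           if (l ~ /^orclpassword:/)           pw = 1
         }
         if (oc && pw) good++
       }
       END {
         if (n == 0)      print "ORA-28273"
         else if (n > 1)  print "ORA-28275"
         else if (!good)  print "ORA-28274"
         else             print "OK"
       }' "$1"
}

# Constructed search results for login name "jsmith" under four directory states.
cat > "$LDIF_DIR/ok.ldif" <<'EOF'
dn: cn=jsmith,cn=users,dc=example,dc=com
objectclass: person
objectclass: orcluser
objectclass: orcluserV2
orclpassword: constructed-verifier-value
EOF
# Entry has orcluser but no verifier the bound identity can read: reset the
# directory password (regenerates orclpassword) or fix the ACL on orclpassword.
cat > "$LDIF_DIR/no_verifier.ldif" <<'EOF'
dn: cn=jsmith,cn=users,dc=example,dc=com
objectclass: person
objectclass: orcluser
EOF
# Two entries share the login name across search bases of the same realm.
cat > "$LDIF_DIR/dup.ldif" <<'EOF'
dn: cn=jsmith,cn=users,dc=example,dc=com
objectclass: orcluser
orclpassword: constructed-verifier-1

dn: cn=jsmith,cn=contractors,dc=example,dc=com
objectclass: orcluser
orclpassword: constructed-verifier-2
EOF
# No entry matched (or none was visible to the bound identity).
: > "$LDIF_DIR/none.ldif"

user_search_command oid.example.com 3060 "cn=ORCL,cn=OracleContext,dc=example,dc=com" \
  "cn=users,dc=example,dc=com" uid jsmith
for f in ok no_verifier dup none; do
  printf '%-12s %s\n' "$f" "$(classify_user_ldif "$LDIF_DIR/$f.ldif")"
done
```

Save the real ldapsearch output to a file and pass it to classify_user_ldif. Run the search once per user search base listed for the realm, since ORA-28275 is raised when the duplicate lives in a different search base of the same realm Oracle Context, and compare the login name attribute in the filter against the one Self-Service Console shows for the realm before trusting an ORA-28273 result.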

ORA-28277: LDAP search, while authenticating global user with passwords, failed

Cause: As in error message

Action: Check that the relevant directory instance is up and running.

ORA-28278: No domain policy registered for password-based GLOBAL users

Cause: The database cannot read the enterprise domain information that it needs.

Action: See "DOMAIN-READ-ERROR Checklist"

ORA-28862: SSL connection failed

Cause: As in error message

Action: Password-authenticated enterprise users connect to the database over a non-SSL connect string. Check that the connect string (or TNS alias) you are using does not specify the TCPS protocol.