Oracle MVA

Tales from a Jack of all trades

Suddenly EUS stops working….

with 3 comments

For one of my clients I am assisting on a EUSimplementation with RDBMS and OID all on OEL 4.7. After implementing EUS and enjoying using my personal credentials instead of working as sys or system all worked like a charm. Customer happy, me happy, everybody happy.

After some time all of the sudden EUS stoped functioning for certain databases. Since the number of databases that EUS was not working for is growing, I was called to find out what was going on. I checked the login by setting event 28033:

alter system set events ‘28033 trace name context forever, level 9’;

Next i tried to login and I read the tracefile in $ORACLE_ADMIN/ORACLE_SID/udump:

Oracle Database 10g Enterprise Edition Release – 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_200
System name: Linux
Release: 2.6.9-
Version: #1 SMP Mon Dec 22 02:43:08 EST 2008
Machine: x86_64
Instance name: ORACLE_SID
Redo thread mounted by this instance: 2
Oracle process number: 67
Unix process pid: 8058, image: oracle@SERVER.DOMAIN_NAME

*** ACTION NAME:() 2009-09-16 14:06:03.492
*** MODULE NAME:(sqlplus@SERVER.DOMAIN_NAME (TNS V1-V3)) 2009-09-16 14:06:03.492
*** SERVICE NAME:(ORACLE_SID) 2009-09-16 14:06:03.492
*** SESSION ID:(527.12773) 2009-09-16 14:06:03.492
kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=49
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.

Ldap error 49 is invalid credentials, but I know for sure that my credentials are correct! I even use them to logon to the machine that the database is running using OAS4OS (which was somewhat challenging too, since OAS4OS as provided by Oracle is far from enterprise ready).

Knowing my userentry is correct, I checked the database entry in the oid. To my surprise I noticed that pwdexpirationwarned and pwdgraceusetime was set for the database entry (see cn=DB_NAME,cn=OracleContext,dc=domain,dc=acme). This suggests that the passwordpolicy was enforced for databases too, even though the effective subtree was set to cn=users,dc=domain,dc=acme. Simply removing the attributes for all databases in the OID solved the issue for now:

$ORACLE_HOME/ldap/bin/bulkmodify basedn=”cn=DB_NAME,cn=OracleContext,dc=DOMAIN,dc=nl” attribute=”pwdgraceusetime” value=”” replace=true filter=”objectclass=orclDBServer”
$ORACLE_HOME/ldap/bin/bulkmodify basedn=”cn=DB_NAME,cn=OracleContext,dc=DOMAIN,dc=nl” attribute=”pwdexpirationwarned” value=”” replace=true filter=”objectclass=orclDBServer”

Or for the die-hards:

delete from ds_attrstore
 where entryid in ( select entryid
                      from ct_dn
                     where rdn = ‘cn=db_name’ )
   and attrname in (‘pwdgraceusetime’,’pwdexpirationwarned’);

Please keep in mind that Oracle doesn’t support direct querying on the OID.

Let’s find out what Oracle Support is going to give me for a more permanent solution 😉


Written by Jacco H. Landlust

September 16, 2009 at 3:40 pm

3 Responses

Subscribe to comments with RSS.

  1. […] a comment » Some time ago I wrote that EUS stopped working. Today I was finally able to spend some time on this issue. Obviously I could have know that the […]

  2. […] EUS Stop working – Blog from Jacco H. Landlust  Previous in series Related Posts for EUS Enterprise User Security (EUS) overview for Oracle Database 10/11gTroubleshoot ORA-01017 for database login when Database is configured with EUSPopularity: unranked [?]Share This document.write(' Users since Oct 07 […]

  3. Other option is to reset password of Database (randomly generated and stored in wallet file in database to userPasswd attribute of database entry in OID)

    More information here

    or change password policy in OID to not to expire user accounts


    create new password policy in OID ( and higher only) with no password expiration and set this policy to cn=[SID],cn=OracleContext,dc=[DOMAIN]

    Atul Kumar

    February 9, 2011 at 1:31 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: