Pythian Blog: Technical Track

ORA-28043: Invalid bind credentials for DB-OID connection

Have you ever encountered this error connecting to a DB using global authentication against OID? Was re-registration a temporary workaround, but the issue came back after some time? Check out this solution for ORA-28043: invalid bind credentials for DB-OID connection.

During a long project which included changing human accounts’ authentication method from local to global on several databases, users started to report ORA-28043 after a couple of days.

    $ sqlplus rambo@orcl
    SQL*Plus: Release 11.2.0.3.0 Production on Tue Nov 4 07:28:03 2014
    Copyright (c) 1982, 2011, Oracle. All rights reserved.
    Enter password:
    ERROR:
    ORA-28043: invalid bind credentials for DB-OID connection

Since some of these were production assets, we tried to restore the service as soon as possible. The fastest workaround we found was to re-register the DBs using DBCA:

    $ dbca -silent -configureDatabase -sourceDB orcl -unregisterWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ******
    Preparing to Configure Database
    6% complete
    13% complete
    66% complete
    Completing Database Configuration
    100% complete
    Look at the log file "/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.

    $ dbca -silent -configureDatabase -sourceDB orcl -registerWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ******
    Preparing to Configure Database
    6% complete
    13% complete
    66% complete
    Completing Database Configuration
    100% complete
    Look at the log file "/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.

Good news: the service was restored quickly. Bad news: the issue came back after a couple of days. We started a deeper investigation which included opening an SR in My Oracle Support. Luckily, we found the real culprit for this error very quickly: PASSWORD EXPIRATION. These were the commands they provided us to verify that the wallet couldn't bind to the directory:

    $ mkstore -wrl . -list
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password:xxx
    Oracle Secret Store entries:
    ORACLE.SECURITY.DN
    ORACLE.SECURITY.PASSWORD

    $ mkstore -wrl . -viewEntry ORACLE.SECURITY.DN -viewEntry ORACLE.SECURITY.PASSWORD
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: xxx
    ORACLE.SECURITY.DN = cn=ORCL,cn=OracleContext,DC=ppl,DC=com
    ORACLE.SECURITY.PASSWORD = Z8p9a1j1

    $ ldapbind -h oidserver -p 3060 -D cn=ORCL,cn=OracleContext,DC=ppl,DC=com -w Z8p9a1j1
    ldap_bind: Invalid credentials
    ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.

Oracle’s recommendation was to set the "pwdmaxage" attribute to 0. We achieved this by changing the value from the GUI, under Security/Password Policy/Password Expiry Time. Note that for OID versions older than 10.0.4, changing the parameter’s value to zero doesn’t work due to Bug 3334767. Instead, you can use a very large value.
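
The `ldapbind` check above can be turned into a scheduled probe that tells an expired wallet password apart from other bind failures before users hit ORA-28043. The script below is an added example, not code from the original post or from Oracle; the function names, the `bind successful` success text and the 0/2/3 exit-code convention are assumptions, and the sample outputs are constructed from the error text shown above.

```shell
#!/bin/sh
# Added example (not from the original post): classify ldapbind output so a
# scheduled check can separate an expired wallet password from other failures.

# classify_bind_output TEXT -> prints ok | expired | invalid | unknown
classify_bind_output() {
    case $1 in
        # Test the policy error first: an expired password is ALSO reported
        # as "Invalid credentials", so the order of these patterns matters.
        *GSL_PWDEXPIRED_EXCP*)   echo expired ;;
        *"Invalid credentials"*) echo invalid ;;
        *"bind successful"*)     echo ok ;;       # assumed success text
        *)                       echo unknown ;;  # timeout, tool missing, etc.
    esac
}

# exit_code_for STATE -> monitoring status (assumed: 0 OK, 2 CRITICAL, 3 UNKNOWN)
exit_code_for() {
    case $1 in
        ok)              echo 0 ;;
        expired|invalid) echo 2 ;;
        *)               echo 3 ;;
    esac
}

# advice_for STATE -> one-line hint for the on-call DBA
advice_for() {
    case $1 in
        ok)      echo "wallet credentials bind to OID" ;;
        expired) echo "password policy expired the DB entry; re-registration only resets the clock, review pwdmaxage" ;;
        invalid) echo "wallet DN/password rejected; compare the wallet entries with the directory entry" ;;
        *)       echo "could not interpret ldapbind output; check host, port and connectivity" ;;
    esac
}

# Constructed samples, based on the error text shown in this post.
SAMPLE_EXPIRED='ldap_bind: Invalid credentials
ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.'
SAMPLE_INVALID='ldap_bind: Invalid credentials'
SAMPLE_OK='bind successful'

for sample in "$SAMPLE_EXPIRED" "$SAMPLE_INVALID" "$SAMPLE_OK" "ldapbind: command not found"; do
    state=$(classify_bind_output "$sample")
    echo "[$(exit_code_for "$state")] $state: $(advice_for "$state")"
done
```

In a real check, pass the captured output (stdout and stderr) of the `ldapbind` command shown above to `classify_bind_output` instead of the samples. Supplying the password with `-w` exposes it in the process list while the command runs, so run such a check from a restricted account.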
