401 Unauthorized” error when tried to loging into SSO application

on Monday, 29 October 2012

401 Unauthorized” error when tried to loging into SSO application

Recently I have faced one issue in one of our development node. The problem is “401 Unauthorized” when tried to login into sso integrated application and upto two days back it was working fine.

Environment details:
 Oracle Application Server Single Sign-On – Version: 10.1.4.3 and OAM 10.1.4.3 running in same node. OAM_OSSO are integrated.

 I  got 401 Unauthorized error when I tried to access the oiddas application and I have seen the below exception in ssoServer.log

 Thu Jun 07 20:55:04 IST 2012 [ERROR] AJPRequestHandler-ApplicationServerThread-9 Could not get attributes for user, orcladmin

oracle.ldap.util.NoSuchUserException: User does not exist – SIMPLE NAME = orcladmin

        at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1160)

        at oracle.ldap.util.Subscriber.getUser(Subscriber.java:923)

        at oracle.ldap.util.Subscriber.getUser(Subscriber.java:870)

        at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:537)

        at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:508)

        at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:1076)

        at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:547)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

        at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:826)

        at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:332)

        at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)

        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)

        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)

        at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)

        at java.lang.Thread.run(Thread.java:534)

 Please find the workaround as below
    I have found one metalink Id(987877.1) which is deals the same issue. It’s says, issue in custom plugin configured for Oracle SSO (OSSO) and I have executed the following action plan.
        Recompile the custom plugin with a different name e.g. SSOSMAuth, so that file SSOSMAuth.class is created instead of SSONeteAuth.class
        Copy file SSOSMAuth.class to $ORACLE_HOME/sso/plugin
        Edit file $ORACLE_HOME/sso/conf/policy.properties and set the following:
        MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOSMAuth
        Restart OC4J_SECURITY:
        $ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY
        $ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
    I got the same error when tried to login again.
    After some workaround I found the root cause for this issue. The problem is common user search base (orclcommonusersearchbase attribute) was modified or new values were added.  More details as follow,
    At least one of the search bases configured (orclcommonusersearchbase attribute in the  cn=Common,cn=Products,cn=OracleContext,<realm DN> entry) does not exist in OID or wrongly configured. Here, Configured searchbase not exist in OID.
    The entries set for orclcommonusersearchbase attribute are used by SSO as search bases to locate the user entry. If the base does not exist in OID, the ldap search operation is failing with “Ldap error code 32: LDAP_NO_SUCH_OBJECT”. Ldap error code 32 means the base specified for the operation does not exist.
    Login to oidadmin tool and navigate to cn=Common,cn=Products,cn=OracleContext,<realm DC>
    Go to orclcommonusersearchbase attribute and correct / delete the incorrect values. All the entries defined in the orclcommonusersearchbase attribute must exist in OID.

 Or

    Connect the OID using LDAPbrowser or JXplorer and navigate to cn=Common,cn=Products,cn=OracleContext and correct orclcommancusersearchbase attribute according to the environment. After this change I have restart the infra node and tried to login. The issue is vanished.






Or

using ldapmodify command:
a. Then create ldif plain file adding.ldif like:
dn: cn=Common,cn=Products,cn=OracleContext,dc=shamrockfoods,dc=com
changetype: modify
replace: orclcommonusersearchbase
orclcommonusersearchbase: cn=users, dc=dec,dc=co,dc=in
 b. Then run ldapmodify command:
ldapmodify -h hostname -p 389 -D cn=orcladmin -w <passwd> -v -f adding.ldif
c. Restart components in the infra node and test.


1 comments:

My ORACLE_HOME said...

All are superb posts....Many thanks for sharing the real time issues in blog.

Post a Comment