ORA-# Errors for Kerberos-Authenticated Enterprise Users

If you receive an ORA-# error while using Kerberos-authenticated Enterprise User Security, then locate the error in the following section and take the recommended action.

ORA-1017: Invalid username/password; login denied

Cause: As in error message

Action: See "USER-SCHEMA ERROR Checklist"

ORA-28030: Problem accessing LDAP directory service

Cause: Indicates a problem with the connection between the database and the directory.

Action: See the actions listed for resolving "ORA-28030: Server encountered problems accessing LDAP directory service" in the troubleshooting section for password-authenticated enterprise users.

ORA-28271: No permission to read user entry in LDAP directory service

Cause: As in error message

Action: See the actions listed for resolving "ORA-28271: No permission to read user entry in LDAP directory service" in the troubleshooting section for password-authenticated enterprise users.

ORA-28292: No domain policy registered for Kerberos-based authentication

Cause: As in error message

Action: Perform the following actions:

  1. Use Oracle Enterprise Manager to set the user authentication policy for this enterprise domain to KERBEROS or ALL.

  2. See "DOMAIN-READ-ERROR Checklist"

ORA-28290: Multiple entries found for the same Kerberos principal name

Cause: The Kerberos principal name for this user is not unique within the user search base containing this user.

Action: Use Oracle Internet Directory Self-Service Console to change the Kerberos principal name of this user, or to change the other entries that carry the same value, so that the principal name is unique within the user search base.

ORA-28291: No Kerberos principal value found

Cause: As in error message

Action: Check the following:

  1. Check that the user entry in the directory has the krbprincipalname attribute.

    If it does not have the krbprincipalname attribute, then:

    • Check that the default attributes for new user creation in Oracle Internet Directory Self-Service Console include krbprincipalname, and then either

    • Use Oracle Internet Directory Self-Service Console to create the user again, or

    • Add the orclcommonattributes object class to the existing user entry.

  2. Check that there is a value for the attribute krbprincipalname in the user entry. If there is no value, then use Oracle Internet Directory Self-Service Console to enter one.

  3. Use Oracle Internet Directory Self-Service Console to check that the user search base containing this user is listed in the realm Oracle Context that you are using.

  4. Check that the ACL on the user search base attribute allows read and search access to the krbprincipalname attributes by the verifierServices group. This is set properly by default, but may have been altered.

ORA-28293: No matched Kerberos principal found in any user entry

Cause: As in error message

Action: Check the following:

  1. Check that a user entry exists in Oracle Internet Directory for your user.

  2. Use Oracle Internet Directory Self-Service Console or ldapsearch to check that a user search base containing this user is listed in the identity management realm that you are using.

  3. Check that the user entry in the directory contains the correct Kerberos principal name, by using the following steps:

    • Use Oracle Internet Directory Self-Service Console to find the Kerberos principal name attribute that is configured for the directory in your realm, and

    • Check that the correct Kerberos principal name appears in that attribute in the user's directory entry.

  4. If you have an exclusive schema for the global user in the database, check that the DN in the database matches the DN of the user entry in Oracle Internet Directory.
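The checks for ORA-28290, ORA-28291 and ORA-28293 above all come down to inspecting the krbprincipalname values under the user search base. The following is an added example (not Oracle's code) that runs those three checks over an LDIF export as ldapsearch would return it; the LDIF data is constructed, and it assumes the realm is configured to use the krbprincipalname attribute, that values are on a single unwrapped line, and that principals are compared exactly.

```python
"""Audit an LDIF export of the user search base for the conditions behind
ORA-28290 (duplicate principal), ORA-28291 (missing principal value) and
ORA-28293 (no entry matches the principal). Added example, not Oracle code."""
from collections import defaultdict

# Constructed sample: the kind of output that
#   ldapsearch -b "<user search base>" -s sub "(objectclass=person)" dn krbprincipalname
# would return. Entry values and DNs are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
krbprincipalname: alice@EXAMPLE.COM

dn: cn=bob,cn=users,dc=example,dc=com
krbprincipalname: bob@EXAMPLE.COM

dn: cn=bob2,cn=users,dc=example,dc=com
krbprincipalname: bob@EXAMPLE.COM

dn: cn=carol,cn=users,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: [krbprincipalname values]}; an empty list means the
    attribute is absent or has no value (assumes unwrapped, non-base64 lines)."""
    entries, dn = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()   # attribute names are case-insensitive
        if attr == "dn":
            dn = value
            entries[dn] = []
        elif attr == "krbprincipalname" and dn is not None and value:
            entries[dn].append(value)
    return entries

def audit(entries, principal):
    """Map each ORA error to the entries that would trigger it for `principal`."""
    by_principal = defaultdict(list)
    for dn, values in entries.items():
        for v in values:
            by_principal[v].append(dn)     # exact comparison; Kerberos principals are case-sensitive
    return {
        "ORA-28291": sorted(dn for dn, vals in entries.items() if not vals),   # no principal value
        "ORA-28290": {p: dns for p, dns in by_principal.items() if len(dns) > 1},  # not unique
        "ORA-28293": by_principal.get(principal, []),   # empty list = no matching user entry
    }
```

For an entry listed under ORA-28291, follow the ORA-28291 steps above; for a principal listed under ORA-28290, make it unique before retrying the login.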

ORA-28300: No permission to read user entry in LDAP directory service

Cause: As in error message

Action: Check that the database wallet contains the correct credentials for the database-to-directory connection. The wallet DN should be the DN of the database in Oracle Internet Directory. To retrieve the credentials, perform the following steps:

  1. Use the mkstore command-line utility to retrieve the database password for the wallet by using the following syntax:

    mkstore -wrl <database wallet location> -viewEntry ORACLE.SECURITY.PASSWORD -viewEntry ORACLE.SECURITY.DN

  2. If these values are incorrect, reset the database wallet by using Database Configuration Assistant.

  3. Use the DN and the password returned by mkstore in the following ldapbind:

    ldapbind -h <directory host> -p <non-SSL directory port> -D "<database DN>" -q
    Please enter bind password: <password returned by mkstore>


    Note:

    The mkstore utility is for troubleshooting purposes only. The name and functionality of this tool may change in the future.

ORA-28302: User does not exist in the LDAP directory service

Cause: As in error message

Action: Check that the user entry is present in the directory.