Have you ever encountered this error connecting to a DB using global authentication against OID? Was re-registration a temporary workaround, but the issue came back after some time? Check out this solution for ORA-28043: invalid bind credentials for DB-OID connection.
During a long project which included changing human account’s authentication method from local to global on several databases, users started to report ORA-28043 after a couple of days.
$ sqlplus [email protected] SQL*Plus: Release 11.2.0.3.0 Production on Tue Nov 4 07:28:03 2014 Copyright (c) 1982, 2011, Oracle. All rights reserved. Enter password: ERROR: ORA-28043: invalid bind credentials for DB-OID connection
Since some of these were production assets, we tried to restore the service as soon as possible. The fastest workaround we found was to re-register the DBs using DBCA:
$ dbca -silent -configureDatabase -sourceDB orcl -unregisterWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ****** Preparing to Configure Database 6% complete 13% complete 66% complete Completing Database Configuration 100% complete Look at the log file “/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details. $ dbca -silent -configureDatabase -sourceDB orcl -registerWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ****** Preparing to Configure Database 6% complete 13% complete 66% complete Completing Database Configuration 100% complete Look at the log file "/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.
Good news: the service was restored quickly. Bad news: the issue came back after a couple of days. We started a deeper investigation which included opening a SR in My Oracle Support. Luckily, we found the real culprit for this error very quickly: PASSWORD EXPIRATION. These were the commands they provided us to verify that the wallet couldn’t bind to the directory:
$ mkstore -wrl . -list Oracle Secret Store Tool : Version 11.2.0.3.0 - Production Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. Enter wallet password:xxx Oracle Secret Store entries: ORACLE.SECURITY.DN ORACLE.SECURITY.PASSWORD $ mkstore -wrl . -viewEntry ORACLE.SECURITY.DN -viewEntry ORACLE.SECURITY.PASSWORD Oracle Secret Store Tool : Version 11.2.0.3.0 - Production Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. Enter wallet password: xxx ORACLE.SECURITY.DN = cn=ORCL,cn=OracleContext,DC=ppl,DC=com ORACLE.SECURITY.PASSWORD = Z8p9a1j1 $ ldapbind -h oidserver -p 3060 -D cn=ORCL,cn=OracleContext,DC=ppl,DC=com -w Z8p9a1j1 ldap_bind: Invalid credentials ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.
Oracle’s recommendation was to set “pwdmaxage” attribute to 0. We achieved this by changing the value from the GUI, under Security/Password Policy/Password Expiry Time
Note that for OID versions older than 10.0.4, changing the parameter’s value to zero doesn’t work due to Bug 3334767. Instead, you can place a very large value.
No comments