ORA-28043: Invalid bind credentials for DB-OID connection

Have you ever encountered this error when connecting to a database that uses global authentication against OID? Was re-registration only a temporary workaround, with the issue coming back after some time? Check out this solution for ORA-28043: invalid bind credentials for DB-OID connection.

During a long project that included changing human accounts' authentication method from local to global on several databases, users started to report ORA-28043 after a couple of days:

    $ sqlplus rambo@orcl
    SQL*Plus: Release 11.2.0.3.0 Production on Tue Nov 4 07:28:03 2014
    Copyright (c) 1982, 2011, Oracle. All rights reserved.
    Enter password:
    ERROR:
    ORA-28043: invalid bind credentials for DB-OID connection

Since some of these were production assets, we tried to restore the service as soon as possible. The fastest workaround we found was to re-register the DBs using DBCA:

    $ dbca -silent -configureDatabase -sourceDB orcl -unregisterWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ******
    Preparing to Configure Database
    6% complete
    13% complete
    66% complete
    Completing Database Configuration
    100% complete
    Look at the log file "/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.

    $ dbca -silent -configureDatabase -sourceDB orcl -registerWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ******
    Preparing to Configure Database
    6% complete
    13% complete
    66% complete
    Completing Database Configuration
    100% complete
    Look at the log file "/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.

Good news: the service was restored quickly. Bad news: the issue came back after a couple of days. We started a deeper investigation, which included opening an SR in My Oracle Support. Luckily, we found the real culprit for this error very quickly: PASSWORD EXPIRATION. These were the commands they provided us to verify that the wallet couldn't bind to the directory:

    $ mkstore -wrl . -list
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password:xxx
    Oracle Secret Store entries:
    ORACLE.SECURITY.DN
    ORACLE.SECURITY.PASSWORD

    $ mkstore -wrl . -viewEntry ORACLE.SECURITY.DN -viewEntry ORACLE.SECURITY.PASSWORD
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: xxx
    ORACLE.SECURITY.DN = cn=ORCL,cn=OracleContext,DC=ppl,DC=com
    ORACLE.SECURITY.PASSWORD = Z8p9a1j1

    $ ldapbind -h oidserver -p 3060 -D cn=ORCL,cn=OracleContext,DC=ppl,DC=com -w Z8p9a1j1
    ldap_bind: Invalid credentials
    ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.

Oracle's recommendation was to set the "pwdmaxage" attribute to 0, so that the password never expires. We achieved this by changing the value from the GUI, under Security/Password Policy/Password Expiry Time. Note that for OID versions older than 10.0.4, changing the parameter's value to zero doesn't work due to Bug 3334767. Instead, you can set a very large value.
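The ldapbind test from the SR can be turned into a recurring check that flags an expired wallet password before users hit ORA-28043. This is an added example, not part of the original post or of Oracle's tooling: the function names, the script name and the password file are hypothetical, and it assumes ldapbind exits non-zero when the bind fails.

```shell
#!/bin/sh
# Added example (not from the original post): health check for the DB wallet's
# OID bind, so an expired wallet password is caught before users see ORA-28043.

# classify_bind RC OUTPUT -> prints OK, EXPIRED, INVALID or OTHER.
# The strings matched are the ones in the ldapbind output quoted in the post.
classify_bind() {
    case "$2" in
        *GSL_PWDEXPIRED_EXCP*)   echo EXPIRED ;;   # password policy expiry
        *"Invalid credentials"*) echo INVALID ;;   # wrong DN or password
        *) if [ "$1" -eq 0 ]; then echo OK; else echo OTHER; fi ;;
    esac
}

# check_db_oid_bind HOST PORT DN
# Reads the wallet password (ORACLE.SECURITY.PASSWORD) from stdin so it is not
# stored in the script. It is still passed to ldapbind with -w, as in the post,
# and is therefore visible in the process list while ldapbind runs.
check_db_oid_bind() {
    IFS= read -r bind_pw || [ -n "$bind_pw" ] || return 64
    bind_rc=0
    bind_out=$(ldapbind -h "$1" -p "$2" -D "$3" -w "$bind_pw" 2>&1) || bind_rc=$?
    bind_state=$(classify_bind "$bind_rc" "$bind_out")
    echo "$bind_state"
    [ "$bind_state" = OK ]
}

# Runs only when called with HOST PORT DN, for example from cron
# (check_bind.sh and pwfile are hypothetical names):
#   ./check_bind.sh oidserver 3060 'cn=ORCL,cn=OracleContext,DC=ppl,DC=com' < pwfile
if [ "$#" -eq 3 ]; then
    check_db_oid_bind "$1" "$2" "$3"
    exit $?
fi
```

An EXPIRED result points at the password policy (pwdmaxage) rather than at the registration, which is the distinction the DBCA workaround hid.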