ORA-28043: Invalid bind credentials for DB-OID connection
    $ sqlplus rambo@orcl

    SQL*Plus: Release 11.2.0.3.0 Production on Tue Nov 4 07:28:03 2014

    Copyright (c) 1982, 2011, Oracle. All rights reserved.

    Enter password:
    ERROR:
    ORA-28043: invalid bind credentials for DB-OID connection

Since some of these were production assets, we tried to restore the service as soon as possible. The fastest workaround we found was to re-register the DBs using DBCA:

    $ dbca -silent -configureDatabase -sourceDB orcl -unregisterWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ******
    Preparing to Configure Database
    6% complete
    13% complete
    66% complete
    Completing Database Configuration
    100% complete
    Look at the log file "/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.

    $ dbca -silent -configureDatabase -sourceDB orcl -registerWithDirService true -dirServiceUserName cn=orcladmin -dirServicePassword ****** -walletPassword ******
    Preparing to Configure Database
    6% complete
    13% complete
    66% complete
    Completing Database Configuration
    100% complete
    Look at the log file "/e00/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.

Good news: the service was restored quickly. Bad news: the issue came back after a couple of days. We started a deeper investigation, which included opening an SR in My Oracle Support. Luckily, we found the real culprit for this error very quickly: PASSWORD EXPIRATION. These were the commands they provided us to verify that the wallet couldn't bind to the directory:

    $ mkstore -wrl . -list
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

    Enter wallet password:xxx

    Oracle Secret Store entries:
    ORACLE.SECURITY.DN
    ORACLE.SECURITY.PASSWORD

    $ mkstore -wrl . -viewEntry ORACLE.SECURITY.DN -viewEntry ORACLE.SECURITY.PASSWORD
    Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

    Enter wallet password: xxx

    ORACLE.SECURITY.DN = cn=ORCL,cn=OracleContext,DC=ppl,DC=com
    ORACLE.SECURITY.PASSWORD = Z8p9a1j1

    $ ldapbind -h oidserver -p 3060 -D cn=ORCL,cn=OracleContext,DC=ppl,DC=com -w Z8p9a1j1
    ldap_bind: Invalid credentials
    ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.

Oracle's recommendation was to set the "pwdmaxage" attribute to 0. We achieved this by changing the value from the GUI, under Security/Password Policy/Password Expiry Time. Note that for OID versions older than 10.0.4, changing the parameter's value to zero doesn't work due to Bug 3334767. Instead, you can set a very large value.
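The ldapbind test above reports "Invalid credentials" for an expired password as well as for a wrong one, so a check that repeats it has to look at the additional info line first. The script below is an added example, not code from the original post; the function names and the DB_ENTRY_PW environment variable are assumptions, and the sample output is constructed from the session shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Sample output is constructed,
# modelled on the ldapbind session shown above.

# classify_bind: read ldapbind output on stdin and print one verdict.
# The expiry marker is tested first because an expired password also
# produces the generic "Invalid credentials" line.
classify_bind() {
  local out
  out=$(cat)
  case "$out" in
    *GSL_PWDEXPIRED_EXCP*)   echo EXPIRED ;;          # password policy: expired
    *"Invalid credentials"*) echo BAD_CREDENTIALS ;;  # wallet and OID disagree
    *"bind successful"*)     echo OK ;;
    *)                       echo UNKNOWN ;;          # network, server down, ...
  esac
}

# verdict_to_exit: map a verdict to a Nagios-style exit status.
verdict_to_exit() {
  case "$1" in
    OK)                      return 0 ;;
    EXPIRED|BAD_CREDENTIALS) return 2 ;;
    *)                       return 3 ;;
  esac
}

# check_db_entry HOST PORT DN: bind as the database's directory entry.
# The password comes from the hypothetical env var DB_ENTRY_PW; ldapbind -w
# still exposes it in the process list while the command runs.
check_db_entry() {
  local out verdict
  out=$(ldapbind -h "$1" -p "$2" -D "$3" -w "$DB_ENTRY_PW" 2>&1) || true
  verdict=$(printf '%s\n' "$out" | classify_bind)
  echo "$3: $verdict"
  verdict_to_exit "$verdict"
}

# Demo on constructed output (no directory needed); prints EXPIRED.
printf '%s\n' \
  'ldap_bind: Invalid credentials' \
  'ldap_bind: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP' |
  classify_bind
```

Run from a scheduler against each registered database entry, check_db_entry reports an expired entry directly, where the database client only shows ORA-28043.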