{"id":393,"date":"2018-10-19T21:00:53","date_gmt":"2018-10-19T21:00:53","guid":{"rendered":"https:\/\/www.spotonoracle.com\/?p=393"},"modified":"2018-10-19T18:07:36","modified_gmt":"2018-10-19T18:07:36","slug":"tracing-ldap-from-cmu-to-ad","status":"publish","type":"post","link":"https:\/\/www.spotonoracle.com\/?p=393","title":{"rendered":"Tracing LDAP from CMU to AD"},"content":{"rendered":"

I know, how many acronyms can you use in a title?<\/p>\n

This is a quick note about another tracing facility within Oracle. If you’re using Centrally Manager Users with Active Directory you can enable a trace for the LDAP searches Oracle performs.<\/p>\n

Enable tracing:<\/p>\n

\r\nalter system set events='trace[gdsi] disk low';\r\n<\/pre>\n
Disable tracing:<\/p>\n
\r\nalter system set events='trace[gdsi] off';\r\n<\/pre>\n
Here are a few examples.<\/p>\n
Failed Kerberos authentication<\/strong><\/p>\n
\r\nkzlg found dn in wallet\r\nkzlg found pwd in wallet\r\nkzlg found usr in wallet\r\nkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrv\r\nkzlg ldap_open win2012dc1.spotonoracle.com:636\r\nkzlg DB-LDAP init SSL succeeded.\r\nkzlg bind success\r\nkzlg AD user name: user1@SPOTONORACLE.COM\r\nkzlg default naming ctx: dc=spotonoracle,dc=com\r\nkzlg search -s base -b dc=spotonoracle,dc=com\r\nkzlg search filter: objectclass=*\r\nkzlg AD lockout_duration: 18000000000\r\nkzlg AD max_pwd_age: 36288000000000\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=user)(userPrincipalName=user1@SPOTONORACLE.COM))\r\nKZLG_ERR: failed the search err=28304.\r\nkzlg number of entries: 0\r\nKZLG_ERR: LDAPERR=28304, OER=28304\r\nKZLG_ERR: error=28304\r\nkzlg doing LDAP unbind \r\n<\/pre>\n
Successful Kerberos authentication<\/strong><\/p>\n
\r\nkzlg found dn in wallet\r\nkzlg found pwd in wallet\r\nkzlg found usr in wallet\r\nkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrv\r\nkzlg ldap_open win2012dc1.spotonoracle.com:636\r\nkzlg DB-LDAP init SSL succeeded.\r\nkzlg bind success\r\nkzlg AD user name: user1@SPOTONORACLE.COM\r\nkzlg default naming ctx: dc=spotonoracle,dc=com\r\nkzlg search -s base -b dc=spotonoracle,dc=com\r\nkzlg search filter: objectclass=*\r\nkzlg AD lockout_duration: 18000000000\r\nkzlg AD max_pwd_age: 36288000000000\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=user)(userPrincipalName=user1@SPOTONORACLE.COM))\r\nkzlg number of entries: 1\r\nkzlg found user entry: CN=user1,OU=users,OU=oracle,DC=spotonoracle,DC=com\r\nkzlg search -s base -b\r\nkzlg search filter: objectclass=*\r\nkzlg get AD current time: 20181019155231.0Z\r\nkzlg found user entry normalized: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=group)(member:1.2.840.113556.1.4.1941:=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))\r\nkzlg number of entries: 1\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=group)(objectSid=S-1-5-21-4282430696-1338935355-568305779-513))\r\nkzlg number of entries: 1\r\nkzlg doing LDAP unbind \t\r\n<\/pre>\n
Failed TLS authentication<\/strong><\/p>\n
\r\nkzlg found dn in wallet\r\nkzlg found pwd in wallet\r\nkzlg found usr in wallet\r\nkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrv\r\nkzlg ldap_open win2012dc1.spotonoracle.com:636\r\nkzlg DB-LDAP init SSL succeeded.\r\nkzlg bind success\r\nkzlg AD user name: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com\r\nkzlg default naming ctx: dc=spotonoracle,dc=com\r\nkzlg search -s base -b dc=spotonoracle,dc=com\r\nkzlg search filter: objectclass=*\r\nkzlg AD lockout_duration: 18000000000\r\nkzlg AD max_pwd_age: 36288000000000\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=user)(distinguishedName=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))\r\nKZLG_ERR: failed the search err=28304.\r\nkzlg number of entries: 0\r\nKZLG_ERR: LDAPERR=28304, OER=28304\r\nKZLG_ERR: error=28304\r\nkzlg doing LDAP unbind\r\nkzlg found dn in wallet\r\nkzlg found pwd in wallet\r\nkzlg found usr in wallet \r\n<\/pre>\n
Successful TLS authentication<\/strong><\/p>\n
\r\nkzlg found dn in wallet\r\nkzlg found pwd in wallet\r\nkzlg found usr in wallet\r\nkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrv\r\nkzlg ldap_open win2012dc1.spotonoracle.com:636\r\nkzlg DB-LDAP init SSL succeeded.\r\nkzlg bind success\r\nkzlg AD user name: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com\r\nkzlg default naming ctx: dc=spotonoracle,dc=com\r\nkzlg search -s base -b dc=spotonoracle,dc=com\r\nkzlg search filter: objectclass=*\r\nkzlg AD lockout_duration: 18000000000\r\nkzlg AD max_pwd_age: 36288000000000\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=user)(distinguishedName=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))\r\nkzlg number of entries: 1\r\nkzlg found user entry: CN=user1,OU=users,OU=oracle,DC=spotonoracle,DC=com\r\nkzlg search -s base -b\r\nkzlg search filter: objectclass=*\r\nkzlg get AD current time: 20181019155506.0Z\r\nkzlg found user entry normalized: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=group)(member:1.2.840.113556.1.4.1941:=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))\r\nkzlg number of entries: 1\r\nkzlg search_ext -s sub -b dc=spotonoracle,dc=com\r\nkzlg search filter: (&(objectclass=group)(objectSid=S-1-5-21-4282430696-1338935355-568305779-513))\r\nkzlg number of entries: 1\r\nkzlg doing LDAP unbind \r\n<\/pre>\n
Thanks to this I could resolve the last road block. CMU with TLS\/Kerberos is fully functioning.<\/p>\n","protected":false},"excerpt":{"rendered":"
I know, how many acronyms can you use in a title? This is a quick note about another tracing facility within Oracle. If you’re using Centrally Manager Users with Active Directory you can enable a trace for the LDAP searches Oracle performs. Enable tracing: alter system set events=’trace[gdsi] disk low’; Disable tracing: alter system set […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,3,12],"tags":[],"class_list":["post-393","post","type-post","status-publish","format-standard","hentry","category-cmu","category-internals","category-security"],"_links":{"self":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=393"}],"version-history":[{"count":3,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/393\/revisions"}],"predecessor-version":[{"id":395,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/393\/revisions\/395"}],"wp:attachment":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}