I know, how many acronyms can you use in a title?
This is a quick note about another tracing facility within Oracle. If you’re using Centrally Manager Users with Active Directory you can enable a trace for the LDAP searches Oracle performs.
Enable tracing:
1 | alter system set events='trace[gdsi] disk low'; |
Disable tracing:
1 | alter system set events='trace[gdsi] off'; |
Here are a few examples.
Failed Kerberos authentication
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | kzlg found dn in walletkzlg found pwd in walletkzlg found usr in walletkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrvkzlg ldap_open win2012dc1.spotonoracle.com:636kzlg DB-LDAP init SSL succeeded.kzlg bind successkzlg AD user name: user1@SPOTONORACLE.COMkzlg default naming ctx: dc=spotonoracle,dc=comkzlg search -s base -b dc=spotonoracle,dc=comkzlg search filter: objectclass=*kzlg AD lockout_duration: 18000000000kzlg AD max_pwd_age: 36288000000000kzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=user)(userPrincipalName=user1@SPOTONORACLE.COM))KZLG_ERR: failed the search err=28304.kzlg number of entries: 0KZLG_ERR: LDAPERR=28304, OER=28304KZLG_ERR: error=28304kzlg doing LDAP unbind |
Successful Kerberos authentication
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | kzlg found dn in walletkzlg found pwd in walletkzlg found usr in walletkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrvkzlg ldap_open win2012dc1.spotonoracle.com:636kzlg DB-LDAP init SSL succeeded.kzlg bind successkzlg AD user name: user1@SPOTONORACLE.COMkzlg default naming ctx: dc=spotonoracle,dc=comkzlg search -s base -b dc=spotonoracle,dc=comkzlg search filter: objectclass=*kzlg AD lockout_duration: 18000000000kzlg AD max_pwd_age: 36288000000000kzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=user)(userPrincipalName=user1@SPOTONORACLE.COM))kzlg number of entries: 1kzlg found user entry: CN=user1,OU=users,OU=oracle,DC=spotonoracle,DC=comkzlg search -s base -bkzlg search filter: objectclass=*kzlg get AD current time: 20181019155231.0Zkzlg found user entry normalized: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=comkzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=group)(member:1.2.840.113556.1.4.1941:=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))kzlg number of entries: 1kzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=group)(objectSid=S-1-5-21-4282430696-1338935355-568305779-513))kzlg number of entries: 1kzlg doing LDAP unbind |
Failed TLS authentication
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | kzlg found dn in walletkzlg found pwd in walletkzlg found usr in walletkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrvkzlg ldap_open win2012dc1.spotonoracle.com:636kzlg DB-LDAP init SSL succeeded.kzlg bind successkzlg AD user name: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=comkzlg default naming ctx: dc=spotonoracle,dc=comkzlg search -s base -b dc=spotonoracle,dc=comkzlg search filter: objectclass=*kzlg AD lockout_duration: 18000000000kzlg AD max_pwd_age: 36288000000000kzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=user)(distinguishedName=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))KZLG_ERR: failed the search err=28304.kzlg number of entries: 0KZLG_ERR: LDAPERR=28304, OER=28304KZLG_ERR: error=28304kzlg doing LDAP unbindkzlg found dn in walletkzlg found pwd in walletkzlg found usr in wallet |
Successful TLS authentication
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | kzlg found dn in walletkzlg found pwd in walletkzlg found usr in walletkzlg found domain SPOTONORACLE; dc=spotonoracle,dc=com; 1 dirsrvkzlg ldap_open win2012dc1.spotonoracle.com:636kzlg DB-LDAP init SSL succeeded.kzlg bind successkzlg AD user name: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=comkzlg default naming ctx: dc=spotonoracle,dc=comkzlg search -s base -b dc=spotonoracle,dc=comkzlg search filter: objectclass=*kzlg AD lockout_duration: 18000000000kzlg AD max_pwd_age: 36288000000000kzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=user)(distinguishedName=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))kzlg number of entries: 1kzlg found user entry: CN=user1,OU=users,OU=oracle,DC=spotonoracle,DC=comkzlg search -s base -bkzlg search filter: objectclass=*kzlg get AD current time: 20181019155506.0Zkzlg found user entry normalized: cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=comkzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=group)(member:1.2.840.113556.1.4.1941:=cn=user1,ou=users,ou=oracle,dc=spotonoracle,dc=com))kzlg number of entries: 1kzlg search_ext -s sub -b dc=spotonoracle,dc=comkzlg search filter: (&(objectclass=group)(objectSid=S-1-5-21-4282430696-1338935355-568305779-513))kzlg number of entries: 1kzlg doing LDAP unbind |
Thanks to this I could resolve the last road block. CMU with TLS/Kerberos is fully functioning.