I have a need to update a user's password in Microsoft's Active Directory through PL/SQL. I have configured an Oracle Wallet and can successfully bind to the Active Directory (LDAP) over SSL Port 636.

However, when I attempt to change the 'unicodePwd' parameter through the DBMS_LDAP.populate_mod_array statement below:

DBMS_LDAP.populate_mod_array(v_emp_array,DBMS_LDAP.MOD_REPLACE,'unicodePwd',v_emp_vals);

I receive the following error:

ORA-31202: DBMS_LDAP: LDAP client/server error: DSA is unwilling to perform. 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1455
ORA-06512: at "SYS.DBMS_LDAP", line 929
ORA-06512: at line 103

Has anyone experienced this before? Is this a problem on the Active Directory configuration, or is there something that may need to be done to the string being passed into the attribute (i.e., needs to be converted to Unicode?). We are attempting to create the Unicode string through the following routine:

v_emp_vals(1) := UTL_RAW.cast_to_raw(convert(v_random_pwd, 'AL16UTF16', 'US7ASCII'));

, but this does not appear to resolve the issue. Any help!?

Hi,

You need to use the little endian Unicode characterset, 'AL16UTF16LE', also the password needs to be concatenated with double quotes on each side:

bervals dbms_ldap.berval_collection;
...
bervals(1) := utl_raw.cast_to_raw(convert('"'||password||'"','AL16UTF16LE'))

It wont work if you are not using a SSL connection to the ActiveDirectory.

Regards,
Luis

Update

I had the certificate installed on the database server to make sure it wasn't having problems finding it.

Reading the other posts I found a sample select to try

SELECT UTL_HTTP.REQUEST('HTTPS://INTERACT.CSC.XXX.XXX:4443/....',
NULL,'FILE:/U11/APP/ORACLE/ADMIN/TST7/CERTIFICATE','pswrd')
FROM DUAL;

This worked successfully, but I am still getting the same error on the open_ssl function.

See Metalink 215532.1
"The Oracle Extensions to the LDAP APIs (DBMS_LDAP_UTL and C API SSL extension) cannot be used with third party directories."

My interpretation of this is that using DBMS_LDAB.open_ssl is not supported with anything besides OID. And any other product of Oracle's that does allow for third-party directory authentication is probably not using DBMS_LDAP, but something more low-level.

I got to work today. The trick is to make sure you use a binary collection to put the password in. Of course this assumes you are using SSL. as well. I was just a few minutes from giving up when figured it out.

ldap_valsb DBMS_LDAP.BERVAL_COLLECTION ;

ldap_valsb(1) := UTL_RAW.cast_to_raw(convert('"' || :new.lpass || '"','AL16UTF16LE'));
ldap_adduserstring := ldap_adduserstring || ' *UNICODEPWD:' || ldap_valsb(1);
DBMS_LDAP.populate_mod_array(ldap_array,DBMS_LDAP.MOD_ADD , 'unicodePwd',ldap_valsb);

This error seems to be from AD. And your code seems ok to me. To change the password using only the new password you need to do it using an administrative account. If you are changing your own password you need to use a replace operation and send the old password and the new password.

Also, are you sure that your users are in the form 'cn='||I_USERNAME||',ou=Users,' || ldap_base on Active Directory? The cn does not need to be equal to the samaccountname (Or the uid you see on OID).

Regards,
Luis

Hello,
I'm trying to set AD password to a new entry user.
I know i have to use SSL, an administrator account, but no more.
Can you post a working listing of the code?

Thank you...

Hi,

Some of you have mentioned that you could successfully use Port 636 for binding a session to AD thru SSL using dbms_ldap.open_ssl

Some of the metalink note suggests that using SSL to connect to a thirdparty LDAP is not supported in dbms_ldap. Is it true?

How did you do bind then? Using wallet? What are the steps for creating wallet... Could you pls provide the steps / any URL explaining how to do this.