EBS blank login page issue - How to autopopulate user_guid in fnd_user table
Unable to call fnd_ldap_wrapper . create_user / update_user ORA-20001
While creating user in Oracle Apps it's showing error that AppsDN password has been expired
Internal Error: Webgate allowed access to protected page GUID=null-
Issue:
The EBS local login URL works fine. When accessing the SSO URL, users get the error below appended to the URL, and the login page is blank.
Assumptions:
All SSO setups and profiles are fine. "Applications SSO Auto Link User" is already "Enabled", but it is not helping. "Applications SSO Login Types" is already set to "BOTH".
Reason :
This error can have many causes. To name a few:
1) More Secure Password Policy in OID compared to E-Business Suite
2) User already exists in OID but missing in E-Business Suite
3) apps user does not have privileges to access dbms_ldap package.
4) AppsDN password expired in OID (password expiry in OID)
5) OID or DIP server not running
One possible reason: OAM authentication succeeds, but during the authorization process OAM is unable to map the GUID from OID to user_guid in fnd_user. This can happen when user_guid is null in the fnd_user table.
As per the process, when a user logs in for the first time, user_guid should be populated automatically (from OID).
Workaround :
Query the GUID from OID and update the fnd_user table with it.
ldapsearch -h oidhost.online.org -p 3060 -D "cn=orcladmin" -w orcladmpwd -b "cn=Users,dc=dc,dc=online,dc=org" -s sub "(uid=$1)" orclsamaccountname krbprincipalname mail orcluserprincipalname orclguid
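Pass the user ID to this command as $1. It returns the GUID (orclguid) along with the other attributes.
Update the fnd_user table with the GUID returned above (the values in angle brackets are placeholders):
update fnd_user set user_guid='<orclguid>' where user_name='<USER_NAME>';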
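The workaround above as a script, given as an added example that is not part of the original post: it reads ldapsearch output, accepts only a single well-formed orclguid, and prints an UPDATE that cannot be broken by an odd user name. The function names, the sample user JSMITH, the sample GUID, the 32-hex-digit GUID format and the extra "user_guid is null" condition are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.
LC_ALL=C; export LC_ALL

# True when $1 is exactly 32 upper-case hex digits.
# Assumption: orclguid has this form (fnd_user.user_guid is RAW(16)).
is_guid() {
    case $1 in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#1}" -eq 32 ]
}

# Read ldapsearch output on stdin and print the single orclguid it contains.
# Accepts both "orclguid=VALUE" and LDIF-style "orclguid: VALUE" lines.
extract_orclguid() {
    guids=$(sed -n 's/^[Oo][Rr][Cc][Ll][Gg][Uu][Ii][Dd][=:] *//p' |
            tr -d '\r' | tr 'a-f' 'A-F')
    count=$(printf '%s\n' "$guids" | grep -c . || true)
    # Zero hits: the uid is not in OID. Several hits: ambiguous, do not guess.
    [ "$count" -eq 1 ] || { echo "expected 1 orclguid, got $count" >&2; return 1; }
    is_guid "$guids" || { echo "malformed orclguid" >&2; return 1; }
    printf '%s\n' "$guids"
}

# Print the UPDATE for one user. Both values are validated first so neither
# can break out of its SQL string literal.
build_update_sql() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) echo "unsafe user name" >&2; return 1 ;;
    esac
    is_guid "$2" || { echo "malformed guid" >&2; return 1; }
    # "user_guid is null" leaves an already linked account untouched.
    printf "update fnd_user set user_guid='%s' where user_name='%s' and user_guid is null;\n" "$2" "$1"
}

# Constructed ldapsearch output for a hypothetical user JSMITH.
SAMPLE='cn=jsmith,cn=Users,dc=dc,dc=online,dc=org
mail=jsmith@online.org
orclguid=3f9a0c5e7b1d4a28e0401234abcd5678'

guid=$(printf '%s\n' "$SAMPLE" | extract_orclguid) && build_update_sql JSMITH "$guid"
```

In real use, pipe the ldapsearch command shown above into extract_orclguid instead of the constructed sample, and review the printed statement before running it in SQL*Plus.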
Solution
The "AppsDN" user is a special administration account that E-Business Suite uses to connect to OID for management and administrative tasks when integrating with OID/SSO. First check whether the AppsDN password has expired. To check this, log in to the apps database and run the following.
Step 1
SQL> select fnd_preference.get('#INTERNAL', 'LDAP_SYNCH','USERNAME') from dual;
FND_PREFERENCE.GET('#INTERNAL','LDAP_SYNCH','USERNAME')
--------------------------------------------------------------------------------
orclapplicationcommonname=prod,cn=ebusiness,cn=products,cn=oraclecontext,dc=cloud,dc=com
Step 2
Check the current password of AppsDN in Oracle Apps R12.
select fnd_preference.eget('#INTERNAL', 'LDAP_SYNCH','EPWD','LDAP_PWD') Password from dual;
Step 3
Now use the information gathered in Step 1 and Step 2 to check what is wrong with the AppsDN user in OID, using the following command (the values in angle brackets are placeholders).
$ORACLE_HOME/bin/ldapcompare -h <oid_host> -p <oid_port> -D cn=orcladmin -w <orcladmin_password> -b "orclapplicationcommonname=prod,cn=ebusiness,cn=products,cn=oraclecontext,dc=cloud,dc=com" -a userpassword -v <AppsDN_password_from_Step_2>
In our case it returned the following error.
ldap_compare_s: Invalid credentials
ldap_compare_s: additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.
Solution
Step 4
To resolve this issue, log in to "oidadmin" after setting the proper environment variables on the OID server.
$ oidadmin
Navigate through the "Entry Management" tree to the appropriate context (the reversed path of the orclApplicationCommonName). Use the information you gathered in Step 1.
For example:
com, oracle, uk, OracleContext, Products, EBusiness, orclApplicationCommonName=VIS
Update the "userpassword" field for this entry. It can be set to the existing value.
Click the "Apply" button to save this change. This immediately stores the new password, so you can redo the "ldapbind" test and it will succeed this time.