Oracle® Identity Management Integration Guide
10g (10.1.4.0.1)
Part Number B15995-01

C Troubleshooting the Oracle Directory Integration Platform

This appendix describes common problems that you might encounter when using the Oracle Directory Integration Platform and explains how to solve them. It contains these topics:

Troubleshooting Oracle Directory Integration Platform Problems

This section includes general approaches for diagnosing problems with the Oracle directory integration server. It contains these topics:

Diagnosing the Oracle Directory Integration Platform in an Infrastructure Installation

After you start the Oracle directory integration server, you can verify that it is running by following these steps:

  1. On UNIX/Linux, use the following command to verify that the odisrv process is running:

    ps -ef | grep odisrv

    For Windows operating systems, obtain the value of the process ID (PID) for the odisrv process from $ORACLE_HOME/ldap/log/oidmon.log. Then, start Task Manager and click the Processes tab to verify that the process is running.

  2. If the Oracle directory integration server is not running, then examine the $ORACLE_HOME/ldap/log/oidmon.log file to determine the reason why the server did not start.

  3. If the log file shows any database related errors:

    1. Verify that a value is set for ORACLE_SID.

    2. Verify that the connection string assigned to ORACLE_SID is specified in the $ORACLE_HOME/network/admin/tnsnames.ora file.

  4. Ensure that the log file lists valid values for the server instance number and the configset number arguments. If the values are set correctly, then examine the file $ORACLE_HOME/ldap/log/odisrv_nn.log, where nn is the number of the started instance. If the odisrv_nn.log file indicates a registration error, then re-register the Oracle directory integration platform by using the odisrvreg utility.

  5. If you do not find any errors in the previous step, then examine the file $ORACLE_HOME/ldap/log/odisrv_jvm_yyy.log, where yyy is the process identifier of the odisrv process that should have started. Look for the file with the latest timestamp.

Diagnosing the Oracle Directory Integration Platform in an Oracle Directory Integration Platform Installation

After you start the Oracle directory integration server, you can verify that it is running by following these steps:

  1. On UNIX/Linux, use the following command to verify that the odisrv process is running:

    ps -ef | grep odisrv

    For Windows operating systems, obtain the value of the process ID (PID) for the odisrv process from the $ORACLE_HOME/ldap/log/odisrv_nn.log file, where nn is the number of the started instance. Then, start Task Manager and click the Processes tab to verify that the process is running.

  2. If the Oracle directory integration server is not running, examine the odisrv_nn.log file. If the file contains a registration error, then re-register the Oracle directory integration server by using the odisrvreg utility.

  3. If you do not find any errors in the previous step, then examine the file $ORACLE_HOME/ldap/log/odisrv_jvm_yyy.log, where yyy is the process identifier of the odisrv process that should have started. Look for the file with the latest timestamp.
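The two procedures above (infrastructure installation and Oracle Directory Integration Platform installation) can be scripted. The following is an added example, not code from the Oracle guide: it assumes the log file names quoted above, treats the strings "ORA-"/"database" and "registration" as constructed markers for database and registration errors, and builds a constructed $ORACLE_HOME tree so it can be run offline.

```python
"""Automate the odisrv start-up checks: ORACLE_SID, tnsnames.ora alias,
registration errors in odisrv_nn.log, and the newest odisrv_jvm_yyy.log."""
import glob
import os
import re
import subprocess
import tempfile
import time

# Constructed markers (assumption): what counts as a database-related error in
# oidmon.log and a registration error in odisrv_nn.log.
DB_ERROR_MARKERS = ["ORA-", "database"]
REG_ERROR_MARKERS = ["registration"]


def odisrv_running():
    """Step 1 on UNIX/Linux: `ps -ef | grep odisrv`, minus the grep process itself."""
    out = subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout
    return any("odisrv" in line and "grep" not in line for line in out.splitlines())


def tnsnames_has_alias(tnsnames_path, sid):
    """Step 3b: the ORACLE_SID connect string must be a top-level alias (`sid =`)."""
    pattern = re.compile(r"^\s*%s\s*=" % re.escape(sid), re.IGNORECASE | re.MULTILINE)
    with open(tnsnames_path, encoding="utf-8") as fh:
        return pattern.search(fh.read()) is not None


def scan_log(path, markers):
    """Return the lines of a log file that mention any of the markers."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh
                if any(m.lower() in line.lower() for m in markers)]


def diagnose(oracle_home, env):
    """Run steps 2 to 5 against the log directory and return a report dict."""
    log_dir = os.path.join(oracle_home, "ldap", "log")
    tns = os.path.join(oracle_home, "network", "admin", "tnsnames.ora")
    sid = env.get("ORACLE_SID", "")
    report = {
        "oracle_sid_set": bool(sid),
        "tns_alias_present": bool(sid) and os.path.exists(tns) and tnsnames_has_alias(tns, sid),
        "db_errors": scan_log(os.path.join(log_dir, "oidmon.log"), DB_ERROR_MARKERS),
        "registration_errors": [],
        "latest_jvm_log": None,
    }
    # odisrv_nn.log: instance logs (digits only, so odisrv_jvm_*.log is excluded)
    for inst_log in sorted(glob.glob(os.path.join(log_dir, "odisrv_[0-9]*.log"))):
        report["registration_errors"] += scan_log(inst_log, REG_ERROR_MARKERS)
    # Step 5: the odisrv_jvm_yyy.log with the latest timestamp
    jvm_logs = glob.glob(os.path.join(log_dir, "odisrv_jvm_*.log"))
    if jvm_logs:
        report["latest_jvm_log"] = os.path.basename(max(jvm_logs, key=os.path.getmtime))
    report["next_step"] = next_step(report)
    return report


def next_step(report):
    """Map the findings to the action the procedure prescribes."""
    if report["db_errors"] and not report["oracle_sid_set"]:
        return "set ORACLE_SID"
    if report["db_errors"] and not report["tns_alias_present"]:
        return "add the ORACLE_SID connect string to tnsnames.ora"
    if report["registration_errors"]:
        return "re-register with odisrvreg"
    if report["latest_jvm_log"]:
        return "examine " + report["latest_jvm_log"]
    return "no errors found"


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_home():
    """Constructed $ORACLE_HOME tree reproducing a database error and a registration error."""
    home = tempfile.mkdtemp(prefix="dip_home_")
    log_dir = os.path.join(home, "ldap", "log")
    net_dir = os.path.join(home, "network", "admin")
    os.makedirs(log_dir)
    os.makedirs(net_dir)
    _write(os.path.join(net_dir, "tnsnames.ora"),
           "asdb =\n  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oidhost)(PORT = 1521)))\n")
    _write(os.path.join(log_dir, "oidmon.log"),
           "Starting odisrv instance 1 configset 0\nORA-12154: database connection failed\n")
    _write(os.path.join(log_dir, "odisrv_01.log"), "Registration error: DIS password mismatch\n")
    old, new = os.path.join(log_dir, "odisrv_jvm_100.log"), os.path.join(log_dir, "odisrv_jvm_200.log")
    _write(old, "jvm log (older)\n")
    _write(new, "jvm log (newest)\n")
    os.utime(old, (time.time() - 3600, time.time() - 3600))  # make it clearly older
    return home


if __name__ == "__main__":
    print(diagnose(build_sample_home(), {"ORACLE_SID": "asdb"}))
```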

Troubleshooting Utilities

This section discusses the oditest and DIP Tester utilities that you can use to troubleshoot synchronization problems.

The oditest Utility

Troubleshooting synchronization can be complex if there are numerous profiles running or if the synchronization interval for a particular profile is set to occur too infrequently. In such cases, the behavior of any connector can be tested using the oditest utility as follows:

  1. If numerous profiles are running, then use the Directory Integration Assistant (dipassistant) to selectively disable the profile you want to troubleshoot. If a single profile is running, then stop the directory integration server.

  2. Go to $ORACLE_HOME/bin and run the oditest utility using the following syntax:

    oditest sync | prov profile_name host=host_of_Oracle_Internet_Directory \
    port=port_for_Oracle_Internet_Directory binddn=bind_DN \
    bindpass=password_for_the_bind_DN sslauth=0 debug=63

    The following example shows how to run the oditest utility with a Sun Java System Directory synchronization profile:

    oditest sync IplanetImport host=my-oidhost port=3060 binddn=cn=orcladmin \
    bindpass=welcome1 sslauth=0 debug=63

See Also:

"Finding Log Files" for information on how to review the audit log and trace files

The DIP Tester Utility

The DIP Tester utility is a standalone, platform independent Java application that aids in the configuration, testing, and debugging of Oracle Internet Directory implementations that synchronize with Oracle Directory Integration Platform connectors. The utility uses the Directory Integration Assistant (dipassistant) to modify profiles and also uses standard LDAP tools (ldapadd, ldapmodify, ldapdelete, and ldapsearch) for many behind-the-scenes operations. The DIP Tester utility has been tested on Oracle Internet Directory Release 10g (9.0.4) through Oracle Application Server 10g (10.1.4.0.1) for Solaris, Linux, and Windows platforms. You can download DIP Tester from Oracle Technology Network at http://www.oracle.com/technology/index.html. The download includes graphical user interface (GUI) and command-line versions of the DIP Tester utility. Both versions are installed automatically with a single installation script.

As you follow the troubleshooting procedure in this section, you can use DIP Tester to:

  • Make changes to a directory integration profile

  • View log files

  • Create test entries

  • Get or set the last applied change key

  • Dump entire profile contents

  • Reload the map file

  • Start and stop the directory integration server

  • Capture errors in trace files for uploading to Oracle Support

  • Perform initial bootstrapping of users


Note:

When the Oracle directory integration server performs a synchronization, it reads the last applied change key and caches the value. At the next synchronization interval, the Oracle directory integration server updates Oracle Internet Directory with the last execution time and the cached value of the last applied change key.

Before you manually change the last applied change key in a synchronization profile, be sure to stop the Oracle directory integration server. Otherwise, at the next interval, your change will be overwritten by the cached value. In fact, you should always stop the Oracle directory integration server before changing any values in a synchronization profile.


The DIP Tester utility is installed in the $ORACLE_HOME/bin directory.


See Also:

The README.txt and DIP Tester User's Guide, located in the directory where you installed the DIP Tester utility

Problems and Solutions

This section describes common problems and solutions for Oracle Directory Integration Platform. It contains these topics:


Note:

The Oracle directory integration platform stores error messages in the appropriate file, as described in "Location and Naming of Files".

Oracle Directory Integration Server Errors

This section provides solutions for errors and problems you may encounter with the Oracle directory integration server.

Problem

PASSWORD POLICY ERROR :9000: GSL_PWDEXPIRED_EXCP.

Solution

Beginning with Oracle Internet Directory 10g (9.0.4), the default password expiration time, which is assigned to the pwdmaxage attribute, is set to 60 days. To fix this problem, perform the following steps:

  1. Use the oidpasswd utility to unlock the cn=orcladmin super user account as follows:

    oidpasswd connect=asdb unlock_su_acct=true
    OID DB user password:
    OID super user account unlocked successfully.

    This unlocks only the super user account, cn=orcladmin. Do not confuse this account with the cn=orcladmin account within the default realm, cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy. They are two separate accounts.

  2. Start an Oracle Internet Directory 10g (10.1.4.0.1) release of Oracle Directory Manager and navigate to Password Policy Management. You will see two entries: cn=PwdPolicyEntry and the password policy for your realm—for example, password_policy_entry,dc=acme,dc=com.

    Change the pwdmaxage attribute in each password policy to an appropriate value:

    • 5184000 = 60 days (default)

    • 7776000 = 90 days

    • 10368000 = 120 days

    • 15552000 = 180 days

    • 31536000 = 1 year


      Note:

      It is important to change this value in both places.

  3. Start Oracle Directory Manager and navigate to the realm-specific orcladmin account. Find the userpassword attribute and assign a new value. You should then be able to start any Oracle component that uses OracleAS Single Sign-On, and log in as orcladmin.

  4. Rerun the odisrvreg utility to reset the randomly generated password for Oracle Directory Integration Platform:

    odisrvreg -D cn=orcladmin -w welcome1 -p 3060
    Already Registered...Updating DIS password...
    DIS registration successful.

Provisioning Errors and Problems

This section provides solutions for provisioning errors and problems.

Problem

Unable to get the Entry from its GUID. Fatal Error...

Solution

The Oracle directory integration server is attempting to retrieve an entry that has been deleted, but not yet purged. Update the tombstone purge configuration settings in the Garbage Collection Management node of Oracle Directory Manager.

Problem

LDAP connection failure.

Solution

Oracle Directory Integration Platform failed to connect to the directory server. Check the connection to the directory server.


See Also:

The chapter about directory server administration in Oracle Internet Directory Administrator's Guide for information about directory server connections

Problem

LDAP authentication failure.

Solution

The provisioning profile is not able to connect to the LDAP server as administrator. Verify Oracle directory integration server entry in the directory. Re-register the Oracle directory integration server by using the odisrvreg utility.

Problem

Initialization failure.

Solution

Problem connecting to the directory server using JNDI. Examine the trace files (profile_name.trc) and audit files (profile_name.aud) in the $ORACLE_HOME/ldap/odi/log directory.

Problem

Database connection failure.

Solution

Problem connecting to the database with the given account information; either the database is not running or there is an authentication problem. Examine the trace files (profile_name.trc) and audit files (profile_name.aud) in the $ORACLE_HOME/ldap/odi/log directory.

Problem

Exception while calling an SQL operation.

Solution

Problem in executing the package. Verify the package usability. Examine the trace files (profile_name.trc) and audit files (profile_name.aud) in the $ORACLE_HOME/ldap/odi/log directory.

Problem

Provisioning Profiles Not Getting Executed by the DIP Provisioning Server.

Solution

Provisioning profiles only run when the Oracle directory integration platform is started with configuration set 0. Ensure that the Oracle directory integration server has been started with the argument configset=0.

Problem

Unable to Connect to the Application Database.

Solution

The application database connection requirements in a provisioning profile may be incorrect. Use sqlplus to verify connectivity requirements.

Problem

User/Group Modify And Delete Events Not being consumed by the application.

Solution

The Oracle Directory Integration Platform Service first queries an application database about the existence of a user or group. If the application database responds with a negative value, then the user or group does not exist, and the event is not propagated to the application. Examine the trace files (profile_name.trc) and audit files (profile_name.aud) in the $ORACLE_HOME/ldap/odi/log directory to determine whether the user or group exists in the application database.

Problem

Subscription to binary attributes results in the event propagation error.

Solution

Binary attributes propagation is not supported. Remove the binary attribute assignments from the event subscription in the provisioning profile.

Problem

Insufficient Access Rights to do "proxy" as the Application DN.

Solution

The Oracle Directory Integration Platform server group has not been granted browse privilege by the application DN. Use the ldapmodify command to load the following ACIs, which grant browse privileges from the application DN to the Oracle Directory Integration Platform group:

orclaci: access to attr=(*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory"(read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory"(browse,proxy)

Problem

Insufficient access rights to use an application DN as a proxy.

Solution

The Oracle Directory Integration Platform server group has not been granted proxy privileges by the application DN. Use the ldapmodify command to load the following ACI, which grants proxy privileges from the application DN to the Oracle Directory Integration Platform group:

orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)
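Before loading the ACIs from the two solutions above, it helps to confirm which of the browse, proxy, read, write, search and compare privileges the application DN already grants to cn=odisgroup. The following checker is an added example, not code from the Oracle guide; it assumes a simplified orclaci grammar covering only the "access to entry by group=..." and "access to attr=(*) by group=..." forms shown on this page, and the sample orclaci values are constructed.

```python
"""Check an application DN's orclaci values for the privileges the DIP server
group needs, and emit an ldapmodify LDIF that adds only what is missing."""
import re

ODISGROUP = "cn=odisgroup,cn=odi,cn=oracle internet directory"

# Privileges the two solutions above expect the DIP group to hold on the application DN.
REQUIRED = {
    "entry": {"browse", "proxy"},
    "attr": {"read", "write", "search", "compare"},
}

# Simplified grammar (assumption): only the group-based forms used on this page.
ACI_RE = re.compile(
    r'^access\s+to\s+(?P<scope>entry|attr\s*=\s*\(\s*(?P<attrs>[^)]*)\))\s+'
    r'by\s+group\s*=\s*"(?P<group>[^"]*)"\s*\((?P<privs>[^)]*)\)\s*$',
    re.IGNORECASE)


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators, so a padded value such as
    '" cn=odisgroup, cn=odi,..."' compares equal to the canonical group DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(value):
    """Return (scope, attrs, group_dn, privileges) or None if the value is not understood."""
    m = ACI_RE.match(value.strip())
    if not m:
        return None
    scope = "entry" if m.group("scope").lower() == "entry" else "attr"
    attrs = {a.strip() for a in (m.group("attrs") or "").split(",") if a.strip()}
    privs = {p.strip().lower() for p in m.group("privs").split(",") if p.strip()}
    return scope, attrs, normalize_dn(m.group("group")), privs


def granted_to(acis, group):
    """Collect the privileges the given group receives, keyed by scope."""
    found = {"entry": set(), "attr": set()}
    target = normalize_dn(group)
    for value in acis:
        parsed = parse_aci(value)
        if parsed is None:
            continue
        scope, attrs, grp, privs = parsed
        if grp != target:
            continue
        if scope == "attr" and "*" not in attrs:
            continue  # only a wildcard grant satisfies the attr=(*) requirement
        found[scope] |= privs
    return found


def missing_privileges(acis, group=ODISGROUP):
    """Required privileges not yet granted, per scope; both sets empty means all is well."""
    have = granted_to(acis, group)
    return {scope: REQUIRED[scope] - have[scope] for scope in REQUIRED}


def fix_ldif(application_dn, acis):
    """Build an ldapmodify LDIF adding the orclaci values from the solutions above
    that are still missing; returns an empty string when nothing is missing."""
    missing = missing_privileges(acis)
    lines = ["dn: " + application_dn, "changetype: modify", "add: orclaci"]
    if missing["attr"]:
        lines.append('orclaci: access to attr=(*) by group="%s" (read,write,search,compare)' % ODISGROUP)
    if missing["entry"]:
        lines.append('orclaci: access to entry by group="%s" (browse,proxy)' % ODISGROUP)
    return "\n".join(lines) + "\n" if len(lines) > 3 else ""


# Constructed sample: an application DN whose only ACI grants browse, but not proxy.
SAMPLE_PARTIAL = [
    'access to entry by group=" cn=odisgroup, cn=odi,cn=oracle internet directory" (browse)',
]

if __name__ == "__main__":
    print(missing_privileges(SAMPLE_PARTIAL))
    print(fix_ldif("cn=myapp,cn=products,cn=oraclecontext", SAMPLE_PARTIAL))
```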

Synchronization Errors and Problems

This section provides solutions for synchronization errors and problems.


See Also:

OracleMetaLink Note: 276481.1—Troubleshooting OID DIP Synchronization Issues available on OracleMetaLink at http://metalink.oracle.com/

Problem

LDAP: error code 50 - Insufficient Access Rights; remaining name 'CN=Users,dc=mycompany,dc=com'

Solution

The record target is not in a default container. Find the DST CHANGE RECORD. Check the ACIs for the target container. If they are blank, then use DIP Tester to apply a known set of ACIs to the new container.

Problem

LDAP: error code 50 - Insufficient Access Rights; ACTIVECHGIMP MAPPING IMPORT OPERATION FAILURE; Agent execution successful, Mapping/import operation failure

Solution

By default the cn=Users,default realm contains the proper ACIs. However, this error can occur when trying to synchronize into a different container within the default realm. Open the trace file, locate the change record that is causing the error, and then check the ACIs for the record's parent container. Apply the same ACIs to the target container.

Problem

Trace File Error: Not able to construct DN Output ChangeRecord ChangeRecord : Changetype: 1 ChangeKey: cn=users, dc=us,dc=oracle,dc=com Exception javax.naming. ContextNotEmptyException: [LDAP: error code 66 - Not Allowed On Non-leaf]; remaining name 'cn=users,dc=us,dc=oracle,dc=com' Missing mandatory attribute(s).

Solution

Problem with the mapping file. Follow the instructions in OracleMetaLink Note: 261342.1—Understanding DIP Mapping available on OracleMetaLink at http://metalink.oracle.com/.

Problem

Trace File Error: IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101).

Solution 1

The mapping file has not been loaded. In the Oracle Directory Integration Server Administration tool, verify that the Mapping tab contains the values from your mapping file. If your values are not available, then use the DIP Tester utility to reload the mapping file.

Solution 2

The orclcondirlastappliedchgnum attribute is null or has no value. This may occur if bootstrapping failed or if you manually populated Oracle Internet Directory and did not assign a value to the orclcondirlastappliedchgnum attribute. Verify that the orclcondirlastappliedchgnum attribute has a value. If not, then use the DIP Tester utility to set the orclcondirlastappliedchgnum attribute.

Problem

Trace File Error: Command exec successful IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101) at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:169) Updated Attributes orclodipLastExecutionTime: 20040601143204.

Solution

Missing LDAP port on connected directory URL attribute value (hostname:port). Specify the LDAP port in the connected directory URL attribute.

Problem

Trace File Error: LDAP URL : (xxxxxx.com:389<login credentials to 3rd party ldap server> LDAP Connection success ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_INITIALIZATION_EXCEPTION ODIException: DIP_GEN_INITIALIZATION_EXCEPTION at oracle.ldap.odip.util.DirUtils.getLastChgNum(DirUtils.java:48) at oracle.ldap.odip.gsi.LDAPReader.initAvailableChgKey(LDAPReader.java:719) at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:212) at oracle.ldap.odip.engine.AgentThread.mapInitialise(AgentThread.java:327) at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:253) at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149) ActiveChgImp:about to Update exec status Error in proxy connection : java.lang.NullPointerException.

Solution

The files in $ORACLE_HOME/ldap/odi/conf should be owned by the Oracle installer ID, with permissions set accordingly. Use the ldapmodify utility to fix the following two entries:

dn: orclODIPAgentName=profile_name,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
changetype: modify
replace: orclaci
orclaci: access to attr=(*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)

dn: orclodipAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory 
orclodipagentconfiginfo:: W0lOVEVSRkFDRURFVEFJTFNdClBhY2thZ2U6IGdzaQpSZWFkZXI 6IEFjdGl2ZUNoZ1JlYWRlcgo= 

Note:

The preceding entry is a binary object representing an import profile for the ActiveChange Reader. If you are fixing a Sun Java System Directory export profile, then you must dump the orclodipagentconfiginfo attribute for the corresponding profile from an existing profile or another node.


See Also:

The following for information about LDAP error code 49 and Error 9000: GSL_PWDEXPIRED_EXCP:

Problem

The Mapping tab in the Oracle Directory Integration Server Administration tool shows a file name instead of the mapping rules.

Solution

The absolute path was not included when the mapping file was loaded. Reload the mapping file using full absolute path. You can reload the mapping file using the Directory Integration Assistant (dipassistant) or the DIP Tester utility.

Problem

LDAP: error code 50 - Insufficient Access Rights.

Solution

The ODI agent entry orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory does not have full read/write access to the synchronized entries in Oracle Internet Directory. Because the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group already has the required ACLs defined, the agent entry should be made a member of this group. In this case, <subscriber DN> is set to identity_management_realm. You must add the orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory user entry to the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group so that it has the required ACL access to perform the updates. In Oracle Directory Manager, navigate through Entry Management -> dc=com,identity_management_realm -> cn=oraclecontext -> cn=groups -> cn=oracleDASCreateUser. There, add the following value to the uniquemember attribute: orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.

Problem

Add and change operations are successful, but delete operations fail without being recorded in the trace file.

Solution 1

Tombstones are not enabled in Sun Java System Directory. Verify that tombstones are enabled as described in OracleMetaLink Note: 219835.1, available on OracleMetaLink at http://metalink.oracle.com/.

Solution 2

In Microsoft Active Directory, the account used for the profile is not a member of the DIR SYNCH ADMIN group. This only occurs if you are not using a Microsoft Active Directory administrator account. Install the appropriate patch from Microsoft.

Problem

Data synchronization problems encountered after configuring Oracle Directory Integration import or export connectors to third-party LDAP directories.

Solution

Determine the cause by running the oditest utility. Run the oditest utility as described in "The oditest Utility".

Problem

The Oracle Internet Directory profile in Oracle Directory Manager shows "synchronization successful" yet no changes show up in the directory.

Solution

The synchronization interval is set to occur too infrequently to be of use during testing. By default, the synchronization interval is 60 seconds, but it is often increased for better performance, for example to 300 seconds (5 minutes) or 600 seconds (10 minutes). Follow these steps to decrease your synchronization interval for testing:


CAUTION:

Decreasing the synchronization interval may significantly impact the performance of your connected directory server. Before changing the synchronization interval, try debugging your connector with the oditest utility. If you do change the synchronization interval, be sure to reset it to its original value after you are finished with your testing procedures.


  1. In the Oracle Directory Integration Server Administration tool, in the navigator pane, navigate to the Integration Server and modify the Scheduling Interval attribute in the profiles to 20 seconds.

  2. Use the odisrv command to stop the Oracle directory integration server, and restart it with the parameter debug=63.

  3. Add a test entry in your connected directory.

  4. On the Oracle Internet Directory host, change to the $ORACLE_HOME/ldap/odi/log directory and use the cat command to display the ActiveChgImp.trc file. When the Oracle directory integration server wakes up and processes the record from the connected directory change log, you will see the details listed in the IplanetImport.trc or ActiveChgImp.trc file.

  5. Examine the trace files for possible clues as to what is actually taking place: You should see the handshake/login to the connected directory server, then the change being captured and reformatted according to the mapping rules, and finally the change being attempted in Oracle Internet Directory. If there are handshake or mapping problems they will appear in this file.

A common mistake is to set the Connect Directory Account DN to Administrator. This field must contain the entire distinguished name of the Microsoft Active Directory administrator, for example:

cn=Administrator,cn=Users,dc=myoracle,dc=com

The first domain component is the value of the third field of the Windows Login page: User Name, Password, Log on to.

The following ldapsearch commands may be helpful in identifying problems with the configuration.

To check the default identity management realm:

ldapsearch -h host -p port -D cn=orcladmin -w password -b "cn=common,cn=products,cn=oraclecontext" \
-L -s base "objectclass=*" orcldefaultsubscriber

To dump the Oracle directory integration server configuration set:

ldapsearch -h host -p port -D cn=orcladmin -w password -b "cn=instance1,cn=odisrv,cn=subregistrysubentry" \
-s base -v "objectclass=*"

To check profiles:

ldapsearch -h host -p port -D cn=orcladmin -w password -b "orclODIPAgentName=profile,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=*

To check the agent credentials:

ldapsearch -p port -D cn=orcladmin -w password \
-b "orclODIPAgentName=profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" \
-s sub "objectclass=*"

This command returns the password in clear text only if you run it using orcladmin credentials.

Problem

Bootstrap Error: DIP_GEN_AUTHENTICATION_FAILURE when trying to Synchronize Microsoft Active Directory with Oracle Internet Directory

Solution

Invalid credentials. Check the synchronization profile and ensure that it contains the proper credentials to log in to the Microsoft Active Directory server.

Windows Native Authentication Errors and Problems

This section provides solutions for errors and problems you may encounter when integrating Oracle Identity Management with Windows Native Authentication.

Problem

Internal Server error. Please contact your administrator.

Solution

Windows Native Authentication is misconfigured on the middle-tier computer. To fix this problem, perform the following steps:

  1. Check the opmn.log file for errors.

  2. Check the ssoServer.log file for errors.

  3. Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in the jazn-data.xml file is correct.

  4. Make sure that the single sign-on middle tier computer is properly configured to access the Key Distribution Center. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".

Problem

Could not authenticate to KDC.

Solution

This error message may be invoked if the realm name in krb5.conf is incorrectly configured. Check the values default_realm and domain_realm in /etc/krb5/krb5.conf. Note that the realm name is case-sensitive.

Problem

Your browser does not support the Windows Kerberos authentication or is not configured properly.

Solution

The user's Web browser is not supported or is misconfigured. Follow the instructions in "Task 2: Configure Internet Explorer for Windows Native Authentication".

Problem

"Access forbidden" or "HTTP error code 403" or "Windows Native Authentication Failed. Please contact your administrator."

Solution

These error messages have the same cause: the user entry cannot be found in Oracle Internet Directory. A local administrator working at a Windows desktop may be trying to access a single sign-on partner application whose entry may not have been synchronized with Oracle Internet Directory. Determine whether the user entry exists in the directory and if the Kerberos principal attributes for the user are properly synchronized from Microsoft Active Directory.

Problem

The Windows login dialog box (with user name, password, and domain fields in it) comes up when accessing the partner application.

Solution

The single sign-on server was not able to authenticate the Kerberos token because the corresponding user entry could not be found in Oracle Internet Directory. Add the user entry to the directory.

Problem

Single sign-on server fails to start. Log file contains an exception bearing the message "Credential not found."

Solution

The parameter kerberos-servicename may not be configured correctly. To fix this problem, perform the following steps:

  1. Make sure that kerberos-servicename is configured correctly in the files orion-application.xml and jazn-data.xml. In orion-application.xml, the format for this parameter is HTTP@sso.mycompany.com. In the jazn-data.xml, the format is HTTP/sso.mycompany.com.

  2. Check the ssoServer.log file for errors.

  3. Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.

  4. Make sure that the single sign-on middle tier computer is configured to access the Kerberos domain controller. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".

Problem

The following exception is raised when running the OracleAS Single Sign-On Configuring Assistant:

Repository Access API throws exception :
oracle.ias.repository.schema.SchemaException: Unable to establish secure connection to Oracle Internet Directory Server ldap://server.mycompany.com:636/ Base Exception : javax.naming.CommunicationException: server.mycompany.com:636 [Root exception is java.lang.UnsatisfiedLinkError: no njssl10 in java.library.path]
        at oracle.ias.repository.directory.DirectoryReader.connectSsl(DirectoryReader.java:98)
        at oracle.ias.repository.directory.DirectoryReader.connect(DirectoryReader.java:106)
        at oracle.ias.repository.IASSchema.getDBPassword(IASSchema.java:440)
        at oracle.ias.repository.SchemaManager.getDBPassword(SchemaManager.java:310)
        at oracle.security.sso.IMWNAConfig.getSSOHost(IMWNAConfig.java:903)
        at oracle.security.sso.IMWNAConfig.parseArgs(IMWNAConfig.java:168)
        at oracle.security.sso.IMWNAConfig.init(IMWNAConfig.java:194)
        at oracle.security.sso.IMWNAConfig.work(IMWNAConfig.java:60)
        at oracle.security.sso.SSOConfigAssistant.wnaConfig(SSOConfigAssistant.java:243)
        at oracle.security.sso.SSOConfigAssistant.main(SSOConfigAssistant.java:218)

Solution

This exception occurs when the Windows version of the OracleAS Single Sign-On Configuring Assistant is run on UNIX and Linux platforms. Run the UNIX/Linux version of the OracleAS Single Sign-On Configuring Assistant by following the instructions in "Run the OracleAS Single Sign-On Configuration Assistant on each Oracle Application Server Single Sign-On Host".

Problem

With Windows Native Authentication, Internet Explorer is sending NT Lan Manager (NTLM) authentication instead of Kerberos credentials.

Solution

This issue is caused by an improperly configured Microsoft Active Directory installation. Refer to your Microsoft Active Directory documentation or contact Microsoft for information on how to resolve this issue.

Problem

Individual users cannot log in from specific computers using Windows Native Authentication.

Solution

If the users can log in using another computer, then there is a configuration problem with Windows or Internet Explorer on the original computer. Refer to the Microsoft Developer Network at http://msdn.microsoft.com or contact Microsoft for information on how to resolve this issue.

Novell eDirectory and OpenLDAP Synchronization Errors and Problems

This section provides solutions to synchronization errors and problems that can occur with Novell eDirectory and OpenLDAP.

Problem

After configuring import synchronization, entries are not synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory, even though the profile's synchronization status is successful and the trace file does not show any exceptions.

Possible causes and their solutions:

Cause: Incorrect value assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.

Solution: Copy the connection DN from the Novell eDirectory or OpenLDAP export profile to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.

Cause: The entries that the Oracle directory integration server is attempting to synchronize were created using the same DN that is assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.

Solution: Change the DN that is assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile to a DN that does not create the entries in Novell eDirectory or OpenLDAP.

Cause: There is a time difference between the computer that is running Oracle Internet Directory and the computer that is running Novell eDirectory or OpenLDAP.

Solution: Assign to the ReduceFilterTimeInSeconds parameter of the odip.profile.configfile property in the import profile a value in seconds that is equal to the time difference between the two computers.

Problem

Communications exception.

Solution

One of the directory servers is not running. Use the ldapbind utility to determine which server is not running, and then restart it.

Problem

Unsupported exception thrown during reconciliation.

Solution

One or more of the Oracle Internet Directory attributes that are specified in the Novell eDirectory or OpenLDAP reconciliation rules are not indexed. Index the corresponding attributes in Oracle Internet Directory.

Problem

Deleted entries are not synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory, even though the profile's reconciliation status is successful.

Possible causes and their solutions:

Cause The deleted entries are not specified in the Novell eDirectory or OpenLDAP reconciliation rules.

Solution Modify the Novell eDirectory or OpenLDAP reconciliation rules to include the deleted entries.

Cause There are more entries in Novell eDirectory or OpenLDAP for a particular reconciliation rule than there are in Oracle Internet Directory.

Solution Examine the $ORACLE_HOME/ldap/odi/log/profile_name.trc file for the following message:

No. of entries are less in destination directory compared to source directory.

The preceding message is usually generated when the entire Novell eDirectory or OpenLDAP DIT needs to be synchronized with Oracle Internet Directory. To resolve this problem, assign a value of true to the CheckAllEntries parameter of the odip.profile.configfile property.


Caution:

Assigning a value of true to the CheckAllEntries parameter of the odip.profile.configfile property will result in decreased performance.

Oracle Password Filter for Microsoft Active Directory Errors and Problems

This section provides solutions to errors and problems that can occur with the Oracle Password Filter for Microsoft Active Directory.

Problem

Unable to find log file path.

Cause

Invalid log file path.

Solution

Specify a valid log file path by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Cannot connect to Oracle Internet Directory in non-SSL mode.

Cause

Invalid Oracle Internet Directory configuration settings.

Solution

Correct the Oracle Internet Directory configuration settings by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Cannot connect to Oracle Internet Directory in SSL mode.

Cause

The Oracle Internet Directory certificate authority's trusted certificate has not been imported into the Microsoft Active Directory domain controller.

Solution

Import the trusted certificate into Microsoft Active Directory by following the instructions in "Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller".

Problem

Cannot connect to Microsoft Active Directory.

Cause

Invalid Microsoft Active Directory configuration settings.

Solution

Correct the Microsoft Active Directory configuration settings by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Cannot upload the prepAD.ldif file.

Cause

The specified Microsoft Active Directory base DN container cannot store organizationalUnit objects.

Solution

Specify a base DN for Microsoft Active Directory that can store organizationalUnit objects by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Password updates are looping between Oracle Internet Directory and Microsoft Active Directory.

Cause

The Oracle Password Filter is not configured to use the same bind DN and password that are specified in the synchronization profile that imports values from Microsoft Active Directory into Oracle Internet Directory. Password changes written under a different DN are not recognized as the integration platform's own writes and are synchronized back, which produces the loop.

Solution

Configure the Oracle Password Filter to use the same bind DN and password that are specified in the synchronization profile that imports values from Microsoft Active Directory into Oracle Internet Directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Some passwords are not synchronizing between Oracle Internet Directory and Microsoft Active Directory.

Cause

Oracle Internet Directory and Microsoft Active Directory specify conflicting password policies.

Solution

Set the Oracle Internet Directory password policies to the same policies that are set in Microsoft Active Directory, or remove the password policies from Oracle Internet Directory. Aligning the policies is preferable to removing them, because a removed Oracle Internet Directory policy no longer protects passwords that are set directly in Oracle Internet Directory.

Problem

Passwords are not synchronizing for some users.

Cause

You performed an advanced installation of the Oracle Password Filter and specified different values for the attributes that you want to synchronize between Oracle Internet Directory and Microsoft Active Directory.

Solution

Specify the same values for the attributes that you want to synchronize between Oracle Internet Directory and Microsoft Active Directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

User data synchronizes, but password synchronization is delayed.

Cause

Different time intervals are specified for user data synchronization and password synchronization.

Solution

Verify that the value assigned to the Oracle Password Filter's SleepTime parameter is the same as the default scheduling interval for the synchronization profile. You can use the Oracle Directory Integration Server Administration tool or the Directory Integration Assistant (dipassistant) to view and change the default scheduling interval for synchronization profiles. To change the value assigned to the SleepTime parameter, follow the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".


See Also:

Chapter 3, "Oracle Directory Integration Platform Administration Tools" for more information on the Oracle Directory Integration Server Administration tool or the Directory Integration Assistant (dipassistant)

Troubleshooting Provisioning

This section describes how to troubleshoot provisioning problems in the Oracle Internet Directory Provisioning Console. It contains these topics:

Viewing Diagnostic Settings

You can use the Oracle Delegated Administration Services diagnostic settings to debug provisioning problems in the Oracle Internet Directory Provisioning Console without having to examine the log files. For more information about viewing and configuring diagnostic settings, see the chapter on managing users and groups with the Oracle Internet Directory Self-Service Console in the Oracle Identity Management Guide to Delegated Administration.

Provisioning-Integration Applications Not Visible in the Provisioning Console

After you install a new provisioning-integrated application in Oracle Internet Directory, the application does not appear in the Provisioning Console until you reload the application cache. You must also reload the application cache whenever a provisioning-integrated application is enabled or disabled in Oracle Internet Directory. To reload the application cache, follow the procedures described in "Reloading the Application Cache".

Unable to Create Users

The Oracle Provisioning Service uses plug-ins to create new users. This section contains these topics, which describe how to troubleshoot the Oracle Provisioning Service plug-ins to resolve user creation problems:

Troubleshooting Data Entry Plug-ins

Provisioning-integrated applications can invoke the Pre-Data Entry and Post-Data Entry plug-ins to enhance provisioning intelligence and implement business policies. This section describes how to troubleshoot problems with both plug-ins.

Identifying Problems with the Pre-Data Entry Plug-In

When you follow the instructions described in "Creating Users with the Provisioning Console", the Provisioning Console invokes the Pre-Data Entry plug-in after you click Next in the General Provisioning window. The primary purpose of this plug-in is to determine whether a user should be provisioned in the applications selected in the General Provisioning window. If a user has provisioning permission for an application, then the Pre-Data Entry plug-in populates fields in the next window, the Application Provisioning window, according to the application's provisioning policies.

In the event of a problem with the Pre-Data Entry plug-in, an error containing an exception message and stack trace will display in the General Provisioning window. You can find the user attributes that were passed to the plug-in by locating the following line in the stack trace:

******preplugin base user prop set for <Application Name> …

You can locate the error in the log files by searching for the following:

oracle.idm.provisioning.plugin.PluginException

Identifying Problems with the Post-Data Entry Plug-In

When you follow the instructions described in "Creating Users with the Provisioning Console", the Provisioning Console invokes the Post-Data Entry plug-in after you click Next in the Application Attributes window. The Post-Data Entry plug-in validates data entered by users for common and application-specific attributes. The validation for the plug-in must be successful in order for provisioning to continue.

In the event of a problem with the Post-Data Entry plug-in, an error will display in the Application Attributes window. The exception stack trace will be located after the following line:

UserPlguInMgmt::postPlugInProcess(): apptype <Application Type> appname <Application Name> error when executing plugin logics

Troubleshooting Provisioning Plug-ins

Provisioning-integrated applications can be provisioned either through a PL/SQL plug-in or the Data Access Java plug-in. The PL/SQL plug-in is invoked by the Oracle directory integration platform while the Data Access Java plug-in is invoked directly by Oracle Delegated Administration Services.

When you follow the instructions described in "Creating Users with the Provisioning Console", user creation may be successful even though provisioning for a specific application may fail. You will know when provisioning has failed if you receive a warning status along with a provisioning error message after you click Submit in the Review window. For details about the failure, search the log files for "Data Access plug-in execution failure." The lines following this statement list details of why provisioning failed.

Using Provisioning Status to Identify Problems

You can use the provisioning status of a user entry to help identify provisioning problems.

To view a user entry's provisioning status:

  1. In the Provisioning Console, select the Directory tab, then select Users. The Search for Users window appears.

  2. In the Search for User field, enter the first few characters of the user's first name, last name, e-mail address, or user ID. For example, if you are searching for Anne Smith, you could enter Ann or Smi. To generate a list of all users in the directory, leave this field blank.

  3. Click Go to display the search results.

  4. Select the user whose entry you want to view, then click View to display the View User window.

    This window is described in the Oracle Identity Management Guide to Delegated Administration.

  5. In the View User window, examine the entries in the Provisioning Status table. The Provisioning Status column shows one of the following values for each application; when it contains PROVISIONING_FAILURE, the Provisioning Status Description column describes the reason for the failure:

    • PROVISIONING_REQUIRED

    • PENDING_UPGRADE

    • PROVISIONING_NOT_REQUIRED

    • PROVISIONING_FAILURE


    See Also:

    "Understanding User Provisioning Statuses" for more information on user provisioning statuses

Users Cannot Log In After Account Creation

To resolve typical problems that prevent users from logging in after account creation:

  1. Examine the user provisioning statuses to identify the applications in which the user was not successfully provisioned by following the instructions described in "Using Provisioning Status to Identify Problems".

  2. Identify the application provisioning approach for applications in which the user was not successfully provisioned:

    • For user accounts created with the Oracle Internet Directory Provisioning Console, examine the following Oracle Delegated Administration Services log file:

      $ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
      
      
    • For user accounts created with the PL/SQL plug-in or the Data Access Java plug-in, examine the following trace and audit files:

      $ORACLE_HOME/ldap/odi/log/applicationType_realmName_E.trc
      $ORACLE_HOME/ldap/odi/log/applicationType_realmName_E.aud
      

Monitoring Provisioning Execution Status with the Oracle Enterprise Manager 10g Application Server Control Console

You can use the Oracle Enterprise Manager 10g Application Server Control Console to monitor the provisioning execution status of provisioning integration profiles.

  1. On the main Application Server Control Console page, select the name of the Oracle Application Server instance you want to manage in the Standalone Instances section. The Oracle Application Server home page opens for the selected instance.

  2. In the System Components table, select OID in the Name column. The Oracle Internet Directory page opens. The status should be green if the required packages are installed properly; it does not indicate whether the Oracle directory integration server is running.

  3. To check the status of the servers, select Directory Integration to display the Directory Integration Platform Status page. This page displays the various running instances of Oracle directory integration servers—including those for both provisioning and synchronization. The main data displayed for provisioning integration profiles in this window are:

    • Name of the subscribed application

    • Name of the organization for which the subscription was made

    • Status of the profile (ENABLED or DISABLED)

    • Change key in Oracle Internet Directory up to which the events have been propagated to the application that is represented by the profile

    • Last execution time

    • Last successful execution time of the profile.

    • Errors, if any


    Note:

    The Directory Integration Platform Status page does not display the various event subscriptions for this profile.

You can also get detailed output about provisioning integration status by running the oidprovtool utility with the operation argument status. The oidprovtool utility is located in the $ORACLE_HOME/bin directory.


See Also:

The chapter about Oracle Directory Integration Platform tools in the Oracle Identity Management User Reference for information on how to use the oidprovtool utility

Checklist for Troubleshooting Provisioning

When troubleshooting provisioning, use the following as a checklist:

  • On UNIX/Linux, use the following command to verify that the Oracle directory integration server process (odisrv) is running:

    ps -ef | grep odisrv
    
    

    For Windows operating systems, obtain the value of process ID (PID) for the odisrv process from the $ORACLE_HOME/ldap/log/oidmon.log file. Then, start Task Manager and click the Processes tab to verify that the process is running.

  • Check whether another Oracle directory integration server instance is already running.

    If OracleAS Portal, Oracle Collaboration Suite, or another component needs provisioning, then there is probably an Oracle directory integration server provisioning process running as instance 1 on configuration set 0. In this case, start your Oracle directory integration server as instance 2 with either the default configset=1 argument or your custom configuration set number.

    Check $ORACLE_HOME/ldap/log/odisrv0x.log. When the provisioning integration service is running, it logs to the odisrv01.log file, and the directory synchronization service then logs to the odisrv02.log file.

  • Verify that the profile is enabled by using the Oracle Directory Integration Server Administration tool or the DIP Tester utility.

  • Verify that trace files are being generated. The trace file can be found at $ORACLE_HOME/ldap/odi/log/profile_name.trc.

    If no trace file is generated, then check the odisrv0x.log for possible problems in the startup of the Oracle directory integration server, as described earlier in this list.

  • Verify that correct syntax is used to start the Oracle directory integration server. For example:

    oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060" start
    
    
  • For debugging, verify that the value of the debug flag is set to 63 when starting the Oracle directory integration server, as follows:

    oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060 debug=63" start
     
    
  • Edit the profile and set the debug level to 63 by using the Oracle Directory Integration Server Administration tool or the DIP Tester utility.

  • Validate all required parameters in the profile.


  • Verify that you are using the Oracle Internet Directory 10g (10.1.4.0.1) release of the Oracle Directory Integration Server Administration tool or Oracle Directory Manager to update the profile. Previous releases of these utilities display different information on the Profile tab pages and should not be used.

  • If you are using the PL/SQL plug-in, use sqlplus to verify that you can connect to the provisioning-integrated application.


See Also:

OracleMetaLink Note: 265397.1—Password Policy Expires available on OracleMetaLink at http://metalink.oracle.com/

Troubleshooting Synchronization

This section describes how to troubleshoot synchronization with Oracle Directory Integration Platform. It contains these topics:

Oracle Directory Integration Platform Synchronization Process Flow

When debugging synchronization issues between Oracle Internet Directory and a connected directory, it helps to understand the synchronization process flow of the Oracle directory integration server.

Oracle Directory Integration Platform Synchronization Process Flow for an Import Profile

The Oracle directory integration server reads all import profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration server performs the following tasks during the synchronization process:

  1. Connects to a third-party directory.

  2. Gets the value of the last change key from the connected directory.

  3. Connects to Oracle Internet Directory.

  4. Gets the value of the profile's last applied change key from Oracle Internet Directory.

  5. For Sun Java System Directory connections, the Oracle directory integration server searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Microsoft Active Directory connections, the Oracle directory integration server searches for this information in the remote directory's USNChanged values. For the Novell eDirectory and OpenLDAP connectors, changes are identified based on the modifytimestamp attribute of each entry. For other types of connectors, such as the Oracle Human Resources connector, the Oracle directory integration server performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.

  6. Maps the data values from the connected directory to Oracle Internet Directory values.

  7. Creates an Oracle Internet Directory change record.

  8. Applies the change (add, change, delete) in Oracle Internet Directory.

  9. Updates the Oracle Internet Directory import profile with the last execution times and the last applied change key from the connected directory.

  10. Enters sleep mode for the number of seconds specified for the synchronization interval.

Oracle Directory Integration Platform Synchronization Process Flow for an Export Profile

The Oracle directory integration server reads all export profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration server performs the following tasks during the synchronization process:

  1. Connects to a third-party directory.

  2. Connects to Oracle Internet Directory.

  3. Gets the value for the last change key from Oracle Internet Directory.

  4. Gets the value of the profile's last applied change key from Oracle Internet Directory.

  5. Searches the Oracle Internet Directory change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key.

  6. Maps the data values from Oracle Internet Directory to the connected directory values.

  7. Creates a change record.

  8. Applies the change (add, change, delete) on the connected directory.

  9. Updates the Oracle Internet Directory export profile with the last execution times and the last applied change key from Oracle Internet Directory.

  10. Enters sleep mode for the number of seconds specified for the synchronization interval.

Checklist for Troubleshooting Synchronization

When troubleshooting synchronization, use the following as a checklist.

  • On UNIX/Linux, use the following command to verify that the Oracle directory integration platform process (odisrv) is running:

    ps -ef | grep odisrv
    
    

    For Windows operating systems, obtain the value of process ID (PID) for the odisrv process from $ORACLE_HOME/ldap/log/oidmon.log. Then, launch Task Manager, and click the Processes tab to verify that the process is running.

  • Check whether another Oracle directory integration server instance is already running.

    If OracleAS Portal, Oracle Collaboration Suite, or another component needs provisioning, then there is probably an Oracle directory integration server provisioning process running as instance 1 on configuration set 0. In this case, start your directory integration server as instance 2 with either the default configset=1 argument or your custom configuration set number.

    Check $ORACLE_HOME/ldap/log/odisrv0x.log. When the provisioning integration service is running, it logs to the odisrv01.log file, and the directory synchronization service then logs to odisrv02.log.

  • Verify that the profile is enabled by using the Oracle Directory Integration Server Administration tool or the DIP Tester utility.

  • Verify that trace files are being generated. The trace file can be found at $ORACLE_HOME/ldap/odi/log/profile_name.trc

    If no trace file is generated, then check the odisrv0x.log for possible problems in startup of the directory integration server, as described earlier in this list.

  • Verify that audit logs are being generated and periodically review them for failures. The audit logs can be found at: $ORACLE_HOME/ldap/odi/log/profile_name.aud.

  • Verify that correct syntax is used to start the Oracle directory integration server. For example:

    oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060" start
    
    
  • For debugging, verify that the value of the debug flag is set to 63 when starting the directory integration server, as follows:

    oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060 debug=63" start
     
    
  • Edit the profile and set the debug level to 63 by using the Oracle Directory Integration Server Administration tool or the DIP Tester utility. Trace files written at this level record the attribute values of every synchronized entry, as the sample trace files in this appendix show, so restrict access to $ORACLE_HOME/ldap/odi/log and return the debug level to its normal value when troubleshooting is complete.

  • Validate all required parameters in the profile.


  • Verify that you are using the Oracle Internet Directory 10g (10.1.4.0.1) release of the Oracle Directory Integration Server Administration tool or Oracle Directory Manager to update the profile. Previous releases of these utilities display different information on the Profile tab pages and should not be used.

  • Verify that the third-party LDAP directory server is running by executing the following command:

    ldapbind -h ldap_host -p ldap_port -D account -w password
    
    
  • If the Oracle directory integration server does not start, or if it starts and then fails, then check the following:

    • The instance number and configset being used

    • Whether the flags="host=xxx port=xxxx" parameter is used with oidctl

    • The odisrv0x.log to see:

      • The connector successfully started

      • The password expired

    To re-register the connector, enter the following command:

    odisrvreg -p port -D cn=orcladmin -w passwd -h host

    The value given with -w is the password of the Oracle Internet Directory superuser. Because it is passed on the command line, it is visible to other users in the process list while the command runs and may be saved in the shell history, so run the command from a session that does not record history or clear the history afterwards.


See Also:

OracleMetaLink Note: 265397.1—Password Policy Expires available on OracleMetaLink at http://metalink.oracle.com/

Sample Valid Trace Files in Debugging Level 63 Mode

The following are the beginning and end portions of a valid sample trace file for a Microsoft Active Directory connector synchronized addition operation:

-------------------------------------------------------------------------------
Trace Log Started at Tue Jun 08 11:22:25 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (activedir.oracle.com:389 administrator@oracle.com
LDAP Connection success
Applied ChangeNum : 28017Available chg num = 28019
Reader Initialised !!
LDAP URL : (sun1:3060 cn=odisrv+orclhostname=sun1,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF : 
CHGLOGFILTER : (&(USNChanged>=28018)(USNChanged<=28022))
Search Time 8
Search Successful till # 28022
Search Changes Done
Changenumber USNChanged: 28022
targetdn distinguishedName: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com
ChangeRecord : ----------
Changetype: 4
ChangeKey: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com
Attributes: 
Class: null Name: ou Type: null ChgType: 1 Value: [ ]
Class: null Name: objectGUID Type: null ChgType: 2 Value: [[B@d0a5d9]
 
...
 
Class: null Name: mail Type: null ChgType: 1 Value: [ ]
Class: null Name: displayname Type: null ChgType: 2 Value: [Test User56]
Class: null Name: cn Type: null ChgType: 2 Value: [Test User56]
Class: null Name: sn Type: null ChgType: 2 Value: [Test User56]
Class: null Name: krbprincipalname Type: null ChgType: 1 Value: [@ ]
Class: null Name: uid Type: null ChgType: 1 Value: [ ]
Class: null Name: orcluserprincipalname Type: null ChgType: 1 Value: [ ]
Class: null Name: orclsamaccountname Type: null ChgType: 2 Value: [$Test User56]
-----------
DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Normalized DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Processing modifyRadd Operation ..
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Entry Added Successfully : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Updated Attributes 
orclodipLastExecutionTime: 20040608112226
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040608112226

The following are the beginning and end portions of a valid sample trace file for a Microsoft Active Directory connector synchronized deletion operation:

-------------------------------------------------------------------------------
 Trace Log Started at Wed Aug 18 09:10:05 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (sun1.mycompany.com:389 administrator@mycompany.com
LDAP Connection success
Applied ChangeNum : 31940Available chg num = 31940
Reader Initialised !!
LDAP URL : (sun2.mycompany.com:3060 cn=odisrv+orclhostname=sun2,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF :
CHGLOGFILTER : (&(USNChanged>=31941)(USNChanged<=31941))
Search Time 10
Search Successful till # 31941
Search Changes Done
Changenumber USNChanged: 31941
Deleted isDeleted: TRUE
Deleted isDeleted: TRUE
ChangeRecord : ----------
Changetype: 1
ChangeKey: *
Attributes:
Class: null Name: objectGUID Type: null ChgType: 3 Value: [[B@ece65]
 
...
 
Output ChangeRecord ChangeRecord : ----------
Changetype: 1
ChangeKey: *
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [organizationalunit,
orclcontainer, orcladuser, orcluserv2, orcladgroup]
Class: null Name: krbprincipalname Type: null ChgType: 3 Value: [@ ]
Class: null Name: orclsamaccountname Type: null ChgType: 3 Value: [$ ]
Class: null Name: orclobjectguid Type: null ChgType: 3 Value: [2xR7Nas8UUKtzmPk0jpSFg==]
-----------
DN : *
Normalized DN : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com
Processing Delete Operation ..
Deleted entry Successfully : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com
Updated Attributes
orclodipLastExecutionTime: 20040818091005
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040818091005
 

The following are the beginning and end portions of a valid sample trace file for a Microsoft Active Directory connector synchronized modify operation:

-------------------------------------------------------------------------------
 Trace Log Started at Wed Sep 29 09:40:18 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (server.mycompany.com:389 administrator@mycompany.com
LDAP Connection success
Applied ChangeNum : 35322Available chg num = 35322
Reader Initialised !!
LDAP URL : (sun2.mycompany.com:3060 cn=odisrv+orclhostname=sun2,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF :
CHGLOGFILTER : (&(USNCreated>=35323)(USNCreated<=35323))
Search Time 7
Search Successful till # 35323
Search Changes Done
searchF :
CHGLOGFILTER : (&(USNChanged>=35323)(USNChanged<=35323)(USNCreated<=35322))
Search Time 15
Search Successful till # 35323
Changenumber USNChanged: 35323
targetdn distinguishedName: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com
ChangeRecord : ----------
Changetype: 4
ChangeKey: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com
Attributes:
Class: null Name: distinguishedname Type: null ChgType: 1 Value: [ ]
Class: null Name: samaccountname,userprincipalname Type: null ChgType: 1 Value: [ ]
Class: null Name: userprincipalname Type: null ChgType: 1 Value: [ ]
 
...
 
 Output ChangeRecord ChangeRecord : ----------
Changetype: 4
ChangeKey: cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [orcluserv2, orcladuser, inetorgperson, person]
Class: null Name: orclObjectSID Type: null ChgType: 2 Value: [AQUAAAAAAAUVAAAAiqcyP8CFOF0VJa9HCAYAAA==]
Class: null Name: orclObjectGUID Type: null ChgType: 2 Value: [6uEo05+F/0CHj4PTpPCchQ==]
Class: null Name: mail Type: null ChgType: 2 Value: [Tuser111@oracle.com]
Class: null Name: displayName Type: null ChgType: 2 Value: [Test User111]
Class: null Name: cn Type: null ChgType: 2 Value: [TUser111]
Class: null Name: sn Type: null ChgType: 2 Value: [TUser111]
Class: null Name: krbPrincipalName Type: null ChgType: 1 Value: [@ ]
Class: null Name: uid Type: null ChgType: 2 Value: [TUser111]
Class: null Name: orclUserPrincipalName Type: null ChgType: 1 Value: [ ]
Class: null Name: orclSAMAccountName Type: null ChgType: 2 Value: [$TUser111]
Class: null Name: orclDefaultProfileGroup Type: null ChgType: 1 Value: [ ]
-----------
DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Normalized DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Processing modifyRadd Operation ..
Entry found. Converting To a Modify Operation..
Proceeding with checkNReplace..
Performing checkNReplace..
Naming attribute: cn
Naming attribute value: orclDefaultProfileGroup
Naming attribute value: orclSAMAccountName
Naming attribute value: orclUserPrincipalName
Naming attribute value: uid
Naming attribute value: krbPrincipalName
Naming attribute value: sn
Naming attribute value: cn
Naming attribute value: displayName
Naming attribute value: mail
Adding Attribute in OID : mail
Naming attribute value: orclObjectGUID
Naming attribute value: orclObjectSID
Total # of Mod Items : 1
Modified Entry Successfully : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Replacing Attribute orclodipLastSuccessfulExecutionTime in the Profile with value : 20040929094018
Removed Existing attribute
RePopulated Attribute..
Updated Attributes
orclodipLastExecutionTime: 20040929094018
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040929094018
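When a trace such as the one above runs to several thousand lines, the quickest way to spot a mapping problem is to pull the output ChangeRecord apart and list the attributes whose mapped value is empty (the "Value: [ ]" and "Value: [@ ]" lines above). The following Python script is an added example, not Oracle code; it parses a constructed excerpt in the same shape as the trace above, and its assumption that an empty bracket list or a value made only of punctuation means the mapping rule produced nothing is the author's, not something the trace format documents.

```python
"""Parse the ChangeRecord blocks of an Oracle DIP trace and flag attributes
whose mapped value is empty.  Added example; not Oracle code."""
import re
from typing import Dict, List

# Constructed excerpt in the shape of the trace above (not a real capture).
SAMPLE_TRACE = """\
Output ChangeRecord ChangeRecord : ----------
Changetype: 4
ChangeKey: cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [orcluserv2, orcladuser, inetorgperson, person]
Class: null Name: mail Type: null ChgType: 2 Value: [Tuser111@oracle.com]
Class: null Name: cn Type: null ChgType: 2 Value: [TUser111]
Class: null Name: krbPrincipalName Type: null ChgType: 1 Value: [@ ]
Class: null Name: uid Type: null ChgType: 2 Value: [TUser111]
Class: null Name: orclUserPrincipalName Type: null ChgType: 1 Value: [ ]
Class: null Name: orclSAMAccountName Type: null ChgType: 2 Value: [$TUser111]
Class: null Name: orclDefaultProfileGroup Type: null ChgType: 1 Value: [ ]
-----------
"""

# One attribute line of a ChangeRecord, as printed by the trace.
ATTR_RE = re.compile(
    r"^Class:\s*(?P<cls>\S+)\s+Name:\s*(?P<name>\S+)\s+Type:\s*(?P<type>\S+)"
    r"\s+ChgType:\s*(?P<chg>\d+)\s+Value:\s*\[(?P<value>.*)\]\s*$")


def parse_change_records(trace: str) -> List[Dict]:
    """Return one dict per ChangeRecord block: changetype, changekey, attributes."""
    records: List[Dict] = []
    current = None
    for line in trace.splitlines():
        line = line.strip()
        if line.endswith("ChangeRecord : ----------"):
            current = {"changetype": None, "changekey": None, "attributes": []}
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Changetype:"):
            current["changetype"] = int(line.split(":", 1)[1])
        elif line.startswith("ChangeKey:"):
            current["changekey"] = line.split(":", 1)[1].strip()
        else:
            m = ATTR_RE.match(line)
            if m:
                raw = m.group("value")
                values = [v.strip() for v in raw.split(",")] if raw.strip() else []
                current["attributes"].append({
                    "name": m.group("name"),
                    "chgtype": int(m.group("chg")),
                    "values": values,
                })
    return records


def empty_mapped_attributes(record: Dict) -> List[str]:
    """Names of attributes whose mapped value carries no real content.
    Assumption (not stated in the trace format): '[ ]', or a value made only
    of punctuation such as '@', means the mapping rule produced nothing."""
    flagged = []
    for attr in record["attributes"]:
        if not attr["values"] or all(
                not re.search(r"[A-Za-z0-9]", v) for v in attr["values"]):
            flagged.append(attr["name"])
    return flagged


if __name__ == "__main__":
    for rec in parse_change_records(SAMPLE_TRACE):
        print(rec["changekey"], "empty mapped attributes:",
              empty_mapped_attributes(rec))
```

Run against a real trace file by replacing SAMPLE_TRACE with the file contents; every record whose list is non-empty points at a mapping rule in the profile whose source attributes were absent from the Active Directory entry.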

Troubleshooting Integration with Microsoft Active Directory

This section describes how to troubleshoot integration with Microsoft Active Directory. It contains these topics:

Debugging Windows Native Authentication

Once you have configured Windows Native Authentication (see "Configuring Windows Native Authentication"), you can enable logging for this feature at run time. Open the opmn.xml file, located in $ORACLE_HOME/opmn/conf, and add the following parameter:

-Djazn.debug.log.enable={true | false}

Assigning a value of true to the parameter enables debugging while assigning a value of false disables it.

In the following example, the -Djazn.debug.log.enable=true setting in the java-options value shows where to place the parameter in the opmn.xml file:

<process-type id="OC4J_SECURITY" module-id="OC4J">
  <environment>
    <variable id="DISPLAY" value="sun1.us.oracle.com:0.0"/>
    <variable id="LD_LIBRARY_PATH" value="/private/ora1012/OraHome1/lib"/>
  </environment>
  <module-data>
    <category id="start-parameters">
      <data id="java-options" value="-server -Djazn.debug.log.enable=true
      -Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/config/java2.policy
      -Djava.awt.headless=true -Xmx512m -Djava.awt.headless=true"/>
      <data id="oc4j-options" value="-properties"/>
    </category>
    <category id="stop-parameters">
      <data id="java-options" value="-Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/config/java2.policy
      -Djava.awt.headless=true"/>
    </category>
  </module-data>
</process-type>

The log is written to the file OC4J~OC4J_SECURITY~default_island~1, found at $ORACLE_HOME/opmn/logs.
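Editing the java-options value by hand is error prone: the value is a single attribute, and a second copy of a flag pasted in by mistake is easy to overlook. The following Python script is an added example, not Oracle code. It locates the start-parameters java-options of the OC4J_SECURITY process type, removes any existing -Djazn.debug.log.enable setting and appends exactly one, so it can be run repeatedly to turn the setting on or off. It operates on a constructed opmn.xml fragment with placeholder paths and no XML namespace; a real opmn.xml that declares a default namespace would need the tag names qualified with it.

```python
"""Enable or disable -Djazn.debug.log.enable in the OC4J_SECURITY start
parameters of an opmn.xml document.  Added example; not Oracle code."""
import re
import xml.etree.ElementTree as ET

# Constructed opmn.xml fragment (shape follows the excerpt above; paths are
# placeholders and no namespace is declared).
SAMPLE_OPMN = """\
<ias-instance>
  <process-type id="OC4J_SECURITY" module-id="OC4J">
    <module-data>
      <category id="start-parameters">
        <data id="java-options" value="-server -Djava.security.policy=/ORACLE_HOME/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true -Xmx512m"/>
        <data id="oc4j-options" value="-properties"/>
      </category>
    </module-data>
  </process-type>
</ias-instance>
"""

FLAG = "-Djazn.debug.log.enable"


def _java_options(root: ET.Element) -> ET.Element:
    """Locate the start-parameters java-options <data> of OC4J_SECURITY."""
    for pt in root.iter("process-type"):
        if pt.get("id") != "OC4J_SECURITY":
            continue
        for cat in pt.iter("category"):
            if cat.get("id") != "start-parameters":
                continue
            for data in cat.findall("data"):
                if data.get("id") == "java-options":
                    return data
    raise ValueError("OC4J_SECURITY start-parameters java-options not found")


def set_jazn_debug(opmn_xml: str, enabled: bool) -> str:
    """Return opmn_xml with exactly one -Djazn.debug.log.enable=<bool> in
    java-options.  Any existing copy is dropped first, so repeated runs
    never duplicate the flag."""
    root = ET.fromstring(opmn_xml)
    data = _java_options(root)
    opts = [o for o in data.get("value", "").split()
            if not o.startswith(FLAG + "=")]
    opts.append(f"{FLAG}={'true' if enabled else 'false'}")
    data.set("value", " ".join(opts))
    return ET.tostring(root, encoding="unicode")


def jazn_debug_state(opmn_xml: str):
    """True or False when the flag is present, None when it is absent."""
    data = _java_options(ET.fromstring(opmn_xml))
    m = re.search(re.escape(FLAG) + r"=(true|false)", data.get("value", ""))
    return None if m is None else m.group(1) == "true"


if __name__ == "__main__":
    enabled_xml = set_jazn_debug(SAMPLE_OPMN, True)
    print(enabled_xml)
    print("debug enabled:", jazn_debug_state(enabled_xml))
```

Turn debugging off again with set_jazn_debug(..., False) once the problem is diagnosed; the debug log records authentication details for every request to OC4J_SECURITY and should not stay enabled in production.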


See Also:

OracleMetaLink Note: 283268.1—Troubleshooting Oracle Application Server Single Sign-On Windows Native Authentication available on OracleMetaLink at http://metalink.oracle.com/


Note:

When accessing a protected application with Windows Native Authentication, Web browsers automatically return a "401 - Unauthorized" error that is logged by Oracle Enterprise Manager. This is normal behavior and can be safely ignored.

Synchronizing Changes Following a Period when Oracle Internet Directory is Unavailable

When Oracle Internet Directory is unavailable, changes are stored in Microsoft Active Directory. The Oracle Password Filter for Microsoft Active Directory attempts to synchronize these entries after connectivity with Oracle Internet Directory is restored. The SearchDeltaSize parameter determines how many incremental changes are processed during each iteration of a synchronization cycle. By default, the SearchDeltaSize parameter is assigned a value of 500. Depending on how long Oracle Internet Directory is unavailable, the default SearchDeltaSize value of 500 may be too low to catch up on all of the unsynchronized changes. To resolve this problem, you must create a catchup profile by copying the existing Microsoft Active Directory import synchronization profile and modifying the value assigned to the SearchDeltaSize parameter.

To create a catchup synchronization profile:

  1. Stop the Oracle directory integration platform by following the instructions described in "Starting, Stopping, and Restarting the Oracle Directory Integration Platform".

  2. Use the following command to disable the Microsoft Active Directory import synchronization profile:

    $ORACLE_HOME/bin/dipassistant modifyprofile -host host -port port 
    -file import.profile -dn bind_DN -passwd password_of_bind_DN 
    -profile profile_name odip.profile.status=DISABLE
    
    
  3. Use the following command to create the catchup synchronization profile by copying the Microsoft Active Directory import synchronization profile:

    $ORACLE_HOME/bin/dipassistant createprofilelike -h host -p port -U ssl_mode -D bindDN -w password -profile orig_profile_name -newprofile catchup_profile_name
    
    
  4. Use the following command to enable the original Microsoft Active Directory import synchronization profile:

    $ORACLE_HOME/bin/dipassistant modifyprofile -h host -p port 
    -file import.profile -dn bind_DN -passwd password_of_bind_DN 
    -profile profile_name odip.profile.status=ENABLE
    
    
  5. Start the Oracle directory integration platform by following the instructions described in "Starting, Stopping, and Restarting the Oracle Directory Integration Platform".

  6. Obtain the current value of the highestCommittedUSN attribute by searching the new domain controller's root DSE. This value is the highest USNChanged value currently committed on that domain controller:

    ldapsearch -h host -p port -b "" -s base -D userDN -w password "objectclass=*" highestCommittedUSN
    
    
  7. Experiment with the following ldapsearch command until you retrieve more than 100 entries but less than 200. Retrieving more than 200 entries may result in an internal buffer overrun.

    ldapsearch -v -h adhost -p adport -D administrator@domain -w password 
    -b cn=users,dc=acme,dc=com -s sub "(&(objectclass=*)(usnChanged>=delta)(&(usnChanged<=highestCommittedUSN)))" dn
    
    

    For example, the following command performs a search using a default search delta size of 500:

    ldapsearch -v -h adhost -p adport -D administrator@domain -w password 
    -b cn=users,dc=acme,dc=com -s sub "(&(objectclass=*)(usnChanged>=55010)(&(usnChanged<=55510)))" dn
    
    
  8. Create a text file named profile_config.txt that contains the following:

    [INTERFACEDETAILS]
    Package: gsi
    Reader: ActiveChgReader
    SkipErrorToSyncNextChange: true
    SearchDeltaSize: 100000
    

    Note:

    You can also set the SkipErrorToSyncNextChange parameter to determine how the Oracle directory integration platform handles an error when processing a change during synchronization. See "SkipErrorToSyncNextChange Parameter" for more information.

  9. Use the following command to load the profile_config.txt file into the catchup synchronization profile:

    dipassistant modifyprofile -h oidhost -port oidport -dn cn=orcladmin 
    -passwd password -profile catchup_profile_name odip.profile.configfile=path/profile_config.txt
    
    
  10. Use the following command to enable the catchup synchronization profile:

    $ORACLE_HOME/bin/dipassistant modifyprofile -host host -port port 
    -file import.profile -dn bind_DN -passwd password_of_bind_DN 
    -profile catchup_profile_name odip.profile.status=ENABLE
    

    Note:

    Be sure to continue running the original Microsoft Active Directory import synchronization profile along with the catchup synchronization profile.

  11. Allow the catchup synchronization profile to run for at least 12 hours, and then monitor the $ORACLE_HOME/ldap/odi/log/catchup_profile_name.aud file. After all of the backlogged changes are synchronized, use the following command to disable the catchup synchronization profile.

    $ORACLE_HOME/bin/dipassistant modifyprofile -host host -port port 
    -file import.profile -dn bind_DN -passwd password_of_bind_DN 
    -profile catchup_profile_name odip.profile.status=DISABLE
    
    

Need More Help?

You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.


See Also:

Oracle Application Server Release Notes, available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html