Oracle® Authentication Services for Operating Systems Administrator's Guide 10g (10.1.4.0.1-OAS4OS) E12023-01
This appendix lists problems you might encounter when configuring or managing Oracle Authentication Services for Operating Systems. It contains the following topics:
This section lists errors you might encounter when migrating entries to Oracle Authentication Services for Operating Systems.
Problem
The sudo conversion tool reports parse errors while converting your /etc/sudoers file to LDIF format.
Solution
The conversion script in the sudo package might not cover all intricacies of your sudoers file format. For example, if command aliases are preceded by an exclamation mark (!), remove the exclamation mark. See the sudo package documentation for known limitations.
This section lists errors you might encounter when using management tools with Oracle Authentication Services for Operating Systems.
Problem
You encounter errors when using the system-config-users tool.
Solution
Ensure that user entries have all the attributes described in "Migrating from NIS to Oracle Internet Directory".
Solution
For errors when creating a new group on Red Hat Enterprise Linux, version 4, edit the file /usr/share/system-config-users/userGroupCheck.py.
Change:
def isGroupnameOk(str, widget):
to:
def isGroupnameOk(name,widget):
Problem
You see Python errors when invoking libuser tools such as system-config-users and luseradd.
Solution
To use libuser tools, you must configure your client and server for SSL. See "Switching Between SSL Authentication and Non-SSL Configurations".
Problem
Using Linux tools such as useradd, userdel, groupadd, or groupdel causes inconsistencies or unexpected behavior.
Solution
These tools are not supported. After you install Oracle Authentication Services for Operating Systems and migrate your data to Oracle Internet Directory, you must use specific tools to manage users, passwords, and other data. Specifically, you must use:
Oracle Directory Manager
The LDAP tools and bulk tools in $ORACLE_HOME/bin
The passwd command
You can also use the libuser tools on Linux distributions that support it, with some limitations. See "Password Policy Not Consistently Enforced".
Problem
When you attempt to perform a search, the server returns this error:
Function not implemented. DSA unwilling to perform.
Solution
You have attempted to perform a search with a non-indexed attribute specified as a required attribute.
You can search for an attribute in Oracle Internet Directory only if the attribute is indexed. By default, standard attributes of the user and group entries are indexed. If you use a custom attribute, you can index it by using the catalog command. For example:
catalog connect="connect_str" add="TRUE" attribute="automountKey"
This section describes some testing techniques and explains some messages you might find in log files when running Oracle Authentication Services for Operating Systems.
Problem
Administrators need to monitor Oracle Internet Directory.
Solution
You can set a debug level that causes Oracle Internet Directory to generate log messages for all operations.
Set the function trace debug level on Oracle Internet Directory by using the following command line:
ldapmodify -p port -h host -D cn=orcladmin -w password -v -f debug.ldif
where debug.ldif looks like this:
dn:
changetype: modify
replace: orcldebugflag
orcldebugflag: 117440511
-
replace: orcldebugforceflush
orcldebugforceflush: 1
Problem
StartTLS, which enables you to negotiate an SSL connection on a previously clear connection, is transparent to the user. Administrators need a way to verify that StartTLS is working.
Note: StartTLS is not used on HP-UX and Solaris Oracle Internet Directory servers. On these platforms, SSL is configured on a different port from non-SSL connections.
Solution
To verify that StartTLS is working, set a debug level that causes Oracle Internet Directory to generate a log message when an SSL negotiation begins. Because the clients are all pointing to the non-SSL port, generation of this message implies that StartTLS is working.
Perform the following steps:
Set the function trace debug level on Oracle Internet Directory by using the following command line:
ldapmodify -p port -h host -D cn=orcladmin -w password -f debug.ldif -v
where debug.ldif looks like this:
dn:
changetype: modify
replace: orcldebugflag
orcldebugflag: 25165824
-
replace: orcldebugforceflush
orcldebugforceflush: 1
Perform an authentication operation that invokes the Oracle Internet Directory server. For example, use ssh to connect to a client that is configured to authenticate against Oracle Internet Directory.
Examine the log files in $ORACLE_HOME/ldap/log. Look for messages containing the string gslsflnNegotiateSSL.
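The following script is an added example and is not part of the Oracle guide. It generates the debug.ldif described above for either of the two orcldebugflag values this page gives, and then scans a log directory for the gslsflnNegotiateSSL marker so that the StartTLS check can be repeated after each client change. The sample log lines embedded in it are constructed for the example; their format is illustrative and is not the real Oracle Internet Directory log layout.

```python
"""Added example (not from the Oracle guide): build debug.ldif and look for
StartTLS negotiations in the Oracle Internet Directory logs."""
import os
from pathlib import Path

# Debug flag values exactly as given on this page.
DEBUG_FLAG_SSL_NEGOTIATION = 25165824   # logs the start of an SSL negotiation
DEBUG_FLAG_FULL_TRACE = 117440511       # function trace for all operations

# Marker string the guide tells you to look for in $ORACLE_HOME/ldap/log.
SSL_NEGOTIATION_MARKER = "gslsflnNegotiateSSL"


def build_debug_ldif(debug_flag: int, force_flush: bool = True) -> str:
    """Return the LDIF modify operation shown in the guide: the root DSE
    (empty dn) gets orcldebugflag replaced, and optionally
    orcldebugforceflush set to 1 so messages reach the log immediately."""
    lines = [
        "dn:",
        "changetype: modify",
        "replace: orcldebugflag",
        f"orcldebugflag: {debug_flag}",
    ]
    if force_flush:
        lines += [
            "-",
            "replace: orcldebugforceflush",
            "orcldebugforceflush: 1",
        ]
    return "\n".join(lines) + "\n"


def find_ssl_negotiations(lines, marker: str = SSL_NEGOTIATION_MARKER):
    """Return (line_number, text) for every log line containing the marker.
    Works on any iterable of lines (an open file or a list of strings)."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, start=1)
            if marker in line]


def scan_log_dir(log_dir: Path, marker: str = SSL_NEGOTIATION_MARKER):
    """Scan every *.log file under log_dir and return {file name: hits}.
    Files with no hits are omitted so the result is empty when StartTLS
    never fired."""
    hits = {}
    for path in sorted(log_dir.glob("*.log")):
        with path.open(errors="replace") as f:
            found = find_ssl_negotiations(f, marker)
        if found:
            hits[path.name] = found
    return hits


# Constructed sample log lines (illustrative format, not a real OID log).
SAMPLE_LOG = """\
2008/05/12:10:15:01 * conn=42 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com"
2008/05/12:10:15:01 * conn=42 gslsflnNegotiateSSL: ENTRY
2008/05/12:10:15:02 * conn=42 gslsflnNegotiateSSL: EXIT rc=0
2008/05/12:10:15:02 * conn=42 op=1 SEARCH base="ou=People,dc=example,dc=com"
"""

if __name__ == "__main__":
    # Print the LDIF you would feed to ldapmodify -f debug.ldif.
    print(build_debug_ldif(DEBUG_FLAG_SSL_NEGOTIATION), end="")
    oracle_home = os.environ.get("ORACLE_HOME")
    if oracle_home:
        for name, found in scan_log_dir(Path(oracle_home) / "ldap" / "log").items():
            for lineno, text in found:
                print(f"{name}:{lineno}: {text}")
    else:
        # No ORACLE_HOME set: demonstrate the scan on the constructed sample.
        for lineno, text in find_ssl_negotiations(SAMPLE_LOG.splitlines()):
            print(f"sample:{lineno}: {text}")
```

Run the script after the ssh login described in step 2; if the scan returns no hits even though the full-trace flag is set, the client negotiated nothing over the clear port and the SSL client configuration should be rechecked. Remember to set orcldebugflag back to its previous value afterwards, since the full trace level is costly on a busy server.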
Problem
Log files contain messages about password syntax, and Oracle Internet Directory is not being used for password policy enforcement.
Solution
If you are not using Oracle Internet Directory for password policy enforcement, you must disable password policies in Oracle Internet Directory by setting orclpwdpolicyenable to 0. To avoid messages about password syntax, you must also disable the password syntax check by setting pwdCheckSyntax to 0.
This section lists errors users might encounter when attempting to log in when Oracle Authentication Services for Operating Systems is used for authentication.
Problem
Users cannot log in after you run the client configuration script.
Solution
On some operating systems, if nscd or sshd is running while you execute the config_OIDclient.sh or sslConfig_OIDclient.sh script, user authentication might not work after the configuration. Restart sshd or nscd to correct the problem.
Problem
Adding or migrating a user to Oracle Internet Directory does not create that user's home directory.
Solution
On Linux systems, you do not have to create a user's home directory on the client computer when you add that user to Oracle Internet Directory. The client configuration script that you ran on each client computer enabled the creation of each user's home directory on first login. On operating systems other than Linux, however, you must manually create user home directories.
Problem
When attempting to log in, the user sees a message such as:
No shell
Connection closed by foreign host.
Solution
This problem occurs when a user entry in Oracle Internet Directory specifies a shell pathname that does not exist on the computer where the user is logging in. Supported shells and shell pathnames vary from one operating system to another. For example, one operating system might have sh, csh, bash, and tcsh under /bin, and another might have sh and csh under /usr/bin.
If the user must be able to log in on computers with different shell pathnames, you might have to create a symbolic link to the shell on one of the computers.
Problem
Oracle Internet Directory fails to enforce password policies, or password policy enforcement is not as expected.
Solution
If you use Oracle Internet Directory to enforce password policies, you cannot use tools in the libuser package to add passwords or entries containing passwords. The reason is that the libuser tools generate a hashed password before sending it to Oracle Internet Directory, so Oracle Internet Directory cannot determine whether the password meets policy criteria or not. Use the LDAP tools or Oracle Directory Manager instead.
Solution
If you are using Oracle Internet Directory for password policy enforcement, you must set shadowmax to 99999 and shadowexpire to -1 to disable password expiration by the operating system.
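The following audit script is an added example, not part of the Oracle guide, and it covers two of the login problems above in one pass: user entries whose loginShell does not exist on the client ("No shell"), and entries whose shadow attributes still allow the operating system to expire passwords when Oracle Internet Directory is meant to enforce the policy. It assumes the user entries have been exported to LDIF (for example with the ldapsearch tool in $ORACLE_HOME/bin) and that the attributes are the RFC 2307 names shadowMax and shadowExpire, which the guide writes in lower case; LDAP attribute names are case-insensitive, so the script compares them lower-cased. The two entries in SAMPLE_LDIF are constructed for the example.

```python
"""Added example (not from the Oracle guide): audit posixAccount entries
exported from Oracle Internet Directory for a missing login shell and for
shadow attributes that let the OS expire passwords."""
import os

# Values the guide requires when OID enforces the password policy.
EXPECTED_SHADOW = {"shadowmax": "99999", "shadowexpire": "-1"}


def _logical_lines(text):
    """Yield LDIF logical lines, joining continuation lines (leading space)."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
            continue
        if buf is not None:
            yield buf
        buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Minimal LDIF parser: a list of entries, each a dict of lower-cased
    attribute name -> list of values. Comments are skipped; base64 (::)
    values are not decoded, which is enough for the attributes checked here."""
    entries, current = [], {}
    for line in _logical_lines(text):
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def installed_shells(shells_file="/etc/shells"):
    """Shells listed in /etc/shells that actually exist on this host."""
    try:
        with open(shells_file) as f:
            listed = [l.strip() for l in f if l.strip() and not l.startswith("#")]
    except OSError:
        listed = []
    return {p for p in listed if os.path.exists(p)}


def check_login_shell(entry, available_shells):
    """Return a problem description, or None if the shell exists on the client."""
    shells = entry.get("loginshell", [])
    if not shells:
        return "no loginShell attribute"
    if shells[0] not in available_shells:
        return f"loginShell {shells[0]} not present on client"
    return None


def check_shadow_attrs(entry):
    """Return problem descriptions for shadowMax/shadowExpire values that
    would let the OS, rather than OID, expire the password."""
    problems = []
    for attr, expected in EXPECTED_SHADOW.items():
        values = entry.get(attr)
        if values is None:
            problems.append(f"{attr} missing")
        elif values[0] != expected:
            problems.append(f"{attr}={values[0]} (expected {expected})")
    return problems


def audit(ldif_text, available_shells):
    """Return {uid: [problems]} for posixAccount entries that fail a check."""
    report = {}
    for entry in parse_ldif(ldif_text):
        if "posixaccount" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        uid = entry.get("uid", ["?"])[0]
        problems = []
        shell_problem = check_login_shell(entry, available_shells)
        if shell_problem:
            problems.append(shell_problem)
        problems.extend(check_shadow_attrs(entry))
        if problems:
            report[uid] = problems
    return report


# Constructed sample export: alice is fine, bob has a shell the client lacks
# and a shadowMax that lets the OS expire the password after 90 days.
SAMPLE_LDIF = """\
# constructed sample, not a real directory export
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/bash
shadowMax: 99999
shadowExpire: -1

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /usr/bin/tcsh
shadowMax: 90
shadowExpire: -1
"""

if __name__ == "__main__":
    # On a real client use installed_shells(); the sample uses a fixed set.
    for uid, problems in audit(SAMPLE_LDIF, {"/bin/sh", "/bin/bash", "/bin/csh"}).items():
        print(uid, "->", "; ".join(problems))
```

Run it on each client type with installed_shells(), since the guide notes that shell pathnames differ between operating systems; a user who passes on one client can still be reported on another, which is exactly the case where the symbolic link suggested above is needed.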