Release 2 (9.2)
Part Number A96573-01
 Home |
 Book List |
 Contents |
 Index |
 Master Index |
 Feedback |
| Oracle Advanced Security Administrator's Guide Release 2 (9.2) Part Number A96573-01 |
|
This chapter describes the User Migration Utility, which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users. It contains the following topics:
Migrating from a database user model to an enterprise user model provides solutions to administrative, security, and usability challenges in an enterprise environment. In an enterprise user model, all user information is moved to an LDAP directory service.
Enterprise user security provides the ability to easily and securely manage enterprise-wide users by providing the following benefits:
Because an enterprise user model is easier to manage, security administrators can perform necessary maintenance changes to user information immediately so they have better control over access to critical network resources. In addition, an enterprise user model is easier for users to use because they have fewer passwords to remember so they are less likely to choose easily guessed passwords or write them down where others can copy them.
| See Also:
"Overview of Enterprise User Security" for detailed conceptual information about enterprise user security. |
The User Migration Utility is a command-line utility that is used when enterprise user administrators decide to move their users from a local database model to an enterprise user model. This utility makes it easy to migrate thousands of local and external database users to an enterprise user environment in an LDAP directory where they can be managed from a central location.
Enterprise user administrators can select for migration any combination of the following subsets of users in a database:
In addition, enterprise user administrators can specify values for utility parameters that determine how the users are migrated such as
The following sections explain the migration process and the changes that occur to users' schemas.
|
Note: After external users are migrated, their external authentication and authorization mechanisms are replaced by directory-based mechanisms. |
Bulk user migration is a two-phase process. In phase one, you start the migration process by populating user information into an interface database table, where enterprise user administrators can verify that the information is accurate before committing the changes to the database and the directory in phase two. The process is described in the following steps:
In the first part of the migration process, the utility checks for the existence of the ORCL_GLOBAL_USR_MIGRATION_DATA interface table in the enterprise user administrator's schema. If it exists, then the administrator can choose to reuse the table (clearing its contents), reuse the table and its contents, or re-create the table. Phase one of the utility can be run multiple times, each time adding to the interface table. If the table does not exist, then the utility creates it in the administrator's schema. The interface table is populated with information about the migrating users from the database and the directory. The type of information that is populated into this table is determined by the command line options which are used.
Passwords are randomly generated and populated into the interface table for users who were EXTERNAL or GLOBAL. For users who were LOCAL, their database password verifier is copied to the directory from the database. If there is an existing directory entry for the user with an existing database password verifier, then the utility runs successfully if both database password verifiers match. If they do not match, then the utility produces an error for that user.
This is an intermediate step to allow the enterprise user administrator to verify that the user information is correct in the interface table before committing the changes to the database and the directory.
After the interface table is populated with user information and the enterprise user administrator has verified the information, then in phase two the utility retrieves the information from the interface table and updates the directory and the database. The utility generates random database passwords for external and global users, and it also generates random passwords for directory entries, which it then stores in the DBPASSWORD and DIRPASSWORD columns of the interface table. The enterprise user administrator can read these passwords from the interface table and inform migrating users.
| See Also:
"List of User Migration Utility Parameters" for a list of command line options and their descriptions. |
This is the interface table which is populated with information about the migrating users during phase one of the bulk user migration process. The information that populates this table is pulled from the database and checked against existing entries in the directory. If there is corresponding information in the directory, then that is marked in the table for that user. After enterprise user administrators verify the information in this table, changes are made to the directory and the database in phase two.
|
Caution: The |
The table columns are listed in Table 16-1.
| Column Name | DataType | Null | Description |
|---|---|---|---|
|
|
VARCHAR2(30) |
NOT NULL |
Database user name. |
|
|
VARCHAR2(10) |
- |
Old schema type in the database before migration. |
|
|
VARCHAR2(30) |
- |
This contains the database password verifier from the database for local users. |
|
|
VARCHAR2(4000) |
- |
Distinguished Name (DN) of the user in the directory (new or existing). |
|
|
CHAR(1) |
- |
Flag indicating whether the DN already exists in the directory. |
|
|
VARCHAR2(30) |
- |
Shared schema name, if users are to be mapped to a shared schema during phase two. |
|
|
VARCHAR2(10) |
- |
Mapping type (database or domain). |
|
|
VARCHAR2(10) |
- |
Mapping level (entry or subtree). |
|
|
CHAR(1) |
- |
Cascade flag used when dropping a user (for shared schema mapping only). |
|
|
CHAR(1) |
- |
Flag indicating whether the database password verifier already exists in the directory for this user. |
|
|
VARCHAR2(30) |
- |
Randomly generated database password verifiers that are to be stored in the directory. |
|
|
VARCHAR2(30) |
- |
Randomly generated directory password for new entries. |
|
|
VARCHAR2(10) |
- |
Information about the phase that has completed successfully. |
|
|
CHAR(1) |
- |
Flag indicating whether the row contains abnormalities that require administrator attention. |
|
|
VARCHAR2(100) |
- |
Textual hint for the administrator if the attention flag is set. |
After running phase one of the utility, if necessary, enterprise user administrators can change the columns of the interface table that are listed in Table 16-2.
If shared schema mapping is not used, then users retain their old database schemas. If shared schema mapping is used, then users' local schemas are dropped from the database and they are mapped to a shared schema that the enterprise user administrator creates for this purpose before performing the migration. When migrated users own database objects in their old local database schemas, administrators can specify that the schema and objects are not to be dropped by setting the CASCADE parameter to NO. When the CASCADE parameter is set to NO, users who own database objects in their old local schemas do not migrate successfully so their objects are not dropped.
If some users want to retain the objects in their local database schemas and be mapped to a shared schema, then the administrator can manually migrate those objects to the shared schema before performing the bulk user migration. However, when objects are migrated to a shared schema, they are shared among all users who share that new schema.
Table 16-3 summarizes the effects of setting the MAPSCHEMA and CASCADE parameters.
| MAPSCHEMA Parameter Setting | CASCADE Parameter Setting | User Migration Successful? | User Schema Objects Dropped? |
|---|---|---|---|
|
PRIVATE |
NO (default setting) |
Yes |
No |
|
SHARED |
NO |
YesFoot 1 |
No |
|
SHARED |
YES |
YesFoot 2 |
Yes |
| 1 Users migrate successfully only if they do not own objects in their old database schemas; otherwise, they fail. 2 Users migrate successfully and their old database schemas are dropped. |
| See Also:
"List of User Migration Utility Parameters" for detailed information about the |
Enterprise users, those that are defined and managed in the directory, can be authenticated to the database either with a password or with a certificate. Users that authenticate with a password require an Oracle database password, which is stored in the directory. Users that authenticate with a certificate must have a valid X.509 v3 certificate.
This utility performs the following steps during migration:
See Also:
|
The User Migration Utility is automatically installed in the following location when you install Oracle9i Client:
$ORACLE_HOME/rdbms/bin/umu
The following sections describe what programs must be running and what user privileges are required to successfully migrate users with the User Migration Utility.
To successfully use this utility, enterprise user administrators must have the following database privileges:
These privileges enable the enterprise user administrator to alter users, drop users, look at dictionary views, and create the interface table that is used by this utility.
In addition to the required database privileges, enterprise user administrators must have the directory privileges which allow them to perform the following tasks:
Perform the following steps before using the User Migration Utility:
ldap.ora parameters.
See Also:
|
To perform a bulk migration of database users to enterprise users, use the following syntax:
umu parameter1 parameter2 ...
For parameters that take a single value use the following syntax:
keyword=value
For parameters that take multiple values, use a colon (:) to separate the values as in the following syntax:
keyword=value1:value2:...
Example 16-1 shows the syntax used to run the utility through both phases of the bulk user migration process.
umu PHASE=ONE DBADMIN=dba_username:password ENTADMIN=enterprise_admin_DN:password USERS=[ALL_GLOBAL | ALL_EXTERNAL | LIST | FILE] DBLOCATION=database_host:database_port:database_sid DIRLOCATION=ldap_directory_host:ldap_directory_port USERSLIST=username1:username2:username3:... USERSFILE=filename MAPSCHEMA=[PRIVATE | SHARED]:schema_name MAPTYPE=[DB | DOMAIN]:[ENTRY | SUBTREE] CASCADE=[YES | NO] CONTEXT=user_entries_parent_location LOGFILE=filename PARFILE=filenameumu PHASE=TWO
DBADMIN=dba_username:password ENTADMIN=enterprise_admin_DN:password DBLOCATION=database_host:database_port:database_sid DIRLOCATION=ldap_directory_host:ldap_directory_port LOGFILE=filename PARFILE=filename
|
Note: If the enterprise user administrator does not specify the mandatory parameters on the command line, then the utility will prompt the user for those parameters interactively. |
See Also:
|
To display the command-line syntax for using the User Migration Utility, enter the following command at the system prompt:
umu HELP=YES
While the HELP parameter is set to YES, the utility cannot execute.
The following sections list the available parameter keywords and the values that can be used with them when running this utility. The keywords are not case-sensitive.
|
Valid Values: |
Values can be:
This parameter takes multiple values. Separate values with a colon (:). (These values are not case-sensitive.) |
|
Default Setting: |
No default setting. |
|
Syntax Examples: |
|
|
Description: |
Specifies which users are to be migrated. If multiple values are specified for this parameter, then the utility uses the union of these sets of users. |
|
Restrictions: |
This parameter is mandatory for phase one only, and it is ignored in phase two. |
|
Valid Values: |
Schema type can be:
(These values are not case-sensitive.) |
|
Default Setting: |
|
|
Syntax Examples: |
|
|
Description: |
Specifies whether the utility populates the interface table with schema mapping information. |
|
Restrictions: |
|
Valid Values: |
Mapping type can be: Mapping level can be: Separate mapping type from mapping level with a colon (:). (These values are not case-sensitive.) |
|
Default Setting: |
|
|
Syntax Examples: |
|
|
Description: |
Specifies the type of schema mapping that is to be applied when "Keyword: MAPSCHEMA" is set to |
|
Restrictions: |
This parameter is effective only when |
| See Also:
"About Using the SUBTREE Mapping Level Option" for more information about using this mapping level option. |
|
Valid Values: |
Distinguished Name (DN) of the parent for user entries. Parent DN can also be specified within double quotation marks ("..."). |
|
Default Setting: |
This value is automatically populated from the |
|
Syntax Examples: |
|
|
Description: |
Specifies the DN of the parent entry under which user entries are created in the directory if there is no directory entry that matches the userID for the user. |
|
Restrictions: |
The following sections contain examples of the syntax for some typical uses of this utility.
To migrate users while retaining their old database schemas, set the MAPSCHEMA parameter to PRIVATE, which is the default setting. For example, to migrate users scott1, scott2, and all external database users, while retaining their old schemas, to the directory at c=us with the newly generated directory passwords, the syntax shown in Example 16-2 is used.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 DIRLOCATION=machine2:636 CONTEXT="c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
After phase one completes successfully, the interface table is populated with the user migration information. Then the enterprise user administrator can review the table to confirm its contents. Because no value was specified for the MAPSCHEMA parameter, the utility runs phase one using the default value of PRIVATE so all users' old database schemas and objects are retained.
To migrate users and map them to a new shared schema, dropping their old database schemas, set the MAPSCHEMA parameter to SHARED. The shared schema must already exist or the enterprise user administrator must create it before running the utility with this parameter setting. In the following example, users scott1, scott2, and all external database users are migrated to the directory at c=us with newly generated directory passwords, while mapping all migrated users to a new shared schema in the database.
Use the syntax shown in Example 16-3 to run the migration process with MAPSCHEMA set to SHARED.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 MAPSCHEMA=SHARED:schema_32 DIRLOCATION=machine2:636 CONTEXT="c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
After phase one completes successfully, the interface table is populated with the user migration information. Then the administrator can review the table to confirm its contents. Users scott1 and scott2 retain their old database passwords, but the external users, who had no old database passwords, are assigned new randomly generated ones. Because no value was specified for the CASCADE parameter, the utility runs phase one using the default value of NO, which means that migrating users who own database objects in their old database schemas will fail and their schemas will not be automatically dropped. To determine which users have failed, review the log file that is located at $ORACLE_HOME/network/log/umu.log by default.
The CASCADE parameter setting determines whether users' old database schemas are automatically dropped when mapping to a shared schema during migration. CASCADE can be used only when MAPSCHEMA is set to SHARED.
By default, the CASCADE parameter is set to NO. This setting means that when mapping migrating users to a shared schema, users who own database objects in their old schemas are not migrated. For users who do not own database objects, their old database schemas are automatically dropped and they are mapped to the new shared schema.
| See Also:
Example 16-3 for an example of the syntax used to map users to a shared schema with |
If it is known that no migrating users own database objects or want to retain the objects that they own in their old database schemas, then setting the CASCADE parameter to YES automatically drops all users' schemas and schema objects and maps them to the new shared schema. Example 16-4 shows the syntax to use when setting CASCADE to YES. In this example, users scott1, scott2, and all external database users are migrated to the directory at c=us, while mapping all migrating users to a new shared schema in the database.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 MAPSCHEMA=SHARED:schema_32 CASCADE=YES DIRLOCATION=machine2:636 CONTEXT="c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
After phase one completes successfully, the interface table is populated with the user migration information. Then the administrator can review the table to confirm its contents. Because the CASCADE parameter is set to YES, all migrated users' old database schemas are automatically dropped, including those who own database objects.
When MAPSCHEMA is set to SHARED, the type of mapping can be set by specifying a value for the MAPTYPE parameter. This parameter takes two values, which are the type of mapping and the level of mapping.
Mapping type can be set at DB, for database, or DOMAIN, for enterprise domain. When mapping type DB is specified, the mapping is applied only to the database where the shared schema is stored. When DOMAIN is specified as the mapping type, then the mapping is applied to the enterprise domain that contains the database where the shared schema is stored and also applies to all databases in that domain.
Mapping level can be set to ENTRY or SUBTREE. When ENTRY is specified then users are mapped to the shared schema using their full distinguished name (DN). This results in one mapping for each user. When SUBTREE is specified then groups of users who share part of their DNs are mapped together. This results in one mapping for groups of users who are already grouped under some common root in the directory tree. Example 16-5 shows the syntax to use when using the MAPTYPE parameter. In this example, users scott1, scott2, and all external database users are migrated to the directory at c=us, while mapping all migrated users to a new shared schema in the database. In this example, the mapping will apply to the enterprise domain that contains the database and the mapping will be performed at the entry level, resulting in a mapping for each user.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 MAPSCHEMA=SHARED:schema_32 MAPTYPE=DOMAIN:ENTRY DIRLOCATION=machine2:636 CONTEXT="c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
If a user (scott, for example) who is being migrated will have future user entries in a subtree under it, then it makes sense to create a subtree level mapping from this user entry (cn=scott) to a schema. However, the database does not interpret the user to be in the subtree so the mapping does not apply to scott himself. For example, if you are migrating the user scott with the DN cn=scott,o=acme, and you choose SUBTREE as the mapping level when you run the utility, then a new mapping is created from cn=scott,o=acme to the shared schema, but the user scott is not mapped to that schema. Only new users who are created under the scott directory entry are mapped to the shared schema. Consequently, the SUBTREE mapping level should only be specified when user directory entries are placed under other user directory entries, which would be an unusual directory configuration.
If you want an arbitrary subtree user to be mapped to a single shared schema with only one mapping entry, then you must use Oracle Enterprise Security Manager to create that mapping.
| See Also:
"Managing Database Schema Mappings" for information about using Oracle Enterprise Security Manager. |
It is possible to enter user information and User Migration Utility parameters into a text file and pass the information and parameters to the utility using the PARFILE and USERSFILE parameters. The LOGFILE parameter sets the directory path for the log file where details about the migration for each user are written.
The PARFILE parameter tells the utility where a text file is located that contains the parameters for a bulk user migration. The USERSFILE parameter works like the PARFILE parameter. Instead of listing parameters in the specified file, it contains a list of database users. The parameters and users lists contain one parameter or user for each line of their respective text files. The LOGFILE parameter tells the utility where to write the system events that occur during a user migration, such as errors. The USERSFILE parameter is used during phase one of the migration process. The PARFILE and LOGFILE parameters can be used in both phases.
Example 16-6 shows the syntax for a typical parameter text file to migrate users scott1, scott2, and all external database users, while retaining their old schemas, to the directory at c=us. In this example a log of migration events is written to the file errorfile1 in the directory where the utility is run. If another location is desired, then include the path with the file name.
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST:FILE USERSLIST=scott1:scott2 USERSFILE=usrs.txt DIRLOCATION=machine2:636 CONTEXT="c=us" ENTADMIN="cn=janeadmin":welcome LOGFILE=errorfile1
Example 16-7 shows the syntax for a typical users list text file.
user1 user2 user3
To execute phase one of the migration process with these parameters and users list text files, use the syntax shown in Example 16-8.
umu PHASE=ONE DBADMIN=system:manager PARFILE=par.txt LOGFILE=errorfile2
|
Note: Although the |
Migration failures are reported to the enterprise user administrator with error messages and log messages. The following sections describe common error and log messages and what administrators can do to resolve them.
| See Also:
"Summary of User Migration Utility Error and Log Messages" for an alphabetical listing of error and log messages and links to where they are described in this section. |
When the utility encounters any error while running, it displays an error message and stops running. The following sections describe these messages and explain how to resolve the errors:
The following error messages may display while the utility is running either phase one or phase two of the migration:
Cause: The nickname attribute is not set in the directory at the root context.
Action: Use Enterprise Security Manager to set the nickname attribute for the root context.
Cause: The utility was unable to connect to the database.
Action: Perform these steps:
Cause: The utility encountered a database error.
Action: Check the database error message details for the database.
| See Also:
Oracle9i Database Error Messages for information about resolving database error messages. |
Cause: The database is not a member of any enterprise domain.
Action: Use Enterprise Security Manager to add the database to an enterprise domain in the directory.
Cause: There is no entry for the database in the Oracle context that the ldap.ora file points to.
Action: Use Database Configuration Assistant or Enterprise Security Manager to register the database in the directory.
Cause: The utility was unable to connect to the directory.
Action: Perform these steps:
Cause: The utility encountered a directory error.
Action: Check the directory error message details for the directory.
| See Also:
Oracle Internet Directory Administrator's Guide for information about resolving error messages for Oracle Internet Directory. |
Cause: The database belongs to more than one enterprise domain in the directory.
Action: Use Enterprise Security Manager or Oracle Directory Manager to ensure that the database belongs to only one enterprise domain.
While the utility is running phase one of the migration, syntax or other types of errors may occur. The following error messages may display while the utility is running phase one of the migration:
Cause: Syntax error. A parameter is missing or has been entered multiple times.
Action: Check the usage syntax.
Cause: The shared schema is not present in the database.
Action: Create the shared schema.
Cause: Syntax error. The DEFAULT_ADMIN_CONTEXT parameter value has an invalid format in the ldap.ora file.
Action: Use Oracle Net Configuration Assistant to create a new ldap.ora file.
Cause: Syntax error. The DIRECTORY_SERVERS parameter value has an invalid format in the ldap.ora file.
Action: Use Oracle Net Configuration Assistant to create a new ldap.ora file.
Cause: Syntax error. The utility cannot read the file that contains the users list that is specified in the USERSFILE parameter.
Action: Perform these steps:
Cause: Syntax error. The utility cannot read the file that contains the list of parameters that is specified in the PARFILE parameter.
Action: Perform these steps:
Cause: Syntax error. The utility is unable to read the local host name for the database location or the directory location.
Action: Explicitly enter the hostname information with the DBLOCATION and DIRLOCATION parameters.
Cause: The interface table cannot be created in the SYS schema.
Action: Specify another user in the DBADMIN parameter.
| See Also:
"Keyword: DBADMIN" for information about setting the |
Cause: Syntax error. The argument name or value has been entered incorrectly.
Action: Check the usage syntax.
See Also:
For information about using the command line syntax for this utility. |
Cause: Syntax error. This occurs when you have used a command line argument that is only intended for phase one, but you are running phase two.
Action: Check the usage syntax.
Cause: Syntax error. The user that is specified in this error message is invalid because they are not a user in the database that is specified in the DBLOCATION parameter.
Action: Remove the invalid user from the file that is specified with the USERSFILE parameter.
Cause: Syntax error. The file that is specified in the USERSFILE parameter contains the user who is running the migration utility.
Action: Remove that user from the file.
Cause: Syntax error. The user that is specified in this error message is invalid because they are not a user in the database that is specified in the DBLOCATION parameter.
Action: Remove the invalid user from the USERSLIST parameter.
Cause: Syntax error. The USERSLIST parameter contains the user who is running the migration utility.
Action: Remove that user from the USERSLIST.
Cause: Syntax error. The utility cannot find the log file or it cannot open the file to write to it.
Action: Perform these steps:
Cause: The CONTEXT value contains the nickname attribute setting and it should not. Only the root Oracle Context contains this setting.
Action: Specify another CONTEXT value that is not the root Oracle Context, and therefore does not contain the nickname attribute setting.
Cause: The CONTEXT entry is not present in the directory.
Action: Perform one of the following options:
Cause: The CONTEXT value is not under the user search bases.
Action: Use Enterprise Security Manager to add an appropriate user search base or give the appropriate CONTEXT value.
Resolving Error Messages Displayed for Phase Two
Most of the error messages that you encounter while running this utility occur in phase one. After phase one has completed successfully, and while phase two is running, the following error may occur:
Cause: The utility cannot find the interface table.
Action: Perform one of the following options:
Typically, log messages are written to the log file for each user who is migrated, whether the user was migrated successfully or not. The following sections describe these messages and explain how to resolve the errors:
While the utility is running phase one of the migration, messages that indicate a user's information has not been successfully populated in the interface table may be written to the log file. After the utility completes phase one, review the log file to check for the following messages:
Cause: The nickname attribute matches multiple users or the user matches with multiple nickname attributes.
Action: Resolve the multiple matches and run the utility again for the users whose log file entry displayed this message.
Cause: No entry was found for the nickname matching, but an entry already exists for the DN in the directory.
Action: Specify a different DN for the user.
Cause: A DN already exists with the orclPassword populated for this local user, but its value is not equal to the verifier in the database.
Action: Check the user's entry in the directory and the user's database account to resolve the value mismatch.
While the utility is running phase two of the migration, messages that indicate a user has not successfully migrated may be written to the log file. After the utility completes phase two, review the log file to check for the following messages:
This message typically occurs with the message Invalid value::<column_name>=<column_value>.
Cause: The entry already contains a value for the orclPassword attribute.
Action: Check the DBPASSWORD_EXIST_FLAG column in the interface table for a T/F value that correctly reflects whether a database password exists for this user.
This message typically occurs with the message Invalid value::<column_name>=<column_value>.
Cause: The orclPassword attribute of this user's entry has a null value.
Action: Check the DBPASSWORD_EXIST_FLAG column in the interface table for a T/F value that correctly reflects whether a database password exists for this user.
Cause: The shared schema that was specified for this user does not exist in the database.
Action: Perform one of the following options:
SHARED_SCHEMA column of the interface table and run phase two of the utility for this user again.This message typically occurs with the message Invalid value::<column_name>=<column_value>.
Cause: An entry already exists for the specified user DN.
Action: Check the USERDN_EXIST_FLAG column in the interface table for a T/F value that correctly reflects whether a user entry already exists in the directory for this DN.
Cause: The value in the interface table column for this user is invalid. Typically, this message is accompanied by additional log messages for this user.
Action: Check to ensure that the correct value has been entered for this user.
This message typically occurs with the message Invalid value::<column_name>=<column_value>.
Cause: The entry for the DN is missing in the directory.
Action: Check the USERDN_EXIST_FLAG column in the interface table for a T/F value that correctly reflects whether a user entry already exists in the directory for this DN.
Cause: The USERNAME column value in the interface table and the nickname attribute value in the directory for the USERDN entry are not equal.
Action: Perform the following steps:
Table 16-4 and Table 16-5 list all of the error and log messages in alphabetical order and provides links to the section in this chapter that describes the message and how to resolve it.
1 A database password verifier is an irreversible value that is derived from the user's database password. This value is used during password authentication to the database to prove the identity of the connecting user.
|
 Copyright © 1996, 2002 Oracle Corporation. All Rights Reserved. |
|