|
Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) Part No. B14085-01 |
|
 Previous |
 Next |
|
Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) Part No. B14085-01 |
|
|
Previous |
Next |
This appendix describes how to troubleshoot Oracle Directory Integration and Provisioning. It contains these topics:
|
See Also:
|
This section contains these topics:
After you start the Oracle directory integration and provisioning server, you can verify that it is running by following these steps:
On UNIX, use the following command to verify that odisrv process is running:
ps -ef | grep odisrv
For Windows operating systems, obtain the value of process ID (PID) for the odisrv process from $ORACLE_HOME/ldap/log/oidmon.log. Then, launch Task Manager and click the Processes tab to verify that the process is running.
If the Oracle directory integration and provisioning server is not running, then examine the $ORACLE_HOME/ldap/log/oidmon.log file to determine the reason why the server did not start.
If the log file shows any database related errors:
Verify that a value is set for ORACLE_SID.
Verify that the connect string assigned to ORACLE_SID is specified in the $ORACLE_HOME/network/admin/tnsnames.ora file.
Ensure that the log file lists valid values for the server instance number and the configset number arguments. If the values are set correctly, then examine the file $ORACLE_HOME/ldap/log/odisrv_xx.log where xx is the number of the started instance. If the odisrv_xx.log file indicates a registration error, then re-register the Oracle directory integration and provisioning server by using odisrvreg.
If you do not find any errors in the previous step, then examine the file $ORACLE_HOME/ldap/log/odisrv_jvm_yyy.log, where yyy is the process identifier of the odisrv process that should have started. Look for the file with the latest timestamp.
After you start the Oracle directory integration and provisioning server, you can verify that it is running by following these steps:
On UNIX, use the following command to verify that odisrv process is running:
ps -ef | grep odisrv
For Windows operating systems, obtain the value of process ID (PID) for the odisrv process from the $ORACLE_HOME/ldap/log/odisrv_xx.log file, where xx is the number of the started instance. Then, launch Task Manager and click the Processes tab to verify that the process is running.
Oracle directory integration and provisioning server, then examine the odisrv_xx.log file. If the file contains a registration error, then re-register the Oracle directory integration and provisioning server by using odisrvreg.
If you do not find any errors in the previous step, then examine the file $ORACLE_HOME/ldap/log/odisrv_jvm_yyy.log, where yyy is the process identifier of the odisrv process that should have started. Look for the file with the latest timestamp.
This section discusses the oditest and diptester utilities that you can use to troubleshoot synchronization problems.
Troubleshooting synchronization can be complex if there are numerous profiles running or if the synchronization interval for a particular profile is set to occur too infrequently. In such cases, the behavior of any connector can be tested using the oditest utility as follows:
If numerous profiles are running, then use the Directory Integration and Provisioning Assistant to selectively disable the profile you want to troubleshoot. If a single profile is running, then stop the directory integration and provisioning server.
Go to $ORACLE_HOME/bin and run the oditest utility using the following syntax:
oditest sync | prov profile_name host=host_of_Oracle_Internet_Directory port=port_for_Oracle_Internet_Directory binddn=bind_DN bindpass=password_for_the_bind_DN sslauth=0 debug=63
The following example shows how to run the oditest utility with a SunONE Directory Server synchronization profile:
oditest sync IplanetImport host=my-oidhost port=3060 binddn=cn=orcladmin bindpass=welcome1 sslauth=0 debug=63
|
See Also: The chapter on logging, auditing, and debugging the directory in Oracle Internet Directory Administrator's Guide |
The diptester utility is a shell script tool that helps you troubleshoot synchronization problems. You can download the diptester utility from Oracle Technology Network at http://www.oracle.com/technology/index.html.
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
The diptester utility runs in a UNIX shell that makes calls to the Directory Integration and Provisioning Assistant (dipassistant), the oditest utility, and various LDAP command-line utilities. When following the troubleshooting procedure in this section, you can use the diptester utility to:
Make changes to a directory integration profile
View log files
Create test entries
Get or set the last applied change key
Dump entire profile contents
Reload the map file
Start and stop the directory integration and provisioning server
Capture errors in trace files for uploading to Oracle Support
Perform initial bootstrapping of users
|
Note: When the directory integration and provisioning server performs a synchronization, it reads the last applied change key and caches the value. At the next synchronization interval, the directory integration and provisioning server updates Oracle Internet Directory with the last execution time and the cached value of the last applied change key.Before you manually change the last applied change key in a synchronization profile, be sure to stop the directory integration and provisioning server. Otherwise at the next interval your change will be overwritten by the cached value. In fact, you should always stop the directory integration and provisioning server before changing any values in a synchronization profile. |
The diptester utility is installed in the $ORACLE_HOME/bin directory. The installation process also creates a file named $ORACLE_HOME/diptester.ini, which contains configuration settings for the diptester utility. Although not required, you can alter the behavior of the diptester utility by modifying the configuration set number, profile name, and other settings in the diptester.ini file.
|
See Also: $ORACLE_HOME/diptester/README.txt for additional information on configuring and running thediptester utility
|
You can monitor certain provisioning integration profile status information from the Oracle Enterprise Manager 10g Application Server Control Console.
On the main Application Server Control Console page, select the name of the Oracle Application Server instance you want to manage in the Standalone Instances section. The Oracle Application Server home page opens for the selected instance.
In the System Components table, select OID in the Name column. This Oracle Internet Directory page opens. The status should be green if the required packages are installed properly. This does not indicate whether the Oracle directory integration and provisioning server is running or not.
To check the status of the servers, select Directory Integration to display the Directory Integration Platform Status page. This page displays the various running instances of the directory integration platform servers—including those for both provisioning and synchronization. The main data displayed for provisioning integration profiles in this window are:
Name of the subscribed application
Name of the organization for which the subscription was made
Status of the profile (ENABLED or DISABLED)
Change key in Oracle Internet Directory up to which the events have been propagated to the application on behalf of this profile
Last Execution Time
Last Successful Execution Time of the profile.
Errors, if any
|
Note: The Directory Integration Platform Status page does not currently display the various event subscriptions for this profile |
You can also get detailed output on provisioning integration status by running the oidprovtool utility with the operation argument status. The oidprovtool utility is located in the $ORACLE_HOME/bin directory.
This section contains these topics:
When debugging synchronization issues between Oracle Internet Directory and a connected directory, it helps to understand the synchronization process flow of the Oracle directory integration and provisioning server.
The Oracle directory integration and provisioning server reads all import profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration and provisioning server performs the following tasks during the synchronization process:
Connects to a third-party directory
Gets the value of the last change key from the connected directory
Connects to Oracle Internet Directory
Gets the value of the profile's last applied change key from Oracle Internet Directory
For SunONE connections, the Oracle directory integration and provisioning server searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Active Directory connections, the Oracle directory integration and provisioning server searches for this information in the remote directory's uSNChanged values. For other types of connectors, such as the Oracle Human Resources connector, the Oracle directory integration and provisioning server performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.
Maps the data values from the connected directory to Oracle Internet Directory values
Creates an Oracle Internet Directory change record
Processes change (add, change, delete)
Updates the Oracle Internet Directory import profile with the last execution times and the last applied change key from the connected directory
Enters sleep mode for the number of seconds specified for the synchronization interval
The Oracle directory integration and provisioning server reads all export profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration and provisioning server performs the following tasks during the synchronization process:
Connects to a third-party directory
Connects to Oracle Internet Directory
Gets the value for the last change key from Oracle Internet Directory
Gets the value of the profile's last applied change key from Oracle Internet Directory
For SunONE connections, the Oracle directory integration and provisioning server searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Active Directory connections, the Oracle directory integration and provisioning server searches for this information in the remote directory's uSNChanged values. For other types of connectors, such as the Oracle Human Resources connector, the Oracle directory integration and provisioning server performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.
Maps the data values from Oracle Internet Directory to the connected directory values
Creates a change record
Processes change (add, change, delete) on the connected directory
Updates the Oracle Internet Directory export profile with the last execution times and the last applied change key from Oracle Internet Directory
Enters sleep mode for the number of seconds specified for the synchronization interval
When troubleshooting synchronization, use the following as a checklist.
On UNIX, use the following command to verify that the Oracle directory integration and provisioning server process (odisrv) is running:
ps -ef | grep odisrv
For Windows operating systems, obtain the value of process ID (PID) for the odisrv process from $ORACLE_HOME/ldap/log/oidmon.log. Then, launch Task Manager and click the Processes tab to verify that the process is running.
Check whether there is also a directory integration and provisioning server instance running.
If OracleAS Portal, Oracle Collaboration Suite, or another component needs provisioning, then there is probably a directory integration and provisioning server provisioning process running as instance 1 on configuration set 0. In this case, you should start your directory integration and provisioning server as instance 2 with either the default configset=1 argument or using your custom created configuration set number.
Check $ORACLE_HOME/ldap/log/odisrv0x.log. When the provisioning integration service is running, it logs to odisrv01.log. The directory synchronization service then logs to odisrv02.log.
Verify that the profile is enabled by using the Oracle Directory Integration and Provisioning Server Administration tool or diptester option 12.
Verify that trace files are being generated. The trace file can be found at: $ORACLE_HOME/ldap/odi/log/profilename.trc
If no trace file is generated, then check the odisrv0x.log for possible problems in startup of the directory integration and provisioning server, as described earlier in this list.
Verify that correct syntax is used to start the directory integration and provisioning server. For example:
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060" start
For debugging, verify that the value of the debug flag set to 63 when starting the directory integration and provisioning server, as follows:
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060 debug=63" start
Edit the profile and set the debug level to 63 by using the Oracle Directory Integration and Provisioning Server Administration tool or diptester option 12.
Validate the all required parameters in the profile.
|
See Also:
|
Verify that you are using the Oracle Internet Directory 10g (10.1.2) version of the Oracle Directory Integration and Provisioning Server Administration tool or Oracle Directory Manager to update the profile. Previous releases of these utilities display different information on the Profile tab pages and should not be used.
Verify that the third-party LDAP directory server is running by executing the following command:
ldapbind -h ldap_host -p ldap_port -D account -w password
If the directory integration and provisioning server does not start or if it starts and then fails, then check the following:
The instance name and configset being used
Whether the flags="host=xxx port=xxxx" parameter is used with oidctl
The odisrv0x.log to see whether:
Whether the connector successfully started
Whether the password expired
To re-register the connector, enter the following command:
odisrvreg -p port -D cn=orcladmin -w passwd -h host
|
See Also: MetaLink Note: 265397.1—Password Policy Expires available on Oracle MetaLink athttp://metalink.oracle.com/
|
The following is the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized addition operation:
------------------------------------------------------------------------------- Trace Log Started at Tue Jun 08 11:22:25 EDT 2004 ------------------------------------------------------------------------------- Command exec succesful LDAP URL : (activedir.oracle.com:389 administrator@oracle.com LDAP Connection success Applied ChangeNum : 28017Available chg num = 28019 Reader Initialised !! LDAP URL : (sun1:3060 cn=odisrv+orclhostname=sun1,cn=odi,cn=oracle internet directory LDAP Connection success Writer Initialised!! MapEngine Initialised!! Filter Initialised!! searchF : CHGLOGFILTER : (&(USNChanged>=28018)(USNChanged<=28022)) Search Time 8 Search Successful till # 28022 Search Changes Done Changenumber uSNChanged: 28022 targetdn distinguishedName: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com ChangeRecord : ---------- Changetype: 4 ChangeKey: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com Attributes: Class: null Name: ou Type: null ChgType: 1 Value: [ ] Class: null Name: objectGUID Type: null ChgType: 2 Value: [[B@d0a5d9] ... Class: null Name: mail Type: null ChgType: 1 Value: [ ] Class: null Name: displayname Type: null ChgType: 2 Value: [Test User56] Class: null Name: cn Type: null ChgType: 2 Value: [Test User56] Class: null Name: sn Type: null ChgType: 2 Value: [Test User56] Class: null Name: krbprincipalname Type: null ChgType: 1 Value: [@ ] Class: null Name: uid Type: null ChgType: 1 Value: [ ] Class: null Name: orcluserprincipalname Type: null ChgType: 1 Value: [ ] Class: null Name: orclsamaccountname Type: null ChgType: 2 Value: [$Test User56] ----------- DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com Normalized DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com Processing modifyRadd Operation .. Entry Not Found. Converting to an ADD op.. Processing Insert Operation .. Performing createEntry.. Entry Added Successfully : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com Updated Attributes orclodipLastExecutionTime: 20040608112226 orclOdipSynchronizationStatus: Synchronization Successful orclodipLastSuccessfulExecutionTime: 20040608112226
The following is the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized deletion operation:
------------------------------------------------------------------------------- Trace Log Started at Wed Aug 18 09:10:05 EDT 2004 ------------------------------------------------------------------------------- Command exec succesful LDAP URL : (oemfl-ad.us.oracle.com:389 administrator@oemad-orl.us.oracle.com LDAP Connection success Applied ChangeNum : 31940Available chg num = 31940 Reader Initialised !! LDAP URL : (sun1.us.oracle.com:3060 cn=odisrv+orclhostname=sun1,cn=odi,cn=oracle internet directory LDAP Connection success Writer Initialised!! MapEngine Initialised!! Filter Initialised!! searchF : CHGLOGFILTER : (&(USNChanged>=31941)(USNChanged<=31941)) Search Time 10 Search Successful till # 31941 Search Changes Done Changenumber uSNChanged: 31941 Deleted isDeleted: TRUE Deleted isDeleted: TRUE ChangeRecord : ---------- Changetype: 1 ChangeKey: * Attributes: Class: null Name: objectGUID Type: null ChgType: 3 Value: [[B@ece65] ... Output ChangeRecord ChangeRecord : ---------- Changetype: 1 ChangeKey: * Attributes: Class: null Name: objectclass Type: null ChgType: 3 Value: [organizationalunit, orclcontainer, orcladuser, orcluserv2, orcladgroup] Class: null Name: krbprincipalname Type: null ChgType: 3 Value: [@ ] Class: null Name: orclsamaccountname Type: null ChgType: 3 Value: [$ ] Class: null Name: orclobjectguid Type: null ChgType: 3 Value: [2xR7Nas8UUKtzmPk0jpSFg==] ----------- DN : * Normalized DN : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com Processing Delete Operation .. Deleted entry Successfully : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com Updated Attributes orclodipLastExecutionTime: 20040818091005 orclOdipSynchronizationStatus: Synchronization Successful orclodipLastSuccessfulExecutionTime: 20040818091005
The following is the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized modify operation:
------------------------------------------------------------------------------- Trace Log Started at Wed Sep 29 09:40:18 EDT 2004 ------------------------------------------------------------------------------- Command exec succesful LDAP URL : (oemfl-ad.us.oracle.com:389 administrator@oemad-orl.us.oracle.com LDAP Connection success Applied ChangeNum : 35322Available chg num = 35322 Reader Initialised !! LDAP URL : (sun1.us.oracle.com:3060 cn=odisrv+orclhostname=sun1,cn=odi,cn=oracle internet directory LDAP Connection success Writer Initialised!! MapEngine Initialised!! Filter Initialised!! searchF : CHGLOGFILTER : (&(USNCreated>=35323)(USNCreated<=35323)) Search Time 7 Search Successful till # 35323 Search Changes Done searchF : CHGLOGFILTER : (&(USNChanged>=35323)(USNChanged<=35323)(USNCreated<=35322)) Search Time 15 Search Successful till # 35323 Changenumber uSNChanged: 35323 targetdn distinguishedName: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com ChangeRecord : ---------- Changetype: 4 ChangeKey: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com Attributes: Class: null Name: distinguishedname Type: null ChgType: 1 Value: [ ] Class: null Name: samaccountname,userprincipalname Type: null ChgType: 1 Value: [ ] Class: null Name: userprincipalname Type: null ChgType: 1 Value: [ ] ... Output ChangeRecord ChangeRecord : ---------- Changetype: 4 ChangeKey: cn=TUser111,cn=users,dc=us,dc=oracle,dc=com Attributes: Class: null Name: objectclass Type: null ChgType: 3 Value: [orcluserv2, orcladuser, inetorgperson, person] Class: null Name: orclObjectSID Type: null ChgType: 2 Value: [AQUAAAAAAAUVAAAAiqcyP8CFOF0VJa9HCAYAAA==] Class: null Name: orclObjectGUID Type: null ChgType: 2 Value: [6uEo05+F/0CHj4PTpPCchQ==] Class: null Name: mail Type: null ChgType: 2 Value: [Tuser111@oracle.com] Class: null Name: displayName Type: null ChgType: 2 Value: [Test User111] Class: null Name: cn Type: null ChgType: 2 Value: [TUser111] Class: null Name: sn Type: null ChgType: 2 Value: [TUser111] Class: null Name: krbPrincipalName Type: null ChgType: 1 Value: [@ ] Class: null Name: uid Type: null ChgType: 2 Value: [TUser111] Class: null Name: orclUserPrincipalName Type: null ChgType: 1 Value: [ ] Class: null Name: orclSAMAccountName Type: null ChgType: 2 Value: [$TUser111] Class: null Name: orclDefaultProfileGroup Type: null ChgType: 1 Value: [ ] ----------- DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com Normalized DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com Processing modifyRadd Operation .. Entry found. Converting To a Modify Operation.. Proceeding with checkNReplace.. Performing checkNReplace.. Naming attribute: cn Naming attribute value: orclDefaultProfileGroup Naming attribute value: orclSAMAccountName Naming attribute value: orclUserPrincipalName Naming attribute value: uid Naming attribute value: krbPrincipalName Naming attribute value: sn Naming attribute value: cn Naming attribute value: displayName Naming attribute value: mail Adding Attribute in OID : mail Naming attribute value: orclObjectGUID Naming attribute value: orclObjectSID Total # of Mod Items : 1 Modified Entry Successfully : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com Replacing Attribute orclodipLastSuccessfulExecutionTime in the Profile with value : 20040929094018 Removed Existing attribute RePopulated Attribute.. Updated Attributes orclodipLastExecutionTime: 20040929094018 orclOdipSynchronizationStatus: Synchronization Successful orclodipLastSuccessfulExecutionTime: 20040929094018
This section contains these topics:
You can debug the Active Directory connector by using the oditest and diptester utilities described in "Troubleshooting Synchronization".
To troubleshoot the Active Directory connector:
Run oditest and enter the profile name as the value of the directory synchronization profile argument
Examine the $ORACLE_HOME/ldap/odi/log/AgentChgImp.trc and $ORACLE_HOME/ldap/odi/log/AgentChgImp.aud files in a text editor for pertinent information
If more than one profile is enabled, then the diptester utility can be run against each of them.
Once you have configured Windows native authentication (see "Configuring Windows Native Authentication"), you can enable logging for this feature at run time. Open the opmn.xml file, located in $ORACLE_HOME/opmn/conf, and add the following parameter:
-Djazn.debug.log.enable = {true | false}
Assigning a value of true to the parameter enables debugging while assigning a value of false disables it.
The boldface text in the following example show where you should place the parameter in opmn.xml:
<process-type id="OC4J_SECURITY" module-id="OC4J">
<environment>
<variable id="DISPLAY" value="sun1.us.oracle.com:0.0"/>
<variable id="LD_LIBRARY_PATH" value="/private/ora1012/OraHome1/lib"/>
</environment>
<module-data>
<category id="start-parameters">
<data id="java-options" value="-server -Djazn.debug.log.enable=true
-Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/
config/java2.policy -Djava.awt.headless=true -Xmx512m
-Djava.awt.headless=true"/>
<data id="oc4j-options" value="-properties"/>
</category>
<category id="stop-parameters">
<data id="java-options" value="-Djava.security.policy=/private/ora1012/
OraHome1/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true"/>
</category>
The log is written to the file OC4J~OC4J_SECURITY~default_island~1, found at $ORACLE_HOME/opmn/logs.
If you are experiencing unknown errors, then you can enable plug-in debugging as explained in "Debugging the Windows NT External Authentication Plug-in"
You can debug the SunONE connector by using the oditest and diptester utilities described in "Troubleshooting Synchronization".
To troubleshoot the SunONE import connector:
Run oditest and enter IplanetImport as the value of the directory synchronization profile argument
Examine the $ORACLE_HOME/ldap/odi/log/IplanetImport.trc and $ORACLE_HOME/ldap/odi/log/IplanetImport.aud files in a text editor for pertinent information
To troubleshoot the SunONE export connector:
Run oditest and enter IplanetExport as the value of the directory synchronization profile argument
Examine the $ORACLE_HOME/ldap/odi/log/IplanetExport.trc and $ORACLE_HOME/ldap/odi/log/IplanetExport.aud files in a text editor for pertinent information
If more than one profile is enabled, then the diptester utility can be run against each of them.
This section contains these topics:
The Oracle directory integration and provisioning server stores error messages in the appropriate file, as described in "Location and Naming of Files".
This section provides solutions for errors and problems you may encounter with the Oracle directory integration and provisioning server.
pwdmaxage attribute, is set to 60 days.
You must first unlock the cn=orcladmin super user account before you can modify password policies. Use the oidpasswd utility to unlock the super user account as follows:
oidpasswd connect=asdb unlock_su_acct=true OID DB user password: OID super user account unlocked successfully.
This unlocks only the super user account, cn=orcladmin. Do not confuse this account with the cd=orcladmin account within the default realm cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy. They are two separate accounts.
Launch an Oracle Internet Directory 10g (10.1.2) version of Oracle Directory Manager and navigate to Password Policy Management. You will see two entries: cn=PwdPolicyEntry and the password policy for your realm—for example, password_policy_entry,dc=acme,dc=com.
Change the pwdmaxage attribute in each password policy to an appropriate value:
5184000 = 60 days (default)
7776000 = 90 days
10368000 = 120 days
15552000 = 180 days
31536000 = 1 year
|
Note: It is very important to change this value in both places. |
Launch the Oracle Directory Manager and navigate to the realm-specific orcladmin account. Find the userpassword attribute and assign a new value. You should then be able to launch any Oracle component that uses OracleAS Single Sign-On and log in as orcladmin.
Rerun the odisrvreg utility to reset the randomly generated password for Directory Integration and Provisioning:
odisrvreg -D cn=orcladmin -w welcome1 -p 3060 Already Registered...Updating DIS password... DIS registration successful.
odisrvreg -p port -D cn=orcladmin -w passwd
|
See Also: MetaLink Note: 265397.1—Password Policy Expires available on Oracle MetaLink athttp://metalink.oracle.com/
|
This section provides solutions for provisioning errors and problems.
|
See Also: The chapter on directory server administration in Oracle Internet Directory Administrator's Guide for information about directory server connections |
odisrvreg.
configset=0.
sqlplus to verify connectivity requirements.
ldapmodify command to load the following ACIs, which grant browse privileges from the application DN to the Oracle Directory Integration and Provisioning group:
orclaci: access to attr=(*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory"(read,write,search,compare) orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory"(browse,proxy)
ldapmodify command to load the following ACI, which grants proxy privileges from the application DN to the Oracle Directory Integration and Provisioning group:
orclaci: access to entry by group=" cn=odisgroup, cn=odi,cn=oracle internet directory" (browse,proxy)
This section provides solutions for synchronization errors and problems.
|
See Also: MetaLink Note: 276481.1—Troubleshooting OID DIP Synchronization Issues available on Oracle MetaLink athttp://metalink.oracle.com/
|
diptester option 13 to apply a known set of ACIs to the new container.
cn=Users,<default realm> contains the proper ACIs. However, this error can occur when trying to synchronize into a different container within the default realm
http://metalink.oracle.com/.
diptester to reload the mapping file.
orclcondirlastappliedchgnum attribute is null or has no value. This may occur if bootstrapping failed or if you manually populated Oracle Internet Directory and did not assign a value to the orclcondirlastappliedchgnum attribute.
orclcondirlastappliedchgnum attribute has a value. If not, then use diptester to set the orclcondirlastappliedchgnum attribute.
hostname:port).
ldapmodify to fix the following two entries:
dn: orclODIPAgentName=profile_name,cn=subscriber profile,
cn=changelog subscriber, cn=oracle internet directory
changetype: modify
replace: orclaci
orclaci: access to attr = (*) by group="cn=odisgroup,cn=odi,cn=oracle
internet directory" (read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle
internet directory" (browse,proxy)
dn: orclodipAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipagentconfiginfo:: W0lOVEVSRkFDRURFVEFJTFNdClBhY2thZ2U6IGdzaQpSZWFkZXI 6IEFjdGl2ZUNoZ1JlYWRlcgo=
|
Note: The preceding entry is a binary object representing an import profile for the ActiveChange Reader. If you are fixing an SunONE/iPlanet, or and EXPORT profile, then you must dump theorclodipagentconfiginfo attribute for the corresponding profile from a existing profile or another node.
|
|
See Also: The following for information about LDAP error code 49 and Error 9000: GSL_PWDEXPIRED_EXCP:
|
dipassistant) or diptester option 5.
This section provides solutions for errors and problems you may encounter when integrating Oracle Identity Management with Windows Native Authentication.
Check the opmn.log file for errors.
Check ssoServer.log for errors.
Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.
Make sure that the single sign-on middle tier computer is properly configured to access the Key Distribution Center. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".
default_realm and domain_realm in /etc/krb5/krb5.conf. Note that the realm name is case sensitive.
kerberos-servicename may not be configured correctly.
Make sure that kerberos-servicename is configured correctly in the files orion-application.xml and jazn-data.xml. In orion-application.xml, the format for this parameter is HTTP@sso.mycompany.com. In the jazn-data.xml, the format is HTTP/sso.mycompany.com.
Check ssoServer.log for errors.
Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.
Make sure that the single sign-on middle tier computer is configured to access the Kerberos domain controller. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".
This section provides solutions to synchronization errors and problems that can occur with Microsoft Active Directory and SunONE Directory Server.
orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn= changelog subscriber,cn=oracle internet directory does not have full read/write access to the synchronized entries in Oracle Internet Directory. Because the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group will already have the required ACLs defined, this entry should be a member of this group.
identity_management_realm. You must add the orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory user entry to the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group, so that it will have the required ACL access to perform the updates: In Oracle Directory Manager, navigate through: Entry Management ->dc=com,identity_management_realm,cn=oraclecontext-> cn=groups-> cn=oracleDASCreateUser. From here, against the attribute 'uniquemember' add: orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.
http://metalink.oracle.com/
oditest utility.
oditest utility as described in Troubleshooting Integration with the SunONE Connector or Debugging the Active Directory Connector.
|
WARNING: Decreasing your synchronization interval may significantly impact the performance of your connected directory server. Before changing your synchronization interval, try debugging your connector with the |
In the Oracle Directory Integration and Provisioning Server Administration tool, in the navigator pane, navigate to the Integration Server and modify the Scheduling Interval attribute in the profiles to 20 seconds.
Use the odisrv command to stop the directory integration and provisioning server and restart it with the parameter debug=63.
Add a test entry in your connected directory.
In Oracle Internet Directory, change to the $ORACLE_HOME/ldap/odi/log directory and use the cat command to display the file ActiveChgImp.trc. When the directory integration and provisioning server wakes up and processes the record from the connected directory changelog, you will see the details listed in the ActiveChgImp.trc file.
Examine the trace file ActiveChgImp.trc for possible clues as to what is actually taking place: You should see the handshake/login to the connected directory server, then the change being captured and reformatted according to the mapping rules, and finally the change being attempted in Oracle Internet Directory. If there are handshake or mapping problems they will appear in this file.
A common mistake is to set the Connect Directory Account DN to Administrator. This field must contain the entire distinguished name of the Active Directory administrator—for example:
cn=Administrator,cn=Users,dc=myoracle,dc=com
The first domain component is the value of the third field of the Windows Login Page: User Name, Password, Log on to.
The following ldapsearch commands may be helpful in identifying problems with the configuration.
To check the default identity management realm:
ldapsearch -h host; -p port; -D cn=orcladmin -w password; -b "cn=common,cn=products, cn=oraclecontext" -L -s base "objectclass=*"; orcldefaultsubscriber
To dump the directory integration and provisioning server configuration set:
ldapsearch -p port; -D cn=orcladmin -w password -b cn=instance1,cn=odisrv, cn=subregistrysubentry -s base -v "objectclass=*"
To check profiles:
ldapsearch -p port -D cn=orcladmin -w password -b "orclODIPAgentName=ActiveImpChg, cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=*
To check the agent credentials:
Note: This command returns the password in clear text only if you run it using orcladmin credentials.
ldapsearch -p port -D cn=orcladmin -w password -b "orclodipagentname=ActiveImpChg, cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"
You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.
|
See Also:
|
