Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform
11g Release 1 (11.1.1)
E10031-03
E Troubleshooting the Oracle Directory Integration Platform

This appendix describes common problems that you might encounter when using the Oracle Directory Integration Platform and explains how to solve them. It contains these topics:


See Also:


Checklist for Troubleshooting Oracle Directory Integration Platform

Use the following checklist as a starting point when troubleshooting Oracle Directory Integration Platform problems:

The DIP Tester Utility

The DIP Tester utility is a standalone, platform-independent Java application that aids in the configuration, testing, and debugging of Oracle Internet Directory implementations that synchronize with Oracle Directory Integration Platform connectors. The utility uses the manageSyncProfiles command to modify profiles and also uses standard LDAP tools (ldapadd, ldapmodify, ldapdelete, and ldapsearch) for many operations. The DIP Tester utility has been tested on Oracle Internet Directory Release 10g (9.0.4) through Oracle Fusion Middleware 11g Release 1 (11.1.1) for Solaris, Linux, and Windows platforms. You can download DIP Tester from Oracle Technology Network at http://www.oracle.com/technology/index.html. The download includes graphical user interface (GUI) and command-line versions of the DIP Tester utility. Both versions are installed automatically with a single installation script.

As you follow the troubleshooting procedures in this appendix, you can use DIP Tester to:


Note:

When the Oracle Directory Integration Platform performs a synchronization, it reads the last applied change key and caches the value. At the next synchronization interval, the Oracle Directory Integration Platform updates Oracle Internet Directory with the last execution time and the cached value of the last applied change key.

Before you manually change the last applied change key in a synchronization profile, be sure to stop the Oracle Directory Integration Platform. Otherwise at the next interval, your change will be overwritten by the cached value. In fact, you should always stop the Oracle Directory Integration Platform before changing any values in a synchronization profile.


The DIP Tester utility is installed in the $ORACLE_HOME/bin directory.


See Also:

The README.txt and DIP Tester User's Guide, located in the directory where you installed the DIP Tester utility

Problems and Solutions

This section describes common problems and solutions for Oracle Directory Integration Platform. It contains these topics:


Note:

The Oracle Directory Integration Platform stores error messages in the appropriate file, as described in "Location and Naming of Files".

Provisioning Errors and Problems

This section provides solutions for provisioning errors and problems.

Problem

Unable to get the Entry from its GUID. Fatal Error...

Solution

Oracle Directory Integration Platform is attempting to retrieve an entry that has been deleted and that, from the platform's point of view, does not appear to have been purged yet. When this error occurs, however, the entry has already been purged. To avoid future errors, update the tombstone purge configuration settings in the Oracle Internet Directory garbage collection framework by referring to the "Managing Garbage Collection" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Problem

LDAP connection failure.

Solution

Oracle Directory Integration Platform failed to connect to the directory server. Check the connection to the directory server.


See Also:

The chapter about directory server administration in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about directory server connections

Problem

Initialization and database connection failures, and exceptions while calling an SQL operation.

Solution

To test the connection, use the Test Connection feature for the profile in Oracle Enterprise Manager Fusion Middleware Control. If the connection fails, examine the diagnostic log file at the following location for more information:

MW_HOME/user_projects/domains/DOMAIN_NAME/servers/NAME_OF_MANAGED_SERVER/logs/

Note:

The file name is NAME_OF_MANAGED_SERVER-diagnostic.log

Problem

Provisioning Profiles Not Getting Executed by the DIP Provisioning Server.

Solution

Using Oracle Enterprise Manager Fusion Middleware Control or the oidprovtool command, verify the profile is enabled and that the Oracle Directory Integration Platform scheduling interval is set to a positive integer.

Problem

Unable to Connect to the Application Database.

Solution

The application database connection requirements in a provisioning profile may be incorrect. Use sqlplus to verify connectivity requirements.

Problem

User/Group Modify And Delete Events Not being consumed by the application.

Solution

Verify the host port details and credentials using the Test Connection feature for the profile in Oracle Enterprise Manager Fusion Middleware Control. If the connection fails after using the Test Connection option, an error message appears providing information about the failed connection.

For additional information about the failed connection, you can examine the diagnostic log using Oracle Enterprise Manager Fusion Middleware Control or from the command line. The diagnostic log is located at:

MW_HOME/user_projects/domains/DOMAIN_NAME/servers/NAME_OF_MANAGED_SERVER/logs/

Note:

The file name is NAME_OF_MANAGED_SERVER-diagnostic.log

Problem

Subscription to binary attributes results in the event propagation error.

Solution

Binary attributes propagation is not supported. Remove the binary attribute assignments from the event subscription in the provisioning profile.

Problem

Insufficient Access Rights to do "proxy" as the Application DN.

Solution

The Oracle Directory Integration Platform server group has not been granted browse privilege by the application DN. Use the ldapmodify command to load the following ACIs, which grant browse privileges from the application DN to the Oracle Directory Integration Platform group:

orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=products,cn=oraclecontext" (read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=products,cn=oraclecontext" (browse,proxy)

Problem

Insufficient access rights to use an application DN as a proxy.

Solution

The Oracle Directory Integration Platform server group has not been granted proxy privileges by the application DN. Use the ldapmodify command to load the following ACI, which grants proxy privileges from the application DN to the Oracle Directory Integration Platform group:

orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)
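The two "Insufficient Access Rights" problems above both come down to whether the application DN's entry carries an orclaci that grants the Oracle Directory Integration Platform group the needed privileges. The following added example (not code from the guide or from Oracle) parses orclaci values of the two shapes shown above, reports which required privileges a given group is still missing, and builds the LDIF modify record that ldapmodify would load. The application DN cn=MyApp,cn=Products,cn=OracleContext and the whitespace in the sample ACIs are constructed; the DN comparison is a simple comma-split normalisation, not a full RFC 4514 DN parser.

```python
import re

# Matches the two orclaci shapes used in this appendix:
#   access to entry by group="<dn>" (browse,proxy)
#   access to attr=(*) by group="<dn>" (read,write,search,compare)
# Stray whitespace inside the quotes or before the privilege list is tolerated,
# because that is exactly what tends to creep in when ACIs are pasted.
_ACI_RE = re.compile(
    r'^access to (?P<scope>entry|attr=\((?P<attrs>[^)]*)\))\s+'
    r'by (?P<kind>group|dn)="\s*(?P<subject>[^"]*?)\s*"\s*'
    r'\((?P<privs>[^)]*)\)\s*$'
)


def parse_aci(aci):
    """Split one orclaci value into scope, attributes, subject DN and privileges."""
    m = _ACI_RE.match(" ".join(aci.split()))  # collapse line-wrap whitespace first
    if not m:
        raise ValueError("unrecognised orclaci: %r" % aci)
    attrs = m.group("attrs")
    return {
        "scope": "entry" if m.group("scope") == "entry" else "attr",
        "attrs": [a.strip() for a in attrs.split(",")] if attrs else [],
        "kind": m.group("kind"),
        # naive DN normalisation: strip spaces around the comma separators
        "subject": ",".join(p.strip() for p in m.group("subject").split(",")),
        "privs": [p.strip().lower() for p in m.group("privs").split(",") if p.strip()],
    }


def missing_privileges(acis, group_dn, needed):
    """Return the privileges in `needed` that none of `acis` grants to `group_dn`."""
    wanted = ",".join(p.strip() for p in group_dn.split(",")).lower()
    have = set()
    for aci in acis:
        parsed = parse_aci(aci)
        if parsed["kind"] == "group" and parsed["subject"].lower() == wanted:
            have.update(parsed["privs"])
    return sorted(set(p.lower() for p in needed) - have)


def aci_modify_ldif(target_dn, acis):
    """Build the LDIF 'modify' record that adds the ACIs to target_dn for ldapmodify."""
    lines = ["dn: %s" % target_dn, "changetype: modify", "add: orclaci"]
    lines += ["orclaci: %s" % " ".join(a.split()) for a in acis]
    return "\n".join(lines) + "\n"


# The ACIs from the first problem above, with the whitespace as it might be pasted (constructed).
ODIS_GROUP = ("cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,"
              "cn=products,cn=oraclecontext")
PAGE_ACIS = [
    'access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,'
    'cn=products,cn=oraclecontext "(read,write,search,compare)',
    'access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,'
    'cn=products,cn=oraclecontext"(browse,proxy)',
]
APP_DN = "cn=MyApp,cn=Products,cn=OracleContext"  # hypothetical application DN

if __name__ == "__main__":
    print("missing for proxy:", missing_privileges(PAGE_ACIS, ODIS_GROUP, ["browse", "proxy"]))
    print(aci_modify_ldif(APP_DN, PAGE_ACIS))
```

Write the generated record to a file and load it with ldapmodify against the application DN; run missing_privileges over the orclaci values an ldapsearch of that entry returns to confirm browse and proxy are now granted before re-enabling the profile.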

Synchronization Errors and Problems

This section provides solutions for synchronization errors and problems.


See Also:

Note: 276481.1—Troubleshooting OID DIP Synchronization Issues in My Oracle Support (formerly MetaLink) at http://metalink.oracle.com/

Problem

LDAP: error code 50 - Insufficient Access Rights; remaining name 'CN=Users,dc=mycompany,dc=com'

Solution

The record target is not in a default container. Find the DST CHANGE RECORD. Check the ACIs for the target container. If they are blank, then use DIP Tester to apply a known set of ACIs to the new container.

Problem

LDAP: error code 50 - Insufficient Access Rights; ACTIVECHGIMP MAPPING IMPORT OPERATION FAILURE; Agent execution successful, Mapping/import operation failure

Solution

By default the cn=Users,default realm contains the proper ACIs. However, this error can occur when trying to synchronize into a different container within the default realm. Open the trace file, locate the change record that is causing the error, and then check the ACIs for the record's parent container. Apply the same ACIs to the target container.

Problem

Log File Error: Not able to construct DN Output ChangeRecord : Changetype: 1 ChangeKey: cn=users, dc=us,dc=oracle,dc=com Exception javax.naming.ContextNotEmptyException: [LDAP: error code 66 - Not Allowed On Non-leaf]; remaining name 'cn=users,dc=us,dc=oracle,dc=com' Missing mandatory attribute(s).

Solution

There is a problem with the mapping file. Refer to Note: 261342.1—Understanding DIP Mapping in My Oracle Support (formerly MetaLink) at http://metalink.oracle.com/.

Problem

Trace File Error: IPlanetImport:Error in Mapping Engine java.lang.NullPointerException java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101).

Solution

The orclcondirlastappliedchgnum attribute is null or has no value. This may occur if bootstrapping failed or if you manually populated Oracle Internet Directory and did not assign a value to the orclcondirlastappliedchgnum attribute. Verify that the orclcondirlastappliedchgnum attribute has a value. If it does not have a value, set it using the DIP Tester utility or using WLST to configure the DIP Mbean.

Problem

Add and change operations are successful, but delete operations fail without being recorded in the trace file.

Solution 1

Tombstones are not enabled in Sun Java System Directory Server. Verify that tombstones are enabled by referring to Note: 219835.1 in My Oracle Support (formerly MetaLink) at http://metalink.oracle.com/.

Solution 2

In Microsoft Active Directory, the account used for the profile is not a member of the DIR SYNCH ADMIN group. This only occurs if you are not using a Microsoft Active Directory administrator account. Install the appropriate patch from Microsoft.

Problem

Data synchronization problems encountered after configuring Oracle Directory Integration import or export connectors to third-party LDAP directories.

Solution

Determine the cause using the testProfile operation of the manageSyncProfiles command.

Problem

Editing the attribute mapping rule for a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control may cause the Schema not initialized for object class error.

Solution

The problem could be caused by an invalid directory type specified for the third party directory connection details. Verify you have specified the correct directory type and connection details.

Problem

The Oracle Internet Directory profile in Oracle Enterprise Manager Fusion Middleware Control shows "synchronization successful" yet no changes show up in the directory.

Solution

First, determine if synchronization is occurring by examining the following parameters for the synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:

  • Successful Completion Time (on DIP Server Home page)

  • Last Execution Time (on DIP Server Home page)

  • Scheduling Interval (on Advanced tab for profile)

Synchronization is occurring if the Successful Completion Time and Last Execution Time metrics have time values relevant to the current time of the system. If these metrics indicate time values that are considerably older than the current time of the system, synchronization is not occurring.

If synchronization is occurring:

  • Verify synchronization is configured to occur in the correct location by examining the Source Container setting on the profile's Mapping tab in Oracle Enterprise Manager Fusion Middleware Control.

  • Verify the correct objects are being filtered by examining the Source Matching Filter setting on the profile's Filtering tab in Oracle Enterprise Manager Fusion Middleware Control.

If synchronization is not occurring:

  • Verify the synchronization profile is enabled using the DIP Server Home page in Oracle Enterprise Manager Fusion Middleware Control.

  • Check the status of the Quartz Scheduler using the DIP Server Home page in Oracle Enterprise Manager Fusion Middleware Control.

  • Test the synchronization profile using the manageSyncProfiles command and its testProfile operation. Refer to "Managing Synchronization Profiles Using manageSyncProfiles" for more information about the manageSyncProfiles command.
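The decision above (are the two timestamps "relevant to the current time", and which checks follow) can be made mechanically once the three metrics have been read from Fusion Middleware Control. The added example below is not from the guide or from Oracle; it classifies a profile from those metrics and returns the follow-up checks the appendix lists for each outcome. The staleness threshold of two scheduling intervals, and the sample timestamps, are assumptions and constructed values, not anything the guide states.

```python
from datetime import datetime, timedelta

# Assumption (not from the guide): a metric older than this many scheduling
# intervals counts as "considerably older than the current time of the system".
STALE_INTERVALS = 2

# Follow-up checks the appendix lists for each outcome.
CHECKS_IF_OCCURRING = [
    "Verify the Source Container setting on the profile's Mapping tab",
    "Verify the Source Matching Filter setting on the profile's Filtering tab",
]
CHECKS_IF_NOT_OCCURRING = [
    "Verify the synchronization profile is enabled (DIP Server Home page)",
    "Check the status of the Quartz Scheduler (DIP Server Home page)",
    "Run manageSyncProfiles with the testProfile operation",
]


def synchronization_state(last_execution, successful_completion, scheduling_interval, now):
    """Classify a profile from the three Fusion Middleware Control metrics.

    last_execution and successful_completion are datetimes from the DIP Server
    Home page; scheduling_interval is the Advanced-tab value in seconds.
    Returns a dict with 'occurring', a 'reason', and the 'checks' to perform next.
    """
    if scheduling_interval <= 0:
        return {"occurring": False,
                "reason": "scheduling interval is not a positive integer, so the profile never runs",
                "checks": CHECKS_IF_NOT_OCCURRING}
    limit = timedelta(seconds=scheduling_interval * STALE_INTERVALS)
    executed_recently = now - last_execution <= limit
    completed_recently = now - successful_completion <= limit
    if executed_recently and completed_recently:
        return {"occurring": True,
                "reason": "both metrics are within %d scheduling intervals of now" % STALE_INTERVALS,
                "checks": CHECKS_IF_OCCURRING}
    if executed_recently:
        # The scheduler is firing the profile, but runs are not completing successfully.
        reason = "the profile is executing but has not completed successfully recently"
    else:
        reason = "the profile has not executed recently"
    return {"occurring": False, "reason": reason, "checks": CHECKS_IF_NOT_OCCURRING}


# Constructed sample metrics (not real values) for a profile scheduled every 60 seconds.
SAMPLE_NOW = datetime(2010, 1, 1, 12, 0, 0)
HEALTHY = synchronization_state(SAMPLE_NOW - timedelta(seconds=45),
                                SAMPLE_NOW - timedelta(seconds=45), 60, SAMPLE_NOW)
STALLED = synchronization_state(SAMPLE_NOW - timedelta(days=3),
                                SAMPLE_NOW - timedelta(days=3), 60, SAMPLE_NOW)
FAILING = synchronization_state(SAMPLE_NOW - timedelta(seconds=45),
                                SAMPLE_NOW - timedelta(hours=6), 60, SAMPLE_NOW)

if __name__ == "__main__":
    for name, state in (("healthy", HEALTHY), ("stalled", STALLED), ("failing", FAILING)):
        print(name, "->", "occurring" if state["occurring"] else "not occurring", "|", state["reason"])
        for check in state["checks"]:
            print("   -", check)
```

The "executing but not completing" branch is the case the guide's two-metric test would otherwise blur: a recent Last Execution Time with an old Successful Completion Time means the scheduler is fine and the problem lies in the run itself, so the testProfile operation is the right next step.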

Windows Native Authentication Errors and Problems

This section provides solutions for errors and problems you may encounter when integrating Oracle Identity Management with Windows Native Authentication.


Note:

Oracle Directory Integration Platform 11g Release 1 (11.1.1) interoperates with and supports Oracle Application Server Single Sign-On 10g Release 10.1.4.3.0 and higher.


See Also:

The "Problems and Solutions for Windows Native Authentication Errors" section in the Troubleshooting chapter of the Oracle Fusion Middleware Administrator's Guide for Oracle Single Sign-On for more information about Windows Native Authentication errors.

Problem

Internal Server error. Please contact your administrator.

Solution

Windows Native Authentication is misconfigured on the middle-tier computer. To fix this problem, perform the following steps:

  1. Check the opmn.log file for errors.

  2. Check the ssoServer.log file for errors.

  3. Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in the jazn-data.xml file is correct.

  4. Make sure that the single sign-on middle tier computer is properly configured to access the Key Distribution Center.

Problem

Could not authenticate to KDC.

Solution

This error message may appear if the realm name in krb5.conf is incorrectly configured. Check the values default_realm and domain_realm in /etc/krb5/krb5.conf. Note that the realm name is case-sensitive.

Problem

Your browser does not support the Windows Kerberos authentication or is not configured properly.

Solution

The user's Web browser is not supported or is misconfigured. Follow the instructions in "Task 2: Configure Internet Explorer for Windows Native Authentication".

Problem

"Access forbidden" or "HTTP error code 403" or "Windows Native Authentication Failed. Please contact your administrator."

Solution

These error messages have the same cause: the user entry cannot be found in Oracle Internet Directory. A local administrator working at a Windows desktop may be trying to access a single sign-on partner application whose entry may not have been synchronized with Oracle Internet Directory. Determine whether the user entry exists in the directory and if the Kerberos principal attributes for the user are properly synchronized from Microsoft Active Directory.

Problem

The Windows login dialog box (with user name, password, and domain fields in it) comes up when accessing the partner application.

Solution

The single sign-on server was not able to authenticate the Kerberos token because the corresponding user entry could not be found in Oracle Internet Directory. Add the user entry to the directory.

Problem

Single sign-on server fails to start. Log file contains an exception bearing the message "Credential not found."

Solution

The parameter kerberos-servicename may not be configured correctly. To fix this problem, perform the following steps:

  1. Make sure that kerberos-servicename is configured correctly in the files orion-application.xml and jazn-data.xml. In orion-application.xml, the format for this parameter is HTTP@sso.mycompany.com. In the jazn-data.xml, the format is HTTP/sso.mycompany.com.

  2. Check the ssoServer.log file for errors.

  3. Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.

  4. Make sure that the single sign-on middle tier computer is configured to access the Kerberos domain controller.
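Two of the Windows Native Authentication problems above ("Could not authenticate to KDC" and "Credential not found") are caused by small textual mistakes: a realm name with the wrong case in krb5.conf, or kerberos-servicename written in the wrong format for the file it sits in. The added example below is not from the guide or from Oracle; it parses the relevant krb5.conf sections and checks default_realm and domain_realm against the expected realm (flagging a case-only mismatch separately), and checks the two kerberos-servicename formats described in step 1 above. The sample krb5.conf, the realm MYCOMPANY.COM and the host sso.mycompany.com are constructed values.

```python
def parse_krb5_conf(text):
    """Return {section: {key: value}} for the top-level keys of each krb5.conf section.

    Nested blocks such as a realm's '{ kdc = ... }' list are skipped; they are
    not needed for the realm-name checks.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, depth = line[1:-1], 0
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_realm_config(krb5_text, expected_realm):
    """Return findings for default_realm and domain_realm; an empty list means consistent."""
    conf = parse_krb5_conf(krb5_text)
    findings = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("libdefaults has no default_realm")
    elif default_realm != expected_realm:
        if default_realm.upper() == expected_realm.upper():
            findings.append("default_realm %r differs from %r only in case; realm names are case-sensitive"
                            % (default_realm, expected_realm))
        else:
            findings.append("default_realm is %r, expected %r" % (default_realm, expected_realm))
    mappings = conf.get("domain_realm", {})
    if not mappings:
        findings.append("domain_realm section is missing or empty")
    for domain, realm in mappings.items():
        if realm != expected_realm:
            findings.append("domain_realm maps %r to %r, expected %r" % (domain, realm, expected_realm))
    return findings


def check_kerberos_servicename(orion_value, jazn_value, sso_host):
    """Check the two formats: HTTP@host in orion-application.xml, HTTP/host in jazn-data.xml."""
    findings = []
    if orion_value != "HTTP@" + sso_host:
        findings.append("orion-application.xml kerberos-servicename should be HTTP@%s, found %r"
                        % (sso_host, orion_value))
    if jazn_value != "HTTP/" + sso_host:
        findings.append("jazn-data.xml kerberos-servicename should be HTTP/%s, found %r"
                        % (sso_host, jazn_value))
    return findings


# Constructed sample: default_realm was typed in lower case, the domain_realm mappings are right.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = mycompany.com

[realms]
 MYCOMPANY.COM = {
  kdc = kdc.mycompany.com
 }

[domain_realm]
 .mycompany.com = MYCOMPANY.COM
 mycompany.com = MYCOMPANY.COM
"""

if __name__ == "__main__":
    for finding in check_realm_config(SAMPLE_KRB5_CONF, "MYCOMPANY.COM"):
        print("krb5.conf:", finding)
    for finding in check_kerberos_servicename("HTTP/sso.mycompany.com", "HTTP@sso.mycompany.com",
                                              "sso.mycompany.com"):
        print("servicename:", finding)
```

Run check_realm_config on the contents of the krb5.conf file the single sign-on middle tier actually reads, passing the Active Directory realm name exactly as the domain controller reports it; a case-only finding is the one that the "Could not authenticate to KDC" message most often hides.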

Problem

The following exception is raised when running the OracleAS Single Sign-On Server Configuring Assistant:

Repository Access API throws exception :
oracle.ias.repository.schema.SchemaException: Unable to establish secure connection to Oracle Internet Directory Server ldap://server.mycompany.com:636/ Base Exception : javax.naming.CommunicationException: server.mycompany.com:636 [Root exception is java.lang.UnsatisfiedLinkError: no njssl10 in java.library.path]
        at oracle.ias.repository.directory.DirectoryReader.connectSsl(DirectoryReader.java:98)
        at oracle.ias.repository.directory.DirectoryReader.connect(DirectoryReader.java:106)
        at oracle.ias.repository.IASSchema.getDBPassword(IASSchema.java:440)
        at oracle.ias.repository.SchemaManager.getDBPassword(SchemaManager.java:310)
        at oracle.security.sso.IMWNAConfig.getSSOHost(IMWNAConfig.java:903)
        at oracle.security.sso.IMWNAConfig.parseArgs(IMWNAConfig.java:168)
        at oracle.security.sso.IMWNAConfig.init(IMWNAConfig.java:194)
        at oracle.security.sso.IMWNAConfig.work(IMWNAConfig.java:60)
        at oracle.security.sso.SSOConfigAssistant.wnaConfig(SSOConfigAssistant.java:243)
        at oracle.security.sso.SSOConfigAssistant.main(SSOConfigAssistant.java:218)

Solution

This exception occurs when the Windows version of the OracleAS Single Sign-On Server Configuring Assistant is run on UNIX and Linux platforms. Run the UNIX/Linux version of the OracleAS Single Sign-On Server Configuring Assistant by following the instructions in "Run the OracleAS Single Sign-On Server Configuration Assistant on each Oracle Application Server Single Sign-On Host".

Problem

With Windows Native Authentication, Internet Explorer is sending NT Lan Manager (NTLM) authentication instead of Kerberos credentials.

Solution

This issue is caused by an improperly configured Microsoft Active Directory installation. Refer to your Microsoft Active Directory documentation or contact Microsoft for information on how to resolve this issue.

Problem

Individual users cannot log in from specific computers using Windows Native Authentication.

Solution

If the users can log in using another computer, then there is a configuration problem with Windows or Internet Explorer on the original computer. Refer to the Microsoft Developer Network at http://msdn.microsoft.com or contact Microsoft for information on how to resolve this issue.

Novell eDirectory and OpenLDAP Synchronization Errors and Problems

This section provides solutions to synchronization errors and problems that can occur with Novell eDirectory and OpenLDAP.

Problem

After configuring import synchronization, entries are not synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory, even though the profile's synchronization status is successful and the trace file does not show any exceptions.

Possible causes and their solutions:

Cause

Incorrect value assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.

Solution

Copy the connection DN from the Novell eDirectory or OpenLDAP export profile to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.

Cause

The entries that the Oracle Directory Integration Platform is attempting to synchronize were created using the same DN that is assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.

Solution

Change the DN that is assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile to a DN that does not create the entries in Novell eDirectory or OpenLDAP.

Cause

There is a time difference between the computer that is running Oracle Internet Directory and the computer that is running Novell eDirectory or OpenLDAP.

Solution

Assign to the ReduceFilterTimeInSeconds parameter of the odip.profile.configfile property in the import profile a value in seconds that is equal to the time difference between the two computers.

Problem

Unsupported exception thrown during reconciliation.

Solution

One or more of the Oracle Internet Directory attributes that are specified in the Novell eDirectory or OpenLDAP reconciliation rules are not indexed. Index the corresponding attributes in Oracle Internet Directory.

Problem

Deleted entries are not synchronizing from Novell eDirectory or OpenLDAP to Oracle Internet Directory, even though the profile's reconciliation status is successful.

Possible causes and their solutions:

Cause

The deleted entries are not specified in the Novell eDirectory or OpenLDAP reconciliation rules.

Solution

Modify the Novell eDirectory or OpenLDAP reconciliation rules to include the deleted entries.

Cause

There are more entries in Novell eDirectory or OpenLDAP for a particular reconciliation rule than there are in Oracle Internet Directory.

Solution

Examine the $ORACLE_HOME/ldap/odi/log/profile_name.trc file for the following message:

No. of entries are less in destination directory compared to source directory.

The preceding message is usually generated when the entire Novell eDirectory or OpenLDAP DIT needs to be synchronized with Oracle Internet Directory. To resolve this problem, assign a value of true to the CheckAllEntries parameter of the odip.profile.configfile property.


Caution:

Assigning a value of true to the CheckAllEntries parameter of the odip.profile.configfile property will result in decreased performance.

Oracle Password Filter for Microsoft Active Directory Errors and Problems

This section provides solutions to errors and problems that can occur with the Oracle Password Filter for Microsoft Active Directory.

Problem

Unable to find log file path.

Cause

Invalid log file path.

Solution

Specify a valid log file path by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Cannot connect to Oracle Internet Directory in non-SSL mode.

Cause

Invalid Oracle Internet Directory configuration settings.

Solution

Correct the Oracle Internet Directory configuration settings by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Cannot connect to Oracle Internet Directory in SSL mode.

Cause

The Oracle Internet Directory certificate authority's trusted certificate has not been imported into the Microsoft Active Directory domain controller.

Solution

Import the trusted certificate into Microsoft Active Directory by following the instructions in "Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller".

Problem

Cannot connect to Microsoft Active Directory.

Cause

Invalid Microsoft Active Directory configuration settings.

Solution

Correct the Microsoft Active Directory configuration settings by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Cannot upload the prepAD.ldif file.

Cause

The specified Microsoft Active Directory base DN container cannot store organizationalUnit objects.

Solution

Specify a base DN for Microsoft Active Directory that can store organizationalUnit objects by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Password updates are looping between Oracle Internet Directory and Microsoft Active Directory.

Cause

The Oracle Password Filter is not configured to use the same bind DN and password that are specified in the synchronization profile that imports values from Microsoft Active Directory into Oracle Internet Directory.

Solution

Configure the Oracle Password Filter to use the same bind DN and password that are specified in the synchronization profile that imports values from Microsoft Active Directory into Oracle Internet Directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

Some passwords are not synchronizing between Oracle Internet Directory and Microsoft Active Directory.

Cause

Oracle Internet Directory and Microsoft Active Directory specify conflicting password policies.

Solution

Set the Oracle Internet Directory password policies to the same policies that are set in Microsoft Active Directory or remove the password policies from Oracle Internet Directory.

Problem

Passwords are not synchronizing for some users.

Cause

You performed an advanced installation of the Oracle Password Filter and specified different values for the attributes that you want to synchronize between Oracle Internet Directory and Microsoft Active Directory.

Solution

Specify the same values for the attributes that you want to synchronize between Oracle Internet Directory and Microsoft Active Directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Problem

User data synchronizes, but password synchronization is delayed.

Cause

Different time intervals are specified for user data synchronization and password synchronization.

Solution

Verify that the value assigned to the Oracle Password Filter's SleepTime parameter is the same as the default scheduling interval for the synchronization profile. You can use the Oracle Enterprise Manager Fusion Middleware Control tool or the manageSyncProfiles command to view and change the default scheduling interval for synchronization profiles. To change the value assigned to the SleepTime parameter, follow the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".

Troubleshooting Provisioning

This section describes how to troubleshoot provisioning problems in the Oracle Internet Directory Provisioning Console. It contains these topics:

Viewing Diagnostic Settings

You can use the Oracle Delegated Administration Services diagnostic settings to debug provisioning problems in the Oracle Internet Directory Provisioning Console without having to examine the log files. For more information about viewing and configuring diagnostic settings, see the chapter on managing users and groups with the Oracle Internet Directory Self-Service Console in the Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management.

Provisioning-Integration Applications Not Visible in the Provisioning Console

After you install a new provisioning-integrated application in Oracle Internet Directory, the application does not appear in the Provisioning Console until you reload the application cache. You must also reload the application cache whenever a provisioning-integrated application is enabled or disabled in Oracle Internet Directory.

Unable to Create Users

The Oracle Provisioning Service uses plug-ins to create new users. This section contains these topics, which describe how to troubleshoot the Oracle Provisioning Service plug-ins to resolve user creation problems:

Troubleshooting Data Entry Plug-ins

Provisioning-integrated applications can invoke the Pre-Data Entry and Post-Data Entry plug-ins to enhance provisioning intelligence and implement business policies. This section describes how to troubleshoot problems with both plug-ins.

Identifying Problems with the Pre-Data Entry Plug-In

The primary purpose of the Pre-Data Entry plug-in is to determine whether a user should be provisioned in the applications selected in the General Provisioning window. If a user has provisioning permission for an application, then the Pre-Data Entry plug-in populates fields in the next window, the Application Provisioning window, according to the application's provisioning policies.

In the event of a problem with the Pre-Data Entry plug-in, an error containing an exception message and stack trace will display in the General Provisioning window. You can find the user attributes that were passed to the plug-in by locating the following line in the stack trace:

******preplugin base user prop set for <Application Name> …

You can locate the error in the log files by searching for the following:

oracle.idm.provisioning.plugin.PluginException

Identifying Problems with the Post-Data Entry Plug-In

The Post-Data Entry plug-in validates data entered by users for common and application-specific attributes. The validation for the plug-in must be successful in order for provisioning to continue.

In the event of a problem with the Post-Data Entry plug-in, an error will display in the Application Attributes window. The exception stack trace will be located after the following line:

UserPlguInMgmt::postPlugInProcess(): apptype <Application Type> appname <Application Name> error when executing plugin logics

Troubleshooting Provisioning Plug-ins

Provisioning-integrated applications can be provisioned either through a PL/SQL plug-in or the Data Access Java plug-in. The PL/SQL plug-in is invoked by the Oracle Directory Integration Platform while the Data Access Java plug-in is invoked directly by Oracle Delegated Administration Services.

Occasionally, user creation succeeds even though provisioning for a specific application fails. You will know that provisioning has failed if you receive a warning status along with a provisioning error message after you click Submit in the Review window. For details about the failure, search the log files for "Data Access plug-in execution failure." The lines following this statement list the reasons why provisioning failed.
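The three plug-in sections above each name a marker string to search the log files for (the PluginException class for the Pre-Data Entry plug-in, the UserPlguInMgmt::postPlugInProcess() line for the Post-Data Entry plug-in, and "Data Access plug-in execution failure" for the provisioning plug-ins), with the useful detail on the lines that follow. The added example below is not from the guide or from Oracle; it scans a log for all three markers in one pass, collects the indented stack-trace lines after each hit, and for Pre-Data Entry failures records the application named on the most recent "preplugin base user prop set for" line. The sample log, its timestamps, the plug-in class names and the application name MyApp are constructed.

```python
import re

# Marker strings from the troubleshooting text, one per plug-in type.
MARKERS = {
    "pre_data_entry": re.compile(r"oracle\.idm\.provisioning\.plugin\.PluginException"),
    "post_data_entry": re.compile(r"UserPlguInMgmt::postPlugInProcess\(\)"),
    "data_access": re.compile(r"Data Access plug-in execution failure"),
}
# Line that carries the user attributes handed to the Pre-Data Entry plug-in.
PRE_PROPS = re.compile(r"\*{6}preplugin base user prop set for (?P<app>\S+)")


def find_provisioning_failures(log_text):
    """Return one finding per marker hit, with the indented detail lines that follow it."""
    lines = log_text.splitlines()
    findings, last_pre_app = [], None
    for i, line in enumerate(lines):
        props = PRE_PROPS.search(line)
        if props:
            last_pre_app = props.group("app")
        for kind, pattern in MARKERS.items():
            if not pattern.search(line):
                continue
            # Java stack traces and plug-in detail are printed indented; gather them.
            detail, j = [], i + 1
            while j < len(lines) and lines[j][:1] in (" ", "\t"):
                detail.append(lines[j].strip())
                j += 1
            finding = {"kind": kind, "line_no": i + 1, "message": line.strip(), "detail": detail}
            if kind == "pre_data_entry":
                finding["app"] = last_pre_app
            findings.append(finding)
    return findings


# Constructed sample log (not real output): one failure of each kind.
SAMPLE_LOG = """\
[2010-01-01T10:00:00] INFO  Provisioning user cn=asmith for MyApp
[2010-01-01T10:00:01] DEBUG ******preplugin base user prop set for MyApp ... cn=asmith, mail=asmith@example.com
[2010-01-01T10:00:01] ERROR oracle.idm.provisioning.plugin.PluginException: policy lookup failed
        at com.example.MyPrePlugin.process(MyPrePlugin.java:42)
        at oracle.idm.provisioning.plugin.PluginManager.invoke(PluginManager.java:88)
[2010-01-01T10:00:05] INFO  Post-data-entry validation for cn=asmith
[2010-01-01T10:00:05] ERROR UserPlguInMgmt::postPlugInProcess(): apptype OID appname MyApp error when executing plugin logics
        java.lang.IllegalArgumentException: mail attribute is empty
        at com.example.MyPostPlugin.validate(MyPostPlugin.java:17)
[2010-01-01T10:00:09] WARN  Data Access plug-in execution failure.
        Application MyApp rejected the account: duplicate key (constructed sample)
[2010-01-01T10:00:10] INFO  done
"""

if __name__ == "__main__":
    for f in find_provisioning_failures(SAMPLE_LOG):
        print("line %d [%s]%s: %s" % (f["line_no"], f["kind"],
                                      " app=" + f["app"] if f.get("app") else "", f["message"]))
        for d in f["detail"]:
            print("    ", d)
```

Point the function at the Oracle Delegated Administration Services log or the managed server's diagnostic log named later in this section; because the detail lines are collected by indentation, the first detail line of a Post-Data Entry finding is the exception the plug-in raised, which is usually enough to tell a data problem from a plug-in defect.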

Using Provisioning Status to Identify Problems

You can use the provisioning status of a user entry to help identify provisioning problems.

To view a user entry's provisioning status:

  1. In the Provisioning Console, select the Directory tab, then select Users. The Search for Users window appears.

  2. In the Search for User field, enter the first few characters of the user's first name, last name, e-mail address, or user ID. For example, if you are searching for Anne Smith, you could enter Ann or Smi. To generate a list of all users in the directory, leave this field blank.

  3. Click Go to display the search results.

  4. Select the user whose entry you want to view, then click View to display the View User window.

    This window is described in the Oracle Fusion Middleware Guide to Delegated Administration for Oracle Identity Management.

  5. In the View User window, examine the entries in the Provisioning Status table. If the Provisioning Status column for an application contains a value of PROVISIONING_FAILURE, then the Provisioning Status Description column will contain one of the following values to describe the reason for the failure:

    • PROVISIONING_REQUIRED

    • PENDING_UPGRADE

    • PROVISIONING_NOT_REQUIRED

    • PROVISIONING_FAILURE


    See Also:

    "Understanding User Provisioning Statuses" for more information on user provisioning statuses

Users Cannot Log In After Account Creation

To resolve typical problems that prevent users from logging in after account creation:

  1. Examine the user provisioning statuses to identify the applications in which the user was not successfully provisioned by following the instructions described in "Using Provisioning Status to Identify Problems".

  2. Identify the application provisioning approach for applications in which the user was not successfully provisioned:

    • For user accounts created with the Oracle Internet Directory Provisioning Console, examine the following Oracle Delegated Administration Services log file:

      $ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
      
    • For user accounts created with the PL/SQL plug-in or the Data Access Java plug-in, examine the following diagnostic log file:

      MW_HOME/user_projects/domains/DOMAIN_NAME/servers/NAME_OF_MANAGED_SERVER/logs/
      

      Note:

      The file name is NAME_OF_MANAGED_SERVER-diagnostic.log

Monitoring Provisioning Execution Status with the Fusion Middleware Control

You can use the Oracle Enterprise Manager Fusion Middleware Control to monitor the provisioning execution status of provisioning integration profiles.

  1. On the main Oracle Enterprise Manager Fusion Middleware Control page, select the name of the Oracle Fusion Middleware instance you want to manage in the Standalone Instances section. The Oracle Fusion Middleware home page opens for the selected instance.

  2. In the System Components table, select OID in the Name column. The Oracle Internet Directory page opens. The status should be green if the required packages are installed properly. This status does not indicate whether the Oracle Directory Integration Platform is running.

  3. To check the status of the servers, select Directory Integration to display the Directory Integration Platform Status page. This page displays the running instances of Oracle Directory Integration Platform, including those for both provisioning and synchronization. The main data displayed for provisioning integration profiles in this window are:

    • Name of the subscribed application

    • Name of the organization for which the subscription was made

    • Status of the profile (ENABLED, DISABLED, or DISCARDED)

    • Change key in Oracle Internet Directory up to which the events have been propagated to the application that is represented by the profile

    • Last execution time

    • Last successful execution time of the profile

    • Errors, if any


    Note:

    The Directory Integration Platform Status page does not display the various event subscriptions for this profile.

You can also get detailed output about provisioning integration status by running the oidprovtool utility with the operation argument status. The oidprovtool utility is located in the $ORACLE_HOME/bin directory.

Troubleshooting Synchronization

This section describes how to troubleshoot synchronization with Oracle Directory Integration Platform. It contains these topics:

Oracle Directory Integration Platform Synchronization Process Flow

When debugging synchronization issues between Oracle Internet Directory and a connected directory, it helps to understand the synchronization process flow of the Oracle Directory Integration Platform.

Oracle Directory Integration Platform Synchronization Process Flow for an Import Profile

The Oracle Directory Integration Platform reads all import profiles at startup. For each profile that is set to ENABLE, the Oracle Directory Integration Platform performs the following tasks during the synchronization process:

  1. Connects to a third-party directory.

  2. Gets the value of the last change key from the connected directory.

  3. Connects to Oracle Internet Directory.

  4. Gets the value of the profile's last applied change key from Oracle Internet Directory.

  5. For Sun Java System Directory Server connections, the Oracle Directory Integration Platform searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Microsoft Active Directory connections, the Oracle Directory Integration Platform searches for this information in the remote directory's USNChanged values. For the Novell eDirectory and OpenLDAP connectors, changes are identified based on the modifytimestamp attribute of each entry. For other types of connectors, such as the Oracle Human Resources connector, the Oracle Directory Integration Platform performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.

  6. Maps the data values from the connected directory to Oracle Internet Directory values.

  7. Creates an Oracle Internet Directory change record.

  8. Applies the change (add, change, delete) in Oracle Internet Directory.

  9. Updates the Oracle Internet Directory import profile with the last execution times and the last applied change key from the connected directory.

  10. Enters sleep mode for the number of seconds specified for the synchronization interval.

Oracle Directory Integration Platform Synchronization Process Flow for an Export Profile

The Oracle Directory Integration Platform reads all export profiles at startup. For each profile that is set to ENABLE, the Oracle Directory Integration Platform performs the following tasks during the synchronization process:

  1. Connects to a third-party directory.

  2. Connects to Oracle Internet Directory.

  3. Gets the value for the last change key from Oracle Internet Directory.

  4. Gets the value of the profile's last applied change key from Oracle Internet Directory.

  5. The Oracle Directory Integration Platform searches the Oracle Internet Directory change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key.

  6. Maps the data values from Oracle Internet Directory to the connected directory values.

  7. Creates a change record.

  8. Applies the change (add, change, delete) on the connected directory.

  9. Updates the Oracle Internet Directory export profile with the last execution times and the last applied change key from Oracle Internet Directory.

  10. Enters sleep mode for the number of seconds specified for the synchronization interval.

Understanding Synchronization Profile Registration

This section provides information about synchronization profile registration.

Validating Profiles Registered in DISABLED State

Validating registered profiles is not required. However, you may validate registered profiles as long as the validation does not prevent the profile from being created.

Registration of DISABLED Profiles that Fail Validation

If the validation of a profile in the DISABLED state fails, the profile is still registered. Profiles in the DISABLED state may contain errors, or the credentials for the target system directory may be unknown; however, this does not prevent the profile from being registered.

Correcting Profile Errors

If you receive errors while registering a profile, for example, due to an incorrect third-party directory password, use the manageSyncProfiles command line tool to correct the errors in the profile. Refer to "Managing Synchronization Profiles Using manageSyncProfiles" for more information.

Understanding the diagnostic.log File

This section explains how to read the Oracle Directory Integration Platform diagnostic.log file, which is located in the following directory:

MW_HOME/user_projects/domains/DOMAIN_NAME/servers/NAME_OF_MANAGED_SERVER/logs/

Note:

The file name is NAME_OF_MANAGED_SERVER-diagnostic.log

The following is an example diagnostic.log file that is broken into sections and annotated to identify information that will be useful when troubleshooting Oracle Directory Integration Platform. Noteworthy information is shown in bold type, and the text Host: HOST_NAME: PORT indicates the host name and port of the machine to which Oracle Directory Integration Platform is connecting.

Startup Information

The following section of the diagnostic.log file shows information related to Oracle Directory Integration Platform startup. In this section, notice the following:

  • SSL Mode: 1 indicates the connection mode used for connecting to Oracle Internet Directory. You may see SSL Mode: 1 or SSL Mode: 2. If you see SSL Mode: 2, Oracle Directory Integration Platform uses certificates to connect to Oracle Internet Directory.

  • Scheduler initialized indicates that the profile scheduler has initialized properly. A message indicating a successful connection to the Oracle Internet Directory server follows.

  • Schema objects are initialized and profiles are scheduled for synchronization.

[2009-02-18T00:52:27.530-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: 
[ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Copyright (c) 1982, 
2009 Oracle.  All rights reserved

[2009-02-18T00:52:27.550-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: 
[ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] SSL Mode : 1

[2009-02-18T00:52:27.554-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: 
[ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Host: HOST_NAME: PORT

[2009-02-18T00:52:38.104-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Scheduler intialized 

[2009-02-18T00:52:47.273-08:00] [wls_ods1] [NOTIFICATION] [DIP-10571] [oracle.dip] [tid: Scheduler] 
[userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Connection to LDAP Server Successful

[2009-02-18T00:52:47.334-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] OBJECT_SCHEMA_READER_INITIALIZING

[2009-02-18T00:52:47.508-08:00] [wls_ods1] [NOTIFICATION] [DIP-10572] [oracle.dip] [tid: Scheduler] 
[userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Object Schema Reader Initialized.

[2009-02-18T00:52:47.510-08:00] [wls_ods1] [NOTIFICATION] [DIP-10573] [oracle.dip] [tid: Scheduler] 
[userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Event Schema Reader Initialized.

[2009-02-18T00:52:48.198-08:00] [wls_ods1] [NOTIFICATION] [DIP-10574] [oracle.dip] [tid: Scheduler] 
[userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Data 
transfer interface defn initialized

[2009-02-18T00:52:48.213-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] INITALIZE_PROVJOBS

[2009-02-18T00:52:48.773-08:00] [wls_ods1] [NOTIFICATION] [DIP-10566] [oracle.dip] [tid: Scheduler] 
[userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] [arg: 
\n----------EVENT TYPE CONFIGURATION 
---------------\n--------------------------------\nEventLDAPChangeType : 
ADD,MODIFY,DELETE\nobjectclass: 
inetorgperson,orcluserv2\n--------------------------------\nEventLDAPChangeType : 
ADD,MODIFY,DELETE\nobjectclass: 
orclservicesubscriptiondetail\n--------------------------------\nEventLDAPChangeType : 
ADD,MODIFY,DELETE\nobjectclass: *\n--------------------------------\nEventLDAPChangeType : 
ADD,MODIFY,DELETE\nobjectclass: 
inetorgperson,orcluserv2\n--------------------------------\nEventLDAPChangeType : 
ADD,MODIFY,DELETE\nobjectclass: 
orclsubscriber\n--------------------------------\nEventLDAPChangeType : 
ADD,MODIFY,DELETE\nobjectclass: 
orclgroup,orclprivilegegroup,groupofuniquenames,groupofnames\n-------------------------------------
-------------] Print Event Type Configuration...[[
----------EVENT TYPE CONFIGURATION ---------------
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: inetorgperson,orcluserv2
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: orclservicesubscriptiondetail
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: *
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: inetorgperson,orcluserv2
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: orclsubscriber
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: orclgroup,orclprivilegegroup,groupofuniquenames,groupofnames
--------------------------------------------------
]]

[2009-02-18T00:52:48.826-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] INITALIZE_SYNCJOBS

[2009-02-18T00:52:50.804-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: 
<anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] Job submission successfulActiveExport SYNC_JOB 60

[2009-02-18T00:52:50.809-08:00] [wls_ods1] [NOTIFICATION] [EVENT_NOT_ENABLED] [oracle.dip] [tid: 
Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] 

[2009-02-18T00:52:52.184-08:00] [wls_ods1] [NOTIFICATION] [DIP-10605] [oracle.dip] [tid: Scheduler] 
[userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0] [arg: 
ActiveExport] Profile : ActiveExport added successfully for scheduling.

UpdateThread Checking for Changes in Profiles

The following section of the diagnostic.log file shows information related to the UpdateThread job, which checks for changes made to synchronization and provisioning profiles. If UpdateThread finds changes, the profile is modified and rescheduled. In this section, notice the changelog filter that UpdateThread uses to find changes to profiles, event definitions, and object definitions:

[2009-02-18T01:20:42.501-08:00] [wls_ods1] [NOTIFICATION] [DIP-10580] [oracle.dip] [tid: 
UpdateThread] [userId: <anonymous>] [ecid: 0000Hy8fyF1F0FQ6ubn3EH19ax8V000003,0] [APP: 
DIP#11.1.1.1.0] [arg: 
(&(objectclass=changelogentry)(changenumber>=3340)(|(targetdn=*cn=Profiles,cn=Provisioning,cn=Direc
tory Integration Platform,cn=Products,cn=OracleContext)(targetdn=*cn=event definitions,cn=directory 
integration platform,cn=products,cn=oraclecontext)(targetdn=*cn=object definitions,cn=directory 
integration platform,cn=products,cn=oraclecontext)))] Changelog Filter : 
(&(objectclass=changelogentry)(changenumber>=3340)(|(targetdn=*cn=Profiles,cn=Provisioning,cn=Direc
tory Integration Platform,cn=Products,cn=OracleContext)(targetdn=*cn=event definitions,cn=directory 
integration platform,cn=products,cn=oraclecontext)(targetdn=*cn=object definitions,cn=directory 
integration platform,cn=products,cn=oraclecontext)))

Profile Initialization

The following section of the diagnostic.log file shows information related to profile initialization. In this section, notice that the ActiveImport profile is scheduled:

[2009-02-18T02:26:19.604-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: 
<anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: dipapp#11.1.1.1.0] INITALIZE_SYNCJOBS

[2009-02-18T02:26:19.695-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: 
<anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: dipapp#11.1.1.1.0] Job submission successfulActiveImport SYNC_JOB 60

[2009-02-18T02:26:19.703-08:00] [wls_ods1] [NOTIFICATION] [EVENT_NOT_ENABLED] [oracle.dip] [tid: 
Scheduler] [userId: <anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: dipapp#11.1.1.1.0] 

[2009-02-18T02:26:19.741-08:00] [wls_ods1] [NOTIFICATION] [DIP-10605] [oracle.dip] [tid: Scheduler] 
[userId: <anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: dipapp#11.1.1.1.0] [arg: 
ActiveImport] profile added successfully for scheduling : ActiveImport

Database Failure

The following section of the diagnostic.log file shows information that appears if the database is not running:

Feb 18, 2009 3:01:19 AM org.quartz.impl.jdbcjobstore.JobStoreSupport$ClusterManager manage
SEVERE: ClusterManager: Error managing cluster: Failed to obtain DB connection from data source 
'schedulerDS': java.sql.SQLException: Could not retrieve datasource via JNDI url 'jdbc/schedulerDS' 
weblogic.jdbc.extensions.PoolDisabledSQLException: 
weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot 
allocate resources to applications..
org.quartz.JobPersistenceException: Failed to obtain DB connection from data source 'schedulerDS': 
java.sql.SQLException: Could not retrieve datasource via JNDI url 'jdbc/schedulerDS' 
weblogic.jdbc.extensions.PoolDisabledSQLException: 
weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot 
allocate resources to applications.. [See nested exception: java.sql.SQLException: Could not 
retrieve datasource via JNDI url 'jdbc/schedulerDS' 
weblogic.jdbc.extensions.PoolDisabledSQLException: 
weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot 
allocate resources to applications..]
        at org.quartz.impl.jdbcjobstore.JobStoreSupport.getConnection(JobStoreSupport.java:636)
        at org.quartz.impl.jdbcjobstore.JobStoreTX.getNonManagedTXConnection(JobStoreTX.java:72)
        at org.quartz.impl.jdbcjobstore.JobStoreSupport.doCheckin(JobStoreSupport.java:3070)
        at org.quartz.impl.jdbcjobstore.JobStoreSupport$ClusterManager.manage(JobStoreSupport.java:3713)
        at org.quartz.impl.jdbcjobstore.JobStoreSupport$ClusterManager.run(JobStoreSupport.java:3749)
Caused by: java.sql.SQLException: Could not retrieve datasource via JNDI url 'jdbc/schedulerDS' 
weblogic.jdbc.extensions.PoolDisabledSQLException: 
weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot 
allocate resources to applications..
        at org.quartz.utils.JNDIConnectionProvider.getConnection(JNDIConnectionProvider.java:166)
        at org.quartz.utils.DBConnectionManager.getConnection(DBConnectionManager.java:112)
        at org.quartz.impl.jdbcjobstore.JobStoreSupport.getConnection(JobStoreSupport.java:633)

Successful Synchronization Operation

The following section of the diagnostic.log file shows the successful synchronization of a user:

QuartzJobListener says: Job ActiveImport Is about to be executed.Wed Feb 18 03:36:00 PST 2009
createChangeRecord:ChangeRecord : ----------
Changetype: ADDRMODIFY
ChangeKey: cn=myuser2,cn=users,dc=imtest,dc=com
Attributes: 
Class: null Name: userprincipalname Type: null ChgType: DELETE Value: [ ]
Class: null Name: givenname Type: null ChgType: DELETE Value: [ ]
Class: null Name: employeeid Type: null ChgType: DELETE Value: [ ]
Class: null Name: physicaldeliveryofficename Type: null ChgType: DELETE Value: [ ]
Class: null Name: title Type: null ChgType: DELETE Value: [ ]
Class: null Name: mobile Type: null ChgType: DELETE Value: [ ]
Class: null Name: telephonenumber Type: null ChgType: DELETE Value: [ ]
Class: null Name: facsimiletelephonenumber Type: null ChgType: DELETE Value: [ ]
Class: null Name: l Type: null ChgType: DELETE Value: [ ]
Class: null Name: thumbnailphoto Type: null ChgType: DELETE Value: [ ]
Class: null Name: samaccountname Type: nonbinary ChgType: REPLACE Value: [MyUser2]
Class: null Name: objectsid Type: nonbinary ChgType: REPLACE Value: [[B@1b994c4]
Class: null Name: objectguid Type: nonbinary ChgType: REPLACE Value: [[B@1b990b5]
Class: null Name: distinguishedname Type: nonbinary ChgType: REPLACE Value: 
[CN=MyUser2,CN=Users,DC=imtest,DC=com]
Class: null Name: cn Type: nonbinary ChgType: REPLACE Value: [MyUser2]
Class: null Name: objectclass Type: nonbinary ChgType: REPLACE Value: [top, person, 
organizationalPerson, user]
-----------
copying : changeRecord to dstchange for writing
In DIPSYNC: doOneIteration():execMapping status0
QuartzJobListener says: Job ActiveImport was executed.Wed Feb 18 03:36:00 PST 2009
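As an added example (not code from the guide or from the product), the following Python reads single-line ODL records of the kind shown in the startup, profile initialization and database failure sections above and reduces them to the facts those sections tell you to check for. The sample records are constructed, single-line versions of the page's log lines, and the checks in startup_problems are added here, not a DIP-supplied tool.

```python
import re
from typing import Any, Dict, List, Optional

# One ODL record of NAME_OF_MANAGED_SERVER-diagnostic.log, written on a single line:
# [ts] [server] [level] [msgid] [component] [tid: ..] [userId: ..] [ecid: ..] [APP: ..] [arg: ..]? message
# The tid value can itself contain brackets ("[ACTIVE].ExecuteThread ..."), so it is
# matched non-greedily up to the "] [userId:" that always follows it.
ODL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<msgid>[^\]]*)\] \[(?P<component>[^\]]+)\] "
    r"\[tid: (?P<tid>.*?)\] \[userId: (?P<user>[^\]]*)\] "
    r"\[ecid: (?P<ecid>[^\]]*)\] \[APP: (?P<app>[^\]]*)\] ?"
    r"(?:\[arg: (?P<arg>[^\]]*)\] )?(?P<msg>.*)$"
)


def parse_odl(line: str) -> Optional[Dict[str, str]]:
    """Named fields of one ODL record, or None for non-ODL text such as the
    java.util.logging lines Quartz writes when the database is down."""
    m = ODL_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines: List[str]) -> Dict[str, Any]:
    """Walk a diagnostic.log and collect the facts the sections above say to look for."""
    s: Dict[str, Any] = {
        "ssl_mode": None,            # 1 or 2; 2 means certificates are used for OID
        "scheduler_initialized": False,
        "oid_connected": False,      # DIP-10571 Connection to LDAP Server Successful
        "profiles_scheduled": [],    # DIP-10605, profile name taken from [arg: ...]
        "db_failure": False,         # Quartz SEVERE: no connection from schedulerDS
    }
    for line in lines:
        if line.startswith("SEVERE:") and "schedulerDS" in line:
            s["db_failure"] = True
            continue
        rec = parse_odl(line)
        if rec is None:
            continue
        msg, msgid = rec["msg"], rec["msgid"]
        m = re.match(r"SSL Mode\s*:\s*(\d)", msg)
        if m:
            s["ssl_mode"] = int(m.group(1))
        # the product spells it "Scheduler intialized"; accept either spelling
        if re.search(r"Scheduler\s+in(i)?tialized", msg):
            s["scheduler_initialized"] = True
        if msgid == "DIP-10571":
            s["oid_connected"] = True
        if msgid == "DIP-10605" and rec["arg"]:
            s["profiles_scheduled"].append(rec["arg"])
    return s


def startup_problems(summary: Dict[str, Any]) -> List[str]:
    """Checks a practitioner would make against the summary; empty means a clean startup."""
    problems = []
    if summary["ssl_mode"] is None:
        problems.append("no 'SSL Mode' record: startup section missing or truncated")
    if not summary["scheduler_initialized"]:
        problems.append("scheduler never initialized")
    if not summary["oid_connected"]:
        problems.append("no DIP-10571: connection to Oracle Internet Directory not confirmed")
    if not summary["profiles_scheduled"]:
        problems.append("no DIP-10605: no profile was scheduled")
    if summary["db_failure"]:
        problems.append("Quartz cannot obtain a connection from schedulerDS: check the database")
    return problems


# Constructed sample modelled on the records shown above, one record per line.
_TID = "[tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)']"
_REST = "[userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP#11.1.1.1.0]"
SAMPLE_LOG = [
    f"[2009-02-18T00:52:27.550-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] {_TID} {_REST} SSL Mode : 1",
    f"[2009-02-18T00:52:38.104-08:00] [wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] {_REST} Scheduler intialized",
    f"[2009-02-18T00:52:47.273-08:00] [wls_ods1] [NOTIFICATION] [DIP-10571] [oracle.dip] [tid: Scheduler] {_REST} Connection to LDAP Server Successful",
    f"[2009-02-18T00:52:50.809-08:00] [wls_ods1] [NOTIFICATION] [EVENT_NOT_ENABLED] [oracle.dip] [tid: Scheduler] {_REST} ",
    f"[2009-02-18T00:52:52.184-08:00] [wls_ods1] [NOTIFICATION] [DIP-10605] [oracle.dip] [tid: Scheduler] {_REST} [arg: ActiveExport] Profile : ActiveExport added successfully for scheduling.",
    "Feb 18, 2009 3:01:19 AM org.quartz.impl.jdbcjobstore.JobStoreSupport$ClusterManager manage",
    "SEVERE: ClusterManager: Error managing cluster: Failed to obtain DB connection from data source 'schedulerDS': ...",
]
```

Records that the file wraps across several lines (such as the DIP-10566 event type configuration) must be joined back into one line before they are fed to parse_odl.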

Troubleshooting Integration with Microsoft Active Directory

This section describes how to troubleshoot integration with Microsoft Active Directory. It contains these topics:

Debugging Windows Native Authentication

Once you have configured Windows Native Authentication (see "Configuring Windows Native Authentication"), you can enable logging for this feature at run time. Open the opmn.xml file, located in $ORACLE_HOME/opmn/conf, and add the following parameter:

-Djazn.debug.log.enable = {true | false}

Assigning a value of true to the parameter enables debugging while assigning a value of false disables it.

The boldface text in the following example shows where you should place the parameter in the opmn.xml file:

<process-type id="OC4J_SECURITY" module-id="OC4J">
  <environment>
    <variable id="DISPLAY" value="sun1.us.oracle.com:0.0"/>
    <variable id="LD_LIBRARY_PATH" value="/private/ora1012/OraHome1/lib"/>
  </environment>
  <module-data>
    <category id="start-parameters">
      <data id="java-options" value="-server -Djazn.debug.log.enable=true
      -Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/config/java2.policy
      -Djava.awt.headless=true -Xmx512m -Djava.awt.headless=true"/>
      <data id="oc4j-options" value="-properties"/>
    </category>
    <category id="stop-parameters">
      <data id="java-options" value="-Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/config/java2.policy
      -Djava.awt.headless=true"/>
    </category>
  </module-data>
</process-type>

The log is written to the file OC4J~OC4J_SECURITY~default_island~1, found at $ORACLE_HOME/opmn/logs.
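An added example, not part of the guide: a Python helper that sets or clears -Djazn.debug.log.enable in the start-parameters java-options of the OC4J_SECURITY process-type without leaving a duplicate copy of the flag behind. The opmn.xml excerpt it runs on is constructed from the fragment above and closed so that it parses; the helper names (set_flag, toggle_jazn_debug, jazn_debug_enabled) are this example's own.

```python
import xml.etree.ElementTree as ET

FLAG = "-Djazn.debug.log.enable"
# Path to the java-options of the start-parameters category shown in the fragment above.
JAVA_OPTIONS_PATH = (".//process-type[@id='{pt}']/module-data"
                     "/category[@id='start-parameters']/data[@id='java-options']")

# Constructed opmn.xml excerpt, closed so that it parses; paths are the page's example values.
SAMPLE_OPMN_XML = """<opmn>
  <process-type id="OC4J_SECURITY" module-id="OC4J">
    <module-data>
      <category id="start-parameters">
        <data id="java-options" value="-server -Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true -Xmx512m"/>
        <data id="oc4j-options" value="-properties"/>
      </category>
      <category id="stop-parameters">
        <data id="java-options" value="-Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true"/>
      </category>
    </module-data>
  </process-type>
</opmn>"""


def set_flag(java_options: str, enable: bool) -> str:
    """Return java-options with exactly one -Djazn.debug.log.enable=<true|false>,
    replacing any copies already present so the option is never duplicated."""
    keep = [opt for opt in java_options.split() if not opt.startswith(FLAG + "=")]
    return " ".join(keep + [f"{FLAG}={'true' if enable else 'false'}"])


def _java_options_element(root: ET.Element, process_type: str) -> ET.Element:
    data = root.find(JAVA_OPTIONS_PATH.format(pt=process_type))
    if data is None:
        raise LookupError(f"no start-parameters java-options for process-type {process_type}")
    return data


def toggle_jazn_debug(opmn_xml: str, enable: bool, process_type: str = "OC4J_SECURITY") -> str:
    """Rewrite the document with the flag set to enable; only the start-parameters
    value changes, the stop-parameters value is left alone."""
    root = ET.fromstring(opmn_xml)
    data = _java_options_element(root, process_type)
    data.set("value", set_flag(data.get("value", ""), enable))
    return ET.tostring(root, encoding="unicode")


def jazn_debug_enabled(opmn_xml: str, process_type: str = "OC4J_SECURITY") -> bool:
    """True only when the start-parameters java-options carry the flag set to true."""
    data = _java_options_element(ET.fromstring(opmn_xml), process_type)
    return f"{FLAG}=true" in data.get("value", "").split()
```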


Note:

When accessing a protected application with Windows Native Authentication, Web browsers automatically return a "401 - Unauthorized" error that is logged by Oracle Enterprise Manager. This is normal behavior and can be safely ignored.


See Also:

  • Note: 283268.1—Troubleshooting Oracle Application Server Single Sign-On Windows Native Authentication in My Oracle Support (formerly MetaLink) at http://metalink.oracle.com/

  • The "Problems and Solutions for Windows Native Authentication Errors" section in the Troubleshooting chapter of the Oracle Fusion Middleware Administrator's Guide for Oracle Single Sign-On for more information about Windows Native Authentication errors.


Synchronizing Changes Following a Period when Oracle Internet Directory is Unavailable

When Oracle Internet Directory is unavailable, changes are stored in Microsoft Active Directory. The Oracle Password Filter for Microsoft Active Directory attempts to synchronize these entries after connectivity is restored with Oracle Internet Directory. The SearchDeltaSize parameter determines how many incremental changes are processed during each iteration in a synchronization cycle. By default, the SearchDeltaSize parameter is assigned a value of 500. Depending on how long Oracle Internet Directory is unavailable, the default SearchDeltaSize value of 500 may be too low to catch up all of the unsynchronized changes. To resolve this problem, you must create a catchup profile by copying the existing Microsoft Active Directory import synchronization profile and modifying the value assigned to the SearchDeltaSize parameter.

To create a catchup synchronization profile:

  1. Stop the Oracle Directory Integration Platform.

  2. Deactivate the Microsoft Active Directory import synchronization profile using the deactivate operation of the manageSyncProfiles command.

  3. Use the manageSyncProfiles copy command to create the catchup synchronization profile by copying the import synchronization profile. For example:

    manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D weblogic
    -pf existing_import_sync_profile -newpf name_of_new_catchup_sync_profile 
    
  4. Activate the original Microsoft Active Directory import synchronization profile using the activate operation of the manageSyncProfiles command.

  5. Start the Oracle Directory Integration Platform.

  6. Obtain the current value of the highestCommittedUSN attribute, which holds the current highest USNChanged value, by searching the new domain controller's root DSE:

    ldapsearch -h host -p port -b "" -s base -D binddn -q \
     "objectclass=*" highestCommittedUSN
    

    Note:

    You will be prompted for the password.

  7. Experiment with the following ldapsearch command until you retrieve more than 100 entries but less than 200. Retrieving more than 200 entries may result in an internal buffer overrun.

    ldapsearch -v -h adhost -p adport -D administrator@domain -q \
    -b cn=users,dc=acme,dc=com -s sub \
    "(&(objectclass=*)(usnChanged>=delta)(&(usnChanged<=highestCommittedUSN)))" dn
    

    Note:

    You will be prompted for the password.

    For example, the following command performs a search using a default search delta size of 500:

    ldapsearch -v -h adhost -p adport -D administrator@domain -q \
    -b cn=users,dc=acme,dc=com -s sub  \
    "(&(objectclass=*)(usnChanged>=55010)(&(usnChanged<=55510)))" dn
    

    Note:

    You will be prompted for the password.

  8. Create a text file named profile_config.txt that contains the following:

    [INTERFACEDETAILS]
    Package: gsi
    Reader: ActiveChgReader
    SkipErrorToSyncNextChange: true
    SearchDeltaSize: 100000
    

    Note:

    You can also set the SkipErrorToSyncNextChange parameter to determine how the Oracle Directory Integration Platform handles an error when processing a change during synchronization. See the "Advanced" section for more information about the SkipErrorToSyncNextChange parameter in synchronization profiles.

  9. Use the update operation of the manageSyncProfiles command to load the profile_config.txt file into the catchup synchronization profile.

  10. Use the activate operation of the manageSyncProfiles command to activate the catchup synchronization profile.


    Note:

    Be sure to continue running the original Microsoft Active Directory import synchronization profile along with the catchup synchronization profile.

  11. Allow the catchup synchronization profile to run for at least 12 hours. After all of the backlogged changes are synchronized, use the deactivate operation of the manageSyncProfiles command to deactivate the catchup synchronization profile.
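An added example, not code from the guide or the product: Python that builds the step 7 filter for one USN window, splits a USN range into SearchDeltaSize windows, tunes the delta to the 100-to-200-entry target of step 7, and then walks the windows the way steps 5 to 9 of the import process flow advance the last applied change key. The entries and the highestCommittedUSN value are constructed; the filter drops the redundant inner (&...) of the page's ldapsearch command.

```python
from typing import List, Tuple

# Constructed stand-in for the Active Directory entries under cn=users:
# (usnChanged, dn) pairs, one entry per USN from 54990 upward. Real values
# come from ldapsearch against the domain controller; these are made up.
SAMPLE_ENTRIES: List[Tuple[int, str]] = [
    (54990 + i, f"CN=user{i},CN=Users,DC=imtest,DC=com") for i in range(700)
]
SAMPLE_HIGHEST_COMMITTED_USN = 55689   # constructed root DSE value (step 6)


def ad_delta_filter(low: int, high: int) -> str:
    """Filter from step 7 for one USN window, inclusive at both ends. The page's
    command wraps the upper bound in a second (&...); that is redundant in LDAP
    and is dropped here."""
    return f"(&(objectclass=*)(usnChanged>={low})(usnChanged<={high}))"


def usn_windows(first_usn: int, highest_usn: int, delta: int) -> List[Tuple[int, int]]:
    """Split [first_usn, highest_usn] into consecutive windows of SearchDeltaSize
    USNs: the slice the catchup profile processes in one iteration."""
    if delta < 1:
        raise ValueError("SearchDeltaSize must be positive")
    windows = []
    low = first_usn
    while low <= highest_usn:
        high = min(low + delta, highest_usn)
        windows.append((low, high))
        low = high + 1
    return windows


def count_in_window(entries: List[Tuple[int, str]], low: int, high: int) -> int:
    """Number of entries ad_delta_filter(low, high) would return."""
    return sum(1 for usn, _ in entries if low <= usn <= high)


def tune_delta(entries: List[Tuple[int, str]], first_usn: int, highest_usn: int,
               delta: int = 500, max_rounds: int = 20) -> Tuple[int, int]:
    """Step 7: adjust the delta until a single window returns more than 100 but
    fewer than 200 entries (larger batches risk the internal buffer overrun the
    page warns about). Returns (delta, entries_in_first_window)."""
    for _ in range(max_rounds):
        n = count_in_window(entries, first_usn, min(first_usn + delta, highest_usn))
        if 100 < n < 200:
            return delta, n
        delta = delta * 2 if n <= 100 else max(1, delta // 2)
    raise ValueError("no SearchDeltaSize in range found; check the USN range")


def catch_up(entries: List[Tuple[int, str]], last_applied_usn: int,
             highest_usn: int, delta: int) -> Tuple[int, int]:
    """Import-profile loop (steps 5 to 9 of the process flow) over one window at a
    time: search above the last applied change key, apply the batch, then advance
    the key. Returns (new_last_applied_usn, entries_processed)."""
    processed = 0
    for low, high in usn_windows(last_applied_usn + 1, highest_usn, delta):
        batch = [dn for usn, dn in entries if low <= usn <= high]
        # a real run would map and apply each entry to Oracle Internet Directory here
        processed += len(batch)
        last_applied_usn = high          # step 9: record the last applied change key
    return last_applied_usn, processed
```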

Need More Help?

You can find more solutions in My Oracle Support (formerly MetaLink) at http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.


See Also:

Oracle Application Server Release Notes, available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html