This appendix lists problems you might encounter when configuring or managing Oracle Authentication Services for Operating Systems. It contains the following topics:
This section lists errors you might encounter when executing the client configuration script.
Before you execute the client script on AIX, you must add at least one user to LDAP. Otherwise, the configuration script might fail with one of these error messages:
Cannot find users from all base DN client setup failed."
Cannot find the group base DN from the LDAP server. Client setup failed."
See "Add At Least One User and One Group to Oracle Internet Directory on AIX".
The SSL client configuration script fails on AIX 6.1 due to a problem with the mksecldap
tool. You can only configure Oracle Authentication Services for Operating Systems in non-SSL mode, using the non-SSL configuration script, on AIX 6.1.
The server hostname printed by the client script has a duplicate domain name, for example: myserver.mycompany.com.mycompany.com
.
When the server script generates the client script, it appends the domain to the server hostname. In most cases, the server hostname is the simple name, so this behavior is correct. If, however, you have set hostname
to a fully-qualified domain name on your server, the server script generates an incorrect name.
To correct this problem, while executing the client script, type n
in response to the query:
Do you want to configure test-host to authenticate users against the above OID LDAP server [n]: y
which terminates the client script. Then edit the server hostname in the client script and execute the script again. The line to be edited is:
oidServerHost="myserver.mycompany.com.mycompany.com"
This section lists errors you might encounter when migrating entries to Oracle Authentication Services for Operating Systems.
The sudo
conversion tool reports parse errors while converting your /etc/sudoers
file to LDIF format.
The conversion script in the sudo
package might not cover all intricacies of your sudoers
file format. For example, if command aliases are preceded by an exclamation mark (!
), remove the exclamation mark. Please see the sudo
package documentation for known limitations.
This section lists errors you might encounter when using command-line tools with Oracle Authentication Services for Operating Systems.
You encounter errors when using the system-config-users
tool.
Ensure that user entries have all the attributes described in "Migrating from NIS to Oracle Internet Directory".
For errors when creating a new group on Red Hat Enterprise Linux, version 4, edit the file /usr/share/system-config-users/userGroupCheck.py
.
Change:
def isGroupnameOk(str, widget):
to:
def isGroupnameOk(name,widget):
You see Python errors when invoking libuser tools such as system-config-users
and luseradd
.
To use libuser
tools, you must configure your client and server for SSL. See "Switching Between SSL Authentication and Non-SSL Configurations".
Using Linux tools such as useradd
, userdel
, groupadd
, or groupdel
causes inconsistencies or unexpected behavior.
These tools are not supported. After you install Oracle Authentication Services for Operating Systems and migrate your data to Oracle Internet Directory, you must use specific tools to manage users, passwords, and other data. Specifically, you must use:
Oracle Directory Manager
The LDAP tools and bulk tools in $ORACLE_HOME/bin
The passwd
command
You can also use the libuser
tools on Linux distributions that support it, with some limitations. See "Password Policy Not Consistently Enforced".
When you attempt to perform a search, the server returns this error:
Function not implemented. DSA unwilling to perform.
You have attempted to perform a search with a non-indexed attribute specified as a required attribute.
You can search for an attribute in Oracle Internet Directory only if the attribute is indexed. By default, standard attributes of the user and group entries are indexed. If you use a custom attribute, you can index it by using the catalog
command. For example:
catalog connect="connect_str" add="TRUE" attribute="automountKey"
The AIX mkuser
command fails with the error:
Group "staff" does not exist.Check "/usr/lib/security/mkuser.default" file.
To resolve this problem, create a group called staff
in Oracle Internet Directory.
On AIX 5.3, if the LDAP client and NIS client are configured on the same machine, you cannot create users from the AIX LDAP client. You can rectify this problem by installing APAR IY90556.
See Also:
"LDAP configuration management and troubleshooting on AIX" athttp://www.ibm.com/developerworks/
Your user account has a primary group and one or more secondary groups. When you type:
id -a
on a Solaris system after configuring Oracle Authentication Services for Operating Systems, the secondary groups are not displayed.
Ensure that you are using the -a
option to the id
command.
If you are using id -a
and not seeing secondary groups, you might need to change the LDAP entries for the secondary groups.
First, add the uid
attribute to objectclass orclGroup
in your LDAP schema, if it is not there already. See the chapter "Managing Directory Schema" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about adding a new attribute to Oracle Internet Directory.
Then modify the group entries for all secondary groups. Replace uniquemember:
dn
with memberuid:
uid
, where uid is an attribute of type uid
that contains a uid
value.
Each secondary group entry should resemble this example:
dn: cn=dba,cn=groups,dc=us,dc=example,dc=com memberuid: cms memberuid: gtest1 memberuid: oidpam4 memberuid: oidpam5 memberuid: oidpam8 memberuid: orcladmin objectclass: posixGroup objectclass: top objectclass: groupOfUniqueNames objectclass: orclGroup cn: cmsdba displayname: dba description: DBAgroup. gidnumber: 7002
This section describes some testing techniques and explains some messages you might find in log files when running Oracle Authentication Services for Operating Systems.
Administrators need to monitor Oracle Internet Directory.
You can enable Oracle Internet Directory debugging, which will cause the Oracle Internet Directory LDAP server to write debug messages to the file ORACLE_INSTANCE
/diagnostics/logs/OID/
componentName/oidldapd01s
PID
-XXXX
.log where:
01 is the instance number, which is 01 by default
s stands for server
PID is the server process identifier
XXXX
is a number from 0000 to orclmaxlogfilesconfigured
To enable debugging, set the debug flag to 1 by using the following command line:
ldapmodify -p port -h host -D cn=orcladmin -q -v -f debug.ldif
where debug.ldif
looks like this:
dn:cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype:modify
replace: orcldebugflag
orcldebugflag:1
You can set a debug level that causes Oracle Internet Directory to generate log messages for all operations.
Set the function trace debug level on Oracle Internet Directory by using the following command line:
ldapmodify -p port -h host -D cn=orcladmin -q -v -f debug.ldif
where debug.ldif
looks like this:
dn:cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugflag
orcldebugflag: 117440511
-
replace: orcldebugforceflush
orcldebugforceflush: 1
StartTLS, which enables you to negotiate an SSL connection on a previously clear connection, is transparent to the user. Administrators need a way to verify that StartTLS is working.
Note:
StartTLS is not used on HP-UX and Solaris Oracle Internet Directory servers. On these platforms, SSL is configured on a different port from non-SSL connections.To verify that StartTLS is working, set a debug level that causes Oracle Internet Directory to generate a log message when an SSL negotiation begins. Because the clients are all pointing to the non-SSL port, generation of this message implies that startTLS is working.
Perform the following steps:
Set the function trace debug level on Oracle Internet Directory by using the following command line:
ldapmodify -p port -h host -D cn=orcladmin -q -f debug.ldif -v
where debug.ldif
looks like this:
dn: changetype: modify replace: orcldebugflag orcldebugflag: 25165824 - replace: orcldebugforceflush orcldebugforceflush: 1
Perform an authentication operation that invokes the Oracle Internet Directory server. For example, use ssh
to connect to a client that is configured to authenticate against Oracle Internet Directory.
Examine the log files in $ORACLE_HOME/ldap/log
. Look for messages containing the string gslsflnNegotiateSSL
.
Log files contain messages about password syntax, and Oracle Internet Directory is not being used for password policy enforcement.
If you are not using Oracle Internet Directory for password policy enforcement, you must disable password policies in Oracle Internet Directory by setting orclpwdpolicyenable
to 0. To avoid messages about password syntax, you must also disable the password syntax check by setting pwdCheckSyntax
to 0.
You can test the connection from a Red Hat Enterprise Linux or Oracle Enterprise Linux client to the Oracle Internet Directory server by using the OpenLDAP command ldapsearch
, as follows:
ldapsearch -ZZ -d 1 -x -h your_oid_host -p 389 -b your_realm -D user_dn -W -s sub objectclass=*
If the invocation succeeds, your connection to the server is working.
Also check the time synchronization between machines by using the date
or time
command. The discrepancy should be less than two minutes.
Verify that the root CA certificate under $ORACLE_INSTANCE/OID/admin/wallet/root/cacert.txt
is the same as the Operating System client certificate /etc/oracle-certs/oid-test-cert.pem
Verify that the certificate is valid. Type:
openssl x509 -in oid-test-cert.pem -noout -text
Look at the Validity
section of the output. The valid times are specified as Not Before
and Not After
, for example:
Validity Not Before: Mar 25 11:52:37 2010 GMT Not After : Mar 24 11:52:37 2011 GMT
This section lists errors users might encounter when attempting to log in when Oracle Authentication Services for Operating Systems is used for authentication.
Users cannot log in after you run the client configuration script. Operating system log files might contain an error message similar to this:
April 10 14:32:21 myhost sshd: nss_ldap: failed to bind to LDAP server ldap://ldaphost: Inappropriate authentication
Users cannot log in unless Oracle Internet Directory allows anonymous binds. If anonymous binds have been disabled, enable them as follows:
Create an LDIF file that looks like this:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry changetype: modify replace: orclAnonymousBindsFlag orclAnonymousBindsFlag: 1
Execute the command:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFileName
Users cannot log in after you run the client configuration script.
On some operating systems, if nscd
or sshd
is running while you execute the config_OIDclient.sh
or sslConfig_OIDclient.sh
script, user authentication might not work after the configuration. Restart sshd
or nscd
to correct the problem.
You have configured Active Directory synchronization. After a password change, a user cannot log in using the new password.
You must change the password in the Active Directory user entry, not the Oracle Internet Directory entry.
Users cannot log in after you run the SSL version of the configuration script using a custom certificate.
Examine the subject DN in the server certificate. There should be only one CN and it should contain the hostname of the SSL server. The current implementation of OpenSSL fails to verify the hostname of the server certificate if there are multiple CNs in the subject DN.
Adding or migrating a user to Oracle Internet Directory does not create that user's home directory.
On Linux systems, you do not have to create a user's home directory on the client computer when you add that user to Oracle Internet Directory. The client configuration script that you ran on each client computer enabled the creation of each user's home directory on first login. On operating systems other than Linux, however, you must manually create user home directories.
When attempting to log in, the user sees a message such as:
No shell Connection closed by foreign host.
This problem occurs when a user entry in Oracle Internet Directory specifies a shell pathname that does not exist on the computer where the user is logging in. Supported shells and shell pathnames vary from one operating system to another. For example, one operating system might have sh
, csh
, bash
, and tcsh
under /bin
, and another might have sh
and csh
under /usr/bin
.
If the user must be able to log in on computers with different shell pathnames, you might have to create a symbolic link to the shell on one of the computers.
Oracle Internet Directory fails to enforce password policies, or password policy enforcement is not as expected.
If you use Oracle Internet Directory to enforce password policies, you cannot use tools in the libuser
package to add passwords or entries containing passwords. The reason is that the libuser
tools generate a hashed password before sending it to Oracle Internet Directory, so Oracle Internet Directory cannot determine whether the password meets policy criteria or not. Use the LDAP tools or Oracle Directory Manager instead.
If you are using Oracle Internet Directory for password policy enforcement, you must set shadowmax
to 99999
and shadowexpire
to -1
to disable password expiration by the operating system.