This appendix explains typical problems that you could encounter while running or installing Oracle Internet Directory. It contains these sections:
Note:
All references to Oracle Single Sign-On and Oracle Delegated Administration Services in this appendix refer to Oracle Single Sign-On 10g (10.1.4.3.0) or later and Oracle Delegated Administration Services 10g (10.1.4.3.0) or later.
This section describes common Oracle Internet Directory error messages, problems and solutions. It contains the following topics:
Section S.1.4, "Getting a Core Dump and Stack Trace When Oracle Internet Directory Crashes"
Section S.1.9, "Troubleshooting Creating Oracle Internet Directory Component with opmnctl"
Section S.1.10, "Troubleshooting Starting Oracle Internet Directory"
Section S.1.11, "Troubleshooting Starting, Stopping, and Restarting of the Directory Server"
Section S.1.12, "Troubleshooting Oracle Internet Directory Replication"
Section S.1.13, "Troubleshooting Change Log Garbage Collection"
Section S.1.14, "Troubleshooting Dynamic Password Verifiers"
Section S.1.15, "Troubleshooting Oracle Internet Directory Password Wallets"
Section S.1.17, "Troubleshooting bulkdelete, bulkmodify, and ldifwrite"
Section S.1.22, "Troubleshooting Fusion Middleware Control and WLST"
Section S.1.23, "Troubleshooting Oracle Directory Services Manager"
Section S.1.24, "Performance Tuning When Oracle Internet Directory is the Policy Store"
During installation and configuration of the Oracle Database, Oracle recommends that you select the character set AL32UTF8 to avoid possible problems with multibyte characters.
Because Oracle Internet Directory relies on Oracle Database, database errors can cause directory server problems. This section lists some database errors you might see in the Oracle Internet Directory logs.
Oracle Internet Directory shuts down. You see error ORA-3113 or ORA-3114 in the log file.
Oracle Internet Directory has lost its connection to Oracle Database.
Check database and listener status, either directly on the host where they are running, or through. Restart them if necessary. OIDMON automatically detects that the database is up and restarts OIDLDAPD servers.
You get error sgslunrRead or 30SendPort. These errors indicate that an LDAP client has disconnected abruptly.
Possible reasons include:
The client program terminated the connection without performing an unbind or abandon.
The client machine shut down.
A network component, such as a load balancer or firewall, broke the connection due to a configured timeout setting.
The network is down.
These errors are due to conditions external to the server. If necessary, inform the network administrator.
This section contains a list of Oracle directory server error messages that you might encounter. Each message is followed by its most probable causes. Also see Oracle Fusion Middleware Error Messages Reference.
You see the following error message on the command line when attempting an anonymous bind to the server:
ldap_bind: Inappropriate authentication ldap_bind: additional info: Server is Configured to Deny Anonymous Binds
Anonymous binds are disabled. In most environments, some clients require anonymous access.
Enable anonymous binds.
See Also:
Section 33.7, "Managing Anonymous Binds" for more information.
You get the following error in oidldap*.log:
ORA-01483: invalid length for DATE or NUMBER bind variable.
You may also see the following error on your screen:
LDAP: error code 19 - Constraint Violation
These errors might only occur intermittently.
If you loaded the OracleAS Metadata Repository into an Oracle 10g Database that uses the AL32UTF8 character set, you may encounter some errors when you try to edit a user or group, or create Identity Management realms in Oracle Internet Directory. Editing a user includes editing attributes for an existing user.
As a workaround, you can wait a bit and try editing the user again.
Table S-1 lists standard error messages and their causes. Oracle Internet Directory also returns other messages listed and described in Section S.1.3.4, "Additional Directory Server Error Messages."
Table S-1 Standard Error Messages
Error | Cause |
---|---|
00: LDAP_SUCCESS | The operation was successful. |
01: LDAP_OPERATIONS_ERROR | General errors encountered by the server when processing the request. |
02: LDAP_PROTOCOL_ERROR | The client request did not meet the LDAP protocol requirements, such as format or syntax. This can occur in the following situations: the server encounters a decoding error while parsing the incoming request; the request is an add or modify request that specifies the addition of an attribute type to an entry but no values are specified; error reading SSL credentials; an unknown type of modify operation is specified (other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE); unknown search scope. |
03: LDAP_TIMELIMIT_EXCEEDED | Search took longer than the time limit specified. If you have not specified a time limit for the search, Oracle Internet Directory uses a default time limit of one hour. |
04: LDAP_SIZELIMIT_EXCEEDED | More entries match the search query than the size limit specified. If you have not specified a size limit for the search, Oracle Internet Directory uses a default size limit of 1000. |
05: LDAP_COMPARE_FALSE | Presented value is not the same as the one in the entry. |
06: LDAP_COMPARE_TRUE | Presented value is the same as the one in the entry. |
07: LDAP_STRONG_AUTH_NOT_SUPPORTED | The requested bind method is not supported by the server. For example, SASL clients requesting Kerberos authentication from Oracle Internet Directory receive this error in response. |
09: LDAP_PARTIAL_RESULTS | Server returned a referral. |
10: LDAP_REFERRAL | Server returned a referral. |
12: LDAP_UNAVAILABLE_CRITICALEXTENSION | Specified request is not supported. |
16: LDAP_NO_SUCH_ATTRIBUTE | Attribute does not exist in the entry specified in the request. |
17: LDAP_UNDEFINED_TYPE | Specified attribute type is undefined in the schema. |
19: LDAP_CONSTRAINT_VIOLATION | The value in the request violated certain constraints. |
20: LDAP_TYPE_OR_VALUE_EXISTS | Duplicate values specified for the attribute. |
21: LDAP_INVALID_SYNTAX | Specified attribute syntax is invalid. In a search, the filter syntax is invalid. |
32: LDAP_NO_SUCH_OBJECT | The base specified for the operation does not exist. |
34: LDAP_INVALID_DN_SYNTAX | Error in the DN syntax. |
49: LDAP_INVALID_CREDENTIALS | Bind failed because the credentials are not correct. |
50: LDAP_INSUFFICIENT_ACCESS | The client does not have access to perform this operation. |
53: LDAP_UNWILLING_TO_PERFORM | General error, or server is in read-only mode. |
65: LDAP_OBJECT_CLASS_VIOLATION | A change to the entry violates the object class definition. |
66: LDAP_NOT_ALLOWED_ON_NONLEAF | The entry to be deleted has children. |
67: LDAP_NOT_ALLOWED_ON_RDN | Cannot perform the operation on RDN attributes—for example, you cannot delete the RDN attribute of the entry. |
68: LDAP_ALREADY_EXISTS | Duplicate ADD condition. |
81: LDAP_SERVER_DOWN | Cannot contact the directory server. This message is returned from the SDK. |
82: LDAP_LOCAL_ERROR | The client encountered an internal error. This message is returned from the client SDK. |
83: LDAP_ENCODING_ERROR | The client encountered an error in encoding the request. This message is returned from the SDK. |
84: LDAP_DECODING_ERROR | The client encountered an error in decoding the request. This message is returned from the SDK. |
85: LDAP_TIMEOUT | Client encountered the time out specified for the operation. This message is returned from the SDK. |
86: LDAP_AUTH_UNKNOWN | Authentication method is unknown to the client SDK. |
87: LDAP_FILTER_ERROR | Bad search filter. |
88: LDAP_USER_CANCELLED | User cancelled operation. |
89: LDAP_PARAM_ERROR | Bad parameter to an LDAP routine. |
90: LDAP_NO_MEMORY | Out of memory. |
Table S-2 lists additional directory server error messages and their causes. These messages do not display error codes.
The Oracle Internet Directory application replaces the parameter tag seen in some of the following messages with the appropriate run-time value.
Table S-2 Additional Error Messages
Error | Cause |
---|---|
%s attribute not found | The particular attribute type is not defined in the schema. |
parameter not found for attribute parameter | Value not found in the attribute. (ldapmodify) |
Admin domain does not contain schema information for objectclass parameter | The object class specified in the request is not present in the schema. |
Attempted to add a Class with oid parameter taken by other class | Duplicate object identifier specified. (schema modification) |
Attribute parameter already in use | Duplicate attribute name. (schema modification) |
Attribute parameter has syntax error. | Syntax error in the attribute name definition. (schema modification) |
Attribute parameter is not supported in the schema. | Attribute not defined. (all operations) |
Attribute parameter is single valued. | Attribute is single-valued. (ldapadd and ldapmodify) |
Attribute parameter not present in the entry. | This attribute does not exist in the entry. (ldapmodify) |
Bad attribute definition. | Syntax error in attribute definition. (schema modification) |
Currently Not Supported | The version of LDAP request is not supported by this server. |
Entry to be deleted not found. | DN specified in the delete operation not found. |
Entry to be modified not found | The entry specified in the request is not found. |
Error encountered while adding parameter to the entry | Returned when modify add operation is invoked. A possible cause is that the system resource is unavailable. |
Error encountered while encrypting an attribute value. | Error in encrypting user password. (all operations) |
Error in DN Normalization. | DN specified is invalid. Syntax error encountered in parsing the DN. (all operations) |
Error in hashing parameter attribute. | Error in creating hash entry for the attribute. (schema modification) |
Error in hashing parameter objectclass. | Error in creating hash entry for the objectclass. (schema modification) |
Error in Schema hash creation. | Error while creating hash table for schema. (schema modification) |
Error replacing parameter. | Error in replacing this attribute. (ldapmodify) |
Error while normalizing value for attribute parameter. | Error in normalizing value for the attribute. (all operations) |
Failed to find parameter in mandatory or optional attribute list. | Attribute specified does not exist in either the mandatory or optional attribute list as required by the object class(es). |
Function Not Implemented | The feature/request is currently not supported. (Specifying a non-indexed attribute in a search can generate this error.) |
INVALID ACI is parameter | The particular ACI you specified in a request is invalid. |
Mandatory attribute parameter is not defined in Admin Domain parameter. | MUST refers to attribute not defined. (schema modification) |
Mandatory Attribute missing. | The mandatory attribute for the particular entry is missing, as required by the particular object class. |
Matching rule, parameter, not defined. | Matching rule not defined in the server. (schema modification) |
MaxConn Reached | The maximum number of concurrent connections to the LDAP server has been reached. |
Modifying the Naming attribute for the entry without modifying the DN. | Cannot modify the naming attributes using ldapmodify. A naming attribute, such as |
New Parent not found. | New parent specified in modifydn operation does not exist. (ldapmodifydn) |
Object already exists. | Duplicate entry. (ldapadd and ldapmodifydn) |
Object ID parameter already in use. | Duplicate object identifier specified. (schema modification) |
Objectclass parameter already in use. | Duplicate Objectclass name. (schema modification) |
Objectclass attribute missing. | The objectclass attribute is missing for this particular entry. |
OID parameter has syntax error. | Syntax error in the object identifier definition. (schema modification) |
One of the attributes in the entry has duplicate value. | You entered two values for the same attribute in the entry you are creating. |
Operation not allowed on the parameter. | Operation not allowed on this entry. (modify, add, and delete) |
Operation not allowed on the DSE Entry. | Can't do this operation on DSE entry. (delete) |
Optional attribute parameter is not defined in Admin Domain parameter. | MAY refers to attribute not defined. (schema modification) |
Parent entry not found in the directory. | Parent entry does not exist. (ldapadd and perhaps ldapmodifydn) |
Super object parameter is not defined in Admin Domain parameter. | SUP types refer to non-existing class. (schema modification) |
Super type undefined. | SUP type does not exist. (schema modification) |
Superuser addition not permitted. | Cannot create superuser entry. (ldapadd) |
Syntax, parameter, not defined. | Syntax not defined in the server. (schema modification) |
The attribute or the value specified in the RDN does not exist in the entry. | AVA specified as the RDN does not exist in the entry. (ldapadd) |
Unknown search scope | The search scope specified in the LDAP request is not recognized. |
Version Not Supported | The version of the LDAP request is not supported by this server. |
Alias Problem | Either of the following have occurred: |
Alias Dereferencing Problem | The user cannot dereference an alias because of access control issues. |
No Such Object | The server cannot find the base DN specified in the search request. |
Invalid DN Syntax | When adding or modifying an alias entry, if the value specified for |
Insufficient Access Rights | The user does not have access to the dereferenced entry. |
You can control the type of information Oracle Internet Directory provides when it crashes by changing the value of the orclsdumpflag attribute in the instance-specific configuration entry.
If the server crashes, it leaves a core file under the directory ORACLE_INSTANCE/diagnostics/logs/OID.
If orclsdumpflag is set to 0, and the server crashes, in addition to the core dump, the server also attempts to leave a stack trace. The location for the stack trace is:
ORACLE_INSTANCE/diagnostics/logs/OID/compName/oidldapd_stack00_pid.dmp
Some operating system-specific settings can affect the generation of a core dump or stack trace. Consult your operating system documentation to determine whether the following settings are required:
The coredump parameter must be set to allow core dumps.
The file size limit, as specified with the ulimit command, must be sufficient to allow core dumps.
The file permissions on the ORACLE_HOME/bin/oidldapd binary file must allow read by group. You can ensure that group has read permission by typing the following as the root user:
chmod g+r $ORACLE_HOME/bin/oidldapd
TCP/IP bugs in the operating system can interfere with Oracle Internet Directory service.
If you use the F5 load balancer for monitoring Oracle Internet Directory server availability, configure the load balancer to use LDAP- or HTTP-based monitoring, as described in the Oracle Fusion Middleware High Availability Guide section "Configuring A Load Balancer For OracleAS Cluster (Identity Management)." Using TCP-based monitoring might cause the service to become unavailable, due to an operating system bug on Microsoft Windows 2003 Server.
This section describes error messages and problems related to password policies.
The password policy is not being enforced for a given user or set of users. For example, users can reset their password using a syntax that is disallowed by the defined password policy.
Just creating a password policy is not sufficient. You must also specify the subtree to be governed by the policy.
Add and populate a pwdPolicysubentry attribute with the policy's DN, at the root of that subtree.
See Also:
Section 29.1.2, "Steps Required to Create and Apply a Password Policy" for more information.
Table S-3 contains the error messages sent to the client as a result of password policy violations. The error codes are not standard LDAP error codes. They are messages sent as a part of additional information in the LDAP result.
Table S-3 Password Policy Violation Error Messages
Error Number | Exception | Comment or Resolution |
---|---|---|
9000 | | User's password has expired. |
9001 | | User account is locked. |
9002 | | User password will expire in |
9003 | | User password is not the required number of characters long. |
9004 | | User password does not contain required numeric characters. |
9005 | | User password is a null password, which is disallowed. |
9006 | | User's new password is the same as an old one saved in history, which is disallowed. (The |
9007 | | The user password supplied is an illegal value defined in |
9008 | | User password has expired. User has |
9012 | | Your Password must contain at least |
9013 | | Your Password must contain at least |
9014 | | Your Password must contain at least |
9015 | | Your Password can only contain |
9016 | | Your Password must contain at least |
9017 | | The |
9018 | | The |
9019 | | The DN of a |
9020 | | Your Password has to be at least |
9032 | | |
9033 | | The |
9034 | | Only password policies defined in the Root Oracle Context are applicable in the Root DSE. (This ensures that only a policy specified by an admin who has directory-wide privileges can be applied to the entire directory.) |
9050 | | User account has been disabled. |
This section gives some quick pointers for common performance-related problems.
LDAP search performance is poor.
Various problems.
Make sure that:
Schema associated with the ODS user is ANALYZED
For searches involving multiple filter operands, make sure that the order in which they are given goes from the most specific to the least specific. For example, &(uid=john.doe)(objectclass=person) is better than &(objectclass=person)(uid=john.doe).
Also see Section S.1.7.3, "Poor Oracle Database Server Performance."
LDAP add or modify performance is poor.
Various problems
Make sure that:
There are enough redo log files in the database
The undo tablespace in the database is large enough
The schema associated with the ODS user is ANALYZED
When estimating the statistics, you can use the OID Database Statistics Collection tool to analyze the various database ODS schema objects.
Both the tracing functionality described in Chapter 24, "Managing Logging" and the database tracing event 10046 can assist you in diagnosing performance issues.
See Also:
The oidstats.sql command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for instructions on using the OID Database Statistics Collection tool
The Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide for instructions on optimizing searches
Note 243006.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com, for information on performance issues with group entries
Oracle database server is consuming a lot of processor resources during LDAP search operations.
Proceed as follows:
Identify the LDAP operations that are processor-intensive by running:
oidctl connect=connstr status -diag
This command displays the LDAP operation and associated SQL that is being executed.
Tune the database appropriately for this kind of query. See the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
If possible, change the application's search signature. If that is not possible, tune the Oracle Internet Directory attribute orclinmemfiltprocess. See the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
You can find out which ports the Oracle Internet Directory dispatcher is using for SSL and non-SSL connections in the following ways:
In Oracle Enterprise Manager Fusion Middleware Control, select Port Usage from the OID menu.
From the command line, execute:
ORACLE_INSTANCE/bin/opmnctl status -l
From the command line, execute:
oidctl connect=oiddb status
The command opmnctl createcomponent fails and the following error appears in the file ORACLE_INSTANCE/diagnostics/logs/OPMN/opmn/provision.log:
INFO: $ORACLE_INSTANCE/config/tnsnames_copy.ora file does not exist
Ensure that the following are true:
The file ORACLE_INSTANCE/config/tnsnames_copy.ora exists
The OIDDB connectString is present in ORACLE_INSTANCE/config/tnsnames.ora
The connectString in the OID snippet in ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml is the same as in ORACLE_INSTANCE/config/tnsnames.ora. OIDDB is the default.
Then retry opmnctl createcomponent.
This section describes problems you might encounter when starting Oracle Internet Directory.
Oracle Enterprise Manager Fusion Middleware Control shows Oracle Internet Directory down. The command:
opmnctl status
shows that oidmon is down, as well as all the oidldapd processes.
Consult the OPMN log, ORACLE_HOME/opmn/logs/opmn.log, to determine why oidmon is not starting.
Oracle Enterprise Manager Fusion Middleware Control shows Oracle Internet Directory down. The command:
opmnctl status
shows that oidmon is up, but the oidldapd processes are down.
Check the following logs in the order shown:
The oidmon log, ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidmon-0000.log, contains details as to why oidmon cannot start the oidldapd process. The most common issues are:
Unable to connect to Oracle Database: Ensure that the Oracle database and listener are up and running.
Time difference between the two nodes is more than 250 seconds: Adjust the system time.
Oidmon keeps trying to start oidldapd processes, but they fail to run. To debug, see Step 2.
The Oracle Internet Directory dispatcher log, ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidldapd01-0000.log, contains information about why oidldapd server processes fail to start. The most common reasons are:
Configured PORT for Oracle Internet Directory is not free: Execute
netstat -an | grep oidPort
to see if the port is free.
Oracle Internet Directory is configured to listen on a port number less than 1024 on a UNIX or Linux system and the executable binary file ORACLE_HOME/bin/oidldapd is either not owned by root or does not have the setuid bit set.
The oidldapd dispatcher keeps spawning oidldapd server processes, but they fail to run. In this case, you might see a single oidldapd dispatcher process running if you use ps on UNIX or Linux or Task Manager on Windows. To debug, see Step 3.
The Oracle Internet Directory server log, ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidldapd01sPID-0000.log, contains information about why the server processes fail to run. Common issues include:
Unable to create Oracle Database connection pool: Check the Oracle Database PROCESSES parameter and increase it if necessary.
Oracle Internet Directory is configured to use an SSL wallet file, and that file is inaccessible.
The Oracle Internet Directory server starts in read-only mode.
This usually indicates that the Oracle Internet Directory server has been started against the wrong schema. To verify, type these two commands:
oidldapd -v
ldapsearch -p oidPort -D cn=orcladmin -q -b "" -s base "objectclass=*" Orcldirectoryversion
If these commands show different versions, the server starts in read-only mode.
To troubleshoot starting and stopping the directory server, you must know the purpose of each tool involved, how all the tools work together, and the overall process for starting and stopping the server.
See Also:
The Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
You start the directory server instance by typing:
opmnctl startproc process-type=OID
and stop it by typing:
opmnctl stopproc process-type=OID
OIDCTL When OIDCTL is executed, it connects to the database as user ODS. Depending on the options used in the command, it either inserts or updates rows into a table named ODS.ODS_PROCESS_STATUS. If the START option is used, then a row is inserted. If either the STOP or RESTART option is used, then a row is updated.
The ODS.ODS_PROCESS_STATUS table includes the following information:
instance: The unique number of the instance, any value between 0 and 1000
pid: Process identifier, which is updated by OIDMON when the process is started
state: The type of operation requested
The possible values for state are:
0=stop
1=start
2=running
3=restart
4=shutdown
5=failedover
Note:
When OPMN stops the directory server, the value for state is initially 4, that is, shutdown. However, when OPMN starts the directory server again, the state value becomes 2, that is, running.
OIDMON To start, stop, or restart a directory server instance, OIDMON must be running. At specified intervals, this daemon checks the value of the state column in the ODS.ODS_PROCESS_STATUS table.
If state=0, then it reads the pid and stops the process.
If state=1 or state=4, then it starts a new process and updates the pid column with a new process identifier.
If state=2, then it reads the pid and verifies that the process with that pid is running. If it is not running, then OIDMON starts a new process and updates the pid column with a new process identifier.
If state=3, then OIDMON reads the pid, stops the process, starts a new one, and updates the pid accordingly.
In short, OIDCTL inserts and updates state information in the rows in the ODS.ODS_PROCESS_STATUS table. OIDMON then reads that information and performs the specified task.
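The hand-off between OIDCTL and OIDMON described above, written out as a small simulation. This is an added example and not Oracle code: the row columns (instance, pid, state) and the state codes 0 to 5 are the ones listed in this section, while the FakeOS class, the oidctl and oidmon_poll functions and the decision to mark a row as state 2 (running) after a successful start or restart are this example's own assumptions, made so that the loop can be run and checked offline.

```python
"""Simulation of how OIDCTL and OIDMON cooperate through ODS.ODS_PROCESS_STATUS.

Added illustrative example, not Oracle code. Process creation and liveness are
simulated by the hypothetical FakeOS class; a real OIDMON runs this check on a
timer against the database table.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STOP, START, RUNNING, RESTART, SHUTDOWN, FAILEDOVER = 0, 1, 2, 3, 4, 5


@dataclass
class ProcessRow:
    """One row of ODS.ODS_PROCESS_STATUS, columns named as in the text."""
    instance: int          # unique instance number, 0..1000
    pid: Optional[int]     # filled in by OIDMON once a process is started
    state: int             # requested operation / observed state


class FakeOS:
    """Hypothetical stand-in for the operating system process table."""

    def __init__(self) -> None:
        self._next_pid = 12380
        self.alive = set()

    def spawn(self) -> int:
        self._next_pid += 1
        self.alive.add(self._next_pid)
        return self._next_pid

    def kill(self, pid: Optional[int]) -> None:
        self.alive.discard(pid)

    def is_running(self, pid: Optional[int]) -> bool:
        return pid in self.alive


def oidctl(rows: Dict[int, ProcessRow], instance: int, command: str) -> None:
    """OIDCTL only writes the request: START inserts a row, STOP/RESTART update one."""
    if command == "start":
        if instance in rows:
            raise ValueError(f"instance {instance} already has a row")
        rows[instance] = ProcessRow(instance=instance, pid=None, state=START)
    elif command == "stop":
        rows[instance].state = STOP
    elif command == "restart":
        rows[instance].state = RESTART
    else:
        raise ValueError(f"unknown OIDCTL command {command!r}")


def oidmon_poll(rows: Dict[int, ProcessRow], os_: FakeOS) -> List[str]:
    """One OIDMON interval: act on every row according to its state column."""
    actions: List[str] = []
    for row in rows.values():
        if row.state == STOP:                       # read pid, stop the process
            os_.kill(row.pid)
            actions.append(f"instance {row.instance}: stopped pid {row.pid}")
            row.pid = None                          # assumption: nothing left to watch
        elif row.state in (START, SHUTDOWN):        # start a new process, record pid
            row.pid = os_.spawn()
            row.state = RUNNING                     # assumption: consistent with the Note above
            actions.append(f"instance {row.instance}: started pid {row.pid}")
        elif row.state == RUNNING:                  # verify liveness, respawn if gone
            if not os_.is_running(row.pid):
                old, row.pid = row.pid, os_.spawn()
                actions.append(f"instance {row.instance}: pid {old} gone, restarted as {row.pid}")
        elif row.state == RESTART:                  # stop, start, update pid
            old = row.pid
            os_.kill(old)
            row.pid = os_.spawn()
            row.state = RUNNING
            actions.append(f"instance {row.instance}: restarted pid {old} as {row.pid}")
        # FAILEDOVER rows belong to another node; nothing to do locally.
    return actions


def demo() -> Dict[str, object]:
    """Walk one instance through start, crash, restart and stop."""
    rows: Dict[int, ProcessRow] = {}
    os_ = FakeOS()
    oidctl(rows, 1, "start")
    oidmon_poll(rows, os_)
    first_pid = rows[1].pid
    os_.kill(first_pid)                  # simulate a server crash
    oidmon_poll(rows, os_)               # state=2: OIDMON notices and respawns
    respawned_pid = rows[1].pid
    oidctl(rows, 1, "restart")
    oidmon_poll(rows, os_)
    restarted_pid = rows[1].pid
    oidctl(rows, 1, "stop")
    oidmon_poll(rows, os_)
    return {"first_pid": first_pid, "respawned_pid": respawned_pid,
            "restarted_pid": restarted_pid, "alive_after_stop": len(os_.alive),
            "final_state": rows[1].state}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the pids assigned at each step; the point to notice is that a state=2 row is re-checked on every interval, so a crashed server is respawned by OIDMON without any OIDCTL command, whereas stop and restart only happen after OIDCTL has changed the row.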
About the Processes Involved in Starting, Stopping, and Restarting the Directory Server
Starting, stopping and restarting the directory server involves processes. OIDMON is one process. On UNIX, it is called oidmon. In a Microsoft Windows environment, it is called oidmon.exe.
To start an instance, OIDMON checks the unique number in the instance column mentioned in the previous section. It then starts another process, namely, the listener/dispatcher, which is different from the Oracle Net Services listener process. It stores the process identifier for that new process in the pid column.
The listener/dispatcher, in turn, starts a number of server processes as defined in the configuration set entry. Note that these server processes are controlled by the listener/dispatcher and not by OIDMON. If one of these processes fails, then it is automatically restarted by the listener/dispatcher.
Together, the listener/dispatcher and the server processes constitute a directory server instance. On UNIX, this directory server instance is called oidldapd. On Microsoft Windows, they are called oidldapd.exe.
In short, there are at least three processes: one for OIDMON and at least two for the directory server itself. When all processes are running, you should see something like the following on UNIX computers:
% ps -ef|grep oid
root 12387 12381 0 Mar 28 ? 0:05 oidldapd -i 1 -conf 0 key=811436710
root 12381     1 0 Mar 28 ? 0:10 oidmon start
root 13297     1 0 Mar 28 ? 0:14 oidldapd
Another way to obtain server information is by running:
oidctl connect=oiddb status.
This section describes some problems you might have when starting, stopping, or restarting the directory server.
Either OIDCTL or OIDMON can fail for the following reasons.
Incorrect syntax
Verify that you are using the correct syntax as described in "Oracle Internet Directory Administration Tools" in Oracle Fusion Middleware Reference for Oracle Identity Management. Note that the correct value of the connect option when using OIDCTL is the TNS alias—that is, the connect string—and not a host name or other value. See Note 155790.1, on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.
The Oracle Internet Directory-designated database is not running.
The Oracle Net Services configurations are incorrect.
Verify that the Oracle Internet Directory-designated database and the Oracle Net Services components are correctly configured and running. To do this, see if you can connect to the database by using SQL*Plus that is installed in the same ORACLE_HOME as OIDCTL. Log in as ODS/ods_password@tns_alias where tns_alias is the same as that used in the connect option with OIDCTL. See Note 155790.1, on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.
Missing oidldapd file.
See $ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidmon-XXXX.log. Look for the message: No such file or directory. To correct the problem, replace the executable file.
Wrong permissions on oidldapd executable file.
Look for the message Exec of OIDLDAPD failed with error 13. On UNIX, the $ORACLE_HOME/bin/oidldapd file must have the following permissions:
-rws--x--- 1 root dba 1691802 Jan 20 10:30 oidldapd
If the permissions are not correct, type the following, as root:
cd $ORACLE_HOME/bin
chown root:dba oidldapd
chmod 0710 oidldapd
chmod u+s oidldapd
You are running as a user with insufficient privilege.
To confirm that this is the problem, see ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidmon-XXXXX.log.
Look for the message: Permission denied or Open Wallet failed. This happens if you are not running either as root or as the user who is in the dba group. To correct the problem, try again as the correct user.
A port is in use.
See ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidldapd00sPID-XXXX.log.
Look for the message: Bind failed on...
This indicates that the port that oidldapd is configured to listen on is in use by some other process. To determine which process is using the port, type:
netstat -a | grep portNum
If necessary, reconfigure the other process to use a different port or configure oidldapd to listen on another port by adding a configset. Remember that, by default, oidldapd listens on two ports, an SSL and non-SSL port.
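A pre-start check that covers the file-level causes collected in this section and in the core dump and startup sections earlier in this appendix: ownership and mode of ORACLE_HOME/bin/oidldapd (root:dba, 0710 plus setuid, which the text requires for a port below 1024), group read permission (which the text requires for a stack trace after a crash), and whether the configured port is already bound (the condition behind "Bind failed on..."). This is an added example, not Oracle code; the function names are this example's own, and the expected owner and group are parameters so that the same check can be exercised on a constructed scratch file.

```python
"""Pre-start checks for the oidldapd binary and its listen port.

Added example, not Oracle code. Checks the conditions stated in this appendix
for ORACLE_HOME/bin/oidldapd and for the port oidldapd is configured to use.
"""
import grp
import os
import pwd
import socket
import stat
import tempfile
from typing import List, Tuple


def _owner_names(st: os.stat_result) -> Tuple[str, str]:
    """Resolve uid/gid to names, falling back to the numbers when unknown."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def check_oidldapd_binary(path: str, port: int = 389,
                          expected_owner: str = "root",
                          expected_group: str = "dba") -> List[str]:
    """Return a list of findings; an empty list means the binary looks right."""
    findings: List[str] = []
    st = os.stat(path)
    owner, group = _owner_names(st)
    mode = stat.S_IMODE(st.st_mode)
    if owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")
    if group != expected_group:
        findings.append(f"group is {group}, expected {expected_group}")
    if port < 1024 and not mode & stat.S_ISUID:
        findings.append(f"setuid bit not set but port {port} is below 1024")
    if not mode & stat.S_IRGRP:
        findings.append("group lacks read permission (needed for a stack trace on crash)")
    if mode & stat.S_IRWXO:
        findings.append(f"mode {mode:04o} grants access to others; expected 0710 plus setuid")
    return findings


def port_in_use(port: int, host: str = "127.0.0.1") -> bool:
    """True if binding the port fails, i.e. another process already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def demo_binary_check() -> List[str]:
    """Run the check on a constructed scratch file with mode 0711 and no setuid."""
    with tempfile.NamedTemporaryFile(prefix="oidldapd-", delete=False) as fh:
        path = fh.name
    try:
        os.chmod(path, 0o711)        # deliberately wrong: o+x, no g+r, no setuid
        owner, group = _owner_names(os.stat(path))
        return check_oidldapd_binary(path, port=389,
                                     expected_owner=owner, expected_group=group)
    finally:
        os.unlink(path)


def demo_port_check() -> Tuple[bool, bool]:
    """Hold a listening socket, test the port, release it, test again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # kernel picks a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_held = port_in_use(port)
    listener.close()
    after_release = port_in_use(port)
    return while_held, after_release


if __name__ == "__main__":
    for f in demo_binary_check():
        print("finding:", f)
    print("port busy while held / after release:", demo_port_check())
```

On a real host you would call check_oidldapd_binary on $ORACLE_HOME/bin/oidldapd with the default root:dba expectation and port_in_use on both the SSL and the non-SSL port, since the text notes that oidldapd listens on two ports by default. The port test deliberately binds without SO_REUSEADDR so that a port held by a listening process is reported as busy.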
On a cluster or Oracle Application Server Cluster (Identity Management) configuration, OIDMON pushes the server to another node in a cluster when it cannot start the server on the local node.
See oidmon.log. Look for the message: gslsgfrPushServer: Could not start server on NodeA, trying to start on node NodeB. To correct this problem, you must first determine why OIDMON cannot start the server on the local node.
A possible problem with Oracle Net Services or with the database itself.
See oidmon.log and oidldapdxx.log, where xx is the server instance number.
A Row is Missing from ODS.ODS_PROCESS_STATUS
In a cluster or Oracle Application Server Cluster (Identity Management) configuration, OIDMON successfully starts oidldapd on both nodes, but then initiates failover due to a time stamp difference.
See the trace files oidldapdxx.log, where xx is the instance number, and oidldapdxxsyy.log, where xx is the instance number and yy is the process identifier. If the trace files do not give useful information or pointers to My Oracle Support (formerly MetaLink) documents, then do the following: (1) Stop the directory server processes; (2) Remove or rename old trace files; (3) Start OIDMON and a directory server with maximum debug level, namely, 11744051. Note that, to get the trace files, you must first stop, then start, the server; you cannot simply restart it. Investigate the new trace files, and, if needed, log an iTAR with Oracle Support Services and upload the trace files to the iTAR. See Note 155790.1, on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.
See Also:
The oidctl command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for more information on failover.
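The startup problems in this section and in the preceding "Troubleshooting Starting Oracle Internet Directory" section are each diagnosed by looking for a particular message in the oidmon, dispatcher or server log. The scanner below collects those message fragments and reports the probable cause and the check the text gives for each hit. This is an added example and not Oracle code: the message fragments and causes are the ones quoted in this appendix, but the timestamp and component prefix on the constructed sample lines are invented, which is why matching is done on substrings and not on a full line layout.

```python
"""Scan oidmon / oidldapd log lines for the messages this appendix says to look for.

Added example, not Oracle code. The marker strings and causes come from the
troubleshooting text; the sample log line format is constructed.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    marker: str
    probable_cause: str
    suggested_check: str


# (regex, probable cause, suggested check) as stated in this appendix.
KNOWN_MESSAGES = [
    (r"ORA-0?3113|ORA-0?3114",
     "Oracle Internet Directory lost its connection to Oracle Database",
     "Check database and listener status; restart them if necessary"),
    (r"Unable to connect to Oracle Database",
     "oidmon cannot reach the database",
     "Ensure the Oracle database and listener are up and running"),
    (r"Time difference between the two nodes",
     "Clock skew between cluster nodes exceeds 250 seconds",
     "Adjust the system time"),
    (r"Bind failed on",
     "The configured listen port is held by another process",
     "Run netstat -a | grep portNum and move one of the two to another port"),
    (r"Exec of OIDLDAPD failed with error 13",
     "Wrong permissions on the oidldapd executable",
     "Set root:dba ownership, mode 0710 and the setuid bit on $ORACLE_HOME/bin/oidldapd"),
    (r"No such file or directory",
     "The oidldapd executable is missing",
     "Replace the executable file"),
    (r"Permission denied|Open Wallet failed",
     "Started as a user that is neither root nor a member of the dba group",
     "Retry as the correct user"),
    (r"gslsgfrPushServer: Could not start server on",
     "OIDMON could not start the server locally and pushed it to another node",
     "Determine why the server does not start on the local node first"),
    (r"Unable to create Oracle Database connection pool",
     "Database connection pool could not be created",
     "Check the Oracle Database PROCESSES parameter and increase it if necessary"),
    (r"ORA-01483",
     "Intermittent DATE/NUMBER bind length error seen with AL32UTF8 databases",
     "Wait a bit and retry the edit"),
]
_COMPILED = [(re.compile(rx, re.IGNORECASE), cause, check)
             for rx, cause, check in KNOWN_MESSAGES]


def diagnose(lines: List[str]) -> List[Finding]:
    """Return one Finding per (line, known message) match, in file order."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        for rx, cause, check in _COMPILED:
            m = rx.search(line)
            if m:
                findings.append(Finding(no, m.group(0), cause, check))
    return findings


def summarize(lines: List[str]) -> List[str]:
    """One readable line per finding."""
    return [f"line {f.line_no}: {f.marker!r} -> {f.probable_cause}; {f.suggested_check}"
            for f in diagnose(lines)]


# Constructed sample lines; the timestamp/prefix layout is invented.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 oidmon: Unable to connect to Oracle Database",
    "2024-01-01T10:00:05 oidmon: Exec of OIDLDAPD failed with error 13",
    "2024-01-01T10:00:09 oidldapd: Bind failed on port 3060",
    "2024-01-01T10:00:12 oidldapd: server process started normally",
    "2024-01-01T10:00:20 oidmon: gslsgfrPushServer: Could not start server on nodeA, trying to start on node nodeB",
]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Feed it the oidmon-XXXX.log, oidldapdNN-XXXX.log and oidldapdNNsPID-XXXX.log files in the order the text recommends (oidmon first, then dispatcher, then server), since the earliest hit in that order is usually the root cause and the later logs only show its consequences.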
This section discusses directory replication problems.
Whenever you investigate a replication problem, be sure to consult the log files for information. The log files are ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidrepld-XXXX.log, oidldapd00-XXXX.log and ORACLE_INSTANCE/diagnostics/logs/OID/componentName/oidldapd00sPID-XXXX.log, where PID is the server process identifier and XXXX is a number from 0000 to the configured value of orclmaxlogfiles.
The replication server supports multiple debugging levels. To turn on replication debugging, use either ldapmodify or the Shared Properties, Replication tab, in Fusion Middleware Control to change orcldebuglevel in the replication configuration set.
Note:
Turning on debugging affects replication performance.
See Also: Chapter 42, "Managing Replication Configuration Attributes" for more information.
Disable referential integrity during the replication bootstrapping process. If referential integrity is enabled, bootstrapping fails.
There are several problems that can prevent the replication server from starting.
Invalid oidctl syntax
Use the following syntax to start the replication server:
oidctl server=oidrepld connect=connect_string instance=instance_number \
 flags="-h host -p port"
Oracle Internet Directory is not running at the host and port you specified on the command line when you attempted to start the replication server. This caused the anonymous bind to the target Oracle Internet Directory to fail.
Make sure the target Oracle Internet Directory is up and running at the specified host and port.
The replication server is attempting to bind to the host and port specified in either the orclreplicaprimaryurl or the orclreplicasecondaryurl attribute of the Replica entry, but Oracle Internet Directory is running at a different host or port.
If you decide to run Oracle Internet Directory at a different host or port, add the new information to the orclreplicasecondaryurl attribute of the replica entry, as follows:
Prepare a modification file, mod.ldif. For example, to change to host my.us.example.com and port 4444, you would specify:
dn: orclreplicaid=replica_ID, cn=replication configuration
changetype: modify
add: orclreplicasecondaryurl
orclreplicasecondaryurl: ldap://my.us.example.com:4444/
Run:
ldapmodify -h host -p port -f mod.ldif
The ReplBind credential in the replication wallet ORACLE_INSTANCE/OID/admin/oidpwdrORACLE_SID is corrupt or invalid. That is, the password stored in the wallet is not the same as the password that is stored in the directory, or the wallet does not exist. This causes the replication bind to fail and the replication server to exit with an error.
You might see messages similar to this example in the file oidrepldXX.log:
2005/07/21:11:13:28 * gslrcfdReadReplDnPswd:Error reading repl passwd
2005/07/21:11:13:28 * gslrcfcReadReplConfig:Error found.
2005/07/21:11:13:28 * Failed to read replication configuration information.
Use remtool to fix the replication bind credential in the replication wallet or to synchronize between Oracle Internet Directory and the replication wallet.
remtool -pchgpwd changes the password of the replication DN of a replica. Use this option if you know the current replication DN password stored in the directory and you want to change it both in the directory and in the wallet.
remtool -presetpwd resets the password of the replication DN of a replica. Use this option if you do not know the current replication DN password stored in the directory and you want to reset it both in the directory and in the wallet.
remtool -pchgwalpwd changes the password of the replication DN of a replica only in the wallet. Use this option if you know the replication DN password stored in the directory but you are not sure whether the wallet has the correct password, or you want to create the wallet file.
All of these options create a wallet if one does not already exist.
See Also:
The remtool command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for more information about using remtool
The oidpasswd command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for more information about using oidpasswd
The replication server is attempting to bind to an SSL port that is configured for one-way or two-way authentication.
Configure the replication server to use either the non-SSL port or an SSL port configured for no authentication. You can use a separate Oracle Internet Directory server instance just for replication.
When you use the Oracle Application Server tool RepCA to load Oracle Internet Directory schema into an existing Oracle 10.1.0.3 Database, you might see the following error message in the ORACLE_INSTANCE/diagnostics/logs/OID/tools/repca*log file:
SP2-0332: Cannot create spool file.
This error message can be ignored.
Errors can occur in replication bootstrap.
Some of the naming contexts failed to be bootstrapped.
Identify the naming contexts that failed to be bootstrapped, and use the oidcmprec tool to reconcile them. Then resume replication by setting the consumer's replica state to ONLINE mode.
Various causes.
Identify the cause of the bootstrap failure and fix the cause, then restart bootstrapping by setting the consumer's replica state to BOOTSTRAP mode.
To determine the exact cause of the error, examine the log file oidldapdxx.log. Look for error messages like those in the following example:
2004/09/14:12:57:23 * Starting OIDREPLD against dlsun1418:4444...
2004/09/14:12:57:25 * Starting scheduler...
2004/09/14:12:57:26 * Start to BootStrap from supplier=dlsun1418_replica to consumer=dlsun1418_replica2
2004/09/14:12:57:27 * gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext ......
2004/09/14:12:58:21 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oraclecontext, 222 entries matched
2004/09/14:12:58:21 * gslrbssSyncDIT:Replicating namingcontext=cn=joe smith ......
2004/09/14:12:58:23 * BootStrap failure when adding DN=cn=Joe Smith, server=dlsun1418_replica2,err=Constraint violation.
2004/09/14:12:58:23 * gslrbssSyncDIT:Sync failed for namingctx: cn=joe smith, only 1 entries retrieved
2004/09/14:12:58:23 * gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ......
2004/09/14:12:58:25 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oracleschemaversion, 10 entries matched
2004/09/14:12:58:51 * gslrbsbBootStrap: Failure occurred when bootstrapping 1 out of 3 namingcontext(s) from the supplier
Identify the cause of the bootstrap failure and fix it. You can identify the naming contexts that caused the problem, then use oidcmprec to compare and reconcile the naming contexts. After you resolve the problem, start bootstrapping again by starting the Oracle Internet Directory replication server.
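Before oidcmprec can be pointed at the right naming contexts, the failed ones have to be picked out of a log in which successes and failures are interleaved, as in the excerpt above. The following Python script is an added example and is not part of Oracle's documentation or tooling: it reads oidrepld log text, collects the naming contexts whose sync failed, the individual add failures with their error, and the final summary line, and checks that the per-context lines agree with the summary. The log it parses is a constructed sample modelled on the excerpt above; the message formats matched are exactly those shown there, and the report class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Message formats as they appear in the oidrepld log excerpt in this section.
SYNC_FAILED_RE = re.compile(r"Sync failed for namingctx: (.+?), only (\d+) entries retrieved")
SYNC_OK_RE = re.compile(r"Sync done successfully for namingctx: (.+?), (\d+) entries matched")
ADD_FAILED_RE = re.compile(r"BootStrap failure when adding DN=(.+?), server=([^,]+),err=(.+?)\.?$")
SUMMARY_RE = re.compile(r"Failure occurred when bootstrapping (\d+) out of (\d+) namingcontext")

# Constructed sample log modelled on the excerpt above (hosts and DNs are illustrative).
SAMPLE_LOG = """\
2004/09/14:12:57:23 * Starting OIDREPLD against dlsun1418:4444...
2004/09/14:12:57:26 * Start to BootStrap from supplier=dlsun1418_replica to consumer=dlsun1418_replica2
2004/09/14:12:57:27 * gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext ......
2004/09/14:12:58:21 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oraclecontext, 222 entries matched
2004/09/14:12:58:21 * gslrbssSyncDIT:Replicating namingcontext=cn=joe smith ......
2004/09/14:12:58:23 * BootStrap failure when adding DN=cn=Joe Smith, server=dlsun1418_replica2,err=Constraint violation.
2004/09/14:12:58:23 * gslrbssSyncDIT:Sync failed for namingctx: cn=joe smith, only 1 entries retrieved
2004/09/14:12:58:25 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oracleschemaversion, 10 entries matched
2004/09/14:12:58:51 * gslrbsbBootStrap: Failure occurred when bootstrapping 1 out of 3 namingcontext(s) from the supplier
"""


@dataclass
class BootstrapReport:
    """What the replication server reported about one bootstrap attempt."""
    failed: Dict[str, int] = field(default_factory=dict)       # naming context -> entries retrieved
    succeeded: Dict[str, int] = field(default_factory=dict)    # naming context -> entries matched
    add_errors: List[Tuple[str, str, str]] = field(default_factory=list)  # (DN, server, error text)
    summary: Optional[Tuple[int, int]] = None                  # (failed contexts, total contexts)

    def consistent(self) -> bool:
        """True when the per-context lines agree with the final summary line."""
        if self.summary is None:
            return False
        n_failed, n_total = self.summary
        return len(self.failed) == n_failed and len(self.failed) + len(self.succeeded) == n_total

    def oidcmprec_targets(self) -> List[str]:
        """Naming contexts to compare and reconcile with oidcmprec before resuming."""
        return sorted(self.failed)


def analyze_bootstrap_log(text: str) -> BootstrapReport:
    """Scan oidrepld log text line by line and build a BootstrapReport."""
    report = BootstrapReport()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SYNC_FAILED_RE.search(line)):
            report.failed[m.group(1)] = int(m.group(2))
        elif (m := SYNC_OK_RE.search(line)):
            report.succeeded[m.group(1)] = int(m.group(2))
        elif (m := ADD_FAILED_RE.search(line)):
            report.add_errors.append((m.group(1), m.group(2), m.group(3)))
        elif (m := SUMMARY_RE.search(line)):
            report.summary = (int(m.group(1)), int(m.group(2)))
    return report


if __name__ == "__main__":
    report = analyze_bootstrap_log(SAMPLE_LOG)
    for ctx in report.oidcmprec_targets():
        print(f"failed naming context: {ctx} ({report.failed[ctx]} entries retrieved)")
    for dn, server, err in report.add_errors:
        print(f"  add of {dn} on {server} failed: {err}")
    print("summary consistent with per-context lines:", report.consistent())
```

Run it against the real oidrepldXX.log instead of SAMPLE_LOG; a report whose consistent() is False means the log was truncated or rotated mid-bootstrap and should be read with the preceding file.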
The Oracle Internet Directory server was shut down during the bootstrapping.
Make sure both the supplier Oracle Internet Directory and the consumer Oracle Internet Directory servers are up and running during replication bootstrapping.
Some of the entries being bootstrapped cannot be applied at the consumer due to a constraint violation.
Make sure the Oracle Internet Directory schema of the consumer are synchronized with those of the supplier before starting replication bootstrap. When you add an LDAP replica, remtool ensures that the Oracle Internet Directory schema on the consumer replica are synchronized with those on the supplier replica.
Improper replication filtering during bootstrapping. Replication supports excluding one or more attributes during bootstrapping. However, if a mandatory attribute of an entry is configured to be excluded, that entry cannot be applied at the consumer due to an objectclass violation.
Follow the replication naming context configuration rules in Chapter 40, "Setting Up Replication" to configure replication filtering properly.
If you are debugging LDAP replication, you should become familiar with the LDAP replica states. If LDAP-based replication is configured, when the replication server starts, it reads the replica state from the local replica. The replication server behaves differently, depending upon the local replica state. LDAP replication errors appear in oidldapdxx.log.
When you restart the replication server after the replication server failed to bootstrap a naming context having more than 5000 entries, you may see error messages similar to this in the log file oidrepld00.log:
2005/04/05:13:21:55 * gslrbssSyncDIT:Replicating namingcontext=dc=com ......
2005/04/05:15:36:09 * gslrbssSyncDIT:Subtree delete on dc=com failed. Error=DSA is unwilling to perform
2005/04/05:15:36:09 * gslrbssSyncDIT:Sync failed for namingctx: dc=com, only 0 entries retrieved
The replication server performs two steps during bootstrap operation. First, in the consumer, it deletes the naming contexts that it has to bootstrap. Second, it copies entries belonging to those naming contexts from supplier to consumer. Deletion by the replication server of a naming context having several thousands of entries results in a big transaction. The undo tablespace must have sufficient space to accommodate a big transaction. If the database's undo tablespace does not have sufficient space, it results in an ORA-30036 error.
Either have the database administrator add more space to the undo tablespace, or use the bulkdelete tool to delete the required naming context before you start the replication server.
Changes are not replicated from one node to another.
The replication server has run out of table space
Look for the following message in the server log:
OCI Error ORA-1653 : ORA-01653: unable to extend table ODS.ASR_CHG_LOG by 8192 in tablespace OLTS_DEFAULT
Extend the table space and investigate why the table space keeps growing.
The target Oracle Internet Directory server is down.
Restart the target Oracle Internet Directory server.
Various causes
Make sure the replication server is started on all nodes, in multi-master replication, and at the consumer node in single-master or fan-out replication.
For Oracle Database Advanced Replication-based multimaster replication, use remtool to diagnose and fix problems.
remtool -asrverify verifies the correctness of a DRG setup and reports problems.
remtool -asrrectify verifies the correctness of a DRG setup, reports problems, and attempts to rectify the problems.
Check the replication log and LDAP log for error messages and fix the cause of the error after investigation.
See Also:
The remtool command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for more information about using remtool.
Data is not replicated between the replicas. In some cases, a working replication setup stops working after OID Human Intervention Queue entries are applied to one of the nodes. In other cases, adding or deleting a new replica causes problems or failures.
Various causes
See the following Notes on My Oracle Support (formerly MetaLink), http://metalink.oracle.com
:
Note 171693.1, "Resolving Conflicts"
Note 122039.1, "Troubleshooting Basics for Advanced Replication"
Note 213910.1, "Debugging OID Replication when ASR_CHG_LOG Never Gets Populated."
You can search for Notes by entering a term such as "replication" into the search box.
Both replication and Oracle Directory Integration Platform use change logs to propagate information from a supplier directory to a consumer directory. All change logs are stored in the table ods_chg_log. In addition, replication change logs are stored in asr_chg_log.
This section discusses possible problems you might encounter with change log garbage collection.
Garbage collection is not working and Oracle Internet Directory is using Oracle Database 11.2.0.1.
Apply 11.2.0.1.3 PSU to the database.
Change logs are not being purged due to a replication issue. For example, if a replication server has been down for a few days, replication change logs are not purged because they are needed for replication recovery.
Resolve the replication issue. See "Troubleshooting Oracle Internet Directory Replication".
The attribute orclpurgetargetage is set too high and there are one or more enabled but inactive change log subscribers that do not update orclLastAppliedChangeNumber in their subscriber profiles. Change number-based purging won't purge change logs that are not yet consumed, and time-based purging won't purge them because they're not old enough.
Set the attribute orclpurgetargetage to a smaller value so that change logs are purged sooner.
Disable inactive changelog subscribers so that change logs are purged by change log number-based purging. Locate such enabled but inactive subscriber profiles by examining the orclLastAppliedChangeNumber in all subscriber profiles by typing:
ldapsearch -v -p port -h host -D cn=orcladmin -q \
 -b "cn=changelog subscriber,cn=oracle internet directory" \
 -s sub "objectclass=orclchangesubscriber" \
 orcllastappliedchangenumber orclsubscriberdisable
Look for an entry that has orclSubscriberDisabled equal to zero and an orclLastAppliedChangeNumber value that never changes. If such an entry exists, and the change log garbage collector's orclpurgetargetage is zero or greater, delete the value of orclpurgetargetage. When orclpurgetargetage is not defined or less than zero, the garbage collector purges changes applied by the replication server, even if another subscriber has not updated its orclLastAppliedChangeNumber.
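Spotting a subscriber whose orclLastAppliedChangeNumber "never changes" by eye is error-prone when there are many profiles. The Python script below is an added example, not part of Oracle's documentation or tools: it parses two LDIF snapshots of the ldapsearch output above taken some time apart (constructed sample data; the subscriber DNs and change numbers are invented), lists the enabled subscribers whose change number did not move between the two, and computes the lowest change number any enabled subscriber has applied, which is the value that keeps change-number-based purging from advancing. The function names are the example's own.

```python
from typing import Dict, List, Optional

Entry = Dict[str, str]

# Constructed LDIF snapshots of the ldapsearch output shown above, taken some
# time apart. DNs and change numbers are made up for the example.
SNAPSHOT_T0 = """\
dn: cn=oidrepld,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 184532
orclsubscriberdisable: 0

dn: cn=legacy-sync,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 120004
orclsubscriberdisable: 0

dn: cn=old-dip-profile,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 99871
orclsubscriberdisable: 1
"""

SNAPSHOT_T1 = """\
dn: cn=oidrepld,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 184900
orclsubscriberdisable: 0

dn: cn=legacy-sync,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 120004
orclsubscriberdisable: 0

dn: cn=old-dip-profile,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 99871
orclsubscriberdisable: 1
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: returns {dn: {attribute (lower-case): value}}.

    Handles comments, blank-line record separators and folded continuation
    lines, which is enough for ldapsearch output of single-valued attributes.
    """
    entries: Dict[str, Entry] = {}
    dn: Optional[str] = None
    current: Entry = {}
    last: Optional[str] = None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if dn is not None:
                entries[dn] = current
            dn, current, last = None, {}, None
            continue
        if raw.startswith(" ") and last is not None:   # folded line continues the previous value
            if last == "dn":
                dn = (dn or "") + raw[1:]
            else:
                current[last] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            current[name] = value
        last = name
    return entries


def is_enabled(entry: Entry) -> bool:
    """A subscriber profile is enabled when its disable flag is 0.

    The attribute is requested as orclsubscriberdisable in the ldapsearch above
    and written orclSubscriberDisabled in the prose, so both spellings are accepted.
    """
    flag = entry.get("orclsubscriberdisable", entry.get("orclsubscriberdisabled", "0"))
    return flag.strip() == "0"


def find_stalled_subscribers(before: Dict[str, Entry], after: Dict[str, Entry]) -> List[str]:
    """Enabled subscribers whose orclLastAppliedChangeNumber did not move between snapshots."""
    stalled = []
    for dn, entry in after.items():
        if dn not in before or not is_enabled(entry):
            continue
        if entry.get("orcllastappliedchangenumber") == before[dn].get("orcllastappliedchangenumber"):
            stalled.append(dn)
    return sorted(stalled)


def purge_floor(entries: Dict[str, Entry]) -> Optional[int]:
    """Lowest change number any enabled subscriber has applied.

    Change-number-based purging does not remove change logs that an enabled
    subscriber has not yet consumed, so one stalled but enabled profile pins
    this value and the change log backlog keeps growing.
    """
    applied = [int(e["orcllastappliedchangenumber"]) for e in entries.values()
               if is_enabled(e) and "orcllastappliedchangenumber" in e]
    return min(applied) if applied else None


if __name__ == "__main__":
    t0, t1 = parse_ldif(SNAPSHOT_T0), parse_ldif(SNAPSHOT_T1)
    stalled = find_stalled_subscribers(t0, t1)
    print("enabled but inactive subscribers:", stalled)
    print("purge floor now:", purge_floor(t1))
    # Disabling the stalled profiles would let the floor advance to the active subscriber's number.
    print("purge floor if they were disabled:",
          purge_floor({dn: e for dn, e in t1.items() if dn not in stalled}))
```

Feed it the saved output of two ldapsearch runs separated by an interval longer than the replication or DIP cycle; a subscriber reported as stalled is a candidate for disabling only after confirming with its owner that it is genuinely inactive.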
Table S-4 lists and describes the error messages for dynamic password verifiers.
Table S-4 Error Messages for Dynamic Password Verifiers
Error Code | Description
---|---
9022 | A reversible encrypted password is missing from the user entry.
9023 | The crypto type specified in the LDAP request control is not supported.
9024 | The username parameter is missing from the LDAP request control.
If the directory is able to compare verifiers, and the comparison evaluates as false, the directory sends the standard error LDAP_COMPARE_FALSE to the client. Similarly, if the user being authenticated lacks a directory entry, the directory sends the standard error LDAP_NO_SUCH_OBJECT.
See Also:
"Password Verifier Schema Elements" in Oracle Fusion Middleware Reference for Oracle Identity Management
The Oracle Internet Directory Server has two password wallets: oidpwdlldap1 and oidpwdrSID.
The oidpwdlldap1 file contains the DN and password of an ODS user in encrypted format. The Oracle Internet Directory server uses the credential to connect to the back end database at startup time.
Either oidctl or opmn fails to start an Oracle Internet Directory server instance.
The password stored in the oidpwdlldap1 wallet is not synchronized with the ODS password in the back end database.
Try to connect to the database again using the sqlplus command:
sqlplus ods/ods_password@connect_string
If the connection succeeds, try to synchronize the password in the wallet with the ODS password by using the oidpasswd tool to create a new wallet with the correct password. For example, ensure that ORACLE_INSTANCE is set, then type:
>> oidpasswd connect=connect_string create_wallet=true
If the connection attempt fails, you must log in to the back end database as a database administrator and change the ODS password by using the SQL command:
>> alter user ods identified by some_new_password
Then try to create a new oidpwdlldap1 to store the new password.
Try to start the Oracle Internet Directory server again.
The oidpwdrSID file contains the DN and password of a replica DN in an encrypted format. The Oracle Internet Directory replication server uses the credential to connect to the Oracle Internet Directory server at startup time.
This is an example of a replication password wallet, oidpwdrSID:
/------BEGIN REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_adeldap,cn=replication configuration-----
ezNkZXMtY2JjLXBrY3M1cGFkfQUnaz0TsfzcP0nM1HcHAXchf5mJw+sb4y0bLvvw3RvSg7HS7/WsKJB02fdSGRlmfWAV+6llkRQ26g==
-----END REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_adeldap,cn=replication configuration-----/
Either oidctl or opmn fails to start an Oracle Internet Directory server instance and the replication server log file oidrepld00.log reports that it is not able to bind.
The replica DN password stored in the oidpwdrSID is not synchronized with the replica DN password in the Oracle Internet Directory server.
Try to connect to the Oracle Internet Directory server instance using the ldapbind command. Specify the replica DN stored in oidpwdrSID and the replica DN password. For example:
>> ldapbind -h host -p port -D "cn=replication dn,orclreplicaid=qdinh-sun_adeldap, cn=replication configuration" -q
If the connection succeeds, then you can reset the password in the oidpwdrSID wallet using remtool with the option -pchgwalpwd, which changes the password of the replication DN of a replica only in the wallet. If you do not remember the replication DN password, then you can reset it using remtool with the option -presetpwd, which resets the password of the replication DN of a replica.
After resetting the replication password wallet, restart the replication server instance by using opmnctl.
Oracle highly recommends that you investigate and correct all errors thrown by bulkload before proceeding with the next step. If you ignore a bulkload error, you are likely to run into serious problems later.
To get more information about the reason for the error, run the command with debug enabled (debug=t). Debug information is available in ORACLE_INSTANCE/diagnostics/logs/OID/tools/bulkload.log and in the database table ods.ds_ldap_log.
Most bulkload errors occur during data load or during index creation.
The bulkload command-line tool fails during data load.
Restore the directory to the state it was in before the data load by using one of these methods:
Use the bulkload recover option
Restore the database from a backup taken before you invoked bulkload.
The bulkload command-line tool fails during index creation.
Examine bulkload.log. Find and fix the specific issue that caused index creation failure. Run bulkload with the index option again.
Failure to correct index errors can cause duplicate entries or duplicate rows in the Oracle Internet Directory's tables.
The bulkload command-line tool fails because of a broken connection to the database. This can occur, for example, due to a host crash or to a failover in Real Application Clusters.
Follow this procedure:
Ensure that the database is restarted properly.
If the bulkload invocation employed only the check="TRUE" or generate="TRUE" options, but not the load="TRUE" option, go to step 3.
If it was the bulkload load="TRUE" option that failed, you must restore the database to its state before the failure. How you do that depends on whether you have a backup of the database taken before you issued the bulkload load="TRUE" command.
If you have a backup, use it to restore the database to its original state before you issued the bulkload command.
If you do not have a backup, use the bulkload recover command to return the database to its state before the bulkload load="TRUE" command.
Oracle highly recommends that you investigate and correct all errors thrown by the bulk tools before proceeding with the next step. To get more information about the reason for the error, run the command with debug enabled (debug=t). Debug information is available in the corresponding log file, bulkdelete.log, bulkmodify.log, or ldifwrite.log, under ORACLE_INSTANCE/diagnostics/logs/OID/tools/. In the database, debug information is available in the ods.ds_ldap_log table.
The bulkdelete or bulkmodify command-line tool fails because of a broken connection to the database. This can occur, for example, due to a host crash or to a failover in Real Application Clusters.
Ensure that the database is restarted properly. Then retry the bulkdelete or bulkmodify command that failed.
Oracle highly recommends that you investigate and correct all errors thrown by the bulk tools before proceeding with the next step. To get more information about the reason for the error, run the command with debug enabled (debug=t). Debug information is available in ORACLE_INSTANCE/diagnostics/logs/OID/tools/catalog.log and in the database table ods.ds_ldap_log.
The catalog command-line tool fails because of a broken connection to the database. This can occur, for example, due to a host crash or to a failover in Real Application Clusters.
Ensure that the database is restarted properly. Retry the catalog command that failed. If the original invocation employed the add="TRUE" option, the retry might fail because the first command partially completed. If the retry fails, use catalog delete="TRUE" to delete the attribute index, then retry the command again.
The catalog command throws an error because more than 1000 attributes are present in the file.
If you need to index more than 1000 attributes, use multiple files.
remtool -pdispqstat -v -bind host:port hangs. During the hang, attempts to bind to the server with other tools might fail.
If there is a large backlog of changelogs waiting to be purged, the remtool search query runs for a long time. Ensure that changelog purging is configured appropriately for your environment. See "Change Log Purging".
You can also increase the number of worker threads so that other tools can bind while remtool is running the query. See "Attributes of the Instance-Specific Configuration Entry" and the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
The log contains the error message Server Chaining error followed by javax.naming.AuthenticationException.
In ODSM, go to the Advanced tab and expand Server Chaining. In each enabled entry, click Verify Login Credential, Verify User Container, and Verify Group Container.
If the verification fails, examine the values you entered for errors. If the problem persists, consult the external directory administrator to verify the accuracy of the values you entered.
On the Oracle Directory Services Manager home page for Oracle Internet Directory, you can view version information about Oracle Directory Services Manager, Oracle Internet Directory, and the associated Oracle Database. For information about using Oracle Directory Services Manager, see "Using Oracle Directory Services Manager".
Oracle Enterprise Manager Fusion Middleware Control and WLST do not work after the system is patched to 11g Release 1 (11.1.1.4.0).
This problem occurs if you had SSL server authentication enabled and cipher suites configured prior to patching. To fix this problem after patching, remove the orclsslciphersuite attribute from the instance-specific configuration entry by using ldapmodify. The LDIF file for deleting the orclsslciphersuite attribute in the instance-specific entry is:
dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
delete: orclsslciphersuite
The command is:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
Restart Oracle Internet Directory as described in "Restarting the Oracle Internet Directory Server by Using opmnctl".
Oracle Internet Directory is up and running, but you cannot change Oracle Internet Directory parameters by using Oracle Enterprise Manager Fusion Middleware Control or WLST. You might see the error message: Unable to connect backend OID.
This can occur if the Oracle Internet Directory port number was changed and the server was not restarted or the Oracle Internet Directory component registration was not updated. Restart the server and run opmnctl updatecomponentregistration, as described in "Updating the Component Registration of an Oracle Instance by Using opmnctl".
This occurs if you specify an SSL port configured for server authentication or mutual authentication when using the replication wizard. The replication wizard can only connect to SSL ports that are configured for no authentication. Always specify a non-SSL port or an SSL port configured for no authentication when prompted to log in or when specifying a node.
This occurs if Oracle Internet Directory's SSL port is configured for mutual authentication. Oracle Enterprise Manager Fusion Middleware Control and WLST manage Oracle Internet Directory through the SSL port, and the port must be configured for no authentication or server authentication.
This section lists issues related to Oracle Directory Services Manager.
You attempt to invoke Oracle Directory Services Manager from Oracle Enterprise Manager Fusion Middleware Control by selecting Directory Services Manager from the Oracle Internet Directory menu in the Oracle Internet Directory target, then Data Browser, Schema, Security, or Advanced.
ODSM does not open. You might see an error message.
This is probably an installation problem. See Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
The WebLogic Managed Server where Oracle Directory Services Manager is deployed has multiple Network Interface Cards (NIC) or is DHCP enabled. Attempts to invoke Oracle Directory Services Manager from Oracle Enterprise Manager Fusion Middleware Control fail and return 404 errors.
Use the WebLogic Server Administration Console to change the listen address of the Managed WebLogic Server so that the IP address or hostname in the URL for Oracle Directory Services Manager is accessible.
Perform the following steps:
Using a web browser, access the WebLogic Server Administration Console.
In the left pane of the WebLogic Server Administration Console, click Lock & Edit to edit the server configuration.
In the left pane of the WebLogic Server Administration Console, expand Environment and select Servers.
On the Summary of Servers page, click the link for the WebLogic Managed Server where Oracle Directory Services Manager is deployed.
On the Settings page for the WebLogic Managed Server, update the Listen Address to the host name of the server where Oracle Directory Services Manager is deployed.
Click Save to save the configuration.
Click Activate Changes to update the server configuration.
When you perform an Oracle Directory Services Manager failover using Oracle HTTP Server, the failover is not transparent. You see this behavior when you perform the following steps:
Oracle Directory Services Manager is deployed in a High Availability active-active configuration using Oracle HTTP Server.
Display an Oracle Directory Services Manager page using the Oracle HTTP Server name and port number.
Make a connection to an Oracle Internet Directory server.
Work with the Oracle Internet Directory server using the current Oracle Directory Services Manager Oracle HTTP Server host and port.
Shut down one managed server at a time using the WebLogic Server Administration Console.
Go back to the Oracle Directory Services Manager page and port, and the connection which was established earlier with Oracle Internet Directory. When you do, a message is displayed advising you to re-establish a new connection to the Oracle Directory Services Manager page.
If you encounter this problem, perform the following steps:
In your web browser, exit the current Oracle Directory Services Manager page.
Launch a new web browser page and specify the same Oracle Directory Services Manager Oracle HTTP Server name and port.
Re-establish a new connection to the Oracle Internet Directory server you were working with earlier.
See Also:
The Oracle Fusion Middleware High Availability Guide for more information about Oracle Directory Services Manager in High Availability configurations.
ODSM temporarily loses its connection to Oracle Internet Directory and displays the message LDAP Server is down.
In a High Availability configuration where ODSM is connected to Oracle Internet Directory through a load balancer, ODSM reports that the server is down during failover from one instance of Oracle Internet Directory to another. In other configurations, this message might indicate that Oracle Internet Directory has been shut down and restarted. In either case, the connection is reestablished in less than a minute, and you are able to continue without logging in again.
ODSM temporarily loses its connection to an Oracle Internet Directory instance that is using an Oracle RAC database. ODSM might display the message Failure accessing Oracle database (oracle errcode=errcode), where errcode is one of the following values: 3113, 3114, 1092, 28, 1041, or 1012.
This error can occur during failover of the Oracle Database that the Oracle Internet Directory instance is using. The connection is reestablished in less than a minute, and you are able to continue without logging in again.
ODSM displays the error message: Error :Posn: -1, Size: 0
This error can be ignored. It usually indicates that Oracle Internet Directory has detected an error in an ODSM operation. JNDI, which ODSM uses to connect to Oracle Internet Directory, sometimes returns this error code instead of the actual error code. Oracle Internet Directory server log files show a more meaningful error message.
When you access ODSM in accessibility mode, using only the keyboard, in Internet Explorer 7, the cursor loses focus. This behavior has been observed under the following circumstances:
You access the directory in SSL-enabled mode and the server certificate appears.
You type an invalid password and the error dialog appears.
Press the Tab key nine times, then press the Enter key.
When Oracle Internet Directory is used as the Policy Store, during the migration from a Fusion Applications dedicated environment to a shared environment, migration of the Security Store results in slow OPSS queries to Oracle Internet Directory.
To improve query performance, set the following tuning values for the Oracle Internet Directory Policy Store:
Oracle Database Tuning Parameters
SGA_MAX_SIZE: 4G or higher
Oracle Database server processes: 500 or higher
Oracle Internet Directory Attributes
orclecacheenabled: 2 (Enable both Entry Cache and Result Set Cache.)
orclrscacheattr - Set this multi-valued attribute as follows:
orclrscacheattr: orcljaznprincipal
orclrscacheattr: orcljaznpermissiontarget
orclrscacheattr: orcljpsresourcename
orclrscacheattr: uniquemember
orclrscacheattr: orcljpsassignee
orclecachemaxsize: 16G or higher
orclinmemfiltprocess - Set this multi-valued attribute as follows:
orclinmemfiltprocess: (orcljpsresourcetypename=taskflowresourcetype)
orclinmemfiltprocess: (orcljpsresourcetypename=regionresourcetype)
You can find more solutions on My Oracle Support (formerly MetaLink), http://support.oracle.com. If you do not find a solution for your problem, log a service request.
See Also:
Oracle Fusion Middleware Release Notes for Microsoft Windows (32-Bit), available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html