D Troubleshooting the Oracle Directory Integration Platform
This appendix describes common problems that you might encounter when using the Oracle Directory Integration Platform and explains how to solve them.
See Also:
-
Oracle by Example for Oracle Identity Management, available from the Oracle Technology Network at http://www.oracle.com/technology/index.html
D.1 Checklist for Troubleshooting Oracle Directory Integration Platform
Use the following checklist as a starting point when troubleshooting Oracle Directory Integration Platform problems.
-
Verify that the Oracle Directory Integration Platform application has been deployed by using the Oracle WebLogic console.
-
Verify that the Oracle Directory Integration Platform application is running.
To verify the status of the Oracle Directory Integration Platform application using Oracle Enterprise Manager Fusion Middleware Control, open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the URL is:
https://host:port/em
You can view the status of the Oracle Directory Integration Platform application in the status column of the Fusion Middleware section on the Oracle Enterprise Manager Fusion Middleware Control home page for your environment.
To verify the status of the Oracle Directory Integration Platform application from the command line, use the dipStatus utility. If Oracle Directory Integration Platform is running, dipStatus returns an "ODIP Application is active at this host and port" message.
Note:
-
When using dipStatus, be sure you specify the host and port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed, not the host and port of the Administration Server.
-
For more information, see "dipStatus Utility".
-
Verify the appropriate profiles are enabled by listing their names and status using the manageSyncProfiles command as follows:
manageSyncProfiles list -h host -p port -D user [-prfSt] [-help]
Note:
You will be prompted for the password.
-
Verify that the third-party LDAP directory server is running by executing the following command:
ldapbind -h ldap_host -p ldap_port -D binddn -q
Note:
You will be prompted for the password.
-
If you are using the PL/SQL plug-in, use sqlplus to verify that you can connect to the provisioning-integrated application.
D.2 General Issues
This section describes issues that affect Oracle Directory Integration Platform.
D.2.1 LDIF Files That Contain Non-ASCII Characters Will Cause the testProfile Command Option to Fail if the LDIF File has Native Encoding
This section describes how to resolve a testProfile command option failure caused by the encoding of the LDIF file.
When running DIP Tester from a command line, the manageSyncProfiles testProfile command will fail if the -ldiffile option is specified and the LDIF file contains non-ASCII characters stored in the platform's native encoding.
LDIF files with UTF-8 encoding are not affected by this limitation. If an LDIF file containing multibyte characters cannot be saved with UTF-8 encoding, use the following workaround:
-
From a command line, add the entry using the ldapadd command and include the -E option to specify the locale. See the Oracle Fusion Middleware User Reference for Oracle Identity Management for the required command syntax.
-
Get the specific changeNumber for the last add operation.
-
Execute the testProfile command using the changeNumber from the previous step.
For more information, see Running DIP Tester From the WLST Command-Line Interface.
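Before falling back to the ldapadd/changeNumber workaround it is worth checking whether the LDIF is really in a native encoding, and whether it can simply be transcoded to UTF-8 so that -ldiffile works. The following Python helper is an added example, not part of Oracle Directory Integration Platform or DIP Tester: it classifies the raw bytes of an LDIF file as ASCII, UTF-8 or native, lists the lines that carry non-ASCII bytes, and re-encodes the file to UTF-8 when you know its native encoding. The sample LDIF entry is constructed here (Windows-1252 bytes for the umlauts); the native encoding name (cp1252) is an assumption about the workstation that produced the file.

```python
"""Check whether an LDIF file is safe for `manageSyncProfiles testProfile -ldiffile`.

testProfile fails when the LDIF carries non-ASCII bytes that are not UTF-8.
This helper detects that case and, given the file's native encoding,
re-encodes it as UTF-8 so the -ldiffile option can be used after all.
"""
import codecs
from typing import List, Tuple


def ldif_encoding_status(data: bytes) -> str:
    """Classify raw LDIF bytes as 'ascii', 'utf-8' or 'native' (non-UTF-8 high bytes)."""
    if all(b < 0x80 for b in data):
        return "ascii"
    try:
        data.decode("utf-8", errors="strict")
        return "utf-8"
    except UnicodeDecodeError:
        return "native"


def non_ascii_lines(data: bytes) -> List[Tuple[int, str]]:
    """(line number, text) for every line that carries non-ASCII bytes, so the
    offending attribute values can be located. Display uses latin-1, which
    never fails to decode; the real characters may differ."""
    out = []
    for n, line in enumerate(data.splitlines(), start=1):
        if any(b >= 0x80 for b in line):
            out.append((n, line.decode("latin-1")))
    return out


def to_utf8(data: bytes, native_encoding: str) -> bytes:
    """Transcode LDIF from its native (platform) encoding to UTF-8.
    Base64 values (lines written with '::') are ASCII and pass through unchanged."""
    codecs.lookup(native_encoding)          # fail early on a misspelled codec name
    return data.decode(native_encoding).encode("utf-8")


# Constructed sample: an add entry whose cn and sn carry umlauts, saved as Windows-1252.
SAMPLE_NATIVE = (
    b"dn: cn=J\xfcrgen M\xfcller,cn=Users,dc=example,dc=com\n"
    b"changetype: add\n"
    b"objectclass: inetorgperson\n"
    b"cn: J\xfcrgen M\xfcller\n"
    b"sn: M\xfcller\n"
)

if __name__ == "__main__":
    status = ldif_encoding_status(SAMPLE_NATIVE)
    print("status:", status)
    for n, text in non_ascii_lines(SAMPLE_NATIVE):
        print(f"  line {n}: {text}")
    if status == "native":
        fixed = to_utf8(SAMPLE_NATIVE, "cp1252")   # assumed native encoding of the source workstation
        print("after transcoding:", ldif_encoding_status(fixed))
```

Run it against the real file with `open(path, "rb").read()` in place of SAMPLE_NATIVE. The classification is a heuristic: a file in a legacy encoding can occasionally decode as valid UTF-8 by accident, so inspect the listed lines before trusting a "utf-8" verdict on a file that was not saved as UTF-8 deliberately.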
D.2.2 Some Changes May Not Get Synchronized Due to Race Condition in Heavily-Loaded Source Directory
If the source directory is heavily loaded, a race condition may occur where database commits cannot keep pace with updates to the lastchangenumber. If this race condition occurs, Oracle Directory Integration Platform may not be able to synchronize some of the changes.
To work around this issue, perform the following steps to enable database commits to keep pace with the lastchangenumber:
-
Increase the value of the synchronization profile's Scheduling Interval.
-
Control the number of times the search is performed on the source directory during a synchronization cycle by setting the searchDeltaSize parameter in the profile. Oracle suggests starting with a value of 10, then adjusting the value as needed.
D.2.3 Synchronization Continues After Stopping Oracle Directory Integration Platform
If you stop the Oracle Directory Integration Platform application during synchronization, the synchronization process that the Quartz scheduler started will continue to run.
To work around this issue, restart the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform or redeploy the Oracle Directory Integration Platform application.
D.2.4 Synchronization of Deleted Objects Fails
This section explains how to resolve the issue of deleted objects not being synchronized.
Deleted objects are not synchronized when the domain mapping rule has the following form:
dc=example,dc=com:cn=users,dc=example,dc=com:cn=*,cn=users,dc=example,dc=com
To synchronize the deleted objects, remove the following component from the domain mapping rule:
cn=*,cn=users,dc=example,dc=com
If the cn=* component is mandatory because the RDN is different between the source and the destination, then the attribute used as the RDN must be marked as required in the attribute mapping rule.
D.3 Configuration Issues
This section describes configuration issues that affect Oracle Directory Integration Platform.
D.3.1 You May Need to Restart Oracle Directory Integration Platform After Running dipConfigurator Against Oracle Unified Directory
After running the dipConfigurator utility against an Oracle Unified Directory endpoint, if you are unable to open the Oracle Directory Integration Platform UI in Enterprise Manager, stop and start Oracle Directory Integration Platform to fix the UI problem.
D.3.2 When Configuring a Profile, You May Need to Scroll Past a Section of Whitespace to View Mapping Rules
If you are using Internet Explorer to view the Directory Integration Platform (DIP) UI, you may need to scroll past a large blank space to see the profile mapping rules section. This issue is not known to affect other browsers.
D.4 Problems and Solutions
This section describes common problems and solutions for Oracle Directory Integration Platform.
Topics:
-
Provisioning Errors and Problems
-
Synchronization Errors and Problems
-
Novell eDirectory and OpenLDAP Synchronization Errors and Problems
-
Oracle Password Filter for Microsoft Active Directory Errors and Problems
Note:
The Oracle Directory Integration Platform stores error messages in the appropriate file, as described in "Location and Naming of Files".
D.4.1 Provisioning Errors and Problems
This section provides solutions for provisioning errors and problems.
Problem
Unable to get the Entry from its GUID. Fatal Error...
Solution
Oracle Directory Integration Platform is attempting to retrieve an entry that has been deleted but appears not to have been purged. However, when this error happens, the entry has already been purged. To avoid future errors, update the tombstone purge configuration settings in the Oracle Internet Directory garbage collection framework. See Managing Garbage Collection in Administering Oracle Internet Directory.
Problem
LDAP connection failure.
Solution
Oracle Directory Integration Platform failed to connect to the directory server. Check the connection to the directory server.
See Also:
If your Oracle back-end directory is Oracle Internet Directory, see directory server administration in Administering Oracle Internet Directory. This topic contains information about directory server connections.
Problem
Initialization and database connection failures, and exceptions while calling an SQL operation.
Solution
To test the connection, use the Test Connection feature for the profile in Oracle Enterprise Manager Fusion Middleware Control. If the connection fails, examine the diagnostic log file at the following location for more information:
(UNIX) DOMAIN_HOME/servers/server_name/logs
(Windows) DOMAIN_HOME\servers\server_name\logs
The default name of the log file is server-name-diagnostic.log.
Problem
Provisioning Profiles Not Getting Executed by the DIP Provisioning Server.
Solution
Using Oracle Enterprise Manager Fusion Middleware Control or the manageProvProfiles command, verify the profile is enabled and that the Oracle Directory Integration Platform scheduling interval is set to a positive integer.
Problem
Unable to Connect to the Application Database.
Solution
The application database connection details in a provisioning profile may be incorrect. Use sqlplus to verify connectivity with the same host, port, service name and credentials.
Problem
User/Group Modify And Delete Events Not being consumed by the application.
Solution
Verify the host port details and credentials using the Test Connection feature for the profile in Oracle Enterprise Manager Fusion Middleware Control. If the connection fails after using the Test Connection option, an error message appears providing information about the failed connection.
For additional information about the failed connection, you can examine the diagnostic log using Oracle Enterprise Manager Fusion Middleware Control or from the command line. The diagnostic log is located at:
(UNIX) DOMAIN_HOME/servers/server_name/logs
(Windows) DOMAIN_HOME\servers\server_name\logs
The default name of the log file is server-name-diagnostic.log.
Problem
Subscription to binary attributes results in the event propagation error.
Solution
Binary attributes propagation is not supported. Remove the binary attribute assignments from the event subscription in the provisioning profile.
Problem
Insufficient Access Rights to do "proxy" as the Application DN.
Solution
The Oracle Directory Integration Platform server group has not been granted browse privilege by the application DN. Use the ldapmodify command to load the following ACIs, which grant browse privileges from the application DN to the Oracle Directory Integration Platform group:
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=products,cn=oraclecontext" (read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=products,cn=oraclecontext" (browse,proxy)
Problem
Insufficient access rights to use an application DN as a proxy.
Solution
The Oracle Directory Integration Platform server group has not been granted proxy privileges by the application DN. Use the ldapmodify command to load the following ACI, which grants proxy privileges from the application DN to the Oracle Directory Integration Platform group:
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)
D.4.2 Synchronization Errors and Problems
This section provides solutions for synchronization errors and problems.
See Also:
Note: 276481.1—Troubleshooting OID DIP Synchronization Issues in My Oracle Support (formerly MetaLink) at http://support.oracle.com/.
Problem
[DIP-10247] - Not able to construct DN
Solution
This error normally happens if you define the domain mapping rule using a % wildcard in the DN construction part, for example:
cn=Users,dc=example,dc=com : ou=employees,dc=example,dc=com : uid=%,ou=employees,dc=example,dc=com
The destination DN cannot be built when the change record does not carry the attribute that supplies the RDN value. To resolve the issue, set the required flag for that attribute in the attribute mapping rule, as follows:
SAMAccountName : 1 : : user : uid : : inetorgperson :
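The two mapping-rule problems on this page, deletes that are not synchronized when the domain mapping rule carries a cn=* component (D.2.4) and DIP-10247 when it carries uid=% (above), come from the same mechanism: the destination DN has to be assembled from a mapped attribute value that a change record may not contain. The following Python model is an added example and is not Oracle Directory Integration Platform code. It parses a domain mapping rule and an attribute mapping rule in the formats shown on this page and builds the destination DN for an add, a modify and a delete. Two points are modelling assumptions rather than documented behaviour: the wildcard (written % or * on this page) is filled with the mapped value of the named RDN attribute, and an attribute whose required field is 1 is fetched from the source entry when the change record does not carry it. The rules, DNs and attribute values are constructed.

```python
"""Model of how a DIP domain mapping rule and attribute mapping rules combine to
build a destination DN, and why that fails with "Not able to construct DN".
Not DIP code. Rule formats are those of a profile's mapping file:
  domain rule:    SrcContainer : DstContainer : DNConstructionRule
  attribute rule: SrcAttr : Req : SrcType : SrcObjClass : DstAttr : Req : DstObjClass : Rule
Modelling assumptions: the wildcard (% or *) takes the mapped value of that RDN
attribute; a source attribute with Req=1 is fetched from the source entry when
the change record does not carry it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class DnConstructionError(Exception):
    """Raised where the real engine logs '[DIP-10247] - Not able to construct DN'."""


@dataclass
class DomainRule:
    src_container: str
    dst_container: str
    dn_rule: str = ""      # empty: reuse the source RDN under dst_container

    @classmethod
    def parse(cls, text: str) -> "DomainRule":
        parts = [p.strip() for p in text.split(":")]
        if len(parts) < 2:
            raise ValueError(f"domain rule needs at least two fields: {text!r}")
        return cls(*parts[:3])


@dataclass
class AttrRule:
    src_attr: str
    src_required: bool
    dst_attr: str

    @classmethod
    def parse(cls, text: str) -> "AttrRule":
        f = [p.strip() for p in text.split(":")]
        if len(f) < 7:
            raise ValueError(f"attribute rule needs at least 7 fields: {text!r}")
        return cls(src_attr=f[0], src_required=(f[1] == "1"), dst_attr=f[4])


def build_destination_dn(domain: DomainRule, attr_rules: List[AttrRule], src_dn: str,
                         change_attrs: Dict[str, str],
                         source_entry: Optional[Dict[str, str]]) -> str:
    """Destination DN for one change record, or DnConstructionError."""
    if not src_dn.lower().endswith(domain.src_container.lower()):
        raise DnConstructionError(f"{src_dn} is outside {domain.src_container}")
    relative = src_dn[: len(src_dn) - len(domain.src_container)].rstrip(", ")

    # Attribute mapping: values come from the change record; required attributes
    # fall back to the source entry when the record does not carry them.
    mapped: Dict[str, str] = {}
    for rule in attr_rules:
        value = change_attrs.get(rule.src_attr)
        if value is None and rule.src_required and source_entry:
            value = source_entry.get(rule.src_attr)
        if value is not None:
            mapped[rule.dst_attr.lower()] = value

    if not domain.dn_rule:                       # no construction rule: keep the source RDN
        return f"{relative},{domain.dst_container}"

    rdn, _, rest = domain.dn_rule.partition(",")
    rdn_attr, _, placeholder = (s.strip() for s in rdn.partition("="))
    if placeholder not in ("%", "*"):
        raise ValueError(f"unsupported DN construction rule: {domain.dn_rule!r}")
    value = mapped.get(rdn_attr.lower())
    if value is None:
        raise DnConstructionError(
            f"Not able to construct DN: no value for {rdn_attr} in change for {src_dn}")
    return f"{rdn_attr}={value},{rest}"


# Constructed sample rules and records, modelled on the page's examples.
DOMAIN = DomainRule.parse("cn=Users,dc=example,dc=com : ou=employees,dc=example,dc=com : "
                          "uid=%,ou=employees,dc=example,dc=com")
NOT_REQUIRED = [AttrRule.parse("SAMAccountName : : : user : uid : : inetorgperson :")]
REQUIRED = [AttrRule.parse("SAMAccountName : 1 : : user : uid : : inetorgperson :")]
SRC_DN = "CN=Jane Doe,CN=Users,DC=example,DC=com"
SRC_ENTRY = {"SAMAccountName": "jdoe", "telephoneNumber": "+1 555 0100"}
MODIFY_ONLY_PHONE = {"telephoneNumber": "+1 555 0199"}

if __name__ == "__main__":
    # Add: the record carries every attribute, so the DN is built without the flag.
    print(build_destination_dn(DOMAIN, NOT_REQUIRED, SRC_DN, SRC_ENTRY, SRC_ENTRY))
    # Modify of a non-RDN attribute: nothing supplies uid, so construction fails.
    try:
        build_destination_dn(DOMAIN, NOT_REQUIRED, SRC_DN, MODIFY_ONLY_PHONE, SRC_ENTRY)
    except DnConstructionError as e:
        print("DIP-10247:", e)
    # Same modify with SAMAccountName marked required: fetched from the source entry.
    print(build_destination_dn(DOMAIN, REQUIRED, SRC_DN, MODIFY_ONLY_PHONE, SRC_ENTRY))
    # Delete with the construction rule removed (D.2.4): the source RDN is reused.
    plain = DomainRule.parse("cn=Users,dc=example,dc=com : ou=employees,dc=example,dc=com")
    print(build_destination_dn(plain, REQUIRED, SRC_DN, {}, None))
```

The last case is the D.2.4 situation: a delete record has no attribute values at all, so any construction rule that depends on one cannot be satisfied unless the RDN attribute is marked required and can still be read from the source. Dropping the construction rule sidesteps the problem when source and destination share the same RDN attribute.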
Problem
Hashed Password Synchronization to Oracle Unified Directory Fails
Solution
Before synchronizing hashed passwords (that is, copying the userPassword attribute from another server into Oracle Unified Directory), you must run the following command so that Oracle Unified Directory accepts pre-encoded passwords:
dsconfig set-password-policy-prop --policy-name Default\ Password\ Policy --set allow-pre-encoded-passwords:true
Problem
LDAP: error code 50 - Insufficient Access Rights; remaining name 'CN=Users,dc=mycompany,dc=com'
Solution
The record target is not in a default container. Find the DST CHANGE RECORD. Check the ACIs for the target container. If they are blank, then use DIP Tester to apply a known set of ACIs to the new container.
Problem
LDAP: error code 50 - Insufficient Access Rights; ACTIVECHGIMP MAPPING IMPORT OPERATION FAILURE; Agent execution successful, Mapping/import operation failure
Solution
By default the cn=Users container in the default realm contains the proper ACIs. However, this error can occur when trying to synchronize into a different container within the default realm. Open the trace file, locate the change record that is causing the error, and then check the ACIs for the record's parent container. Apply the same ACIs to the target container.
Problem
Log File Error:
Not able to construct DN
Output ChangeRecord : Changetype: 1 ChangeKey: cn=users,dc=us,dc=oracle,dc=com
Exception javax.naming.ContextNotEmptyException: [LDAP: error code 66 - Not Allowed On Non-leaf]; remaining name 'cn=users,dc=us,dc=oracle,dc=com'
Missing mandatory attribute(s).
Solution
There is a problem with the mapping file. Refer to Note: 261342.1—Understanding DIP Mapping in My Oracle Support (formerly MetaLink) at: http://support.oracle.com/
Problem
Trace File Error: IPlanetImport:Error in Mapping Engine java.lang.NullPointerException java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101).
Solution
The orclcondirlastappliedchgnum attribute is null or has no value. This may occur if bootstrapping failed or if you manually populated the Oracle back-end directory and did not assign a value to the orclcondirlastappliedchgnum attribute. Verify that the orclcondirlastappliedchgnum attribute has a value. If it does not have a value, set it using the DIP Tester utility or using WLST to configure the DIP MBean.
Problem
Invalid value is specified for the parameter "odip.bootstrap.srctype". Please verify: DB
Solution
This problem occurs when an Oracle Database is the source directory connected to the Oracle back-end directory. To resolve the problem, do the following:
Note:
If a connected Oracle Database is used as the source directory, then bootstrapping is not supported.
-
Enable the existing synchronization profile using Oracle Enterprise Manager Fusion Middleware Control. See Enabling and Disabling Synchronization Profiles.
-
Log in to Oracle Enterprise Manager Fusion Middleware Control and specify 0 as the value for the Last Change Number in the Advanced tab of the Edit Synchronization Profile page.
-
Run DIP Tester using Enterprise Manager. See Running DIP Tester From the Enterprise Manager User Interface.
-
Go to the Additional Configuration Parameters section. For Check All Entries, specify true as the value.
Problem
Add and change operations are successful, but delete operations fail without being recorded in the trace file.
Solution 1
Tombstones are not enabled in Oracle Directory Server Enterprise Edition or Sun Java System Directory Server. Verify that tombstones are enabled by referring to Note: 219835.1 in My Oracle Support (formerly MetaLink) at http://support.oracle.com/.
Solution 2
In Microsoft Active Directory, the account used for the profile is not a member of the DIR SYNCH ADMIN group. This only occurs if you are not using a Microsoft Active Directory administrator account. Install the appropriate patch from Microsoft.
Problem
Data synchronization problems encountered after configuring Oracle Directory Integration import or export connectors to third-party LDAP directories.
Solution
Determine the cause using the testProfile operation of the manageSyncProfiles command.
Problem
Editing the attribute mapping rule for a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control may cause the "Schema not initialized for object class" error.
Solution
The problem could be caused by an invalid directory type specified for the third party directory connection details. Verify you have specified the correct directory type and connection details.
Problem
The Oracle back-end directory profile in Oracle Enterprise Manager Fusion Middleware Control shows "synchronization successful" yet no changes show up in the directory.
Solution
First, determine if synchronization is occurring by examining the following parameters for the synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
-
Successful Completion Time (on DIP Server Home page)
-
Last Execution Time (on DIP Server Home page)
-
Scheduling Interval (on Advanced tab for profile)
Synchronization is occurring if the Successful Completion Time and Last Execution Time metrics have time values relevant to the current time of the system. If these metrics indicate time values that are considerably older than the current time of the system, synchronization is not occurring.
If synchronization is occurring:
-
Verify synchronization is configured to occur in the correct location by examining the Source Container setting on the profile's Mapping tab in Oracle Enterprise Manager Fusion Middleware Control.
-
Verify the correct objects are being filtered by examining the Source Matching Filter setting on the profile's Filtering tab in Oracle Enterprise Manager Fusion Middleware Control.
If synchronization is not occurring:
-
Verify the synchronization profile is enabled using the DIP Server Home page in Oracle Enterprise Manager Fusion Middleware Control.
-
Check the status of the Quartz Scheduler using the DIP Server Home page in Oracle Enterprise Manager Fusion Middleware Control.
-
Test the synchronization profile using the manageSyncProfiles command and its testProfile operation. Refer to "Managing Synchronization Profiles Using manageSyncProfiles" for more information about the manageSyncProfiles command.
D.4.3 Novell eDirectory and OpenLDAP Synchronization Errors and Problems
This section provides solutions to synchronization errors and problems that can occur with Novell eDirectory and OpenLDAP.
Problem
After configuring import synchronization, entries are not synchronizing from Novell eDirectory or OpenLDAP to the Oracle back-end directory, even though the profile's synchronization status is successful and the trace file does not show any exceptions.
Possible causes and their solutions:
Cause
Incorrect value assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.
Solution
Copy the connection DN from the Novell eDirectory or OpenLDAP export profile to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.
Cause
The entries that Oracle Directory Integration Platform is attempting to synchronize were created using the same DN that is assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile.
Solution
Change the DN that is assigned to the modifiersname parameter of the odip.profile.condirfilter property in the import profile to a DN that does not create the entries in Novell eDirectory or OpenLDAP.
Cause
There is a time difference between the computer that is running the Oracle back-end directory and the computer that is running Novell eDirectory or OpenLDAP.
Solution
Assign to the ReduceFilterTimeInSeconds parameter of the odip.profile.configfile property in the import profile a value in seconds that is equal to the time difference between the two computers.
Problem
Unsupported exception thrown during reconciliation.
Solution
One or more of the Oracle back-end directory attributes that are specified in the Novell eDirectory or OpenLDAP reconciliation rules are not indexed. Index the corresponding attributes in the Oracle back-end directory.
Problem
Deleted entries are not synchronizing from Novell eDirectory or OpenLDAP to the Oracle back-end directory, even though the profile's reconciliation status is successful.
Possible causes and their solutions:
Cause
The deleted entries are not specified in the Novell eDirectory or OpenLDAP reconciliation rules.
Solution
Modify the Novell eDirectory or OpenLDAP reconciliation rules to include the deleted entries.
Cause
There are more entries in Novell eDirectory or OpenLDAP for a particular reconciliation rule than there are in the Oracle back-end directory.
Solution
Examine the $ORACLE_HOME/ldap/odi/log/profile_name.trc file for the following message:
No. of entries are less in destination directory compared to source directory.
The preceding message is usually generated when the entire Novell eDirectory or OpenLDAP DIT needs to be synchronized with the Oracle back-end directory. To resolve this problem, assign a value of true to the CheckAllEntries parameter of the odip.profile.configfile property.
Caution:
Assigning a value of true to the CheckAllEntries parameter of the odip.profile.configfile property will result in decreased performance.
D.4.4 Oracle Password Filter for Microsoft Active Directory Errors and Problems
This section provides solutions to errors and problems that can occur with the Oracle Password Filter for Microsoft Active Directory.
Problem
The Oracle Password Filter for Microsoft Active Directory cannot be installed and the following error is reported in the log:
(Aug 23, 2010 8:26:52 PM), Install, com.oracle.installshield.adpwd.ldapModify, dbg, C:\Program Files (x86)\oracle\ADPasswordFilter\prepAD.ldif
(Aug 23, 2010 8:26:52 PM), Install, com.oracle.installshield.adpwd.ldapModify, err, in LDAPOperation
(Aug 23, 2010 8:26:52 PM), Install, com.oracle.installshield.adpwd.ldapModify, err, [LDAP: error code 19 - 000020B5: AtrErr: DSID-03152704, #1:
0: 000020B5: DSID-03152704, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9030e (objectCategory)
Cause
This error may occur if the Active Directory schemaNamingContext object does not come under the defaultNamingContext.
Solution
To solve this problem do one of the following:
-
Replace the ObjectCategory attribute in prepAD.ldif with the value CN=Organizational-Unit,schemaNamingContext, where schemaNamingContext is replaced by the schema naming context value.
-
Remove the ObjectCategory attribute from prepAD.ldif. Because the entry is added to Active Directory, the objectCategory attribute will be populated with the right value automatically.
Problem
Unable to find log file path.
Cause
Invalid log file path.
Solution
Specify a valid log file path by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
Problem
Cannot connect to Oracle Internet Directory in non-SSL mode (mode 1).
Note:
Oracle Unified Directory and Oracle Directory Server Enterprise Edition do not support non-SSL mode (mode 1).
Cause
Invalid Oracle Internet Directory configuration settings.
Solution
Correct the Oracle Internet Directory configuring settings by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
Problem
Cannot connect to the Oracle back-end directory in SSL mode.
Cause
The Oracle back-end directory certificate authority's trusted certificate has not been imported into the Microsoft Active Directory domain controller.
Solution
Import the trusted certificate into Microsoft Active Directory by following the instructions in "Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller".
Problem
Cannot connect to Microsoft Active Directory.
Cause
Invalid Microsoft Active Directory configuration settings.
Solution
Correct the Microsoft Active Directory configuration settings by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
Problem
Cannot upload the prepAD.ldif file.
Cause
The specified Microsoft Active Directory base DN container cannot store organizationalUnit objects.
Solution
Specify a base DN for Microsoft Active Directory that can store organizationalUnit objects by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
Problem
Password updates are looping between the Oracle back-end directory and Microsoft Active Directory.
Cause
The Oracle Password Filter is not configured to use the same bind DN and password that are specified in the synchronization profile that imports values from Microsoft Active Directory into the Oracle back-end directory.
Solution
Configure the Oracle Password Filter to use the same bind DN and password that are specified in the synchronization profile that imports values from Microsoft Active Directory into the Oracle back-end directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
Problem
Some passwords are not synchronizing between the Oracle back-end directory and Microsoft Active Directory.
Cause
The Oracle back-end directory and Microsoft Active Directory specify conflicting password policies.
Solution
Set the Oracle back-end directory password policies to the same policies that are set in Microsoft Active Directory or remove the password policies from the Oracle back-end directory.
Problem
Passwords are not synchronizing for some users.
Cause
You performed an advanced installation of the Oracle Password Filter and specified different values for the attributes that you want to synchronize between the Oracle back-end directory and Microsoft Active Directory.
Solution
Specify the same values for the attributes that you want to synchronize between the Oracle back-end directory and Microsoft Active Directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
Problem
User data synchronizes, but password synchronization is delayed.
Cause
Different time intervals are specified for user data synchronization and password synchronization.
Solution
Verify that the value assigned to the Oracle Password Filter's SleepTime parameter is the same as the default scheduling interval for the synchronization profile. You can use Oracle Enterprise Manager Fusion Middleware Control or the manageSyncProfiles command to view and change the default scheduling interval for synchronization profiles. To change the value assigned to the SleepTime parameter, follow the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
D.5 Troubleshooting Synchronization
This section describes how to troubleshoot synchronization with Oracle Directory Integration Platform.
D.5.1 Oracle Directory Integration Platform Synchronization Process Flow
When debugging synchronization issues between the Oracle back-end directory and a connected directory, it helps to understand the synchronization process flow of the Oracle Directory Integration Platform.
D.5.1.1 Oracle Directory Integration Platform Synchronization Process Flow for an Import Profile
The Oracle Directory Integration Platform reads all import profiles at startup. For each profile that is set to ENABLE, the Oracle Directory Integration Platform performs the following tasks during the synchronization process:
-
Connects to a third-party directory.
-
Gets the value of the last change key from the connected directory.
-
Connects to the Oracle back-end directory.
-
Gets the value of the profile's last applied change key from the Oracle back-end directory.
-
If connecting from the Oracle back-end directory to Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server), the Oracle Directory Integration Platform searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Microsoft Active Directory connections, the Oracle Directory Integration Platform searches for this information in the remote directory's USNChanged values. For the Novell eDirectory and OpenLDAP connectors, changes are identified based on the modifytimestamp attribute of each entry. For other types of connectors, such as the Oracle Human Resources connector, the Oracle Directory Integration Platform performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.
-
Maps the data values from the connected directory to the Oracle back-end directory values.
-
Creates an Oracle back-end directory change record.
-
Applies the change (add, change, delete) in the Oracle back-end directory.
-
Updates the Oracle back-end directory import profile with the last execution times and the last applied change key from the connected directory.
-
Enters sleep mode for the number of seconds specified for the synchronization interval.
D.5.1.2 Oracle Directory Integration Platform Synchronization Process Flow for an Export Profile
The Oracle Directory Integration Platform reads all export profiles at startup. For each profile that is set to ENABLE, the Oracle Directory Integration Platform performs the following tasks during the synchronization process:
-
Connects to a third-party directory.
-
Connects to the Oracle back-end directory.
-
Gets the value for the last change key from the Oracle back-end directory.
-
Gets the value of the profile's last applied change key from the Oracle back-end directory.
-
The Oracle Directory Integration Platform searches the Oracle back-end directory change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key.
-
Maps the data values from the Oracle back-end directory to the connected directory values.
-
Creates a change record.
-
Applies the change (add, change, delete) on the connected directory.
-
Updates the Oracle back-end directory export profile with the last execution times and the last applied change key from the Oracle back-end directory.
-
Enters sleep mode for the number of seconds specified for the synchronization interval.
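The change-key window described in these two process flows is also what makes the race condition in D.2.2 possible: the profile reads the source's last change number, searches the change log for everything above its last applied change key and up to that number, and then moves the last applied key forward. A change whose number was allocated before the read but whose transaction committed only afterwards is never inside a later window. The following Python simulation is an added example, not Oracle Directory Integration Platform code. It models the export-profile loop with plain objects and shows one change being lost, then shows why the D.2.2 workarounds help: with a bounded search window (searchDeltaSize) and enough time between cycles for the slow commit to land, the change is picked up. Two details are assumptions of the model rather than documented behaviour: that the value read as lastchangenumber is the highest number allocated so far, and that searchDeltaSize caps how far a single cycle's window extends.

```python
"""Simulation of the export-profile loop (D.5.1.2) and the lost-change race (D.2.2).
Not DIP code: the change log, commit lag and profile state are plain Python objects.
Modelling assumptions: lastchangenumber as read by the profile is the highest
number allocated so far; searchDeltaSize caps one cycle's search window.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ChangeLog:
    """Source-side change log: numbers are handed out in order, commits may lag."""
    next_number: int = 1
    committed: Dict[int, str] = field(default_factory=dict)
    pending: Dict[int, str] = field(default_factory=dict)

    def begin(self, dn: str) -> int:
        """Allocate a change number inside a still-open transaction."""
        n = self.next_number
        self.next_number += 1
        self.pending[n] = dn
        return n

    def commit(self, n: int) -> None:
        self.committed[n] = self.pending.pop(n)

    def last_change_number(self) -> int:
        """What the profile reads in step 3: the highest number allocated so far."""
        return self.next_number - 1

    def search(self, low: int, high: int) -> List[int]:
        """The change-log search (step 5) only sees committed rows in (low, high]."""
        return sorted(n for n in self.committed if low < n <= high)


@dataclass
class Profile:
    """The per-profile state DIP keeps in the back-end directory."""
    last_applied: int = 0
    applied: Set[int] = field(default_factory=set)
    search_delta_size: int = 0        # 0: no cap on the window

    def run_cycle(self, log: ChangeLog) -> List[int]:
        """One synchronization cycle: steps 3 to 9 of D.5.1.2 in miniature."""
        high = log.last_change_number()
        if self.search_delta_size:
            high = min(high, self.last_applied + self.search_delta_size)
        batch = log.search(self.last_applied, high)
        self.applied.update(batch)          # steps 6 to 8: map, build record, apply
        self.last_applied = high            # step 9: advance the last applied change key
        return batch


def missed_changes(log: ChangeLog, profile: Profile) -> List[int]:
    """Committed changes the profile has moved past without ever applying."""
    return sorted(n for n in log.committed
                  if n <= profile.last_applied and n not in profile.applied)


def race_scenario(search_delta_size: int = 0) -> List[int]:
    """Constructed timeline: change 2 commits only after a cycle has moved past it."""
    log, profile = ChangeLog(), Profile(search_delta_size=search_delta_size)
    log.commit(log.begin("cn=a,cn=users,dc=example,dc=com"))   # 1: committed at once
    slow = log.begin("cn=b,cn=users,dc=example,dc=com")         # 2: allocated, transaction open
    log.commit(log.begin("cn=c,cn=users,dc=example,dc=com"))   # 3: committed at once
    profile.run_cycle(log)        # reads lastchangenumber 3, applies what is visible
    log.commit(slow)              # 2 becomes visible after that window has closed
    profile.run_cycle(log)        # the next window starts above the old high-water mark
    return missed_changes(log, profile)


if __name__ == "__main__":
    print("unbounded window, missed:", race_scenario())                    # [2]
    print("searchDeltaSize=1, missed:", race_scenario(search_delta_size=1))  # []
```

In the bounded run the first cycle stops at change 1, the slow commit lands before the second cycle, and the window (1, 2] then includes it. That is the combination the page recommends: a smaller searchDeltaSize so each window is short, and a longer scheduling interval so commits have time to become visible before the next window is computed. Neither is a hard guarantee; a transaction that stays open longer than the interval can still be skipped.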
D.5.2 Understanding Synchronization Profile Registration
This section provides information about synchronization profile registration.
Validating Profiles Registered in DISABLED State
Validating registered profiles is not required. However, you may validate registered profiles as long as the validation does not prevent the profile from being created.
Registration of DISABLED Profiles that Fail Validation
If the validation of profile in DISABLED state fails, the profile is still registered. Profiles in the DISABLED state may contain errors or the credentials to the target system directory may be unknown, however, this does not prevent the profile from being registered.
Correcting Profile Errors
If you receive errors while registering a profile, for example, due to an incorrect third party directory password, use the manageSyncProfiles command line tool to correct the errors in the profile. Refer to "Managing Synchronization Profiles Using manageSyncProfiles" for more information.
D.5.3 Understanding the diagnostic.log File
This section explains how to read the Oracle Directory Integration Platform diagnostic.log file.
The Oracle Directory Integration Platform diagnostic.log file is located at:
(UNIX) DOMAIN_HOME/servers/server_name/logs
(Windows) DOMAIN_HOME\servers\server_name\logs
The default name of the log file is server-name-diagnostic.log, where server-name is the name of the Managed Server hosting Oracle Directory Integration Platform (wls_ods1-diagnostic.log in the example below).
The following is an example diagnostic.log file, broken into sections and annotated to identify information that is useful when troubleshooting Oracle Directory Integration Platform. In the original, noteworthy information is shown in bold type. The text Host: HOST_NAME: PORT stands for the host name and port of the directory server to which Oracle Directory Integration Platform connects.
Startup Information
The following section of the diagnostic.log file shows information related to Oracle Directory Integration Platform startup. In this section, notice the following:
-
SSL Mode: indicates the connection mode used for connecting to the Oracle back-end directory. You may see SSL Mode: 1 or SSL Mode: 2. If you see SSL Mode: 2, Oracle Directory Integration Platform uses certificates to connect to the Oracle back-end directory.
Note:
Oracle Unified Directory and Oracle Directory Server Enterprise Edition only support SSL mode 2.
-
Scheduler initialized indicates that the profile scheduler has initialized properly. It is followed by a message indicating a successful connection to the Oracle back-end directory server.
-
Schema objects are initialized and profiles are scheduled for synchronization.
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP]
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] SSL Mode : 1
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] Host: HOST_NAME: PORT
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] Scheduler intialized
[wls_ods1] [NOTIFICATION] [DIP-10571] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] Connection to LDAP Server Successful
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] OBJECT_SCHEMA_READER_INITIALIZING
[wls_ods1] [NOTIFICATION] [DIP-10572] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] Object Schema Reader Initialized.
[wls_ods1] [NOTIFICATION] [DIP-10573] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] Event Schema Reader Initialized.
[wls_ods1] [NOTIFICATION] [DIP-10574] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] Data transfer interface defn initialized
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] INITALIZE_PROVJOBS
[wls_ods1] [NOTIFICATION] [DIP-10566] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] [arg: \n----------EVENT TYPE CONFIGURATION ---------------\n--------------------------------\nEventLDAPChangeType : ADD,MODIFY,DELETE\nobjectclass: inetorgperson,orcluserv2\n--------------------------------\nEventLDAPChangeType : ADD,MODIFY,DELETE\nobjectclass: orclservicesubscriptiondetail\n--------------------------------\nEventLDAPChangeType : ADD,MODIFY,DELETE\nobjectclass: *\n--------------------------------\nEventLDAPChangeType : ADD,MODIFY,DELETE\nobjectclass: inetorgperson,orcluserv2\n--------------------------------\nEventLDAPChangeType : ADD,MODIFY,DELETE\nobjectclass: orclsubscriber\n--------------------------------\nEventLDAPChangeType : ADD,MODIFY,DELETE\nobjectclass: orclgroup,orclprivilegegroup,groupofuniquenames,groupofnames\n------------------------------------- -------------] Print Event Type Configuration...[[
----------EVENT TYPE CONFIGURATION ---------------
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: inetorgperson,orcluserv2
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: orclservicesubscriptiondetail
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: *
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: inetorgperson,orcluserv2
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: orclsubscriber
--------------------------------
EventLDAPChangeType : ADD,MODIFY,DELETE
objectclass: orclgroup,orclprivilegegroup,groupofuniquenames,groupofnames
--------------------------------------------------
]]
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] INITALIZE_SYNCJOBS
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] Job submission successfulActiveExport SYNC_JOB 60
[wls_ods1] [NOTIFICATION] [EVENT_NOT_ENABLED] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP]
[wls_ods1] [NOTIFICATION] [DIP-10605] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8^kIXF0FQ6ubn3EH19awhV000001,0] [APP: DIP] [arg: ActiveExport] Profile : ActiveExport added successfully for scheduling.
UpdateThread Checking for Changes in Profiles
The following section of the diagnostic.log file shows information related to the UpdateThread job, which checks for changes made to synchronization and provisioning profiles. If UpdateThread finds changes, the profile is modified and rescheduled. In this section, notice the following:
[wls_ods1] [NOTIFICATION] [DIP-10580] [oracle.dip] [tid: UpdateThread] [userId: <anonymous>] [ecid: 0000Hy8fyF1F0FQ6ubn3EH19ax8V000003,0] [APP: DIP] [arg: (&(objectclass=changelogentry)(changenumber>=3340)(|(targetdn=*cn=Profiles,cn=Provisioning,cn=Directory Integration Platform,cn=Products,cn=OracleContext)(targetdn=*cn=event definitions,cn=directory integration platform,cn=products,cn=oraclecontext)(targetdn=*cn=object definitions,cn=directory integration platform,cn=products,cn=oraclecontext)))] Changelog Filter : (&(objectclass=changelogentry)(changenumber>=3340)(|(targetdn=*cn=Profiles,cn=Provisioning,cn=Directory Integration Platform,cn=Products,cn=OracleContext)(targetdn=*cn=event definitions,cn=directory integration platform,cn=products,cn=oraclecontext)(targetdn=*cn=object definitions,cn=directory integration platform,cn=products,cn=oraclecontext)))
Profile Initialization
The following section of the diagnostic.log file shows information related to profile initialization. In this section, notice that the ActiveImport profile is scheduled:
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: DIP] INITALIZE_SYNCJOBS
[wls_ods1] [NOTIFICATION] [] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: DIP] Job submission successfulActiveImport SYNC_JOB 60
[wls_ods1] [NOTIFICATION] [EVENT_NOT_ENABLED] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: DIP]
[wls_ods1] [NOTIFICATION] [DIP-10605] [oracle.dip] [tid: Scheduler] [userId: <anonymous>] [ecid: 0000Hy8unSqF0FQ6ubn3EH19ay88000001,0] [APP: DIP] [arg: ActiveImport] profile added successfully for scheduling : ActiveImport
Database Failure
The following section of the diagnostic.log file shows information that appears if the database is not running:
org.quartz.impl.jdbcjobstore.JobStoreSupport$ClusterManager manage
SEVERE: ClusterManager: Error managing cluster: Failed to obtain DB connection from data source 'schedulerDS': java.sql.SQLException: Could not retrieve datasource via JNDI url 'jdbc/schedulerDS' weblogic.jdbc.extensions.PoolDisabledSQLException: weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot allocate resources to applications..
org.quartz.JobPersistenceException: Failed to obtain DB connection from data source 'schedulerDS': java.sql.SQLException: Could not retrieve datasource via JNDI url 'jdbc/schedulerDS' weblogic.jdbc.extensions.PoolDisabledSQLException: weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot allocate resources to applications.. [See nested exception: java.sql.SQLException: Could not retrieve datasource via JNDI url 'jdbc/schedulerDS' weblogic.jdbc.extensions.PoolDisabledSQLException: weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot allocate resources to applications..]
	at org.quartz.impl.jdbcjobstore.JobStoreSupport.getConnection(JobStoreSupport.java:636)
	at org.quartz.impl.jdbcjobstore.JobStoreTX.getNonManagedTXConnection(JobStoreTX.java:72)
	at org.quartz.impl.jdbcjobstore.JobStoreSupport.doCheckin(JobStoreSupport.java:3070)
	at org.quartz.impl.jdbcjobstore.JobStoreSupport$ClusterManager.manage(JobStoreSupport.java:3713)
	at org.quartz.impl.jdbcjobstore.JobStoreSupport$ClusterManager.run(JobStoreSupport.java:3749)
Caused by: java.sql.SQLException: Could not retrieve datasource via JNDI url 'jdbc/schedulerDS' weblogic.jdbc.extensions.PoolDisabledSQLException: weblogic.common.resourcepool.ResourceDisabledException: Pool schedulerDS is disabled, cannot allocate resources to applications..
	at org.quartz.utils.JNDIConnectionProvider.getConnection(JNDIConnectionProvider.java:166)
	at org.quartz.utils.DBConnectionManager.getConnection(DBConnectionManager.java:112)
	at org.quartz.impl.jdbcjobstore.JobStoreSupport.getConnection(JobStoreSupport.java:633)
Successful Synchronization Operation
The following section of the diagnostic.log file shows the successful synchronization of a user:
QuartzJobListener says: Job ActiveImport Is about to be executed.
createChangeRecord:ChangeRecord :
----------
Changetype: ADDRMODIFY
ChangeKey: cn=myuser2,cn=users,dc=imtest,dc=com
Attributes:
Class: null Name: userprincipalname Type: null ChgType: DELETE Value: [ ]
Class: null Name: givenname Type: null ChgType: DELETE Value: [ ]
Class: null Name: employeeid Type: null ChgType: DELETE Value: [ ]
Class: null Name: physicaldeliveryofficename Type: null ChgType: DELETE Value: [ ]
Class: null Name: title Type: null ChgType: DELETE Value: [ ]
Class: null Name: mobile Type: null ChgType: DELETE Value: [ ]
Class: null Name: telephonenumber Type: null ChgType: DELETE Value: [ ]
Class: null Name: facsimiletelephonenumber Type: null ChgType: DELETE Value: [ ]
Class: null Name: l Type: null ChgType: DELETE Value: [ ]
Class: null Name: thumbnailphoto Type: null ChgType: DELETE Value: [ ]
Class: null Name: samaccountname Type: nonbinary ChgType: REPLACE Value: [MyUser2]
Class: null Name: objectsid Type: nonbinary ChgType: REPLACE Value: [[B@1b994c4]
Class: null Name: objectguid Type: nonbinary ChgType: REPLACE Value: [[B@1b990b5]
Class: null Name: distinguishedname Type: nonbinary ChgType: REPLACE Value: [CN=MyUser2,CN=Users,DC=imtest,DC=com]
Class: null Name: cn Type: nonbinary ChgType: REPLACE Value: [MyUser2]
Class: null Name: objectclass Type: nonbinary ChgType: REPLACE Value: [top, person, organizationalPerson, user]
-----------
copying : changeRecord to dstchange for writing
In DIPSYNC: doOneIteration():execMapping status0
QuartzJobListener says: Job ActiveImport was executed.
D.6 Troubleshooting Integration with Microsoft Active Directory
This section describes how to troubleshoot integration with Microsoft Active Directory.
Topics:
D.6.1 Debugging Windows Native Authentication
This section describes how to debug Windows Native Authentication.
Once you have configured Windows Native Authentication (see "Configuring Access Manager for Windows Native Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management), you can enable logging for this feature at run time. Open the opmn.xml file, located in $ORACLE_HOME/opmn/conf, and add the following parameter:
-Djazn.debug.log.enable = {true | false}
Assigning a value of true to the parameter enables debugging, while assigning a value of false disables it.
The boldface text in the following example shows where you should place the parameter in the opmn.xml file:
<process-type id="OC4J_SECURITY" module-id="OC4J">
<environment>
<variable id="DISPLAY" value="sun1.example.com:0.0"/>
<variable id="LD_LIBRARY_PATH" value="/private/ora1012/OraHome1/lib"/>
</environment>
<module-data>
<category id="start-parameters">
<data id="java-options" value="-server -Djazn.debug.log.enable=true
-Djava.security.policy=/private/ora1012/OraHome1/j2ee/OC4J_SECURITY/
config/java2.policy -Djava.awt.headless=true -Xmx512m
-Djava.awt.headless=true"/>
<data id="oc4j-options" value="-properties"/>
</category>
<category id="stop-parameters">
<data id="java-options" value="-Djava.security.policy=/private/ora1012/
OraHome1/j2ee/OC4J_SECURITY/config/java2.policy -Djava.awt.headless=true"/>
</category>
The log is written to the file OC4J~OC4J_SECURITY~default_island~1, found at $ORACLE_HOME/opmn/logs.
Note:
When accessing a protected application with Windows Native Authentication, Web browsers automatically return a "401 - Unauthorized" error that is logged by Oracle Enterprise Manager. This is normal behavior and can be safely ignored.
See Also:
-
Note: 283268.1—Troubleshooting Oracle Application Server Single Sign-On Windows Native Authentication in My Oracle Support (formerly MetaLink) at http://support.oracle.com/.
-
The "Problems and Solutions for Windows Native Authentication Errors" section in the Troubleshooting chapter of the Oracle Fusion Middleware Enterprise Single Sign-On Suite Administrator's Guide for more information about Windows Native Authentication errors.
D.6.2 Synchronizing Changes Following a Period when the Oracle Back-end Directory is Unavailable
When the Oracle back-end directory is unavailable, changes are stored in Microsoft Active Directory. The Oracle Password Filter for Microsoft Active Directory attempts to synchronize these entries after connectivity with the Oracle back-end directory is restored. The SearchDeltaSize parameter determines how many incremental changes are processed during each iteration in a synchronization cycle. By default, the SearchDeltaSize parameter is assigned a value of 500. Depending on how long the Oracle back-end directory is unavailable, the default SearchDeltaSize value of 500 may be too low to catch up on all of the unsynchronized changes. To resolve this problem, you must create a catchup profile by copying the existing Microsoft Active Directory import synchronization profile and modifying the value assigned to the SearchDeltaSize parameter.
To create a catchup synchronization profile:
D.7 Troubleshooting SSL/TLS
This section describes how to troubleshoot secure connection issues with either the Oracle back-end directory or the connected directory.
Complete the following:
-
Create a boot identity file:
  -
  Open a text editor and create a file named boot.properties.
  -
  Add the following lines:
  username=<weblogic admin user name>
  password=<weblogic admin user password>
  -
  Save the file to the following location:
  $DOMAIN_HOME/servers/wls_ods1/security/
-
Open the startWebLogic.sh script (located at $DOMAIN_HOME/bin/) in a text editor.
-
Locate the following line:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.util.logging.manager=oracle.core.ojdl.logging.ODLLogManager"
-
Replace it with the following line:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.debug=ssl -Djava.util.logging.manager=oracle.core.ojdl.logging.ODLLogManager"
-
Restart the Oracle Directory Integration Platform Managed Server (wls_ods1):
$DOMAIN_HOME/bin/startManagedWeblogic.sh wls_ods1 | tee ssl.log
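The boot.properties and startWebLogic.sh edits above, as an added Python example that is not part of the Oracle documentation. It assumes the caller passes the real DOMAIN_HOME path; it creates the boot identity file with owner-only permissions, because the file holds the WebLogic administrator password in clear text, and it adds or removes the -Djavax.net.debug=ssl flag idempotently so that a script edited twice does not end up with the flag duplicated.

```python
import os
import re

SSL_DEBUG_FLAG = "-Djavax.net.debug=ssl"
# The JAVA_OPTIONS line the procedure above says to locate in startWebLogic.sh.
ODL_LINE = re.compile(
    r'^(JAVA_OPTIONS="\$\{JAVA_OPTIONS\})'
    r'( -Djava\.util\.logging\.manager=oracle\.core\.ojdl\.logging\.ODLLogManager")$',
    re.MULTILINE,
)

def write_boot_identity(domain_home, username, password, server="wls_ods1"):
    """Create servers/<server>/security/boot.properties under domain_home (a
    caller-supplied path). The file holds the admin password in clear text, so
    it is created owner-read/write only instead of with the process umask."""
    sec_dir = os.path.join(domain_home, "servers", server, "security")
    os.makedirs(sec_dir, exist_ok=True)
    path = os.path.join(sec_dir, "boot.properties")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\n")
    os.chmod(path, 0o600)  # the O_CREAT mode is not applied if the file already existed
    return path

def enable_ssl_debug(script_text):
    """Return (new_text, changed): add -Djavax.net.debug=ssl to the JAVA_OPTIONS
    line exactly as the replacement step above shows. A script that already
    carries the flag, or lacks the expected line, is returned unchanged."""
    if SSL_DEBUG_FLAG in script_text:
        return script_text, False
    new_text, n = ODL_LINE.subn(rf"\g<1> {SSL_DEBUG_FLAG}\g<2>", script_text)
    return new_text, n == 1

def disable_ssl_debug(script_text):
    """Undo enable_ssl_debug once the handshake problem is found: ssl.log records
    every handshake in detail, so leave the flag on only while troubleshooting."""
    changed = f" {SSL_DEBUG_FLAG}" in script_text
    return script_text.replace(f" {SSL_DEBUG_FLAG}", ""), changed
```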
D.8 Need More Help?
Access additional help through My Oracle Support and Oracle Directory Integration Platform Release Notes.
You can find more solutions in My Oracle Support (formerly MetaLink) at http://support.oracle.com/. If you do not find a solution for your problem, log a service request.
See Also:
Oracle Directory Integration Platform in Oracle Fusion Middleware Release Notes for Oracle Identity Management.