1. Transitioning to Oracle Unified Directory
  2. Troubleshooting the Transition to Oracle Unified Directory

6 Troubleshooting the Transition to Oracle Unified Directory

If the transition fails, troubleshoot the cause using the log file and guidelines in this chapter.

6.1 Checklist for Troubleshooting the Transition to Oracle Unified Directory

Use the following checklist as a starting point when troubleshooting Oracle Unified Directory transition problems.

  • Verify that the Oracle Unified Directory directory server and replication gateway instance is running. For more information, see Starting the Server in Administering Oracle Unified Directory.
  • Verify that the replication gateway has been set up and is working correctly, add an entry on the Oracle Unified Directory server. Verify that the newly added entry has been successfully replicated to the Oracle Directory Server Enterprise Edition server. For more information, see Verifying the Replication Gateway Setup in Installing Oracle Unified Directory.
  • If Oracle Directory Integration Platform is configured for synchronization, verify that the servers are running. See in Starting the Stack in Administering Oracle Directory Integration Platform.
  • Verify that the audit, error, and debug logs are configured. For more information, see Configuring Logs in Administering Oracle Unified Directory.
  • Use the OUD dsreplication command or the ODSEE console to monitor replication status information. For more information see Monitoring a Replicated Topology in Administering Oracle Unified Directory.
  • Use dirtracer tool to gather debugging information about a running, hung, or stopped Oracle Directory Server Enterprise Edition process. For more information about the dirtracer script, see Using Troubleshooting Tools in Troubleshooting Guide for Oracle Directory Server Enterprise Edition.
  • Use the Remote Diagnostic Agent (RDA) to collect logs, configuration files, scripts and environment information for Oracle Unified Directory (OUD).

    Note:

    For more information on downloading and installing RDA, log into My Oracle Support. In the Search Knowledge Base field, enter 314422.1. This is the ID of the document that describes RDA installation.

    1. Configure RDA for collection of OUD information.

      Unix

      rda.sh -S -p OudStd -e OFM.OUD.N_TAIL=0

      Windows

      rda.cmd -S -p OudStd -e OFM.OUD.N_TAIL=0
  • Run RDA using the same command which uses the default configuration file (output.cfg)

    Unix

    rda.sh

    Windows

    rda.cmd

6.2 Troubleshooting Replication

This section describes issues associated with the replication gateway after transitioning from Oracle Directory Server Enterprise Edition to Oracle Unified Directory.

6.2.1 result=32 Error May Occur After Initializing the Replicated Server With Data

After initializing the replicated Server with ODSEE and OUD data, the following error is displayed in access logs (Located at instance_dir/OUD/logs): 

ADD RES conn=-1 op=16462142 msgID=16462143 result=32 etime=1

This issue occurs if the nsuniqueid attribute value in ODSEE does not match with the entryUUID attribute value in OUD.

To resolve the issue, ensure that the attributes value are same in both the ODSEE and OUD environments.

Example:

$ ldapsearch -p 11389 -D cn="Directory Manager" -j pwd-file -b dc=example,dc=com uid=employeeName nsuniqueid
dn: uid=uid=employeeName,ou=People,dc=example,dc=com
nsuniqueid: b725320e-455e11e7-80b1e853-9d225af6

$ ldapsearch -p 1389 -D cn="Directory Manager" -j pwd-file -b dc=example,dc=com employeeName entryUUID
dn: employeeName,ou=People,dc=example,dc=com
entryUUID: b725320e-455e-11e7-80b1-e8539d225af6

6.2.2 Error after Setting Up the Replication Gateway Using the Graphical User Interface (GUI)

After running the installer to set up the replication gateway server instance and the setup is complete, the following error may appear:

ReplicationGatewaySetupException: Error initializing. Could not find a peer to start the initialization after several tries. Details: Error during the initialization with contents from server <HOSTNAME>.<DOMAIN>:<ADMIN_PORT>. Last log details: [10/Jan/2018:10:18:45 -0700] severity="NOTICE" msgCount=0 msgID=9896349 message="Initialize From Replica task replication-gateway-setup-initialize5 started execution". Task state: STOPPED_BY_ERROR. Check the error logs of <HOSTNAME>.<DOMAIN>:<ADMIN_PORT> for more information.

This issue may occur if the firewall is enabled between the Oracle Unified Directory replication gateway and Oracle Unified Directory directory server instance and all transmission control protocol (TCP) network ports are blocked to incoming connections.

To resolve this issue, verify the firewall settings and ensure that all Oracle Unified Directory network ports are open to incoming connections.

6.2.3 Error while Setting Up the Replication Gateway Using the Command-Line Interface (CLI)

When you run the oud-replication-gateway-setup --cli to set up the replication gateway and enter the required configuration details, the following error may appear: 

Initializing basic replication gateway configuration ..... Done.
Starting Replication Gateway .......... Done.
Updating Registration Information ..... Done.
Configuring Oracle Unified Directory server <OUD_HOST_1> .....Done.
Initializing Registration Information .....
Error initializing.  Could not find replication ID in the server <OUD_HOST_1> for base DN cn=admin data.
If you want to report this error, provide the contents of file $MW_HOME/$OUD_GW_INST/OUD/logs/oud-setup
Error initializing.  Could not find replication ID in the server <OUD_HOST_1> for base DN cn=admin data.

This issue occurs when you enabled a server instance (replication gateway) for Oracle Enterprise User Security (EUS) and cn=oraclecontext and cn=oracleschemaversion naming contexts are created on the instance.

To resolve this issue, create a directory server instance without the EUS option and setup this instance as the replication gateway.

See:

6.2.4 Replication Server Fails to Start with moddn property Enabled

Replication from ODSEE to OUD fails and the following error appears in ODSEE:

ERROR - Replication - conn=-1 op=-1 msgId=-1 - [S] Unable to start a replication session with MODDN enabled. The consumer <HOSTNAME>:<PORT>/ou=people,<SUFFIX_DN> does not support MODDN operations.

This error if the moddnenabledsuffixes attribute is not available in OUD.

To resolve this issue

  1. Stop the replication server by running the stop-ds command.

  2. Make a backup of the OUD config.ldif file (Located at instance-path/config/ config.ldif).

  3. Open the config.ldif file in a text editor and update the ds-cfg-base-dn parameter with the ODSEE parameter.

    Example:

    dn: cn=Replication Gateway Domain 1,cn=domains,cn=Gateway Plugin,cn=Plugins,cn=config
ds-cfg-base-dn: ou=people,<SUFFIX_DN>

  4. Restart the replication server by running the start-ds command.

6.2.5 Replication Gateway Fails to Replicate the Resource Limit Attributes

The OUD and ODSEE replication gateway server instance does not replicate the following resource limit attributes:

  • nsSizeLimit

  • nsTimeLimit

  • nsLookThroughLimit

  • nsIdleTimeout

Syntax

To resolve this issue, enable the resource limit attributes:

  1. When the Replication Gateway is used, the OUD schema (02-config.ldif) must be modified so that each (O)DSEE attribute name (nsSizeLimit, nsTimeLimit, nsLookThroughLimit, and nsIdleTimeout) related to resource limits is declared as an alias name for each corresponding OUD attribute.

    Note:

    Corresponding attributes on OUD are: ds-rlim-size-limit, ds-rlim-time-limit, ds-rlim-lookthrough-limit, and ds-rlim-idle-time-limit.

    Update the OUD schema (02-config.ldif):

    1. Open the 02-config.ldif file (Located at OUD_ORACLE_HOME/config/schema/02-config.ldif) in a text editor and add the nsSizeLimit resource limit attribute, as shown in the following example: 

      attributeTypes: ( 1.3.6.1.4.1.26027.1.1.394
NAME ( 'ds-rlim-size-limit' 'nsSizeLimit' )
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE

    2. Restart the OUD Instance by running the start-ds command.

    3. You must repeat the above steps and update 02-config.ldif for nsTimeLimit, nsLookThroughLimit, and nsIdleTimeout.

  2. In (O)DSEE, -1 is used to disable a resource limit. In OUD, 0 is used. One way to address this difference is to create a virtual attribute on OUD to override the content of the OUD attribute when the value of the (O)DSEE attribute is equal to -1.

    Create new virtual attribute by running the create-virtual-attribute subcommand: 

    dsconfig create-virtual-attribute --name "mapping nsSizeLimit "
--type user-defined --set attribute-type:ds-rlim-size-limit \
--set filter:”(nsSizeLimit=-1)” \
--set conflict-behavior:virtual-overrides-real \
--set value:"0"
--set enabled:true

    You must repeat the above steps and create the virtual attributes for nsTimeLimit, nsLookThroughLimit, and nsIdleTimeout attributes.

  3. Remove the nsSizeLimit attribute from the OUD replication gateway server by running the dsconfig command: 

    dsconfig set-plugin-prop
--plugin-name "Gateway Plugin"
--remove dsee-specific-attribute-types:nsSizeLimit
--hostname myhost.example.com
--port 29444
--trustStorePath
/<path to root>/<Middleware_Home>/OUD target instance/OUD/config/admin-truststore
--bindDN cn=Directory Manager
--bindPasswordFile pwdFile
--no-prompt

    You must repeat the above steps and remove nsTimeLimit, nsLookThroughLimit, and nsIdleTimeout attributes from the OUD replication gateway server.

  4. Open the ODSEE 00core.ldif file (Located at instance-path/config/schema/) in a text editor and add the ds-rlim-size-limit OUD attribute, as shown in the following example: 

    attributeTypes: ( 2.16.840.1.113730.3.1.571 NAME ( 'nsSizeLimit'
'ds-rlim-size-limit' ) DESC 'Binder-based search operation size limit
(entries)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE
directoryOperation X-DS-USE 'internal' X-ORIGIN 'Sun ONE Directory Server' )

    Perform the above steps to add the corresponding OUD attributes to the ODSEE resource limit attributes.

6.2.6 Incompatible (O)DSEE Password Policy

After running the run the ds2oud --diagnose command, the following warning message is displayed: 

Warning : Incompatible password policy, the replication gateway only supports DS6-mode : You are currently using DS5-mode

This warning occur if you are using the DS5-compatibility-mode password policy.

To resolve this issue, you must switch to DS6-mode before exporting data from (O)DSEE.

  1. Change to DS6-migration-mode from DS5-compatible-mode by running the dsconf pwd-compat command.

    Example:

    dsconf pwd-compat -p 12000 -h <hostname> to-DS6-migration-mode
Enter "cn=Directory Manager" password:
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.

  2. Delete the DS5-mode password policy operational attributes, as described Programmatically Running DS5-Mode Password Policy Operational Attributes in DS6-Mode in Administrator's Guide for Oracle Directory Server Enterprise Edition

  3. Change from DS6-migration-mode to DS6-mode by running the dsconf pwd-compat command.

    Example:

    dsconf pwd-compat -p 12000 -h <hostname> to-DS6-mode
Enter "cn=Directory Manager" password:
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.

For more information about password policy, see Directory Server Password Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition.

6.2.7 Violation Error after Multiple Modification to the (O)DSEE pwdLastAuthTime Operational Attribute

If you make multiple modification to the (O)DSEE pwdLastAuthTime operational attribute after creating the replication gateway, then the following error message may appear: 

category=SYNC severity=MILD_ERROR msgID=14876739 msg=Could not replay operation ModifyOperation

operation ModifyOperation(connID=-1, opID=362, dn=cn=<ADMIN>,ou=<OU>,dc=<SUFFIX_DN>) with 
ChangeNumber 000001610af1f2e0000500000005 
error Constraint Violation Entry cn=<ADMIN>,ou=<OU>,dc=<SUFFIX_DN> cannot 
be updated because the request did not contain any modifications

To resolve this issue:

  1. Remove the pwdLastAuthTime operational attribute from the OUD replication gateway server by running the dsconfig command: 

    $./dsconfig set-plugin-prop --plugin-name Gateway\ Plugin --remove dsee-specific-attribute-types:pwdlastauthtime

  2. Restart the OUD server using the start-ds command.

  3. Verify the OUD error logs (Located at INSTANCE_DIR/OUD/logs).

6.3 What to Do If the Transition Process Fails

If any step in the transition process fails, then terminate the transition process and restore the environment to its original state using the backup files you created in Creating a Complete Backup.

See:

Uninstall the Oracle Unified Directory server instances, as described in Uninstalling an Oracle Unified Directory Instance in Installing Oracle Unified Directory.