Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02 |
|
Previous |
Next |
This appendix explains typical problems that you could encounter while running or installing Oracle Internet Directory. It contains these sections:
This section describes common Oracle Internet Directory error messages, problems and solutions. It contains the following topics:
During installation and configuration of the Oracle Database, Oracle recommends that you select the character set UTF-8 to avoid possible problems with multibyte characters.
TCP/IP bugs in the operating system can interfere with Oracle Internet Directory service.
If you use the F5 load balancer for monitoring Oracle Internet Directory server availability, configure the load balancer to use LDAP- or HTTP-based monitoring, as described in the Oracle Application Server High Availability Guide section "Configuring A Load Balancer For OracleAS Cluster (Identity Management)." Using TCP-based monitoring might cause the service to become unavailable, due to an operating system bug on Windows 2003 Server.
This section contains a list of all the Oracle directory server error messages that you can encounter. Each message is followed by its most probable causes.
Problem
If you attempt to add more schema components than can fit in the rollback segment space, you will encounter this error and the modifications will not commit.
Solution
To solve this, increase the size of the rollback segments in the database server.
You get the following error in oidldap*.log
:
ORA-01483: invalid length for DATE or NUMBER bind variable.
You may also see the following error on your screen:
LDAP: error code 19 - Constraint Violation
These errors might only occur intermittently.
Problem
If you loaded the OracleAS Metadata Repository into an Oracle 10g Database that uses the AL32UTF8 character set, you may encounter some errors when you try to edit a user or Group, or Create Identity Management Realms in Oracle Internet Directory. Editing a user includes editing attributes for an existing user.
Solution
As a workaround, you can wait a bit and try editing the user again.
Table J-1 lists standard error messages and their causes. Oracle Internet Directory also returns other messages listed and described in "Additional Directory Server Error Messages".
Table J-1 Standard Error Messages
Error | Cause |
---|---|
00—LDAP_SUCCESS |
The operation was successful. |
01—LDAP_OPERATIONS_ERROR |
General errors encountered by the server when processing the request. |
02—LDAP_PROTOCOL_ERROR |
The client request did not meet the LDAP protocol requirements, such as format or syntax. This can occur in the following situations: Server encounters a decoding error while parsing the incoming request. The request is an add or modify request that specifies the addition of an attribute type to an entry but no values specified. Error reading SSL credentials. An unknown type of modify operation is specified (other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE) Unknown search scope |
03—LDAP_TIMELIMIT_EXCEEDED |
Search took longer than the time limit specified. If you have not specified a time limit for the search, Oracle Internet Directory uses a default time limit of one hour. |
04—LDAP_SIZELIMIT_EXCEEDED |
More entries match the search query than the size limit specified. If you have not specified a size limit for the search, Oracle Internet Directory uses a default size limit of 1000. |
05—LDAP_COMPARE_FALSE |
Presented value is not the same as the one in the entry. |
06—LDAP_COMPARE_TRUE |
Presented value is same as the one in the entry. |
07—LDAP_STRONG_AUTH_NOT_SUPPORTED |
The requested bind method is not supported by the server. For example, SASL clients requesting Kerberos authentication from Oracle Internet Directory receive this error in response. |
09—LDAP_PARTIAL_RESULTS |
Server returned a referral. |
10—LDAP_REFERRAL |
Server returned a referral. |
12—LDAP_UNAVAILABLE_CRITICALEXTENSION |
Specified request is not supported |
16—LDAP_NO_SUCH_ATTRIBUTE |
Attribute does not exist in the entry specified in the request. |
17—LDAP_UNDEFINED_TYPE |
Specified attribute type is undefined in the schema. |
19—LDAP_CONSTRAINT_VIOLATION |
The value in the request violated certain constraints. |
20—LDAP_TYPE_OR_VALUE_EXISTS |
Duplicate values specified for the attribute. |
21—LDAP_INVALID_SYNTAX |
Specified attribute syntax is invalid. In a search, the filter syntax is invalid. |
32—LDAP_NO_SUCH_OBJECT |
The base specified for the operation does not exist. |
34—LDAP_INVALID_DN_SYNTAX |
Error in the DN syntax. |
49—LDAP_INVALID_CREDENTIALS |
Bind failed because the credentials are not correct. |
50—LDAP_INSUFFICIENT_ACCESS |
The client does not have access to perform this operation. |
53—LDAP_UNWILLING_TO_PERFORM |
General error, or server is in read-only mode. |
65—LDAP_OBJECT_CLASS_VIOLATION |
A change to the entry violates the object class definition. |
66— LDAP_NOT_ALLOWED_ON_NONLEAF |
The entry to be deleted has children. |
67—LDAP_NOT_ALLOWED_ON_RDN |
Cannot perform the operation on RDN attributes—for example, you cannot delete the RDN attribute of the entry. |
68—LDAP_ALREADY_EXISTS |
Duplicate ADD condition. |
81—LDAP_SERVER_DOWN |
Cannot contact the directory server. This message is returned from the SDK. |
82—LDAP_LOCAL_ERROR |
The client encountered an internal error. This message is returned from the client SDK. |
83—LDAP_ENCODING_ERROR |
The client encountered an error in encoding the request. This message is returned from the SDK. |
84—LDAP_DECODING_ERROR |
The client encountered an error in decoding the request. This message is returned from the SDK. |
85—LDAP_TIMEOUT |
Client encountered the time out specified for the operation. This message is returned from the SDK. |
86—LDAP_AUTH_UNKNOWN |
Authentication method is unknown to the client SDK. |
87—LDAP_FILTER_ERROR |
Bad search filter |
88—LDAP_USER_CANCELLED |
User cancelled operation |
89—LDAP_PARAM_ERROR |
Bad parameter to an LDAP routine |
90—LDAP_NO_MEMORY |
Out of memory |
Table J-2 lists additional directory server error messages and their causes. These messages do not display error codes.
The Oracle Internet Directory application replaces the parameter
tag seen in some of the following messages with the appropriate runtime value.
Table J-2 Additional Error Messages
Error | Cause |
---|---|
%s attribute not found |
The particular attribute type is not defined in the schema. |
<parameter> not found for attribute <parameter> |
Value not found in the attribute. (ldapmodify) |
Admin domain does not contain schema information for objectclass <parameter> |
The object class specified in the request is not present in the schema. |
Attempted to add a Class with oid <parameter> taken by other class |
Duplicate object identifier specified. (schema modification) |
Attribute <parameter> already in use |
Duplicate attribute name. (schema modification) |
Attribute <parameter> has syntax error. |
Syntax error in the attribute name definition. (schema modification) |
Attribute <parameter> is not supported in the schema. |
Attribute not defined. (all operations) |
Attribute <parameter> is single valued. |
Attribute is single-valued. (ldapadd and ldapmodify) |
Attribute <parameter> not present in the entry. |
This attribute does not exist in the entry. (ldapmodify) |
Bad attribute definition. |
Syntax error in attribute definition. (schema modification) |
Currently Not Supported |
The version of LDAP request is not supported by this server. |
Entry to be deleted not found. |
DN specified in the delete operation not found. |
Entry to be modified not found |
The entry specified in the request is not found. |
Error encountered while adding <parameter> to the entry |
Returned when modify add operation is invoked. A possible cause is that the system resource is unavailable. |
Error encountered while encrypting an attribute value. |
Error in encrypting user password. (all operations) |
Error in DN Normalization. |
DN specified is invalid. Syntax error encountered in parsing the DN. (all operations) |
Error in hashing <parameter> attribute. |
Error in creating hash entry for the attribute. (schema modification) |
Error in hashing <parameter> objectclass. |
Error in creating hash entry for the objectclass. (schema modification) |
Error in Schema hash creation. |
Error while creating hash table for schema. (schema modification) |
Error replacing <parameter>. |
Error in replacing this attribute. (ldapmodify) |
Error while normalizing value for attribute <parameter>. |
Error in normalizing value for the attribute. (all operations) |
Failed to find <parameter> in mandatory or optional attribute list. |
Attribute specified does not exist in either the mandatory or optional attribute list as required by the object class(es). |
Function Not Implemented |
The feature/request is currently not supported. |
INVALID ACI is <parameter> |
The particular ACI you specified in a request is invalid. |
Mandatory attribute <parameter> is not defined in Admin Domain <parameter>. |
MUST refers to attribute not defined. (schema modification) |
Mandatory Attribute missing. |
The mandatory attribute for the particular entry is missing, as required by the particular object class. |
Matching rule, <parameter>, not defined. |
Matching rule not defined in the server. (schema modification) |
MaxConn Reached |
The maximum number of concurrent connections to the LDAP server has been reached. |
Modifying the Naming attribute for the entry without modifying the DN. |
Cannot modify the naming attributes using ldapmodify. A naming attribute, such as |
New Parent not found. |
New parent specified in modifydn operation does not exist.(ldapmodifydn) |
Object already exists. |
Duplicate entry. (ldapadd and ldapmodifydn) |
Object ID <parameter> already in use. |
Duplicate object identifier specified. (schema modification) |
Objectclass <parameter> already in use. |
Duplicate Objectclass name. (schema modification) |
Objectclass attribute missing. |
The objectclass attribute is missing for this particular entry. |
OID <parameter> has syntax error. |
syntax error in the object identifier definition. (schema modification) |
One of the attributes in the entry has duplicate value. |
You entered two values for the same attribute in the entry you are creating. |
Operation not allowed on the <parameter>. |
Operation not allowed on this entry. (modify, add, and delete) |
Operation not allowed on the DSE Entry. |
Can't do this operation on DSE entry. (delete) |
Optional attribute <parameter> is not defined in Admin Domain <parameter>. |
MAY refers to attribute not defined. (schema modification) |
Parent entry not found in the directory. |
Parent entry does not exist. (ldapadd and perhaps ldapmodifydn) |
Super object <parameter> is not defined in Admin Domain <parameter>. |
SUP types refer to non-existing class. (schema modification) |
Super type undefined. |
SUP type does not exist. (schema modification) |
Super user addition not permitted. |
Cannot create super user entry. (ldapadd) |
Syntax, <parameter>, not defined. |
Syntax not defined in the server. (schema modification) |
The attribute or the value specified in the RDN does not exist in the entry. |
AVA specified as the RDN does not exist in the entry. (ldapadd) |
Unknown search scope |
The search scope specified in the LDAP request is not recognized. |
Version Not Supported |
The version of the LDAP request is not supported by this server. |
This section describes error messages and problems related to password policies.
Table J-3 contains the error messages sent to the client as a result of password policy violations. The error codes are not standard LDAP error codes. They are messages sent as a part of additional information in the LDAP result.
Table J-3 Password Policy Violation Error Messages
Error Number | Exception | Comment or Resolution |
---|---|---|
9000 |
|
User's password has expired. |
9001 |
|
User account is locked. |
9002 |
|
User password will expire in |
9003 |
|
User password is not the required number of characters long. |
9004 |
|
User password does not contain required numeric characters. |
9005 |
|
User password is a null password, which is disallowed. |
9006 |
|
User's new password is the same as the old one, which is disallowed. |
9007 |
|
User password is the same as your |
9008 |
|
User password has expired. User has |
9050 |
|
User account has been disabled. |
This section describes some of the potential problems with password policies and the corresponding solutions.
You get the error:PASSWORD POLICY ERROR :9000: GSL_PWDEXPIRED_EXCP.
Problem
Beginning with Release 9.0.4, the pwdmaxage
attributes of the password policies are defaulted to time value of 60 days.
Beginning with Release 9.0.4, the default value for Password Expiry Time is set to 5184000—that is, 60 days. After 60 days from your installation date, the password for the Oracle directory integration and provisioning server (and any other assigned passwords) automatically expire. If you have Directory Synchronization or Provisioning running, the ODISRV process will attempt to process the active profiles. Soon after password expiration, this repeated trying causes the connector to exceed the max grace logins exceeded, and the account to become locked. A view of the odisrv.trc file for each profile shows: [LDAP: error code 49 - Password Policy Error:9000: GSL_PWDEXPIRED_EXCP:Your Password has expired. Please contact the Administrator to change your password.] along with Java errors.
Solution
Do the following:
Use oidpasswd
utility to unlock the orcladmin account. You will be prompted for the OID password, this is the ODS password which by default is the same as the ias_admin
password:
$ oidpasswd connect=asdb unlock_su_acct=true OID DB user password: OID super user account unlocked successfully.
This unlocks only the super user account, cn=orcladmin
. Do not confuse this account with the realm-specific orcladmin account cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy
. They are two separate accounts.
After you reset it, the super user account still cannot login to OracleAS Single Sign-On by using the orcladmin account until you perform the next step.
Launch the Oracle Directory Manager (must be a release 10g client) and navigate to Password Policy Management. You will see two entries: cn=PwdPolicyEntry
and the password policy for your realm—for example, password_policy_entry
,dc=acme,dc=com
.
Edit each of these, changing the pwdmaxage
attribute to an appropriate value:
5184000 = 60 days (default)
7776000 = 90 days
10368000 = 120 days
15552000 = 180 days
31536000 = 1 year
0 = never expire (Oracle Internet Directory 10.1.2.0 and 9.0.4.2.0)
4294967295 = never expire (Oracle Internet Directory 9.0.4.1.0 and 9.0.4.0.0)
Note: It is very important to change this value in both places. |
Launch the Oracle Directory Manager and navigate to the realm-specific orcladmin
account. Find the userpassword
attribute and reset the value to something new. You should then be able to launch any Oracle component that uses OracleAS Single Sign-On and login as orcladmin
.
Rerun the odisrvreg utility to reset the randomly generated password for Directory Integration and Provisioning. Make sure odisrv
is down. For example:
$ odisrvreg -D cn=orcladmin -w welcome1 -p 3060 Already Registered...Updating DIS password... DIS registration successful. $
Launch Oracle Directory Manager, expand Server Management, select Integration Servers and reset the UserPassword field under the General tab of each active connector.
This section gives some quick pointers for common performance-related problems.
LDAP search performance is poor.
Problem
Various problems.
Solution
Make sure that:
Schema associated with the ODS
user is ANALYZED
For searches involving multiple filter operands, make sure that the order in which they are given goes from the most specific to the least specific. For example, &(uid=john.doe)(objectclass=person)
is better than &(objectclass=person)(uid=john.doe)
.
LDAP add or modify performance is poor.
Problem
Various problems
Solution
Make sure that:
There are enough redo log files in the database
The undo tablespace in the database is large enough
The schema associated with the ODS
user is ANALYZED
When estimating the statistics, you can use the OID Database Statistics Collection tool to analyze the various database ODS schema objects.
Both the tracing functionality described in "Using Debug Logging" and the database tracing event 10046 can assist you in diagnosing performance issues.
See Also: The "oidstats.sql" command-line tool reference in Oracle Identity Management User Reference for instructions on using the OID Database Statistics Collection tool"Optimizing Searches" for instructions on optimizing searches MetaLink note 243006.1 on Oracle MetaLink, |
To troubleshoot starting and stopping the directory server, you must know the purpose of each tool involved, how all the tools work together, and the overall process for starting and stopping the server.
The tool usedto start and stop the directory server as an Oracle Application Server component is OPMN. For information on troubleshooting OPMN, see the "Troubleshooting" appendix in Oracle Process Manager and Notification Server Administrator's Guide.
There are two tools used to start, stop, and restart directory server instances: OID Control Utility (OIDCTL) and OID Monitor (OIDMON).
OIDCTL When OIDCTL is executed, it connects to the database as user ODS
. Depending on the options used in the command, it either inserts or updates rows into a table named ODS.ODS_PROCESS
. If the START
option is used, then a row is inserted. If either the STOP
or RESTART
option is used, then a row is updated.
The ODS.ODS_PROCESS table includes the following information:
instance
—The unique number of the instance, any value between 0 and 1000
pid
—Process identifier, which will be updated by OIDMON when the process is started
state
—The type of operation requested
The possible values for state
are:
0=stop
1=start
2=running
3=restart
4=shutdown
5=failedover
Note: When OPMN is used to stop the directory server, the value for state is initially 4, that is, shutdown. However, once OPMN starts the directory server again, the state value becomes 2, that is, running. |
OIDMON To start, stop, or restart a directory server instance, OIDMON must be running. At specified intervals, this daemon checks the value of the state
column in the ODS.ODS_PROCESS
table.
state=0
, then it reads the pid
and stops the process.
state=1
or state=4
, then it starts a new process and updates the pid column with a new process identifier.
state=2
, then it reads the pid
and verifies that the process with that pid
is running. If it is not running, then OIDMON starts a new process and updates the pid
column with a new process identifier.
state=3
, then OIDMON reads the pid
, stops the process, starts a new one, and updates the pid
accordingly.
ODS.ODS_PROCESS
table. If OIDMON is running on a node in a Oracle Application Server Cluster (Identity Management) configuration, it retries 100 times.
In short, OIDCTL inserts and updates state information in the rows in the ODS.ODS_PROCESS
table. OIDMON then reads that information and performs the specified task.
About the Processes Involved in Starting, Stopping, and Restarting the Directory Server
Starting, stopping and restarting the directory server involves a number of processes. OIDMON is one process. On Unix, it is called oidmon
. In a Microsoft Windows environment, it is called oidmon.exe
.
To start an instance, OIDMON checks the unique number in the instance
column mentioned in the previous section. It then starts another process, namely, the listener/dispatcher, which is different from the Oracle Net Services listener process. It stores the process identifier for that new process in the pid
column.
The listener/dispatcher, in turn, starts a number of server processes as defined in the configuration set entry. Note that these server processes are controlled by the listener/dispatcher and not by OIDMON. If one of these processes fails, then it is automatically restarted by the listener/dispatcher.
Together, the listener/dispatcher and the server processes constitute a directory server instance. On UNIX, this directory server instance is called oidldapd
. On Microsoft Windows, they are called oidldapd.exe
.
In short, there are at least three processes: one for OIDMON and at least two for the directory server itself. When all processes are running, you should see something like the following on UNIX computers:
% ps -ef|grep oid root 12387 12381 0 Mar 28 ? 0:05 oidldapd -i 1 -conf 0 key=811436710 root 12381 1 0 Mar 28 ? 0:10 oidmon start root 13297 1 0 Mar 28 ? 0:14 oidldapd
Another way to obtain server information is by running ldapcheck. When you do this, you may see something like this:
Checking Oracle Internet Directory Processes ... Process oidmon is Alive as PID 12381 Process oidldapd is Alive as PID 12387 Process oidldapd is Alive as PID 13297 Not Running ---- Process oidrepld
This section describes some problems you might have when starting, stopping, or restarting the directory server.
Either OIDCTL or OIDMON can fail for a number of reasons.
Problem
Incorrect syntax
Solution
Verify that you are using the correct syntax as described in "Oracle Internet Directory Server Administration Tools" in Oracle Identity Management User Reference. Note that the correct value of the connect option when using OIDCTL is the TNS alias—that is, the connect string—and not a host name or other value. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com
.
Problem
The Oracle Internet Directory-designated database is not running.
The Oracle Net Services configurations are incorrect.
Solution
Verify that the Oracle Internet Directory-designated database and the Oracle Net Services components are correctly configured and running. To do this, see if you can connect to the database by using SQL*Plus that is installed in the same ORACLE_HOME
as OIDCTL. Log in as ODS
/ods_password
@
tns_alias w
here tns_alias
is the same as that used in the connect
option with OIDCTL. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com
.
Problem
LDAP name resolution requires two instances of Oracle Internet Directory, but only one is running.
Solution
Verify that the value of the DIRECTORY_SERVERS
parameter in the file ldap.ora
is different from that specified in NAMES.DIRECTORY_PATH
in the file sqlnet.ora
. Both of these files are found in ORACLE_HOME
/network/admin
. If everything is working correctly, then selecting from ODS.ODS_PROCESS
retrieves rows with state values described in "OIDCTL". See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com
.
Information in ODS.ODS_PROCESS is correct, but processes still do not start.
When everything is working correctly, you should see at least three processes: one named oidmon, and at least two named oidldapd. OIDMON starts, stops, and restarts the server processes, and, because it does so at specified intervals, give it time to complete the requested operation.
Problem
Missing oidldapd
file.
Solution
See oidmon.log
. Look for the message: No such file or directory
. To correct the problem, replace the executable file.
Problem
Wrong permissions on oidldapd
executable file.
Solution
Look for the message Exec of OIDLDAPD failed with error 13
. On UNIX, the $ORACLE_HOME/bin/oidldapd
file must have the following permissions:
-rws--x--- 1 root dba 1691802 Jan 20 10:30 oidldapd
If the permissions are not correct, type the following, as root:
cd $ORACLE_HOME/bin chown root:dba oidldapd chmod 0710 oidldapd chmod u+s oidldapd
Problem
You are running as a user with insufficient privilege
Solution
To confirm that this is the problem, see oidmon.log
. Look for the message: Permission denied
or Open Wallet failed
. This happens if you are not running either as root
or as the user who is in the dba
group. To correct the problem, try again as the correct user.
Problem
A port is in use.
Solution
See oidldapd
XX
.log
, where XX
is the server instance number. Look for the message: Bind failed on...
This indicates that the port that oidldapd
is configured to listen on is in use by some other process. To determine which process is using the port, type:
netstat -a | grep portNum
If necessary, reconfigure the other process to use a different port or configure oidladapd
to listen on another port by adding a configset. Remember that, by default, oidladapd
listens on two ports, an SSL and non-SSL port.
Problem
On a cluster or Oracle Application Server Cluster (Identity Management) configuration, OIDMON pushes the server to another node in a cluster when it cannot start the server on the local node.
Solution
See oidmon.log
. Look for the message: gslsgfrPushServer: Could not start
server
on
NodeA
, trying to start on node
NodeB
. To correct this problem, you must first determine why OIDMON cannot start the server on the local node.
Problem
A possible problem with Oracle Net Services or with the database itself.
Solution
See oidmon.log
, oidsrv.log
, oidldapd
xx
.log
, where xx
is the server instance number, and oidrepd
xx
.log
where XX
is Oracle directory integration and provisioning server instance number, for details about the problem.
A Row is Missing from ODS.ODS_PROCESS
Problem
In a cluster or Oracle Application Server Cluster (Identity Management) configuration, OIDMON successfully starts oidldapd
on both nodes, but then initiates failover due to a time stamp difference.
Solution
See oidmon.log
. On the node with the missing row, look for the message: Successfully failed over from
NodeA
to
NodeB
. On the other node, you will see an extra oidldapd
. To correct the problem, adjust the system time on all nodes so that they are all within 250 seconds of one another.
Solution
See the trace files oidldapd
xx
.log
where xx
is the instance number, and oidldapd
xx
syy
.log
where xx
is the instance number and yy
is the process identifier. If the trace files do not give useful information or pointers to Oracle MetaLink documents, then do the following: (1) Stop the directory server processes; (2) Remove or rename old trace files; (3) Start OIDMON and a directory server with maximum debug level, namely, 11744051. Note that, to get the trace files, you must first stop, then start, the server; you cannot simply restart it. Investigate the new trace files, and, if needed, log an iTAR with Oracle Support Services and upload the trace files to the iTAR. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com
.
See Also: "How Failover Works in an Oracle Application Server Cluster (Identity Management) Environment" in Oracle Application Server High Availability Guide for more information on failover. |
No processes are running, but using OIDCTL gives an error saying that the specified instance is already in use
Problem
This can occur, for example, after a machine restart when OIDMON is not running.
Solution
Start OIDMON, which, in turn, starts the directory server. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com
.
Solution
Use the stop
option of OIDCTL to stop the specified instance. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com
.
Solution
If the directory server fails to start, you can override all user-specified configuration parameters to start it and then return the configuration sets to a workable state by using the ldapmodify operation. Use command-line options to oidctl
to start the server with different configuration values, overriding any defined configuration sets except for the values in configset0
. Do not modify configset0
because this technique relies on its minimal, default contents.
Solution
To see debug log files generated by the OID Control Utility, navigate to $
ORACLE_HOME/ldap/log
.
See Also: The "oidctl" command-line tool reference in Oracle Identity Management User Reference for more information on failover. |
This section discusses directory replication problems.
Whenever you investigate a replication problem, be sure to consult the log files $ORACLE_HOME/ldap/oidrepld00.log
and oidldapd
xx
.log
for information.
The replication server supports multiple debugging levels. To turn on replication debugging, specify the -d
decimal_debug_level
flag when you start the server. For example:
oidctl server=oidrepld connect=connect_string instance=instance_number \ flags="-h host -p port -d decimal_debug_level"
Note: Turning on debugging will affect replication performance. |
See Also: Chapter 10, "Logging, Auditing, and Monitoring the Directory" for more information about debugging. |
There are several problems that can prevent the replication server from starting.
Problem
Invalid oidctl
syntax
Solution
Use the following syntax to start the replication server.:
oidctl server=oidrepld connect=connect string instance=instance_number \ flags="-h host -p port"
Problem
Oracle Internet Directory is not running at the host and port you specified on the command line when you attempted to start the replication server. This caused the anonymous bind to the target Oracle Internet Directory to fail.
Solution
Make sure the target Oracle Internet Directory is up and running at the specified host and port.
Problem
The replication server is attempting to bind to the host and port specified in either the orclreplicaprimaryurl
or the orclreplicasecondaryurl
attribute of the Replica entry, but Oracle Internet Directory is running at a different host or port.
Solution
If you decide to run Oracle Internet Directory at a different host or port, add the new information to the orclreplicasecondaryurl
attribute of the replica entry, as follows:
Prepare a modification file, mod.ldif
. For example, to change to host my.us.oracle.com and port 4444, you would specify:
dn: orclreplicaid=replica_ID, cn=replication configuration
changetype: modify
add: orclreplicasecondaryurl
orclreplicasecondaryurl: ldap://my.us.oracle.com:4444/
Run:
ldapmodify -h host -p port -f mod.ldif
Problem
The ReplBind
credential in the replication wallet $ORACLE_HOME/ldap/admin/oidr
ORACLE_SID
is corrupt or invalid. That is, the password stored in the wallet is not the same as the password that is stored in the directory, or the wallet does not exist. This causes the replication bind to fail and the replication server to exit with an error.
You might see messages similar to this example in the file oidrepld
XX
.log
:
2005/07/21:11:13:28 * gslrcfdReadReplDnPswd:Error reading repl passwd 2005/07/21:11:13:28 * gslrcfcReadReplConfig:Error found. 2005/07/21:11:13:28 * Failed to read replication configuration information.
Solution
Use remtool
to fix the replication bind credential in the replication wallet or to synchronize between Oracle Internet Directory and the replication wallet.
remtool -pchgpwd
changes the password of the replication dn of a replica. Use this option if you know the current replication DN password stored in the directory and you want to change it both in the directory and in the wallet.
remtool -presetpwd
resets the password or the replication dn of a replica. Use this option if you know the current replication DN password stored in the directory and you want to change it both in the directory and in the wallet.
remtool -pchgwalpwd
changes password of replication dn of a replica only in the wallet. Use this option if you know the replication DN password stored in the directory but you are not sure whether the wallet has the correct password or you want to create the wallet file.
All of these options will create a wallet if one does not already exist.
See Also:
|
Problem
When you use the Oracle Application Server tool RepCA to load Oracle Internet Directory schema into an existing Oracle 10.1.0.3 Database, you might see the following error message in the $ORACLE_HOME/assistants/repca/log/repca*log
file:
SP2-0332: Cannot create spool file.
Solution
This error message can be ignored.
A number of errors can occur in replication bootstrap.
Problem
Some of the naming contexts failed to be bootstrapped.
Solution
Identify the naming contexts that failed to be bootstrapped, and use the oidreconcile
tool to reconcile them.Then resume replication by setting the consumer's replica state to ONLINE mode
Problem
Various causes.
Solution
Identify the cause of the bootstrap failure and fix the cause, then restart bootstrapping by setting consumer's replica state to BOOTSTRAP mode.
Solution
To determine the exact cause of the error, examine the log file oidldapd
xx
.log
. Look for error messages like those in the following example:
2004/09/14:12:57:23 * Starting OIDREPLD against dlsun1418:4444... 2004/09/14:12:57:25 * Starting scheduler... 2004/09/14:12:57:26 * Start to BootStrap from supplier=dlsun1418_replica to consumer=dlsun1418_replica2 2004/09/14:12:57:27 * gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext ...... 2004/09/14:12:58:21 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oraclecontext, 222 entries matched 2004/09/14:12:58:21 * gslrbssSyncDIT:Replicating namingcontext=cn=joe smith ...... 2004/09/14:12:58:23 * BootStrap failure when adding DN=cn=Joe Smith, server=dlsun1418_replica2,err=Constraint violation. 2004/09/14:12:58:23 * gslrbssSyncDIT:Sync failed for namingctx: cn=joe smith, only 1 entries retrieved 2004/09/14:12:58:23 * gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ...... 2004/09/14:12:58:25 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oracleschemaversion, 10 entries matched 2004/09/14:12:58:51 * gslrbsbBootStrap: Failure occured when bootstrapping 1 out of 3 namingcontext(s) from the supplier
Identify the cause of the bootstrap failure and fix it. You can identify the naming contexts that caused the problem, then use oidreconcile
to compare and reconcile the naming contexts. Once you have resolved the problem, start bootstrapping again by starting the Oracle Internet Directory replication server.
Problem
The Oracle Internet Directory server was shut down during the bootstrapping
Solution
Make sure both the supplier Oracle Internet Directory and the consumer Oracle Internet Directory servers are up and running during replication bootstrapping.
Problem
Some of the entries being bootstrapped cannot be applied at the consumer due to a constraint violation.
Solution
Make sure the Oracle Internet Directory schema of the consumer are synchronized with those of the supplier before starting replication bootstrap. When you add an LDAP replica, remtool
ensures that the Oracle Internet Directory schema on the consumer replica are synchronized with those on the supplier replica.
Problem
Improper replication filtering during bootstrapping. Replication supports excluding one or more attributes during bootstrapping. However, if a mandatory attribute of an entry is configured to be excluded, that entry cannot be applied at the consumer due to an objectclass violation.
Solution
Follow the replication naming context configuration rules in Chapter 25, "Oracle Internet Directory Replication Administration" to configure replication filtering properly.
If you are debugging LDAP replication, you should become familiar with the LDAP replica states. If LDAP-based replication is configured, when the replication server starts, it reads the replica state from the local replica. The replication server behaves differently, depending upon the local replica state. LDAP replication errors appear in oidldapd
xx
.log
Problem
When you restart the replication server after the replication server failed to bootstrap a naming context having more than 5000 entries, you may see error messages similar to this in the log file oidrepld00.log
:
2005/04/05:13:21:55 * gslrbssSyncDIT:Replicating namingcontext=dc=com ...... 2005/04/05:15:36:09 * gslrbssSyncDIT:Subtree delete on dc=com failed. Error=DSA is unwilling to perform 2005/04/05:15:36:09 * gslrbssSyncDIT:Sync failed for namingctx: dc=com, only 0 entries retrieved
The replication server performs two steps during bootstrap operation. First, in the consumer, it deletes the naming contexts that it has to bootstrap. Second, it copies entries belonging to those naming contexts from supplier to consumer. Deletion by the replication server of a naming context having several thousands of entries results in a big transaction. The undo tablespace needs to have sufficient space to accomodate a big transaction. If the database's undo tablespace does not have sufficient space, it will result in an ORA-30036 error.
Solution
Either have the database administrator add more space to the undo tablespace, or use the bulkdelete
tool to delete the required naming context before you start the replication server.
Changes are not replicated from one node to another.
Problem
The replication server has run out of table space
Solution
Look for the following message in the server log:
OCI Error ORA-1653 : ORA-01653: unable to extend table ODS.ASR_CHG_LOG by 8192 in tablespace OLTS_DEFAULT
Extend the table space and investigate why the table space keeps growing.
Problem
The target Oracle Internet Directory server is down.
Solution
Restart the target Oracle Internet Directory server.
Problem
Various causes
Solution
Make sure the replication server is started on all nodes, in multi-master replication, and at the consumer node in single-master or fan-out replication.
For multi-master Oracle Database Advanced Replication, use remtool
to diagnostic and fix problems.
remtool -asrverify
verifies the correctness of a DRG setup and reports problems.
remtool -asrrectify
verifies the correctness of a DRG setup, reports problems, and attempts to rectify the problems.
Check the replication log and LDAP log for error messages and fix the cause of the error after investigation.
See Also: The "remtool" command-line tool reference in Oracle Identity Management User Reference for more information about usingremtool .
|
Problem
Data is not replicated between the replicas. In some cases, a working replication setup stops working after OID Human Intervention Queue entries are applied to one of the nodes. In other cases, adding or deleting a new replica causes problems or failures.
Problem
Various causes
Solution
See the following Oracle MetaLink notes on Oracle MetaLink, http://metalink.oracle.com
:
Note 171693.1, "Resolving Conflicts"
Note 122039.1, "Troubleshooting Basics for Advanced Replication"
Note 213910.1, "Debugging OID Replication when ASR_CHG_LOG Never Gets Populated."
You can search for Oracle MetaLink notes by entering a term such as "replication" into the search box.
Describe symptom
Problem
Setting up Oracle Internet Directory for one-way LDAP connections over SSL fails.
Solution
Do not set up the SSL port of configset 0 with wallet mode 2 or 3. If you do, you will break Oracle Delegated Administration Services and other services and applications that expect to communicate with Oracle Internet Directory on the encrypted SSL port.
To correctly configure and test Oracle Internet Directory for SSL, follow the instructions in Oracle Metalink note 178714.1, on Oracle MetaLink, http://metalink.oracle.com
. Also see the SSL section of the tutorial "Getting Started with Oracle Internet Directory" at http://www.oracle.com/technology/obe/obe_as_10g.
This section discusses possible problems when configuring SSL
Both replication and Oracle Directory Integration and Provisioning use change logs to propagate information from a supplier directory to a consumer directory. All change logs are stored in the table ods_chg_log
. In addition, replication change logs are stored in asr_chg_log
.
This section discusses possible problems you might encounter with change log garbage collection.
Change logs grow very large.
Problem
Change logs are not being purged due to a replication issue. For example, if a replication server has been down for a few days, replication change logs will not be purged because they are needed for replication recovery.
Solution
Resolve the replication issue. See "Troubleshooting Oracle Internet Directory Replication"".
Problem
The attribute orclpurgetargetage
is set too high and there are one or more enabled but inactive change log subscribers that do not update orclLastAppliedChangeNumber
in their subscriber profiles. Change number-based purging won't purge change logs that are not yet consumed and time-based purging won't purge them because they're not old enough.
Solution
Set the attribute orclpurgetargetage
to a smaller value so that change logs are purged sooner.
Solution
Disable inactive changelog subscribers so that change logs are purged by change log number-based purging. Locate such enabled but incactive subscriber profiles by examining the orclLastAppliedChangeNumber
in all subscriber profiles by typing:
ldapsearch -v -p port -h host -D cn=orcladmin -w password \ -b "cn=changelog subscriber,cn=oracle internet directory" \ -s sub "objectclass=orclchangesubscriber" \ orcllastappliedchangenumber orclsubscriberdisable
Look for an entry that has orclSubscriberDisabled
equal to zero and an orclLastAppliedChangeNumber
value that never changes. If such an entry exists, and the change log garbage collector's orclpurgetargetage
is zero or greater, delete the value of orclpurgetargetage
. When orclpurgetargetage
is not defined or less than zero, the garbage collector will purge changes applied by the replication server, even if another subscriber has not updated its orclLastAppliedChangeNumber
.
Table J-4 lists and describes the error messages for dynamic password verifiers.
Table J-4 Error Messages for Dynamic Password Verifiers
Error Code | Description |
---|---|
9022 |
A reversible encrypted password is missing from the user entry. |
9023 |
The crypto type specified in the LDAP request control is not supported. |
9024 |
The username parameter is missing from the LDAP request control. |
If the directory is able to compare verifiers, and the comparison evaluates as false, the directory sends the standard error LDAP_COMPARE_FALSE to the client. Similarly, if the user being authenticated lacks a directory entry, the directory sends the standard error LDAP_NO_SUCH_OBJECT.
The Oracle Internet Directory Server has two password wallets: oidpwdlldap1
and oidpwdr
SID
.
The oidpwdlldap1
file contains the DN and password of an ODS user in encrypted format. The Oracle Internet Directory server uses the credential to connect to the backend database at startup time.
Either oidctl
or opmn
fails to start an Oracle Internet Directory server instance.
Problem
The password stored in the oidpwdlldap1
wallet is not synchronized with the ODS password in the backend database.
Solution
Try to connect to the database again using the sqlplus
command:
sqlplus ods /ods_password@connect_string
If the connection succeeds, try to synchronize the password in the wallet with the ODS password by using the oidpasswd
tool to create a new wallet with the correct password. For example:
>> oidpasswd connect=connect_string create_wallet=true
If the connection attempt fails, you must login into the backend database as a database administrator and change the ODS password by using the sql command:
>> alter user ods identified by some_new_password
Then try to create a new oidpwdlldap1
to store the new password.
Solution
Try to start the Oracle Internet Directory server again.
The oidpwdr
SID
file contains the DN and password of a replica DN in an encrypted format. The Oracle Internet Directory replication server uses the credential to connect to the Oracle Internet Directory server at startup time.
This is an example of a replication password wallet, oidpwdr
SID
:
/------BEGIN REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_ adeldap,cn=replication configuration----- ezNkZXMtY2JjLXBrY3M1cGFkfQUnaz0TsfzcP0nM1HcHAXchf5mJw+sb4y0bLvvw3RvSg7H S7/WsKJB02fdSGRlmfWAV+6llkRQ26g== -----END REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_ adeldap,cn=replication configuration-----/
Either oidctl
or opmn
fails to start an Oracle Internet Directory server instance and the replication server log file oidrepld00.log
reports that it is not able to bind.
Problem
The replica DN password stored in the oidpwdr
SID
is not synchronized with the replica DN password in the Oracle Internet Directory server.
Solution
Try to connect to the Oracle Internet Directory server instance using the ldapbind
command. Specify the replica DN stored in oidpwdr
SID
and the replica DN password. For example:
>> ldapbind -h host -p port -D "cn=replication dn,orclreplicaid=qdinh-sun_adeldap, cn=replication configuration" -w replica_dn_password
If the connection succeeds, then you can reset the password in the oidpwdr
SID
wallet using remtool
with the option -pchgwalpwd
, which changes the password of the replication DN of a replica only in the wallet. If you do not remember the replication dn password, then you can reset it using remtool
with the option -prestpwd
, which resets the password of the replication dn of a replica.
After resetting the replication password wallet, restart the replication server instance again a using opmnctl
or oidctl
.
Problem
The bulkload
command-line tool might hang if you run it on Windows using a version of MKS Toolkit earlier than 8.6.
Solution
If a hang occurs during the -check
or -generate
phase of bulkload
, you should cancel the bulkload
command and repeat it.
If a hang occurs during the -load
phase of bulkload
, you should follow these steps:
Cancel the bulkload
command.
Execute this command:
bulkload.sh -connect conn_str -recover
Repeat the original bulkload
command.
Note: To update MKS Toolkit, visit http://www.datafocus.com/. |
You can find more solutions on Oracle MetaLink, http://metalink.oracle.com
. If you do not find a solution for your problem, log a service request.
See Also: Oracle Application Server Release Notes, available on the Oracle Technology Network:http://www.oracle.com/technology/documentation/index.html
|