Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2)
B14082-02

J Troubleshooting Oracle Internet Directory

This appendix explains typical problems that you could encounter while running or installing Oracle Internet Directory. It contains these sections:

J.1 Problems and Solutions

This section describes common Oracle Internet Directory error messages, problems and solutions. It contains the following topics:

J.1.1 Installation Errors

During installation and configuration of the Oracle Database, Oracle recommends that you select the character set UTF-8 to avoid possible problems with multibyte characters.

J.1.2 TCP/IP Problems

TCP/IP bugs in the operating system can interfere with Oracle Internet Directory service.

J.1.2.1 Do Not Use TCP-Based Monitoring of Oracle Internet Directory Server Availability on Microsoft Windows 2003 Server

If you use the F5 load balancer for monitoring Oracle Internet Directory server availability, configure the load balancer to use LDAP- or HTTP-based monitoring, as described in the Oracle Application Server High Availability Guide section "Configuring A Load Balancer For OracleAS Cluster (Identity Management)." Using TCP-based monitoring might cause the service to become unavailable, due to an operating system bug on Windows 2003 Server.

J.1.2.2 Do Not Install DiamondCS Port Explorer

Oracle Internet Directory will not work if DiamondCS Port Explorer is installed on the system.

J.1.3 Directory Server Error Messages and Causes

This section contains a list of all the Oracle directory server error messages that you can encounter. Each message is followed by its most probable causes.

J.1.3.1 Oracle Database Server Error Due to Schema Modifications

You get error ORA-01562 (failed to extend rollback segment).

Problem

If you attempt to add more schema components in one operation than the rollback segment space can hold, you encounter this error and the modifications are not committed.

Solution

To solve this, increase the size of the rollback segments in the database server.

J.1.3.2 Constraint Violation Error Due to Editing a User or Group or Creating a Realm

You get the following error in oidldap*.log:

ORA-01483: invalid length for DATE or NUMBER bind variable.

You may also see the following error on your screen:

LDAP: error code 19 - Constraint Violation

These errors might only occur intermittently.

Problem

If you loaded the OracleAS Metadata Repository into an Oracle 10g Database that uses the AL32UTF8 character set, you may encounter these errors when you try to edit a user or group, or create an identity management realm, in Oracle Internet Directory. Editing a user includes editing attributes of an existing user.

Solution

As a workaround, you can wait a bit and try editing the user again.

J.1.3.3 Standard Error Messages Returned from Oracle Directory Server

Table J-1 lists standard error messages and their causes. Oracle Internet Directory also returns other messages listed and described in "Additional Directory Server Error Messages".

Table J-1 Standard Error Messages

Error Cause

00—LDAP_SUCCESS

The operation was successful.

01—LDAP_OPERATIONS_ERROR

General errors encountered by the server when processing the request.

02—LDAP_PROTOCOL_ERROR

The client request did not meet the LDAP protocol requirements, such as format or syntax. This can occur in the following situations:

  • The server encounters a decoding error while parsing the incoming request.

  • The request is an add or modify request that specifies the addition of an attribute type to an entry, but no values are specified.

  • Error reading SSL credentials.

  • An unknown type of modify operation is specified (other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE).

  • Unknown search scope.

03—LDAP_TIMELIMIT_EXCEEDED

Search took longer than the time limit specified. If you have not specified a time limit for the search, Oracle Internet Directory uses a default time limit of one hour.

04—LDAP_SIZELIMIT_EXCEEDED

More entries match the search query than the size limit specified. If you have not specified a size limit for the search, Oracle Internet Directory uses a default size limit of 1000.

05—LDAP_COMPARE_FALSE

Presented value is not the same as the one in the entry.

06—LDAP_COMPARE_TRUE

Presented value is same as the one in the entry.

07—LDAP_STRONG_AUTH_NOT_SUPPORTED

The requested bind method is not supported by the server. For example, SASL clients requesting Kerberos authentication from Oracle Internet Directory receive this error in response.

09—LDAP_PARTIAL_RESULTS

Server returned a referral.

10—LDAP_REFERRAL

Server returned a referral.

12—LDAP_UNAVAILABLE_CRITICALEXTENSION

The request carries a critical control or extension that the server does not support.

16—LDAP_NO_SUCH_ATTRIBUTE

Attribute does not exist in the entry specified in the request.

17—LDAP_UNDEFINED_TYPE

Specified attribute type is undefined in the schema.

19—LDAP_CONSTRAINT_VIOLATION

The value in the request violated certain constraints.

20—LDAP_TYPE_OR_VALUE_EXISTS

Duplicate values specified for the attribute.

21—LDAP_INVALID_SYNTAX

Specified attribute syntax is invalid. In a search, the filter syntax is invalid.

32—LDAP_NO_SUCH_OBJECT

The base specified for the operation does not exist.

34—LDAP_INVALID_DN_SYNTAX

Error in the DN syntax.

49—LDAP_INVALID_CREDENTIALS

Bind failed because the credentials are not correct.

50—LDAP_INSUFFICIENT_ACCESS

The client does not have access to perform this operation.

53—LDAP_UNWILLING_TO_PERFORM

General error, or server is in read-only mode.

65—LDAP_OBJECT_CLASS_VIOLATION

A change to the entry violates the object class definition.

66—LDAP_NOT_ALLOWED_ON_NONLEAF

The entry to be deleted has children.

67—LDAP_NOT_ALLOWED_ON_RDN

Cannot perform the operation on RDN attributes—for example, you cannot delete the RDN attribute of the entry.

68—LDAP_ALREADY_EXISTS

The entry to be added already exists.

81—LDAP_SERVER_DOWN

Cannot contact the directory server. This message is returned from the SDK.

82—LDAP_LOCAL_ERROR

The client encountered an internal error. This message is returned from the client SDK.

83—LDAP_ENCODING_ERROR

The client encountered an error in encoding the request. This message is returned from the SDK.

84—LDAP_DECODING_ERROR

The client encountered an error in decoding the request. This message is returned from the SDK.

85—LDAP_TIMEOUT

Client encountered the time out specified for the operation. This message is returned from the SDK.

86—LDAP_AUTH_UNKNOWN

Authentication method is unknown to the client SDK.

87—LDAP_FILTER_ERROR

Bad search filter.

88—LDAP_USER_CANCELLED

User cancelled the operation.

89—LDAP_PARAM_ERROR

Bad parameter to an LDAP routine.

90—LDAP_NO_MEMORY

Out of memory.


J.1.3.4 Additional Directory Server Error Messages

Table J-2 lists additional directory server error messages and their causes. These messages do not display error codes.

The Oracle Internet Directory application replaces the parameter tag seen in some of the following messages with the appropriate runtime value.

Table J-2 Additional Error Messages

Error Cause

%s attribute not found

The particular attribute type is not defined in the schema.

<parameter> not found for attribute <parameter>

Value not found in the attribute. (ldapmodify)

Admin domain does not contain schema information for objectclass <parameter>

The object class specified in the request is not present in the schema.

Attempted to add a Class with oid <parameter> taken by other class

Duplicate object identifier specified. (schema modification)

Attribute <parameter> already in use

Duplicate attribute name. (schema modification)

Attribute <parameter> has syntax error.

Syntax error in the attribute name definition. (schema modification)

Attribute <parameter> is not supported in the schema.

Attribute not defined. (all operations)

Attribute <parameter> is single valued.

Attribute is single-valued. (ldapadd and ldapmodify)

Attribute <parameter> not present in the entry.

This attribute does not exist in the entry. (ldapmodify)

Bad attribute definition.

Syntax error in attribute definition. (schema modification)

Currently Not Supported

The version of LDAP request is not supported by this server.

Entry to be deleted not found.

DN specified in the delete operation not found.

Entry to be modified not found

The entry specified in the request is not found.

Error encountered while adding <parameter> to the entry

Returned when modify add operation is invoked. A possible cause is that the system resource is unavailable.

Error encountered while encrypting an attribute value.

Error in encrypting user password. (all operations)

Error in DN Normalization.

DN specified is invalid. Syntax error encountered in parsing the DN. (all operations)

Error in hashing <parameter> attribute.

Error in creating hash entry for the attribute. (schema modification)

Error in hashing <parameter> objectclass.

Error in creating hash entry for the objectclass. (schema modification)

Error in Schema hash creation.

Error while creating hash table for schema. (schema modification)

Error replacing <parameter>.

Error in replacing this attribute. (ldapmodify)

Error while normalizing value for attribute <parameter>.

Error in normalizing value for the attribute. (all operations)

Failed to find <parameter> in mandatory or optional attribute list.

Attribute specified does not exist in either the mandatory or optional attribute list as required by the object class(es).

Function Not Implemented

The feature/request is currently not supported.

INVALID ACI is <parameter>

The particular ACI you specified in a request is invalid.

Mandatory attribute <parameter> is not defined in Admin Domain <parameter>.

MUST refers to attribute not defined. (schema modification)

Mandatory Attribute missing.

The mandatory attribute for the particular entry is missing, as required by the particular object class.

Matching rule, <parameter>, not defined.

Matching rule not defined in the server. (schema modification)

MaxConn Reached

The maximum number of concurrent connections to the LDAP server has been reached.

Modifying the Naming attribute for the entry without modifying the DN.

Cannot modify the naming attributes using ldapmodify. A naming attribute, such as cn, is an element of the DN.

New Parent not found.

New parent specified in modifydn operation does not exist.(ldapmodifydn)

Object already exists.

Duplicate entry. (ldapadd and ldapmodifydn)

Object ID <parameter> already in use.

Duplicate object identifier specified. (schema modification)

Objectclass <parameter> already in use.

Duplicate Objectclass name. (schema modification)

Objectclass attribute missing.

The objectclass attribute is missing for this particular entry.

OID <parameter> has syntax error.

Syntax error in the object identifier definition. (schema modification)

One of the attributes in the entry has duplicate value.

You entered two values for the same attribute in the entry you are creating.

Operation not allowed on the <parameter>.

Operation not allowed on this entry. (modify, add, and delete)

Operation not allowed on the DSE Entry.

Cannot perform this operation on the DSE entry. (delete)

Optional attribute <parameter> is not defined in Admin Domain <parameter>.

MAY refers to attribute not defined. (schema modification)

Parent entry not found in the directory.

Parent entry does not exist. (ldapadd and perhaps ldapmodifydn)

Super object <parameter> is not defined in Admin Domain <parameter>.

SUP types refer to non-existing class. (schema modification)

Super type undefined.

SUP type does not exist. (schema modification)

Super user addition not permitted.

Cannot create super user entry. (ldapadd)

Syntax, <parameter>, not defined.

Syntax not defined in the server. (schema modification)

The attribute or the value specified in the RDN does not exist in the entry.

AVA specified as the RDN does not exist in the entry. (ldapadd)

Unknown search scope

The search scope specified in the LDAP request is not recognized.

Version Not Supported

The version of the LDAP request is not supported by this server.


J.1.4 Troubleshooting Password Policies

This section describes error messages and problems related to password policies.

J.1.4.1 Password Policy Error Messages

Table J-3 contains the error messages sent to the client as a result of password policy violations. The error codes are not standard LDAP error codes. They are messages sent as a part of additional information in the LDAP result.

Table J-3 Password Policy Violation Error Messages

Error Number Exception Comment or Resolution

9000

GSL_PWDEXPIRED_EXCP

User's password has expired.

9001

GSL_ACCOUNTLOCKED_EXCP

User account is locked.

9002

GSL_EXPIREWARNING_EXCP

User password will expire in pwdexpirewarning seconds. Please change your password now.

9003

GSL_PWDMINLENGTH_EXCP

User password is not the required number of characters long.

9004

GSL_PWDNUMERIC_EXCP

User password does not contain required numeric characters.

9005

GSL_PWDNULL_EXCP

User password is a null password, which is disallowed.

9006

GSL_PWDINHISTORY_EXCP

User's new password matches one kept in the password history, which is disallowed.

9007

GSL_PWDILLEGALVALUE_EXCP

User password matches one of the values listed in orclpwdillegalvalues, which is disallowed.

9008

GSL_GRACELOGIN_EXCP

User password has expired. User has pwdgraceloginlimit grace logins left.

9050

GSL_ACCTDISABLED_EXCP

User account has been disabled.


J.1.4.2 Possible Password Policy Problems

This section describes some of the potential problems with password policies and the corresponding solutions.

J.1.4.2.1 PASSWORD POLICY ERROR

You get the error: PASSWORD POLICY ERROR :9000: GSL_PWDEXPIRED_EXCP.

Problem

Beginning with Release 9.0.4, the pwdmaxage attribute of the password policies defaults to 5184000 seconds, that is, 60 days. Sixty days after the installation date, the password for the Oracle directory integration and provisioning server (and any other password assigned at installation) expires. If Directory Synchronization or Provisioning is running, the ODISRV process keeps trying to process the active profiles with the expired password. Each attempt uses up a grace login, so the connector soon exceeds the grace login limit and the account is locked. The odisrv.trc file for each profile then shows:

[LDAP: error code 49 - Password Policy Error:9000: GSL_PWDEXPIRED_EXCP:Your Password has expired. Please contact the Administrator to change your password.]

along with Java errors.

Solution

Do the following:

  1. Use the oidpasswd utility to unlock the orcladmin account. You are prompted for the OID database user password; this is the ODS password, which by default is the same as the ias_admin password:

    $ oidpasswd connect=asdb unlock_su_acct=true
    OID DB user password:
    OID super user account unlocked successfully.
    
    

    This unlocks only the super user account, cn=orcladmin. Do not confuse this account with the realm-specific orcladmin account cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy. They are two separate accounts.

    After you reset it, the super user account still cannot login to OracleAS Single Sign-On by using the orcladmin account until you perform the next step.

  2. Launch the Oracle Directory Manager (must be a release 10g client) and navigate to Password Policy Management. You will see two entries: cn=PwdPolicyEntry and the password policy for your realm—for example, password_policy_entry,dc=acme,dc=com.

    Edit each of these, changing the pwdmaxage attribute to an appropriate value:

    • 5184000 = 60 days (default)

    • 7776000 = 90 days

    • 10368000 = 120 days

    • 15552000 = 180 days

    • 31536000 = 1 year

    • 0 = never expire (Oracle Internet Directory 10.1.2.0 and 9.0.4.2.0)

    • 4294967295 = never expire (Oracle Internet Directory 9.0.4.1.0 and 9.0.4.0.0)


      Note:

      It is very important to change this value in both places.

  3. Launch the Oracle Directory Manager and navigate to the realm-specific orcladmin account. Find the userpassword attribute and reset the value to something new. You should then be able to launch any Oracle component that uses OracleAS Single Sign-On and login as orcladmin.

  4. Rerun the odisrvreg utility to reset the randomly generated password for Directory Integration and Provisioning. Make sure odisrv is down first. Note that a password given with -w is visible in the process list while the command runs. For example:

    $ odisrvreg -D cn=orcladmin -w welcome1 -p 3060
    Already Registered...Updating DIS password...
    DIS registration successful.
    $
    
    
  5. Launch Oracle Directory Manager, expand Server Management, select Integration Servers and reset the UserPassword field under the General tab of each active connector.
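
Step 2 is the one that is easy to get wrong, because the value that means "never expire" depends on the release and because the change has to be made in both policy entries. The following is an added example, not Oracle code, that reads ldapsearch-style LDIF output for the policy entries, reports each pwdmaxage in days, flags the release-specific "never expire" sentinel and any value above a local maximum, and emits the ldapmodify LDIF that sets a chosen value. The entry DNs and the 90-day limit are assumptions; the sample LDIF is constructed.

```python
SECONDS_PER_DAY = 86400

# Value of pwdmaxage that means "never expire", by OID release (step 2 above).
NEVER_EXPIRE = {
    "10.1.2.0": 0,
    "9.0.4.2.0": 0,
    "9.0.4.1.0": 4294967295,
    "9.0.4.0.0": 4294967295,
}


def parse_ldif(ldif_text):
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value'
    per line. Folded lines and base64 ('::') values are not handled."""
    entries, current = [], {}
    for raw in ldif_text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_pwdmaxage(ldif_text, oid_version, max_days=90):
    """Return (dn, pwdmaxage, verdict) for each policy entry in the LDIF.
    max_days is the local standard to enforce (90 here is an assumption)."""
    sentinel = NEVER_EXPIRE[oid_version]
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        values = entry.get("pwdmaxage")
        if not values:
            findings.append((dn, None, "pwdmaxage missing"))
            continue
        secs = int(values[0])
        if secs == sentinel:
            findings.append((dn, secs, "passwords never expire"))
        elif secs > max_days * SECONDS_PER_DAY:
            findings.append((dn, secs, "expiry %d days exceeds %d"
                             % (secs // SECONDS_PER_DAY, max_days)))
        else:
            findings.append((dn, secs, "ok"))
    return findings


def pwdmaxage_ldif(dn, days):
    """LDIF for ldapmodify that sets pwdmaxage on one policy entry."""
    return ("dn: %s\nchangetype: modify\nreplace: pwdmaxage\npwdmaxage: %d\n"
            % (dn, days * SECONDS_PER_DAY))


# Constructed ldapsearch-style output for the two entries step 2 tells you to
# edit. The DNs are assumed, not taken from this page.
SAMPLE_LDIF = """\
dn: cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext
pwdmaxage: 0

dn: cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext,dc=acme,dc=com
pwdmaxage: 15552000
"""

if __name__ == "__main__":
    for dn, secs, verdict in audit_pwdmaxage(SAMPLE_LDIF, "10.1.2.0"):
        print(dn, secs, verdict)
        if verdict != "ok":
            print(pwdmaxage_ldif(dn, 90))
```

Feed the generated LDIF to ldapmodify once per policy entry, as the Note above insists; auditing both entries together is what catches the case where only one of them was changed.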

J.1.5 Troubleshooting Directory Performance

This section gives some quick pointers for common performance-related problems.

J.1.5.1 Poor LDAP Search Performance

LDAP search performance is poor.

Problem

Various problems.

Solution

Make sure that:

  • Statistics for the schema associated with the ODS user are current, that is, the schema has been analyzed

  • For searches with multiple filter operands, the operands are ordered from the most specific to the least specific. For example, (&(uid=john.doe)(objectclass=person)) is better than (&(objectclass=person)(uid=john.doe)).
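
The operand-ordering rule can be applied mechanically to filters that applications generate. The following is an added example, not Oracle code, that splits a top-level AND filter into its operands and sorts them most-specific first using a simple heuristic (equality on an ordinary attribute, then substring and nested filters, then objectclass equality, then presence tests). The ranking is an assumption about typical directory data, not a server statistic.

```python
def split_operands(filter_str):
    """Split a parenthesised filter into (operator, top-level operands).
    For a simple filter such as '(uid=x)' the operator is None."""
    s = filter_str.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    body = s[1:-1]
    if body[:1] not in ("&", "|"):
        return None, [s]
    op, rest = body[0], body[1:]
    parts, depth, start = [], 0, None
    for i, ch in enumerate(rest):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(rest[start:i + 1])
            elif depth < 0:
                raise ValueError("unbalanced parentheses")
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return op, parts


def specificity(operand):
    """Sort key: lower values are more selective. Heuristic, not a server
    statistic: presence filters and objectclass tests match the most entries,
    then nested compound filters and substring matches, then equality."""
    inner = operand[1:-1]
    if inner[:1] in ("&", "|", "!"):
        return 2
    if inner.endswith("=*"):
        return 4
    attr, _, value = inner.partition("=")
    if attr.strip().lower() == "objectclass":
        return 3
    if "*" in value:
        return 2
    return 1


def reorder_and_filter(filter_str):
    """Rewrite a top-level AND filter so its operands run from most to least
    specific. Other filters are returned unchanged. sorted() is stable, so
    operands of equal rank keep their original order."""
    op, parts = split_operands(filter_str)
    if op != "&":
        return filter_str
    return "(&" + "".join(sorted(parts, key=specificity)) + ")"


if __name__ == "__main__":
    for f in ["(&(objectclass=person)(uid=john.doe))",
              "(&(objectclass=*)(cn=a*)(mail=jdoe@example.com))",
              "(uid=john.doe)"]:
        print(f, "->", reorder_and_filter(f))
```

Only the top level of an AND is reordered; nested filters are treated as single operands, which keeps the rewritten filter logically identical to the original.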

J.1.5.2 Poor LDAP Add or Modify Performance

LDAP add or modify performance is poor.

Problem

Various problems

Solution

Make sure that:

  • There are enough redo log files in the database

  • The undo tablespace in the database is large enough

  • Statistics for the schema associated with the ODS user are current, that is, the schema has been analyzed

When estimating the statistics, you can use the OID Database Statistics Collection tool to analyze the various database ODS schema objects.

Both the tracing functionality described in "Using Debug Logging" and the database tracing event 10046 can assist you in diagnosing performance issues.


See Also:

The "oidstats.sql" command-line tool reference in Oracle Identity Management User Reference for instructions on using the OID Database Statistics Collection tool

"Optimizing Searches" for instructions on optimizing searches

MetaLink note 243006.1 on Oracle MetaLink, http://metalink.oracle.com, for information on performance issues with group entries


J.1.6 Troubleshooting Starting, Stopping, and Restarting of the Directory Server

To troubleshoot starting and stopping the directory server, you must know the purpose of each tool involved, how all the tools work together, and the overall process for starting and stopping the server.

J.1.6.1 About the Tools for Starting, Stopping, and Restarting the Directory Server Instance

The tool used to start and stop the directory server as an Oracle Application Server component is OPMN. For information on troubleshooting OPMN, see the "Troubleshooting" appendix in Oracle Process Manager and Notification Server Administrator's Guide.

There are two tools used to start, stop, and restart directory server instances: OID Control Utility (OIDCTL) and OID Monitor (OIDMON).

OIDCTL When OIDCTL is executed, it connects to the database as user ODS. Depending on the options used in the command, it either inserts or updates rows into a table named ODS.ODS_PROCESS. If the START option is used, then a row is inserted. If either the STOP or RESTART option is used, then a row is updated.

The ODS.ODS_PROCESS table includes the following information:

  • instance—The unique number of the instance, any value between 0 and 1000

  • pid—Process identifier, which will be updated by OIDMON when the process is started

  • state—The type of operation requested

    The possible values for state are:

    • 0=stop

    • 1=start

    • 2=running

    • 3=restart

    • 4=shutdown

    • 5=failedover


Note:

When OPMN is used to stop the directory server, the value for state is initially 4, that is, shutdown. However, once OPMN starts the directory server again, the state value becomes 2, that is, running.

OIDMON To start, stop, or restart a directory server instance, OIDMON must be running. At specified intervals, this daemon checks the value of the state column in the ODS.ODS_PROCESS table.

  • If it finds a row with state=0, then it reads the pid and stops the process.

  • If it finds one with state=1 or state=4, then it starts a new process and updates the pid column with a new process identifier.

  • If it finds one with state=2, then it reads the pid and verifies that the process with that pid is running. If it is not running, then OIDMON starts a new process and updates the pid column with a new process identifier.

  • If it finds a row with state=3, then OIDMON reads the pid, stops the process, starts a new one, and updates the pid accordingly.

  • If OIDMON cannot start the server for some reason, it retries. If it is not running on a node in an Oracle Application Server Cluster (Identity Management) configuration and is still unsuccessful after 10 retries, it deletes the row from the ODS.ODS_PROCESS table. If it is running on a node in an Oracle Application Server Cluster (Identity Management) configuration, it retries 100 times and, if still unsuccessful, pushes the request to another node.

In short, OIDCTL inserts and updates state information in the rows in the ODS.ODS_PROCESS table. OIDMON then reads that information and performs the specified task.
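
The OIDMON behaviour above is a small state machine over the ODS.ODS_PROCESS rows, and seeing it as code makes the retry and failover limits concrete. The following is an added example, not Oracle code, that simulates one OIDMON polling pass against a fake process table: rows with state 0, 1, 2, 3 and 4 are handled as the list describes, a start that keeps failing is abandoned after 10 tries on a single node or marked failed over after 100 on a cluster node. What happens to a row after a stop, and how the push to another node is recorded, are not described on this page and are simplified here as assumptions.

```python
STOP, START, RUNNING, RESTART, SHUTDOWN, FAILEDOVER = 0, 1, 2, 3, 4, 5

# Start attempts before OIDMON gives up, per the text: 10 on a single node,
# 100 on an Oracle Application Server Cluster (Identity Management) node.
MAX_RETRIES = {False: 10, True: 100}


class FakeProcessTable:
    """Constructed stand-in for the operating system's process table."""

    def __init__(self, exec_ok=True):
        self.exec_ok = exec_ok      # False simulates 'Exec of OIDLDAPD failed'
        self.next_pid = 12000
        self.alive = set()

    def spawn(self):
        if not self.exec_ok:
            raise OSError(13, "Permission denied")
        pid = self.next_pid
        self.next_pid += 1
        self.alive.add(pid)
        return pid

    def kill(self, pid):
        self.alive.discard(pid)

    def is_alive(self, pid):
        return pid in self.alive


def _try_start(row, procs, cluster, retries):
    """Start one instance; returns False when the row should be deleted."""
    inst = row["instance"]
    try:
        row["pid"] = procs.spawn()
        row["state"] = RUNNING
        retries.pop(inst, None)
        return True
    except OSError:
        retries[inst] = retries.get(inst, 0) + 1
        if retries[inst] < MAX_RETRIES[cluster]:
            return True                 # keep the row and retry next pass
        if cluster:
            row["state"] = FAILEDOVER   # push to another node (simplified)
            return True
        return False                    # single node: delete the row


def oidmon_pass(rows, procs, cluster=False, retries=None):
    """One polling pass of OIDMON over ODS.ODS_PROCESS rows, each a dict with
    keys instance, pid and state. Returns the rows that survive the pass.
    A stopped instance's row is dropped here; the page does not describe the
    real table bookkeeping after a stop, so that part is an assumption."""
    retries = {} if retries is None else retries
    kept = []
    for row in rows:
        state = row["state"]
        if state == STOP:
            procs.kill(row["pid"])
            continue
        if state in (START, SHUTDOWN):
            if not _try_start(row, procs, cluster, retries):
                continue
        elif state == RUNNING and not procs.is_alive(row["pid"]):
            if not _try_start(row, procs, cluster, retries):
                continue
        elif state == RESTART:
            procs.kill(row["pid"])
            if not _try_start(row, procs, cluster, retries):
                continue
        kept.append(row)
    return kept


if __name__ == "__main__":
    procs = FakeProcessTable()
    rows = oidmon_pass([{"instance": 1, "pid": 0, "state": START}], procs)
    print("after start:", rows)
    procs.kill(rows[0]["pid"])                 # simulate a crash
    rows = oidmon_pass(rows, procs)
    print("after crash and respawn:", rows)
```

The practical consequence of the retry limits is the one the troubleshooting steps below rely on: a row that vanished from ODS.ODS_PROCESS on a single node means OIDMON already failed ten times, and the reason is in oidmon.log, not in the table.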

About the Processes Involved in Starting, Stopping, and Restarting the Directory Server

Starting, stopping and restarting the directory server involves a number of processes. OIDMON is one process. On Unix, it is called oidmon. In a Microsoft Windows environment, it is called oidmon.exe.

To start an instance, OIDMON checks the unique number in the instance column mentioned in the previous section. It then starts another process, namely, the listener/dispatcher, which is different from the Oracle Net Services listener process. It stores the process identifier for that new process in the pid column.

The listener/dispatcher, in turn, starts a number of server processes as defined in the configuration set entry. Note that these server processes are controlled by the listener/dispatcher and not by OIDMON. If one of these processes fails, then it is automatically restarted by the listener/dispatcher.

Together, the listener/dispatcher and the server processes constitute a directory server instance. On UNIX, these processes are called oidldapd; on Microsoft Windows, oidldapd.exe.

In short, there are at least three processes: one for OIDMON and at least two for the directory server itself. When all processes are running, you should see something like the following on UNIX computers:

% ps -ef|grep oid
root 12387 12381 0 Mar 28 ? 0:05 oidldapd -i 1 -conf 0 key=811436710
root 12381 1 0 Mar 28 ? 0:10 oidmon start
root 13297 1 0 Mar 28 ? 0:14 oidldapd

Another way to obtain server information is by running ldapcheck. When you do this, you may see something like this:

Checking Oracle Internet Directory Processes ...
Process oidmon is Alive as PID 12381
Process oidldapd is Alive as PID 12387 
Process oidldapd is Alive as PID 13297
Not Running ---- Process oidrepld

J.1.6.2 Problems Starting, Stopping, and Restarting the Directory Server

This section describes some problems you might have when starting, stopping, or restarting the directory server.

J.1.6.2.1 OIDCTL or OIDMON fails

Either OIDCTL or OIDMON can fail for a number of reasons.

Problem

Incorrect syntax

Solution

Verify that you are using the correct syntax as described in "Oracle Internet Directory Server Administration Tools" in Oracle Identity Management User Reference. Note that the correct value of the connect option when using OIDCTL is the TNS alias—that is, the connect string—and not a host name or other value. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.

Problem

The Oracle Internet Directory-designated database is not running.

The Oracle Net Services configurations are incorrect.

Solution

Verify that the Oracle Internet Directory-designated database and the Oracle Net Services components are correctly configured and running. To do this, see if you can connect to the database by using SQL*Plus that is installed in the same ORACLE_HOME as OIDCTL. Log in as ODS/ods_password@tns_alias where tns_alias is the same as that used in the connect option with OIDCTL. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.

Problem

LDAP name resolution requires two instances of Oracle Internet Directory, but only one is running.

Solution

Verify that the value of the DIRECTORY_SERVERS parameter in the file ldap.ora is different from that specified in NAMES.DIRECTORY_PATH in the file sqlnet.ora. Both of these files are found in ORACLE_HOME/network/admin. If everything is working correctly, then selecting from ODS.ODS_PROCESS retrieves rows with state values described in "OIDCTL". See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.

Information in ODS.ODS_PROCESS is correct, but processes still do not start.

When everything is working correctly, you should see at least three processes: one named oidmon, and at least two named oidldapd. OIDMON starts, stops, and restarts the server processes, and, because it does so at specified intervals, give it time to complete the requested operation.

Problem

Missing oidldapd file.

Solution

See oidmon.log. Look for the message: No such file or directory. To correct the problem, replace the executable file.

Problem

Wrong permissions on oidldapd executable file.

Solution

Look for the message Exec of OIDLDAPD failed with error 13. On UNIX, the $ORACLE_HOME/bin/oidldapd file must have the following permissions:

-rws--x---    1 root     dba       1691802 Jan 20 10:30 oidldapd

If the permissions are not correct, type the following, as root:

cd $ORACLE_HOME/bin
chown root:dba oidldapd
chmod 0710 oidldapd    
chmod u+s oidldapd

Problem

You are running as a user with insufficient privilege

Solution

To confirm that this is the problem, see oidmon.log. Look for the message: Permission denied or Open Wallet failed. This happens if you are not running either as root or as the user who is in the dba group. To correct the problem, try again as the correct user.

Problem

A port is in use.

Solution

See oidldapdXX.log, where XX is the server instance number. Look for the message: Bind failed on... This indicates that the port that oidldapd is configured to listen on is in use by some other process. To determine which process is using the port, type:

netstat -a | grep portNum

If necessary, reconfigure the other process to use a different port, or configure oidldapd to listen on another port by adding a configset. Remember that, by default, oidldapd listens on two ports, an SSL port and a non-SSL port.

Problem

On a cluster or Oracle Application Server Cluster (Identity Management) configuration, OIDMON pushes the server to another node in a cluster when it cannot start the server on the local node.

Solution

See oidmon.log. Look for the message: gslsgfrPushServer: Could not start server on NodeA, trying to start on node NodeB. To correct this problem, you must first determine why OIDMON cannot start the server on the local node.

Problem

A possible problem with Oracle Net Services or with the database itself.

Solution

See oidmon.log, oidsrv.log, oidldapdxx.log, where xx is the server instance number, and oidrepldxx.log, where xx is the replication server instance number, for details about the problem.

A Row is Missing from ODS.ODS_PROCESS

Problem

In a cluster or Oracle Application Server Cluster (Identity Management) configuration, OIDMON successfully starts oidldapd on both nodes, but then initiates failover due to a time stamp difference.

Solution

See oidmon.log. On the node with the missing row, look for the message: Successfully failed over from NodeA to NodeB. On the other node, you will see an extra oidldapd. To correct the problem, adjust the system time on all nodes so that they are all within 250 seconds of one another.

Solution

See the trace files oidldapdxx.log where xx is the instance number, and oidldapdxxsyy.log where xx is the instance number and yy is the process identifier. If the trace files do not give useful information or pointers to Oracle MetaLink documents, then do the following: (1) Stop the directory server processes; (2) Remove or rename old trace files; (3) Start OIDMON and a directory server with maximum debug level, namely, 11744051. Note that, to get the trace files, you must first stop, then start, the server; you cannot simply restart it. Investigate the new trace files, and, if needed, log an iTAR with Oracle Support Services and upload the trace files to the iTAR. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.
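
The Problem/Solution pairs in this section amount to a lookup from oidmon.log message to diagnosis, plus one file-permission check. The following is an added example, not Oracle code, that runs that lookup over log lines and compares an oidldapd file's mode and ownership with the required -rws--x--- root:dba (mode 4710). It also flags the case that matters most from a security standpoint: a setuid-root oidldapd that is group- or world-writable, which would let any such user run code as root. The sample log lines are constructed; the message fragments are the ones quoted above.

```python
import stat

# (fragment to look for, diagnosis, first action), built from the
# Problem/Solution pairs above; the fragments are the ones the page quotes.
OIDMON_SIGNATURES = [
    ("Exec of OIDLDAPD failed with error 13", "wrong permissions on oidldapd",
     "chown root:dba, chmod 0710, chmod u+s on $ORACLE_HOME/bin/oidldapd"),
    ("No such file or directory", "oidldapd executable missing",
     "replace $ORACLE_HOME/bin/oidldapd"),
    ("Open Wallet failed", "started as a user without privilege",
     "rerun as root or as a user in the dba group"),
    ("Permission denied", "started as a user without privilege",
     "rerun as root or as a user in the dba group"),
    ("Bind failed on", "configured LDAP port already in use",
     "netstat -a | grep <port>, then move one of the two listeners"),
    ("gslsgfrPushServer", "OIDMON could not start the server locally and pushed it to another node",
     "find out why the local start failed first"),
    ("Successfully failed over from", "clock skew between cluster nodes triggered failover",
     "bring node clocks within 250 seconds of each other"),
]


def triage(lines):
    """Return (line_number, diagnosis, action) for each line that matches a
    known signature; the first matching signature wins."""
    hits = []
    for n, line in enumerate(lines, 1):
        for needle, diagnosis, action in OIDMON_SIGNATURES:
            if needle in line:
                hits.append((n, diagnosis, action))
                break
    return hits


EXPECTED_MODE = 0o4710   # -rws--x---  as the page requires


def check_oidldapd_mode(st_mode, owner, group):
    """Compare an oidldapd file's mode bits and ownership with the required
    ones. st_mode is the raw st_mode from os.stat; owner and group are names."""
    problems = []
    perm = stat.S_IMODE(st_mode)
    if perm != EXPECTED_MODE:
        problems.append("mode %04o, expected %04o" % (perm, EXPECTED_MODE))
    if owner != "root":
        problems.append("owner %s, expected root" % owner)
    if group != "dba":
        problems.append("group %s, expected dba" % group)
    # A setuid-root binary that others can write is a local root escalation,
    # so call that out separately from the plain mode mismatch.
    if perm & stat.S_ISUID and perm & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("setuid binary is group- or world-writable")
    return problems


# Constructed lines in the shape of oidmon.log; not a real log.
SAMPLE_OIDMON_LOG = [
    "2005/07/21:11:13:28 * Exec of OIDLDAPD failed with error 13",
    "2005/07/21:11:13:29 * gslsgfrPushServer: Could not start server on NodeA, trying to start on node NodeB",
    "2005/07/21:11:13:30 * Starting OIDLDAPD instance 1",
]

if __name__ == "__main__":
    import os
    for hit in triage(SAMPLE_OIDMON_LOG):
        print(hit)
    path = os.path.join(os.environ.get("ORACLE_HOME", "/nonexistent"), "bin", "oidldapd")
    if os.path.exists(path):
        import grp
        import pwd
        st = os.stat(path)
        print(check_oidldapd_mode(st.st_mode, pwd.getpwuid(st.st_uid).pw_name,
                                  grp.getgrgid(st.st_gid).gr_name))
```

Point the script at a real oidmon.log and set ORACLE_HOME to check the installed binary; on a node that failed over, run it on the node named first in the gslsgfrPushServer message, since that is where the underlying fault is.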


See Also:

"How Failover Works in an Oracle Application Server Cluster (Identity Management) Environment" in Oracle Application Server High Availability Guide for more information on failover.

J.1.6.2.2 OIDCTL Error

No processes are running, but using OIDCTL gives an error saying that the specified instance is already in use

Problem

This can occur, for example, after a machine restart when OIDMON is not running.

Solution

Start OIDMON, which, in turn, starts the directory server. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.

Solution

Use the stop option of OIDCTL to stop the specified instance. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.

Solution

If the directory server fails to start, you can override all user-specified configuration parameters to start it and then return the configuration sets to a workable state by using the ldapmodify operation. Use command-line options to oidctl to start the server with different configuration values, overriding any defined configuration sets except for the values in configset0. Do not modify configset0 because this technique relies on its minimal, default contents.

Solution

To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.


See Also:

The "oidctl" command-line tool reference in Oracle Identity Management User Reference for more information on the oidctl options.

J.1.7 Troubleshooting Oracle Internet Directory Replication

This section discusses directory replication problems.

Whenever you investigate a replication problem, be sure to consult the log files $ORACLE_HOME/ldap/oidrepld00.log and oidldapdxx.log for information.

The replication server supports multiple debugging levels. To turn on replication debugging, specify the -d decimal_debug_level flag when you start the server. For example:

oidctl server=oidrepld connect=connect_string instance=instance_number \
       flags="-h host -p port -d decimal_debug_level"


Note:

Turning on debugging will affect replication performance.


See Also:

Chapter 10, "Logging, Auditing, and Monitoring the Directory" for more information about debugging.

J.1.7.1 Replication Server Does Not Start

There are several problems that can prevent the replication server from starting.

Problem

Invalid oidctl syntax

Solution

Use the following syntax to start the replication server:

oidctl server=oidrepld connect=connect_string instance=instance_number \
       flags="-h host -p port"

Problem

Oracle Internet Directory is not running at the host and port you specified on the command line when you attempted to start the replication server. This caused the anonymous bind to the target Oracle Internet Directory to fail.

Solution

Make sure the target Oracle Internet Directory is up and running at the specified host and port.

Problem

The replication server is attempting to bind to the host and port specified in either the orclreplicaprimaryurl or the orclreplicasecondaryurl attribute of the Replica entry, but Oracle Internet Directory is running at a different host or port.

Solution

If you decide to run Oracle Internet Directory at a different host or port, add the new information to the orclreplicasecondaryurl attribute of the replica entry, as follows:

  1. Prepare a modification file, mod.ldif. For example, to change to host my.us.oracle.com and port 4444, you would specify:

    dn: orclreplicaid=replica_ID, cn=replication configuration
    changetype: modify 
    add: orclreplicasecondaryurl 
    orclreplicasecondaryurl: ldap://my.us.oracle.com:4444/ 
    
    
  2. Run:

    ldapmodify -h host -p port -f mod.ldif
    
    

Problem

The ReplBind credential in the replication wallet $ORACLE_HOME/ldap/admin/oidrORACLE_SID is corrupt or invalid. That is, the password stored in the wallet is not the same as the password that is stored in the directory, or the wallet does not exist. This causes the replication bind to fail and the replication server to exit with an error.

You might see messages similar to this example in the file oidrepldXX.log:

2005/07/21:11:13:28 * gslrcfdReadReplDnPswd:Error reading repl passwd 
2005/07/21:11:13:28 * gslrcfcReadReplConfig:Error found. 
2005/07/21:11:13:28 * Failed to read replication configuration information. 

Solution

Use remtool to fix the replication bind credential in the replication wallet or to synchronize between Oracle Internet Directory and the replication wallet.

  • remtool -pchgpwd changes the password of the replication dn of a replica. Use this option if you know the current replication DN password stored in the directory and you want to change it both in the directory and in the wallet.

  • remtool -presetpwd resets the password of the replication dn of a replica. Use this option if you do not know the current replication DN password stored in the directory and you want to reset it both in the directory and in the wallet.

  • remtool -pchgwalpwd changes password of replication dn of a replica only in the wallet. Use this option if you know the replication DN password stored in the directory but you are not sure whether the wallet has the correct password or you want to create the wallet file.

All of these options will create a wallet if one does not already exist.




J.1.7.2 Repository Creation Assistant Error

Problem

When you use the Oracle Application Server tool RepCA to load Oracle Internet Directory schema into an existing Oracle 10.1.0.3 Database, you might see the following error message in the $ORACLE_HOME/assistants/repca/log/repca*log file:

SP2-0332: Cannot create spool file.

Solution

This error message can be ignored.

J.1.7.3 Errors in Replication Bootstrap

A number of errors can occur in replication bootstrap.

Problem

Some of the naming contexts failed to be bootstrapped.

Solution

Identify the naming contexts that failed to be bootstrapped, and use the oidreconcile tool to reconcile them. Then resume replication by setting the consumer's replica state to ONLINE mode.

Problem

Various causes.

Solution

Identify the cause of the bootstrap failure and fix it, then restart bootstrapping by setting the consumer's replica state to BOOTSTRAP mode.

To determine the exact cause of the error, examine the log file oidldapdxx.log. Look for error messages like those in the following example:

2004/09/14:12:57:23 * Starting OIDREPLD against dlsun1418:4444...
2004/09/14:12:57:25 * Starting scheduler...
2004/09/14:12:57:26 * Start to BootStrap from supplier=dlsun1418_replica to consumer=dlsun1418_replica2
2004/09/14:12:57:27 * gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext ......
2004/09/14:12:58:21 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oraclecontext, 222 entries matched
2004/09/14:12:58:21 * gslrbssSyncDIT:Replicating namingcontext=cn=joe smith ......
2004/09/14:12:58:23 * BootStrap failure when adding DN=cn=Joe Smith,
server=dlsun1418_replica2,err=Constraint violation.
2004/09/14:12:58:23 * gslrbssSyncDIT:Sync failed for namingctx: cn=joe smith, only 1 entries retrieved
2004/09/14:12:58:23 * gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ......
2004/09/14:12:58:25 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oracleschemaversion, 10 entries matched
2004/09/14:12:58:51 * gslrbsbBootStrap: Failure occured when bootstrapping 1 out of 3 namingcontext(s) from the supplier

Identify the cause of the bootstrap failure and fix it. You can identify the naming contexts that caused the problem, then use oidreconcile to compare and reconcile the naming contexts. Once you have resolved the problem, start bootstrapping again by starting the Oracle Internet Directory replication server.

Problem

The Oracle Internet Directory server was shut down during bootstrapping.

Solution

Make sure both the supplier Oracle Internet Directory and the consumer Oracle Internet Directory servers are up and running during replication bootstrapping.

Problem

Some of the entries being bootstrapped cannot be applied at the consumer due to a constraint violation.

Solution

Make sure the Oracle Internet Directory schema on the consumer is synchronized with the schema on the supplier before starting replication bootstrap. When you add an LDAP replica, remtool ensures that the schema on the consumer replica is synchronized with the schema on the supplier replica.

Problem

Improper replication filtering during bootstrapping. Replication supports excluding one or more attributes during bootstrapping. However, if a mandatory attribute of an entry is configured to be excluded, that entry cannot be applied at the consumer due to an objectclass violation.

Solution

Follow the replication naming context configuration rules in Chapter 25, "Oracle Internet Directory Replication Administration" to configure replication filtering properly.

If you are debugging LDAP replication, you should become familiar with the LDAP replica states. If LDAP-based replication is configured, the replication server reads the replica state from the local replica when it starts, and behaves differently depending on that state. LDAP replication errors appear in oidldapdxx.log.

Problem

When you restart the replication server after the replication server failed to bootstrap a naming context having more than 5000 entries, you may see error messages similar to this in the log file oidrepld00.log:

2005/04/05:13:21:55 * gslrbssSyncDIT:Replicating namingcontext=dc=com ...... 
2005/04/05:15:36:09 * gslrbssSyncDIT:Subtree delete on dc=com failed. 
Error=DSA is unwilling to perform 
2005/04/05:15:36:09 * gslrbssSyncDIT:Sync failed for namingctx: dc=com, only 
0 entries retrieved 

The replication server performs two steps during a bootstrap operation. First, in the consumer, it deletes the naming contexts that it has to bootstrap. Second, it copies the entries belonging to those naming contexts from the supplier to the consumer. Deleting a naming context that has several thousand entries is a single large transaction, and the database's undo tablespace must have enough space to accommodate it. If it does not, the delete fails with an ORA-30036 error and the bootstrap of that naming context fails as shown above.

Solution

Either have the database administrator add more space to the undo tablespace, or use the bulkdelete tool to delete the required naming context before you start the replication server.

J.1.7.4 Changes Are Not Replicated

Changes are not replicated from one node to another.

Problem

The replication server has run out of tablespace.

Solution

Look for the following message in the server log:

OCI Error ORA-1653 : ORA-01653: unable to extend table ODS.ASR_CHG_LOG by 8192 in tablespace OLTS_DEFAULT

Extend the tablespace and investigate why it keeps growing.
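The following added example (not part of this guide or of Oracle Internet Directory) shows one way to triage a replication server log against the signatures quoted in J.1.7.1, J.1.7.3 and this section: it folds wrapped log lines back together, extracts the naming contexts that failed to bootstrap and the reason, and maps each known signature to the corrective action the corresponding section prescribes. The sample log is constructed from the message shapes quoted on this page; the hosts, DNs, counts and timestamps are invented, and the ORA-01653 line is given a timestamp that the excerpt above omits.

```python
"""Triage helper for Oracle Internet Directory replication logs (added example)."""
import re

# Constructed sample: message shapes from J.1.7.1, J.1.7.3 and J.1.7.4;
# hosts, DNs, counts and timestamps are made up.
SAMPLE_LOG = """\
2005/07/21:11:13:28 * gslrcfdReadReplDnPswd:Error reading repl passwd
2005/07/21:11:13:28 * gslrcfcReadReplConfig:Error found.
2005/07/21:11:13:28 * Failed to read replication configuration information.
2004/09/14:12:57:26 * Start to BootStrap from supplier=dlsun1418_replica to consumer=dlsun1418_replica2
2004/09/14:12:57:27 * gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext ......
2004/09/14:12:58:21 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oraclecontext, 222 entries matched
2004/09/14:12:58:21 * gslrbssSyncDIT:Replicating namingcontext=cn=joe smith ......
2004/09/14:12:58:23 * BootStrap failure when adding DN=cn=Joe Smith,
server=dlsun1418_replica2,err=Constraint violation.
2004/09/14:12:58:23 * gslrbssSyncDIT:Sync failed for namingctx: cn=joe smith, only 1 entries retrieved
2004/09/14:12:58:24 * gslrbssSyncDIT:Replicating namingcontext=dc=com ......
2004/09/14:13:10:09 * gslrbssSyncDIT:Subtree delete on dc=com failed.
Error=DSA is unwilling to perform
2004/09/14:13:10:09 * gslrbssSyncDIT:Sync failed for namingctx: dc=com, only
0 entries retrieved
2004/09/14:13:10:51 * gslrbsbBootStrap: Failure occured when bootstrapping 2 out of 3 namingcontext(s) from the supplier
2004/09/15:08:00:00 * OCI Error ORA-1653 : ORA-01653: unable to extend table ODS.ASR_CHG_LOG by 8192 in tablespace OLTS_DEFAULT
"""

TIMESTAMPED = re.compile(r"^(\d{4}/\d{2}/\d{2}:\d{2}:\d{2}:\d{2}) \* (.*)$")

# Known signature -> action, taken from the Problem/Solution pairs in J.1.7.
SIGNATURES = [
    (re.compile(r"Error reading repl passwd"),
     "J.1.7.1: replication wallet credential missing or stale; repair with "
     "remtool -pchgwalpwd (password known) or -presetpwd (password unknown)"),
    (re.compile(r"Subtree delete on .+ failed\. Error=DSA is unwilling to perform"),
     "J.1.7.3: naming-context delete exceeded the undo tablespace; extend undo "
     "or bulkdelete the context before restarting the replication server"),
    (re.compile(r"ORA-01653: unable to extend table"),
     "J.1.7.4: change-log tablespace is full; extend it and find out why it grows"),
]
SYNC_FAILED = re.compile(r"Sync failed for namingctx: (.+?), only (\d+) entries retrieved")
ADD_FAILED = re.compile(r"BootStrap failure when adding DN=(.+?),\s*server=(.+?),\s*err=(.+?)\.?$")
BOOTSTRAP_SUMMARY = re.compile(r"Failure occured when bootstrapping (\d+) out of (\d+) namingcontext")


def records(text):
    """Return (timestamp, message) pairs. A line without a leading timestamp is a
    wrapped continuation of the previous message and is folded back into it."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TIMESTAMPED.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out:
            out[-1][1] += " " + line
    return [tuple(r) for r in out]


def triage(text):
    """Summarise one replication log: failed naming contexts, per-entry add
    failures, the bootstrap summary line, and any known error signatures."""
    report = {"failed_contexts": {}, "add_failures": [], "summary": None, "hints": []}
    for ts, msg in records(text):
        m = SYNC_FAILED.search(msg)
        if m:
            report["failed_contexts"][m.group(1)] = int(m.group(2))
        m = ADD_FAILED.search(msg)
        if m:
            report["add_failures"].append(
                {"dn": m.group(1), "server": m.group(2), "err": m.group(3), "at": ts})
        m = BOOTSTRAP_SUMMARY.search(msg)
        if m:
            report["summary"] = (int(m.group(1)), int(m.group(2)))
        for pattern, action in SIGNATURES:
            if pattern.search(msg):
                report["hints"].append((ts, action))
    return report


def next_steps(report):
    """Turn the report into the recovery steps this section prescribes."""
    steps = [f"reconcile naming context {ctx!r} with oidreconcile"
             for ctx in sorted(report["failed_contexts"])]
    if any(f["err"] == "Constraint violation" for f in report["add_failures"]):
        steps.append("synchronise the consumer schema with the supplier before bootstrapping again")
    steps.extend(action for _, action in report["hints"])
    if report["failed_contexts"]:
        steps.append("then set the consumer replica state to ONLINE to resume replication")
    return steps


if __name__ == "__main__":
    for step in next_steps(triage(SAMPLE_LOG)):
        print("-", step)
```

Run it against a real oidrepld00.log by reading the file instead of SAMPLE_LOG. The continuation-line folding matters: the "DSA is unwilling to perform" and "only 0 entries retrieved" messages wrap onto a second line in the log excerpts above, so a line-at-a-time grep for the full signature misses them.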

Problem

The target Oracle Internet Directory server is down.

Solution

Restart the target Oracle Internet Directory server.

Problem

Various causes

Solution

In multi-master replication, make sure the replication server is started on all nodes; in single-master or fan-out replication, make sure it is started on the consumer node.

For multi-master Oracle Database Advanced Replication, use remtool to diagnose and fix problems:

  • remtool -asrverify verifies the correctness of a directory replication group (DRG) setup and reports problems.

  • remtool -asrrectify verifies the correctness of a DRG setup, reports problems, and attempts to rectify them.

Check the replication log and LDAP log for error messages and fix the cause of the error after investigation.


See Also:

The "remtool" command-line tool reference in Oracle Identity Management User Reference for more information about using remtool.

J.1.7.5 Replication Stops Working

Data is not replicated between the replicas. In some cases, a working replication setup stops working after OID Human Intervention Queue entries are applied to one of the nodes. In other cases, adding or deleting a new replica causes problems or failures.

Problem

Various causes

Solution

See the following Oracle MetaLink notes on Oracle MetaLink, http://metalink.oracle.com:

Note 171693.1, "Resolving Conflicts"

Note 122039.1, "Troubleshooting Basics for Advanced Replication"

Note 213910.1, "Debugging OID Replication when ASR_CHG_LOG Never Gets Populated."

You can search for Oracle MetaLink notes by entering a term such as "replication" into the search box.

J.1.8 Troubleshooting SSL Setup

This section discusses possible problems when configuring SSL.

Problem

Setting up Oracle Internet Directory for one-way LDAP connections over SSL fails.

Solution

Do not set up the SSL port of configset 0 with wallet mode 2 or 3. If you do, you will break Oracle Delegated Administration Services and other services and applications that expect to communicate with Oracle Internet Directory on the encrypted SSL port.

To correctly configure and test Oracle Internet Directory for SSL, follow the instructions in Oracle Metalink note 178714.1, on Oracle MetaLink, http://metalink.oracle.com. Also see the SSL section of the tutorial "Getting Started with Oracle Internet Directory" at http://www.oracle.com/technology/obe/obe_as_10g.


J.1.9 Troubleshooting Change Log Garbage Collection

Both replication and Oracle Directory Integration and Provisioning use change logs to propagate information from a supplier directory to a consumer directory. All change logs are stored in the table ods_chg_log. In addition, replication change logs are stored in asr_chg_log.

This section discusses possible problems you might encounter with change log garbage collection.

J.1.9.1 Change Logs Are Not Purged

Change logs grow very large.

Problem

Change logs are not being purged due to a replication issue. For example, if a replication server has been down for a few days, replication change logs will not be purged because they are needed for replication recovery.

Solution

Resolve the replication issue. See "Troubleshooting Oracle Internet Directory Replication".

Problem

The attribute orclpurgetargetage is set too high and there are one or more enabled but inactive change log subscribers that do not update orclLastAppliedChangeNumber in their subscriber profiles. Change number-based purging won't purge change logs that are not yet consumed and time-based purging won't purge them because they're not old enough.

Solution

Set the attribute orclpurgetargetage to a smaller value so that change logs are purged sooner.

Solution

Disable inactive change log subscribers so that change logs are purged by change number-based purging. Locate such enabled but inactive subscriber profiles by examining the orclLastAppliedChangeNumber in all subscriber profiles by typing:

ldapsearch -v -p port -h host -D cn=orcladmin -w password \
           -b "cn=changelog subscriber,cn=oracle internet directory" \
           -s sub "objectclass=orclchangesubscriber" \
           orcllastappliedchangenumber orclsubscriberdisable
 

Look for an entry that has orclSubscriberDisable equal to zero and an orclLastAppliedChangeNumber value that never changes. If such an entry exists, and the change log garbage collector's orclpurgetargetage is zero or greater, delete the value of orclpurgetargetage. When orclpurgetargetage is not defined or less than zero, the garbage collector will purge changes applied by the replication server, even if another subscriber has not updated its orclLastAppliedChangeNumber.
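An added example (not part of this guide or of Oracle Internet Directory) of the check described above: it compares two snapshots of the ldapsearch output, taken some time apart, flags subscriber profiles that are enabled (orclsubscriberdisable is 0) but whose orclLastAppliedChangeNumber has not advanced, and emits LDIF that would disable them. The snapshots are constructed and the subscriber names are invented; that setting orclsubscriberdisable to 1 is the way to disable a profile is an assumption of this example, not something this page states.

```python
"""Find enabled but inactive change-log subscribers (added example)."""
import re

# Constructed snapshots of the ldapsearch output shown above, taken some
# minutes apart. Subscriber names are invented.
EARLIER = """\
dn: cn=dipsub1,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 10450
orclsubscriberdisable: 0

dn: cn=legacyapp,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 3120
orclsubscriberdisable: 0

dn: cn=retired,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 2000
orclsubscriberdisable: 1
"""

LATER = """\
dn: cn=dipsub1,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 10612
orclsubscriberdisable: 0

dn: cn=legacyapp,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 3120
orclsubscriberdisable: 0

dn: cn=retired,cn=changelog subscriber,cn=oracle internet directory
orcllastappliedchangenumber: 2000
orclsubscriberdisable: 1
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute_lowercase: [values]}}. Enough for
    the flat, single-line attributes ldapsearch returns for these profiles."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep:
                continue
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def applied_number(attrs):
    vals = attrs.get("orcllastappliedchangenumber")
    return int(vals[0]) if vals else None


def is_enabled(attrs):
    # A profile with no orclsubscriberdisable value is treated as enabled (assumption).
    return attrs.get("orclsubscriberdisable", ["0"])[0] == "0"


def stale_subscribers(earlier_text, later_text):
    """DNs of profiles that are enabled in the later snapshot and whose last
    applied change number did not move between the two snapshots."""
    earlier, later = parse_ldif(earlier_text), parse_ldif(later_text)
    stale = []
    for dn, attrs in later.items():
        if not is_enabled(attrs) or dn not in earlier:
            continue
        before, after = applied_number(earlier[dn]), applied_number(attrs)
        if before is not None and before == after:
            stale.append(dn)
    return sorted(stale)


def disable_ldif(dns):
    """LDIF for ldapmodify that marks each listed profile disabled
    (orclsubscriberdisable: 1 is assumed to be the disabling value)."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: orclsubscriberdisable\n"
        f"orclsubscriberdisable: 1\n"
        for dn in dns)


if __name__ == "__main__":
    stale = stale_subscribers(EARLIER, LATER)
    print("enabled but inactive:", stale)
    print(disable_ldif(stale))
```

Run the ldapsearch shown above twice, a few minutes apart while changes are being written, save each output, and pass the two files to stale_subscribers. A profile it flags during a period of normal write activity is a candidate to disable; review the LDIF before applying it with ldapmodify.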

J.1.10 Troubleshooting Dynamic Password Verifiers

Table J-4 lists and describes the error messages for dynamic password verifiers.

Table J-4 Error Messages for Dynamic Password Verifiers

Error Code   Description
9022         A reversible encrypted password is missing from the user entry.
9023         The crypto type specified in the LDAP request control is not supported.
9024         The username parameter is missing from the LDAP request control.


If the directory is able to compare verifiers, and the comparison evaluates as false, the directory sends the standard error LDAP_COMPARE_FALSE to the client. Similarly, if the user being authenticated lacks a directory entry, the directory sends the standard error LDAP_NO_SUCH_OBJECT.


See Also:

"Password Verifier Schema Elements" in Oracle Identity Management User Reference

J.1.11 Troubleshooting Oracle Internet Directory Password Wallets

The Oracle Internet Directory Server has two password wallets: oidpwdlldap1 and oidpwdrSID.

The oidpwdlldap1 file contains the DN and password of an ODS user in encrypted format. The Oracle Internet Directory server uses the credential to connect to the backend database at startup time.

J.1.11.1 Oracle Internet Directory Server Does Not Start

Either oidctl or opmn fails to start an Oracle Internet Directory server instance.

Problem

The password stored in the oidpwdlldap1 wallet is not synchronized with the ODS password in the backend database.

Solution

Try to connect to the database again using the sqlplus command:

sqlplus ods/ods_password@connect_string

If the connection succeeds, try to synchronize the password in the wallet with the ODS password by using the oidpasswd tool to create a new wallet with the correct password. For example:

>> oidpasswd connect=connect_string create_wallet=true

If the connection attempt fails, you must log in to the backend database as a database administrator and change the ODS password by using the SQL command:

>> alter user ods identified by some_new_password

Then create a new oidpwdlldap1 wallet with oidpasswd, as shown above, to store the new password.

Solution

Try to start the Oracle Internet Directory server again.

The oidpwdrSID file contains the DN and password of a replica DN in an encrypted format. The Oracle Internet Directory replication server uses the credential to connect to the Oracle Internet Directory server at startup time.

This is an example of a replication password wallet, oidpwdrSID:

/------BEGIN REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_adeldap,cn=replication configuration-----
ezNkZXMtY2JjLXBrY3M1cGFkfQUnaz0TsfzcP0nM1HcHAXchf5mJw+sb4y0bLvvw3RvSg7H
S7/WsKJB02fdSGRlmfWAV+6llkRQ26g==
-----END REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_adeldap,cn=replication configuration-----/

J.1.11.2 Password Not Synchronized

Either oidctl or opmn fails to start an Oracle Internet Directory replication server instance, and the replication server log file oidrepld00.log reports that it is not able to bind.

Problem

The replica DN password stored in the oidpwdrSID is not synchronized with the replica DN password in the Oracle Internet Directory server.

Solution

Try to connect to the Oracle Internet Directory server instance using the ldapbind command. Specify the replica DN stored in oidpwdrSID and the replica DN password. For example:

>> ldapbind -h host -p port -D "cn=replication dn,orclreplicaid=qdinh-sun_adeldap,cn=replication configuration" -w replica_dn_password

If the connection succeeds, reset the password in the oidpwdrSID wallet using remtool with the -pchgwalpwd option, which changes the password of the replication DN of a replica only in the wallet. If you do not remember the replication DN password, reset it using remtool with the -presetpwd option, which resets the password of the replication DN of a replica in both the directory and the wallet.

After resetting the replication password wallet, restart the replication server instance again a using opmnctl or oidctl.

J.1.12 Troubleshooting bulkload

Problem

The bulkload command-line tool might hang if you run it on Windows using a version of MKS Toolkit earlier than 8.6.

Solution

If a hang occurs during the -check or -generate phase of bulkload, you should cancel the bulkload command and repeat it.

If a hang occurs during the -load phase of bulkload, you should follow these steps:

  1. Cancel the bulkload command.

  2. Execute this command:

    bulkload.sh -connect conn_str -recover
    
    
  3. Repeat the original bulkload command.


Note:

To update MKS Toolkit, visit http://www.datafocus.com/.

J.2 Need More Help?

You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.


See Also:

Oracle Application Server Release Notes, available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html