Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section describes common problems and solutions for Oracle Directory Integration and Provisioning. It contains the following topics:
Note: The Oracle directory integration and provisioning server stores error messages in the appropriate file, as described in "Location and Naming of Files".
This section provides solutions for errors and problems you may encounter with the Oracle directory integration and provisioning server.
Problem
PASSWORD POLICY ERROR :9000: GSL_PWDEXPIRED_EXCP.
Solution
Beginning with Oracle Internet Directory 10g (9.0.4), the default password expiry time, which is assigned to the pwdmaxage attribute, is set to 60 days. To fix this problem, perform the following steps:
You must first unlock the cn=orcladmin super user account before you can modify password policies. Use the oidpasswd utility to unlock the super user account as follows:
oidpasswd connect=asdb unlock_su_acct=true
OID DB user password:
OID super user account unlocked successfully.
This unlocks only the super user account, cn=orcladmin. Do not confuse this account with the cn=orcladmin account within the default realm, cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy. They are two separate accounts.
Launch an Oracle Internet Directory 10g (10.1.2) version of Oracle Directory Manager and navigate to Password Policy Management. You will see two entries: cn=PwdPolicyEntry and the password policy for your realm, for example, password_policy_entry,dc=acme,dc=com.
Change the pwdmaxage attribute in each password policy to an appropriate value (in seconds):
5184000 = 60 days (default)
7776000 = 90 days
10368000 = 120 days
15552000 = 180 days
31536000 = 1 year
Note: It is very important to change this value in both places.
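As an added example (not part of the Oracle guide), the following shell functions produce an ldapmodify input that sets pwdmaxage on both password policy entries, so the "change it in both places" step can be applied and verified from a script rather than through Oracle Directory Manager. The realm policy DN is an assumption passed in by the caller; take it from the Password Policy Management node, since it differs per installation.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: build an LDIF that sets pwdmaxage
# on the global policy entry (cn=PwdPolicyEntry, named in the guide) and on the
# realm policy entry (DN supplied by the caller; it varies per installation).

# Convert a lifetime in days to the seconds value pwdmaxage expects.
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# Print one LDIF modify record that replaces pwdmaxage on a policy entry.
pwdmaxage_record() {
    printf 'dn: %s\nchangetype: modify\nreplace: pwdmaxage\npwdmaxage: %s\n' "$1" "$2"
}

# Emit LDIF for both policy entries.
# $1 = lifetime in days, $2 = realm policy DN (assumed; read it from Oracle Directory Manager).
pwdmaxage_ldif() {
    secs=$(days_to_seconds "$1")
    pwdmaxage_record "cn=PwdPolicyEntry" "$secs"
    echo
    pwdmaxage_record "$2" "$secs"
}

# Count the policy entries an LDIF touches; a value other than 2 means the
# change would land in only one place, which the guide warns against.
ldif_policy_count() {
    printf '%s\n' "$1" | grep -c '^replace: pwdmaxage$'
}

# Usage (REALM_POLICY_DN is a placeholder for your realm's policy entry):
#   pwdmaxage_ldif 90 "REALM_POLICY_DN" > pwdmaxage.ldif
#   ldapmodify -h host -p port -D cn=orcladmin -w password -f pwdmaxage.ldif
```

The seconds values the functions produce match the table above (90 days gives 7776000, 180 days gives 15552000), and `ldif_policy_count` is the check to run on the generated file before loading it.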
Launch the Oracle Directory Manager and navigate to the realm-specific orcladmin account. Find the userpassword attribute and assign a new value. You should then be able to launch any Oracle component that uses OracleAS Single Sign-On and log in as orcladmin.
Rerun the odisrvreg utility to reset the randomly generated password for Directory Integration and Provisioning:
odisrvreg -D cn=orcladmin -w welcome1 -p 3060
Already Registered...Updating DIS password...
DIS registration successful.
This section provides solutions for provisioning errors and problems.
Problem
Unable to get the Entry from its GUID. Fatal Error...
Solution
The Oracle directory integration and provisioning server is attempting to retrieve an entry that has been deleted, but not yet purged. Update the tombstone purge configuration settings in the Garbage Collection Management node of Oracle Directory Manager.
Problem
LDAP connection failure.
Solution
Directory Integration and Provisioning failed to connect to the directory server. Check the connection to the directory server.
See Also: The chapter on directory server administration in Oracle Internet Directory Administrator's Guide for information about directory server connections.
Problem
LDAP authentication failure.
Solution
The provisioning profile is not able to connect to the LDAP server as administrator. Verify the Oracle directory integration and provisioning server entry in the directory. Re-register the Oracle directory integration and provisioning server by using odisrvreg.
Problem
Initialization failure.
Solution
Problem in connecting to the directory server using JNDI. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc.
Problem
Database connection failure.
Solution
Problem connecting to the database with the given account information; either the database is not running or there is an authentication problem. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc.
Problem
Exception while calling SQL operation.
Solution
Problem in executing the package. Verify the package usability. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc.
Problem
Provisioning Profiles Not Getting Executed by the DIP Provisioning Server.
Solution
Provisioning profiles only execute when the Oracle directory integration and provisioning server is started with configuration set 0. Ensure that the Oracle directory integration and provisioning server has been started with the argument configset=0.
Problem
Unable to Connect to the Application Database.
Solution
The application database connection requirements in a provisioning profile may be incorrect. Use sqlplus to verify connectivity requirements.
Problem
USER/GROUP MODIFY and DELETE Events Not being consumed by the application.
Solution
The Oracle Provisioning Service first queries an application database about the existence of a user or group. If the application database responds with a negative value, then the user or group does not exist, and the event is not propagated to the application. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc to determine whether the user or group exists in the application database.
Problem
Subscription to Binary Attributes results in the Event propagation error.
Solution
Binary attributes propagation is not supported. Remove the binary attribute assignments from the event subscription in the provisioning profile.
Problem
Insufficient Access Rights to do "proxy" as the Application DN.
Solution
The Oracle Directory Integration and Provisioning server group has not been granted browse privilege by the application DN. Use the ldapmodify command to load the following ACIs, which grant browse privileges from the application DN to the Oracle Directory Integration and Provisioning group:
orclaci: access to attr=(*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)
Problem
Insufficient access rights to use an application DN as proxy.
Solution
The Oracle Directory Integration and Provisioning server group has not been granted proxy privileges by the application DN. Use the ldapmodify command to load the following ACI, which grants proxy privileges from the application DN to the Oracle Directory Integration and Provisioning group:
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)
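The two "insufficient access rights" problems above, and the profile-entry ACI fix later in this section, all come down to the same pair of orclaci values for the DIP server group. As an added example that is not part of the Oracle guide, the shell functions below generate the ldapmodify input that grants those two ACIs on an application DN supplied by the caller, and check an existing orclaci value for the proxy grant. The application DN used in the usage comment is a placeholder; the group DN is the one the guide names.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: emit the ldapmodify input that
# grants the DIP server group (cn=odisgroup,cn=odi,cn=oracle internet directory,
# as named in the guide) read/write/search/compare on attributes and
# browse/proxy on the entry of an application DN, and check an orclaci value
# for the proxy grant. The application DN is an input, not a fixed value.

ODISGROUP='cn=odisgroup,cn=odi,cn=oracle internet directory'

# LDIF that adds both ACIs from the guide to the application entry.
# "add:" appends to any ACIs already on the entry; the profile-entry fix in
# the guide uses "replace:" instead, which overwrites them.
odis_proxy_aci_ldif() {
    app_dn=$1
    printf 'dn: %s\n' "$app_dn"
    printf 'changetype: modify\n'
    printf 'add: orclaci\n'
    printf 'orclaci: access to attr=(*) by group="%s" (read,write,search,compare)\n' "$ODISGROUP"
    printf 'orclaci: access to entry by group="%s" (browse,proxy)\n' "$ODISGROUP"
}

# Return 0 if an orclaci value grants proxy to the DIP group on the entry,
# 1 otherwise. Whitespace and case inside the value are ignored, because the
# guide's own ACI samples contain stray spaces in the quoted group DN.
aci_grants_proxy() {
    norm=$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z')
    case $norm in
        *'accesstoentry'*'cn=odisgroup,cn=odi,cn=oracleinternetdirectory'*'proxy'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (APP_DN is a placeholder for the application's directory entry):
#   odis_proxy_aci_ldif "APP_DN" > odis-aci.ldif
#   ldapmodify -h host -p port -D cn=orcladmin -w password -f odis-aci.ldif
```

Run `aci_grants_proxy` against the orclaci values returned by ldapsearch on the application entry before loading the LDIF; if it already reports a proxy grant, the cause of the error lies elsewhere (for example, the profile entry ACIs covered later in this section).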
This section provides solutions for synchronization errors and problems.
See Also: MetaLink Note: 276481.1, Troubleshooting OID DIP Synchronization Issues, available on Oracle MetaLink at http://metalink.oracle.com/
Problem
LDAP: error code 50 - Insufficient Access Rights; remaining name 'CN=Users,dc=mycompany,dc=com'
Solution
The record target is not in a default container. Find the DST CHANGE RECORD. Check the ACIs for the target container. If they are blank, then use DIP Tester to apply a known set of ACIs to the new container.
Problem
LDAP: error code 50 - Insufficient Access Rights; ACTIVECHGIMP MAPPING IMPORT OPERATION FAILURE; Agent execution successful, Mapping/import operation failure
Solution
By default, cn=Users,<default realm> contains the proper ACIs. However, this error can occur when trying to synchronize into a different container within the default realm. Open the trace file, locate the change record that is causing the error, and then check the ACIs for the record's parent container. Apply the same ACIs to the target container.
Problem
Trace File Error: Not able to construct DN Output ChangeRecord ChangeRecord : Changetype: 1 ChangeKey: cn=users, dc=us,dc=oracle,dc=com Exception javax.naming. ContextNotEmptyException: [LDAP: error code 66 - Not Allowed On Non-leaf]; remaining name 'cn=users,dc=us,dc=oracle,dc=com' Missing mandatory attribute(s).
Solution
Problem with the mapping file. Follow the instructions in Oracle MetaLink Note: 261342.1, Understanding DIP Mapping, available on Oracle MetaLink at http://metalink.oracle.com/.
Problem
Trace File Error: IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101).
Solution 1
The mapping file has not been loaded. In the Oracle Directory Integration and Provisioning Server Administration tool, verify that the Mapping tab contains the values from your mapping file. If your values are not available, then use DIP Tester to reload the mapping file.
Solution 2
The orclcondirlastappliedchgnum attribute is null or has no value. This may occur if bootstrapping failed or if you manually populated Oracle Internet Directory and did not assign a value to the orclcondirlastappliedchgnum attribute. Verify that the orclcondirlastappliedchgnum attribute has a value. If not, then use DIP Tester to set the orclcondirlastappliedchgnum attribute.
Problem
Trace File Error: Command exec successful IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101) at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:169) Updated Attributes orclodipLastExecutionTime: 20040601143204.
Solution
Missing LDAP port in the connected directory URL attribute value (hostname:port). Specify the LDAP port in the connected directory URL attribute.
Problem
Trace File Error: LDAP URL : (xxxxxx.com:389<login credentials to 3rd party ldap server> LDAP Connection success ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_INITIALIZATION_EXCEPTION ODIException: DIP_GEN_INITIALIZATION_EXCEPTION at oracle.ldap.odip.util.DirUtils.getLastChgNum(DirUtils.java:48) at oracle.ldap.odip.gsi.LDAPReader.initAvailableChgKey(LDAPReader.java:719) at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:212) at oracle.ldap.odip.engine.AgentThread.mapInitialise(AgentThread.java:327) at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:253) at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149) ActiveChgImp:about to Update exec status Error in proxy connection : java.lang.NullPointerException.
Solution
The files in $ORACLE_HOME/ldap/odi/conf must be owned by the Oracle installer ID; check their permissions and ownership. Then use ldapmodify to fix the following two entries:
dn: orclODIPAgentName=profile_name,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
changetype: modify
replace: orclaci
orclaci: access to attr = (*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)

dn: orclodipAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
changetype: modify
replace: orclodipagentconfiginfo
orclodipagentconfiginfo:: W0lOVEVSRkFDRURFVEFJTFNdClBhY2thZ2U6IGdzaQpSZWFkZXI6IEFjdGl2ZUNoZ1JlYWRlcgo=
Note: The preceding entry is a binary object (base64-encoded in LDIF, hence the double colon) representing an import profile for the ActiveChange Reader. If you are fixing a SunONE/iPlanet or an EXPORT profile, then you must dump the orclodipagentconfiginfo attribute for the corresponding profile from an existing profile or another node.
See Also: The following for information about LDAP error code 49 and Error 9000: GSL_PWDEXPIRED_EXCP:
Problem
Mapping tab in the Oracle Directory Integration and Provisioning Server Administration tool shows file name instead of mapping rules.
Solution
The absolute path was not included when the mapping file was loaded. Reload the map file using the full absolute path. You can reload the map file using the Directory Integration and Provisioning Assistant (dipassistant) or DIP Tester.
This section provides solutions for errors and problems you may encounter when integrating Oracle Identity Management with Windows Native Authentication.
Problem
Internal Server error. Please contact your administrator.
Solution
Windows native authentication is misconfigured on the middle tier computer. To fix this problem, perform the following steps:
Check the opmn.log file for errors.
Check ssoServer.log for errors.
Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.
Make sure that the single sign-on middle tier computer is properly configured to access the Key Distribution Center. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".
Problem
Could not authenticate to KDC.
Solution
This error message may be invoked if the realm name in krb5.conf is incorrectly configured. Check the values default_realm and domain_realm in /etc/krb5/krb5.conf. Note that the realm name is case sensitive.
Problem
Your browser does not support the Windows Kerberos authentication or is not configured properly.
Solution
The user's Web browser is not supported or is misconfigured. Follow the instructions in "Task 6: Configure Internet Explorer for Windows Native Authentication".
Problem
"Access forbidden" or "HTTP error code 403" or "Windows Native Authentication Failed. Please contact your administrator."
Solution
These error messages have the same cause: the user entry cannot be found in Oracle Internet Directory. A local administrator working at a Windows desktop may be trying to access a single sign-on partner application whose entry may not have been synchronized with Oracle Internet Directory. Determine whether the user entry exists in the directory and if the Kerberos principal attributes for the user are properly synchronized from Microsoft Active Directory.
Problem
The windows login dialog box (with username, password, and domain fields in it) comes up when accessing the partner application.
Solution
The single sign-on server was not able to authenticate the Kerberos token because the corresponding user entry could not be found in Oracle Internet Directory. Add the user entry to the directory.
Problem
Single sign-on server fails to start. Log file contains an exception bearing the message "Credential not found."
Solution
The parameter kerberos-servicename may not be configured correctly. To fix this problem, perform the following steps:
Make sure that kerberos-servicename is configured correctly in the files orion-application.xml and jazn-data.xml. In orion-application.xml, the format for this parameter is HTTP@sso.mycompany.com. In jazn-data.xml, the format is HTTP/sso.mycompany.com.
Check ssoServer.log for errors.
Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.
Make sure that the single sign-on middle tier computer is configured to access the Kerberos domain controller. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".
This section provides solutions to synchronization errors and problems that can occur with Microsoft Active Directory and SunONE Directory Server.
Problem
LDAP: error code 50 - Insufficient Access Rights.
Solution
The ODI agent orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory does not have full read/write access to the synchronized entries in Oracle Internet Directory. Because the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group already has the required ACLs defined, this entry should be a member of that group. In this case, <subscriber DN> is set to identity_management_realm. You must add the orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory user entry to the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group so that it has the required ACL access to perform the updates. In Oracle Directory Manager, navigate through: Entry Management -> identity_management_realm (for example, dc=com) -> cn=oraclecontext -> cn=groups -> cn=oracleDASCreateUser. Then add the following value to the uniquemember attribute: orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.
Problem
Add and change operations are successful, but delete operations fail without being recorded in the trace file.
Solution 1
In SunONE/iPlanet: Tombstones are not enabled. Verify that tombstones are enabled as described in Oracle MetaLink Note: 219835.1, available on Oracle MetaLink at http://metalink.oracle.com/.
Solution 2
In Microsoft Active Directory: The account used for the profile is not a member of the DIR SYNCH ADMIN group. This only occurs if you are not using a Microsoft Active Directory administrator account. Install the appropriate patch from Microsoft.
Problem
Data synchronization problems encountered after configuring Oracle Directory Integration import or export connectors to third-party LDAP directories.
Solution
Determine the cause by running the oditest utility, as described in Troubleshooting Integration with the SunONE Connector or Debugging the Active Directory Connector.
Problem
The Oracle Internet Directory profile in Oracle Directory Manager shows "synchronization successful" yet no changes show up in the directory.
Solution
The synchronization interval is set to occur too infrequently to be of use during testing. By default, the synchronization interval is set to occur every 60 seconds. However, you may increase the synchronization interval for better performance. For example, you may increase your synchronization interval to a value such as 300 seconds (5 minutes) or 600 seconds (10 minutes). Follow these steps to decrease your synchronization interval:
WARNING: Decreasing your synchronization interval may significantly impact the performance of your connected directory server. Before changing your synchronization interval, try debugging your connector with the
In the Oracle Directory Integration and Provisioning Server Administration tool, in the navigator pane, navigate to the Integration Server and modify the Scheduling Interval attribute in the profiles to 20 seconds.
Use the odisrv command to stop the directory integration and provisioning server and restart it with the parameter debug=63.
Add a test entry in your connected directory.
In Oracle Internet Directory, change to the $ORACLE_HOME/ldap/odi/log directory and use the cat command to display the file ActiveChgImp.trc. When the directory integration and provisioning server wakes up and processes the record from the connected directory changelog, you will see the details listed in the IplanetImport.trc or ActiveChgImp.trc file.
Examine the trace files for possible clues as to what is actually taking place: You should see the handshake/login to the connected directory server, then the change being captured and reformatted according to the mapping rules, and finally the change being attempted in Oracle Internet Directory. If there are handshake or mapping problems they will appear in this file.
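The trace-file step above is where most of this section's symptoms first show up (handshake failure, mapping engine exceptions, LDAP result codes on the final write). As an added example that is not part of the Oracle guide, the shell functions below perform that first look over a profile trace file: they confirm that the login to the connected directory succeeded, pull out any LDAP result codes, and count lines carrying the error signatures quoted in this section. The sample trace they run on is constructed from message fragments quoted in this section and is not a real log; the file name in the usage comment is the one the guide names.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: first-pass triage of a DIP profile
# trace file ($ORACLE_HOME/ldap/odi/log/<profile>.trc). The sample trace below
# is constructed from fragments quoted in the troubleshooting section; it is
# not output captured from a real server.

# Write the constructed sample trace to a temp file and print its path.
write_sample_trc() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
LDAP URL : (dir.example.com:389
LDAP Connection success
ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_INITIALIZATION_EXCEPTION
    at oracle.ldap.odip.util.DirUtils.getLastChgNum(DirUtils.java:48)
Output ChangeRecord ChangeRecord : Changetype: 1 ChangeKey: cn=users,dc=example,dc=com
Exception javax.naming.ContextNotEmptyException: [LDAP: error code 66 - Not Allowed On Non-leaf]
Missing mandatory attribute(s).
Updated Attributes orclodipLastExecutionTime: 20040601143204
EOF
    echo "$f"
}

# 0 if the handshake/login to the connected directory is recorded, 1 otherwise.
trc_connected() {
    grep -q 'LDAP Connection success' "$1"
}

# Print each LDAP result code found in the trace, one per line (for example 50, 66).
trc_ldap_error_codes() {
    sed -n 's/.*LDAP: error code \([0-9][0-9]*\).*/\1/p' "$1"
}

# Count lines matching the error signatures this section documents.
trc_error_count() {
    grep -c -e 'Error in Mapping Engine' \
            -e 'DIP_GEN_[A-Z_]*' \
            -e 'LDAP: error code' \
            -e 'Missing mandatory attribute' \
            -e 'NullPointerException' "$1"
}

# One-line verdict for a quick look after each scheduling interval.
trc_verdict() {
    if ! trc_connected "$1"; then
        echo "no connection: check the connected directory URL/port and account credentials"
    elif [ "$(trc_error_count "$1")" -gt 0 ]; then
        echo "connected; $(trc_error_count "$1") error line(s): check mapping rules and target-container ACIs"
    else
        echo "connected; no error signatures found"
    fi
}

# Usage: trc_verdict "$ORACLE_HOME/ldap/odi/log/ActiveChgImp.trc"
#        trc_ldap_error_codes "$ORACLE_HOME/ldap/odi/log/ActiveChgImp.trc"
```

On the constructed sample, the handshake is present, the mapping engine exception and the error code 66 write failure are both counted, and the verdict points at the mapping rules and target-container ACIs, which is where this section's solutions for those two signatures send you.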
A common mistake is to set the Connect Directory Account DN to Administrator. This field must contain the entire distinguished name of the Active Directory administrator, for example:
cn=Administrator,cn=Users,dc=myoracle,dc=com
The first domain component is the value of the third field of the Windows Login Page: User Name, Password, Log on to.
The following ldapsearch commands may be helpful in identifying problems with the configuration.
To check the default identity management realm:
ldapsearch -h host -p port -D cn=orcladmin -w password -b "cn=common,cn=products,cn=oraclecontext" -L -s base "objectclass=*" orcldefaultsubscriber
To dump the directory integration and provisioning server configuration set:
ldapsearch -h host -p port -D cn=orcladmin -w password -b "cn=instance1,cn=odisrv,cn=subregistrysubentry" -s base -v "objectclass=*"
To check profiles:
ldapsearch -h host -p port -D cn=orcladmin -w password -b "orclODIPAgentName=profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"
To check the agent credentials:
Note: This command returns the password in clear text only if you run it using orcladmin credentials.
ldapsearch -h host -p port -D cn=orcladmin -w password -b "orclODIPAgentName=profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"
Problem
Bootstrap Error: DIP_GEN_AUTHENTICATION_FAILURE when trying to Synchronize Active Directory with Oracle Internet Directory
Solution
Invalid credentials. Check the synchronization profile and ensure that it contains the proper credentials to log in to the Active Directory server.