Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section describes how to troubleshoot provisioning problems in the Oracle Internet Directory Provisioning Console. It contains these topics:
You can use the Oracle Delegated Administration Services diagnostic settings to debug provisioning problems in the Oracle Internet Directory Provisioning Console without having to examine the log files. For more information on viewing and configuring diagnostic settings, see the chapter on managing users and groups with the Oracle Internet Directory Self-Service Console in the Oracle Identity Management Guide to Delegated Administration.
After you install a new provisioning-integrated application in Oracle Internet Directory, the application does not appear in the Provisioning Console until you reload the application cache. You must also reload the application cache whenever a provisioning-integrated application is enabled or disabled in Oracle Internet Directory. To reload the application cache, follow the procedures described in "Reloading the Application Cache".
The Oracle Provisioning Service uses plug-ins to create new users. This section contains the following topics, which describe how to troubleshoot the Oracle Provisioning Service plug-ins to resolve user creation problems:
Provisioning-integrated applications can invoke the Pre-Data Entry and Post-Data Entry plug-ins to enhance provisioning intelligence and implement business policies. This section describes how to troubleshoot problems with both plug-ins.
When you follow the instructions described in "Creating Users with the Provisioning Console", the Provisioning Console invokes the Pre-Data Entry plug-in after you click the Next button in the General Provisioning window. The primary purpose of this plug-in is to determine whether a user should be provisioned in the applications selected in the General Provisioning window. If a user has provisioning permission for an application, then the Pre-Data Entry plug-in populates fields in the next window, the Application Provisioning window, according to the application's provisioning policies.
In the event of a problem with the Pre-Data Entry plug-in, an error containing an exception message and stack trace will display in the General Provisioning window. You can find the user attributes that were passed to the plug-in by locating the following line in the stack trace:
******preplugin base user prop set for <Application Name> …
You can locate the error in the log files by searching for the following:
oracle.idm.provisioning.plugin.PluginException
When you follow the instructions described in "Creating Users with the Provisioning Console", the Provisioning Console invokes the Pre-Data Entry plug-in after you click the Next button in the Application Attributes window. The Post-Data Entry plug-in validates data entered by users for common and application-specific attributes. The validation for the plug-in must be successful in order for provisioning to continue.
In the event of a problem with the Post-Data Entry plug-in, an error will display in the Application Attributes window. The exception stack trace will be located after the following line:
UserPlguInMgmt::postPlugInProcess(): apptype <Application Type> appname <Application Name> error when executing plugin logics
Provisioning-integrated applications can be provisioned either through a PL/SQL plug-in or the Data Access Java plug-in. The PL/SQL plug-in is invoked by the Oracle directory integration and provisioning server while the Data Access Java plug-in is invoked directly by Oracle Delegated Administration Services.
When you follow the instructions described in "Creating Users with the Provisioning Console", user creation may be successful even though provisioning for a specific application may fail. You will know when provisioning has failed if you receive a warning status along with a provisioning error message after you click the Submit button in the Review window. For details on the failure, search the log files for "Data Access plug-in execution failure". The lines following this statement list details of why provisioning failed.
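The log searches described above for the Pre-Data Entry, Post-Data Entry, and Data Access plug-ins can be combined into one pass. This is an added example, not Oracle code: the function name `scan_prov_log` and the stage labels are hypothetical, the marker strings are the ones quoted in the text, and the caller supplies the log file path.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide).
# Stage label = marker text. The marker strings are quoted from the text
# above and are matched as fixed strings, not regular expressions.
MARKERS='pre-data-entry=preplugin base user prop set for;post-data-entry=error when executing plugin logics;data-access=Data Access plug-in execution failure;plugin-exception=oracle.idm.provisioning.plugin.PluginException'

# scan_prov_log <logfile> [lines of context after each hit, default 5]
# Prints every marker hit with its stage, line number and following lines.
# Returns 0 if a marker was found, 1 if none was, 2 if the file is unreadable.
scan_prov_log() {
    log=$1
    ctx=${2:-5}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    awk -v ctx="$ctx" -v markers="$MARKERS" '
        BEGIN {
            n = split(markers, pair, ";")
            for (i = 1; i <= n; i++) {
                eq = index(pair[i], "=")
                stage[i] = substr(pair[i], 1, eq - 1)
                text[i]  = substr(pair[i], eq + 1)
            }
        }
        {
            for (i = 1; i <= n; i++)
                if (index($0, text[i])) {
                    printf "[%s] line %d\n", stage[i], NR
                    left = ctx + 1      # the hit itself plus ctx lines
                    hits++
                    break
                }
            if (left > 0) { print "    " $0; left-- }
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$log"
}
```

The lines printed under a pre-data-entry hit are the user attributes that were passed to the plug-in, so handle the output with the same care as the log file itself.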
You can use the provisioning status of a user entry to help identify provisioning problems.
To view a user entry's provisioning status:
In the Provisioning Console, select the Directory tab, then select Users. The Search for Users window appears.
In the Search for User field, enter the first few characters of the user's first name, last name, e-mail address, or user ID. For example, if you are searching for Anne Smith, you could enter Ann or Smi. To generate a list of all users in the directory, leave this field blank.
Choose Go to display the search results.
Select the user whose entry you want to view, then click the View button to display the View User window.
This window is described in Oracle Identity Management Guide to Delegated Administration.
In the View User window, examine the entries in the Provisioning Status table. If the Provisioning Status column for an application contains a value of PROVISIONING_FAILURE, then the Provisioning Status Description column will contain one of the following values to describe the reason for the failure:
PROVISIONING_REQUIRED
PENDING_UPGRADE
PROVISIONING_NOT_REQUIRED
PROVISIONING_FAILURE
See Also: "Understanding User Provisioning Statuses" for more information on user provisioning statuses.
To resolve typical problems that prevent users from logging in after account creation:
Examine the user provisioning statuses to identify the applications in which the user was not successfully provisioned by following the instructions described in "Using Provisioning Status to Identify Problems".
Identify the application provisioning approach for applications in which the user was not successfully provisioned.
For user accounts created with the Oracle Internet Directory Provisioning Console, examine the following Oracle Delegated Administration Services log file:
$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
For user accounts created with the PL/SQL plug-in or the Data Access Java plug-in, examine the following trace/audit file:
$ORACLE_HOME/ldap/odi/log/applicationType_realmName_E.trc
You can use the Oracle Enterprise Manager 10g Application Server Control Console to monitor the provisioning execution status of provisioning integration profiles.
On the main Application Server Control Console page, select the name of the Oracle Application Server instance you want to manage in the Standalone Instances section. The Oracle Application Server home page opens for the selected instance.
In the System Components table, select OID in the Name column. The Oracle Internet Directory page opens. The status should be green if the required packages are installed properly. This does not indicate whether the Oracle directory integration and provisioning server is running or not.
To check the status of the servers, select Directory Integration to display the Directory Integration Platform Status page. This page displays the various running instances of Oracle directory integration and provisioning servers—including those for both provisioning and synchronization. The main data displayed for provisioning integration profiles in this window are:
Name of the subscribed application
Name of the organization for which the subscription was made
Status of the profile (ENABLED or DISABLED)
Change key in Oracle Internet Directory up to which the events have been propagated to the application that is represented by the profile
Last Execution Time
Last Successful Execution Time of the profile.
Errors, if any
Note: The Directory Integration Platform Status page does not currently display the various event subscriptions for this profile.
You can also get detailed output on provisioning integration status by running the oidprovtool utility with the operation argument status. The oidprovtool utility is located in the $ORACLE_HOME/bin directory.
Note: See the chapter on Oracle Directory Integration and Provisioning tools in the Oracle Identity Management User Reference for information on how to use the oidprovtool utility.
When troubleshooting provisioning, use the following as a checklist.
On UNIX, use the following command to verify that the Oracle directory integration and provisioning server process (odisrv) is running:
ps -ef | grep odisrv
For Windows operating systems, obtain the value of the process ID (PID) for the odisrv process from $ORACLE_HOME/ldap/log/oidmon.log. Then, launch Task Manager and click the Processes tab to verify that the process is running.
Check whether there is also a directory integration and provisioning server instance running.
If OracleAS Portal, Oracle Collaboration Suite, or another component needs provisioning, then there is probably a directory integration and provisioning server provisioning process running as instance 1 on configuration set 0. In this case, you should start your directory integration and provisioning server as instance 2 with either the default configset=1 argument or using your custom created configuration set number.
Check $ORACLE_HOME/ldap/log/odisrv0x.log. When the provisioning integration service is running, it logs to odisrv01.log. The directory synchronization service then logs to odisrv02.log.
Verify that the profile is enabled by using the Oracle Directory Integration and Provisioning Server Administration tool or DIP Tester.
Verify that trace files are being generated. The trace file can be found at: $ORACLE_HOME/ldap/odi/log/profilename.trc
If no trace file is generated, then check the odisrv0x.log for possible problems in startup of the directory integration and provisioning server, as described earlier in this list.
Verify that correct syntax is used to start the directory integration and provisioning server. For example:
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060" start
For debugging, verify that the value of the debug flag is set to 63 when starting the directory integration and provisioning server, as follows:
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060 debug=63" start
Edit the profile and set the debug level to 63 by using the Oracle Directory Integration and Provisioning Server Administration tool or DIP Tester.
Validate all the required parameters in the profile.
Verify that you are using the Oracle Internet Directory 10g (10.1.2) version of the Oracle Directory Integration and Provisioning Server Administration tool or Oracle Directory Manager to update the profile. Previous releases of these utilities display different information on the Profile tab pages and should not be used.
If you are using the PL/SQL plug-in, use sqlplus to verify that you can connect to the provisioning-integrated application.
See Also: MetaLink Note: 265397.1—Password Policy Expires available on Oracle MetaLink at http://metalink.oracle.com/
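The UNIX process check and the trace file and server log items of the checklist above can be scripted as follows. This is an added example, not Oracle code: the function names and return codes are hypothetical, the paths are the ones given in the checklist, and the caller supplies the Oracle home and the profile name.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide).

# True if an odisrv process exists. The [o] bracket stops grep from matching
# its own command line, which a plain "grep odisrv" can do.
odisrv_running() {
    ps -ef | grep '[o]disrv' >/dev/null 2>&1
}

# check_prov_files <ORACLE_HOME> <profile name>
# Returns 0 if the profile trace file exists and is non-empty,
#         1 if it is missing but an odisrv0x.log exists to inspect,
#         2 if neither is present.
check_prov_files() {
    home=$1
    profile=$2
    trc="$home/ldap/odi/log/$profile.trc"
    if [ -s "$trc" ]; then
        echo "trace file present: $trc"
        return 0
    fi
    echo "no trace file at $trc"
    found=0
    for f in "$home"/ldap/log/odisrv0*.log; do
        [ -f "$f" ] || continue      # the glob matched nothing
        found=1
        case $f in
            */odisrv01.log) echo "provisioning service log: $f" ;;
            */odisrv02.log) echo "synchronization service log: $f" ;;
            *)              echo "other server log: $f" ;;
        esac
    done
    if [ "$found" -eq 1 ]; then
        return 1
    fi
    echo "no odisrv0x.log under $home/ldap/log"
    return 2
}
```

A return code of 1 corresponds to the checklist step that sends you to odisrv0x.log for startup problems.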