Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section describes how to troubleshoot synchronization with Oracle Directory Integration and Provisioning.
When debugging synchronization issues between Oracle Internet Directory and a connected directory, it helps to understand the synchronization process flow of the Oracle directory integration and provisioning server.
The Oracle directory integration and provisioning server reads all import profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration and provisioning server performs the following tasks during the synchronization process:
1. Connects to a third-party directory
2. Gets the value of the last change key from the connected directory
3. Connects to Oracle Internet Directory
4. Gets the value of the profile's last applied change key from Oracle Internet Directory
5. For SunONE connections, the Oracle directory integration and provisioning server searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Active Directory connections, the Oracle directory integration and provisioning server searches for this information in the remote directory's uSNChanged values. For other types of connectors, such as the Oracle Human Resources connector, the Oracle directory integration and provisioning server performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.
6. Maps the data values from the connected directory to Oracle Internet Directory values
7. Creates an Oracle Internet Directory change record
8. Processes the change (add, change, delete)
9. Updates the Oracle Internet Directory import profile with the last execution times and the last applied change key from the connected directory
10. Enters sleep mode for the number of seconds specified for the synchronization interval
The Oracle directory integration and provisioning server reads all export profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration and provisioning server performs the following tasks during the synchronization process:
1. Connects to a third-party directory
2. Connects to Oracle Internet Directory
3. Gets the value for the last change key from Oracle Internet Directory
4. Gets the value of the profile's last applied change key from Oracle Internet Directory
5. For SunONE connections, the Oracle directory integration and provisioning server searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Active Directory connections, the Oracle directory integration and provisioning server searches for this information in the remote directory's uSNChanged values. For other types of connectors, such as the Oracle Human Resources connector, the Oracle directory integration and provisioning server performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.
6. Maps the data values from Oracle Internet Directory to the connected directory values
7. Creates a change record
8. Processes the change (add, change, delete) on the connected directory
9. Updates the Oracle Internet Directory export profile with the last execution times and the last applied change key from Oracle Internet Directory
10. Enters sleep mode for the number of seconds specified for the synchronization interval
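The change-key window that both the import and export loops above walk, as an added example in Python that is not part of the Oracle documentation. It models the Active Directory import case: constructed uSNChanged change-log records, a set standing in for the entries already in Oracle Internet Directory, and hypothetical function names; the add-or-modify decision follows the "modifyRadd" behaviour visible in the trace files later in this section.

```python
# Added example, not code from the Oracle documentation: a model of the
# change-key window the server walks on each import cycle. Change numbers
# stand for Active Directory uSNChanged values; the "oid" set stands for
# entries already in Oracle Internet Directory. All records are constructed.

def build_filter(last_applied, last_change):
    # Filter shape seen in the connector trace: strictly greater than the
    # profile's last applied key, up to and including the last change key.
    return f"(&(USNChanged>={last_applied + 1})(USNChanged<={last_change}))"

def select_window(records, last_applied, last_change):
    return sorted((r for r in records if last_applied < r["uSNChanged"] <= last_change),
                  key=lambda r: r["uSNChanged"])

def run_cycle(profile, records):
    # One pass: read both keys, search the window, apply each change to the
    # OID model, and advance the profile's applied key as changes are applied.
    last_change = max((r["uSNChanged"] for r in records), default=profile["last_applied"])
    applied = []
    for rec in select_window(records, profile["last_applied"], last_change):
        dn = rec["dn"].lower()                        # normalised DN, as in the trace
        if rec["isDeleted"]:
            profile["oid"].discard(dn)
            op = "delete"
        elif dn in profile["oid"]:
            op = "modify"                             # modifyRadd: entry found
        else:
            profile["oid"].add(dn)
            op = "add"                                # modifyRadd: entry not found
        applied.append((rec["uSNChanged"], op, dn))
        profile["last_applied"] = rec["uSNChanged"]
    return applied

# Constructed change log; 28017 was applied on an earlier cycle.
CHANGE_LOG = [
    {"uSNChanged": 28017, "dn": "CN=Test User55,CN=Users,DC=example,DC=com", "isDeleted": False},
    {"uSNChanged": 28018, "dn": "CN=Test User56,CN=Users,DC=example,DC=com", "isDeleted": False},
    {"uSNChanged": 28019, "dn": "CN=Test User56,CN=Users,DC=example,DC=com", "isDeleted": False},
    {"uSNChanged": 28022, "dn": "CN=Test User57,CN=Users,DC=example,DC=com", "isDeleted": True},
]

if __name__ == "__main__":
    profile = {"last_applied": 28017,
               "oid": {"cn=test user55,cn=users,dc=example,dc=com",
                       "cn=test user57,cn=users,dc=example,dc=com"}}
    print(build_filter(profile["last_applied"], 28022))
    for step in run_cycle(profile, CHANGE_LOG):
        print(step)
```

A second call with the same change log returns nothing, which is the idle cycle an operator sees when the applied and available change numbers in the trace are equal.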
When troubleshooting synchronization, use the following as a checklist.
On UNIX, use the following command to verify that the Oracle directory integration and provisioning server process (odisrv) is running:
ps -ef | grep odisrv
For Windows operating systems, obtain the value of the process ID (PID) for the odisrv process from $ORACLE_HOME/ldap/log/oidmon.log. Then, launch Task Manager and click the Processes tab to verify that the process is running.
Check whether there is also a directory integration and provisioning server instance running.
If OracleAS Portal, Oracle Collaboration Suite, or another component needs provisioning, then there is probably a directory integration and provisioning server provisioning process already running as instance 1 on configuration set 0. In this case, start your directory integration and provisioning server as instance 2 with either the default configset=1 argument or your custom-created configuration set number.
Check $ORACLE_HOME/ldap/log/odisrv0x.log. When the provisioning integration service is running, it logs to odisrv01.log. The directory synchronization service then logs to odisrv02.log.
Verify that the profile is enabled by using the Oracle Directory Integration and Provisioning Server Administration tool or DIP Tester.
Verify that trace files are being generated. The trace file can be found at: $ORACLE_HOME/ldap/odi/log/profilename.trc
If no trace file is generated, then check the odisrv0x.log for possible problems in startup of the directory integration and provisioning server, as described earlier in this list.
Verify that correct syntax is used to start the directory integration and provisioning server. For example:
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060" start
For debugging, verify that the value of the debug flag is set to 63 when starting the directory integration and provisioning server, as follows:
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060 debug=63" start
Edit the profile and set the debug level to 63 by using the Oracle Directory Integration and Provisioning Server Administration tool or DIP Tester.
Validate all required parameters in the profile.
Verify that you are using the Oracle Internet Directory 10g (10.1.2) version of the Oracle Directory Integration and Provisioning Server Administration tool or Oracle Directory Manager to update the profile. Previous releases of these utilities display different information on the Profile tab pages and should not be used.
Verify that the third-party LDAP directory server is running by executing the following command:
ldapbind -h ldap_host -p ldap_port -D account -w password
If the directory integration and provisioning server does not start, or if it starts and then fails, then check the following:
The instance number and configset being used
Whether the flags="host=xxx port=xxxx" parameter is used with oidctl
The odisrv0x.log, to see whether the connector started successfully and whether the password expired
To re-register the connector, enter the following command:
odisrvreg -p port -D cn=orcladmin -w passwd -h host
See Also: MetaLink Note 265397.1—Password Policy Expires, available on Oracle MetaLink at http://metalink.oracle.com/
The following are the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized addition operation:
-------------------------------------------------------------------------------
Trace Log Started at Tue Jun 08 11:22:25 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (activedir.oracle.com:389 administrator@oracle.com
LDAP Connection success
Applied ChangeNum : 28017Available chg num = 28019
Reader Initialised !!
LDAP URL : (sun1:3060 cn=odisrv+orclhostname=sun1,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF : CHGLOGFILTER : (&(USNChanged>=28018)(USNChanged<=28022))
Search Time 8
Search Successful till # 28022
Search Changes Done
Changenumber uSNChanged: 28022
targetdn distinguishedName: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com
ChangeRecord :
----------
Changetype: 4
ChangeKey: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com
Attributes:
Class: null Name: ou Type: null ChgType: 1 Value: [ ]
Class: null Name: objectGUID Type: null ChgType: 2 Value: [[B@d0a5d9]
...
Class: null Name: mail Type: null ChgType: 1 Value: [ ]
Class: null Name: displayname Type: null ChgType: 2 Value: [Test User56]
Class: null Name: cn Type: null ChgType: 2 Value: [Test User56]
Class: null Name: sn Type: null ChgType: 2 Value: [Test User56]
Class: null Name: krbprincipalname Type: null ChgType: 1 Value: [@ ]
Class: null Name: uid Type: null ChgType: 1 Value: [ ]
Class: null Name: orcluserprincipalname Type: null ChgType: 1 Value: [ ]
Class: null Name: orclsamaccountname Type: null ChgType: 2 Value: [$Test User56]
-----------
DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Normalized DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Processing modifyRadd Operation ..
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Entry Added Successfully : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Updated Attributes
orclodipLastExecutionTime: 20040608112226
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040608112226
The following are the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized deletion operation:
-------------------------------------------------------------------------------
Trace Log Started at Wed Aug 18 09:10:05 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (sun1.mycompany.com:389 administrator@mycompany.com
LDAP Connection success
Applied ChangeNum : 31940Available chg num = 31940
Reader Initialised !!
LDAP URL : (sun2.mycompany.com:3060 cn=odisrv+orclhostname=sun2,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF : CHGLOGFILTER : (&(USNChanged>=31941)(USNChanged<=31941))
Search Time 10
Search Successful till # 31941
Search Changes Done
Changenumber uSNChanged: 31941
Deleted isDeleted: TRUE
Deleted isDeleted: TRUE
ChangeRecord :
----------
Changetype: 1
ChangeKey: *
Attributes:
Class: null Name: objectGUID Type: null ChgType: 3 Value: [[B@ece65]
...
Output ChangeRecord
ChangeRecord :
----------
Changetype: 1
ChangeKey: *
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [organizationalunit, orclcontainer, orcladuser, orcluserv2, orcladgroup]
Class: null Name: krbprincipalname Type: null ChgType: 3 Value: [@ ]
Class: null Name: orclsamaccountname Type: null ChgType: 3 Value: [$ ]
Class: null Name: orclobjectguid Type: null ChgType: 3 Value: [2xR7Nas8UUKtzmPk0jpSFg==]
-----------
DN : *
Normalized DN : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com
Processing Delete Operation ..
Deleted entry Successfully : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com
Updated Attributes
orclodipLastExecutionTime: 20040818091005
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040818091005
The following are the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized modify operation:
-------------------------------------------------------------------------------
Trace Log Started at Wed Sep 29 09:40:18 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (server.mycompany.com:389 administrator@mycompany.com
LDAP Connection success
Applied ChangeNum : 35322Available chg num = 35322
Reader Initialised !!
LDAP URL : (sun2.mycompany.com:3060 cn=odisrv+orclhostname=sun2,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF : CHGLOGFILTER : (&(USNCreated>=35323)(USNCreated<=35323))
Search Time 7
Search Successful till # 35323
Search Changes Done
searchF : CHGLOGFILTER : (&(USNChanged>=35323)(USNChanged<=35323)(USNCreated<=35322))
Search Time 15
Search Successful till # 35323
Changenumber uSNChanged: 35323
targetdn distinguishedName: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com
ChangeRecord :
----------
Changetype: 4
ChangeKey: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com
Attributes:
Class: null Name: distinguishedname Type: null ChgType: 1 Value: [ ]
Class: null Name: samaccountname,userprincipalname Type: null ChgType: 1 Value: [ ]
Class: null Name: userprincipalname Type: null ChgType: 1 Value: [ ]
...
Output ChangeRecord
ChangeRecord :
----------
Changetype: 4
ChangeKey: cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [orcluserv2, orcladuser, inetorgperson, person]
Class: null Name: orclObjectSID Type: null ChgType: 2 Value: [AQUAAAAAAAUVAAAAiqcyP8CFOF0VJa9HCAYAAA==]
Class: null Name: orclObjectGUID Type: null ChgType: 2 Value: [6uEo05+F/0CHj4PTpPCchQ==]
Class: null Name: mail Type: null ChgType: 2 Value: [Tuser111@oracle.com]
Class: null Name: displayName Type: null ChgType: 2 Value: [Test User111]
Class: null Name: cn Type: null ChgType: 2 Value: [TUser111]
Class: null Name: sn Type: null ChgType: 2 Value: [TUser111]
Class: null Name: krbPrincipalName Type: null ChgType: 1 Value: [@ ]
Class: null Name: uid Type: null ChgType: 2 Value: [TUser111]
Class: null Name: orclUserPrincipalName Type: null ChgType: 1 Value: [ ]
Class: null Name: orclSAMAccountName Type: null ChgType: 2 Value: [$TUser111]
Class: null Name: orclDefaultProfileGroup Type: null ChgType: 1 Value: [ ]
-----------
DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Normalized DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Processing modifyRadd Operation ..
Entry found. Converting To a Modify Operation..
Proceeding with checkNReplace..
Performing checkNReplace..
Naming attribute: cn
Naming attribute value: orclDefaultProfileGroup
Naming attribute value: orclSAMAccountName
Naming attribute value: orclUserPrincipalName
Naming attribute value: uid
Naming attribute value: krbPrincipalName
Naming attribute value: sn
Naming attribute value: cn
Naming attribute value: displayName
Naming attribute value: mail
Adding Attribute in OID : mail
Naming attribute value: orclObjectGUID
Naming attribute value: orclObjectSID
Total # of Mod Items : 1
Modified Entry Successfully : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Replacing Attribute orclodipLastSuccessfulExecutionTime in the Profile with value : 20040929094018
Removed Existing attribute
RePopulated Attribute..
Updated Attributes
orclodipLastExecutionTime: 20040929094018
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040929094018
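To read traces like the three above mechanically, an added example in Python that is not Oracle's code: it parses the applied and available change numbers, the change-log search filter, the change record and the final status out of a trimmed, constructed copy of the addition trace, then flags a cycle that read a change record without completing an add, modify or delete, or that did not end in Synchronization Successful. The regular expressions are written only against the line shapes shown on this page, and the finding strings are the script's own labels.

```python
# Added example, not part of the Oracle documentation: a parser for the
# connector trace format shown above plus the checks an operator would run on
# the result. TRACE is a trimmed, constructed copy of the addition trace.
import re
KEYS_RE = re.compile(r"Applied ChangeNum\s*:\s*(\d+)\s*Available chg num\s*=\s*(\d+)")
ATTR_RE = re.compile(r"Name: (\S+) Type: \S+ ChgType: (\d+) Value: \[(.*)\]")
OUTCOME_RE = re.compile(r"(?:Entry Added|Deleted entry|Modified Entry) Successfully : (.+)")

def parse_trace(text):
    s = {"applied": None, "available": None, "filters": [], "records": [], "outcome": None, "status": None}
    rec = None
    for line in text.splitlines():
        if m := KEYS_RE.search(line):
            s["applied"], s["available"] = int(m[1]), int(m[2])
        elif line.startswith("searchF : CHGLOGFILTER : "):
            s["filters"].append(line.split(" : ", 2)[2])
        elif line.startswith("ChangeRecord"):            # start of a new record
            rec = {"changetype": None, "changekey": None, "attrs": {}}
            s["records"].append(rec)
        elif rec is not None and line.startswith("Changetype: "):
            rec["changetype"] = int(line[len("Changetype: "):])
        elif rec is not None and line.startswith("ChangeKey: "):
            rec["changekey"] = line[len("ChangeKey: "):]
        elif rec is not None and (m := ATTR_RE.search(line)):
            rec["attrs"][m[1]] = (int(m[2]), m[3].strip())  # (ChgType, value)
        elif m := OUTCOME_RE.match(line):
            s["outcome"] = m[1]                             # DN the server reported
        elif line.startswith("orclOdipSynchronizationStatus: "):
            s["status"] = line[len("orclOdipSynchronizationStatus: "):]
    return s

def check_trace(s):
    # Findings an operator would act on; an empty list means a clean cycle.
    findings = []
    if s["status"] != "Synchronization Successful":
        findings.append(f"status is {s['status']!r}")
    if s["records"] and s["outcome"] is None:
        findings.append("change record read but no add/modify/delete completed")
    return findings

TRACE = """\
Applied ChangeNum : 28017Available chg num = 28019
searchF : CHGLOGFILTER : (&(USNChanged>=28018)(USNChanged<=28022))
ChangeRecord :
Changetype: 4
ChangeKey: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com
Class: null Name: cn Type: null ChgType: 2 Value: [Test User56]
Entry Added Successfully : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
orclOdipSynchronizationStatus: Synchronization Successful
"""
```

Run it over a full profilename.trc and review check_trace(parse_trace(text)) after each cycle; the attrs dict lists which attributes the connector carried across, which is the quickest way to confirm that a mapping change took effect.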