Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02

C.4 Troubleshooting Synchronization

This section describes how to troubleshoot synchronization with Oracle Directory Integration and Provisioning. It contains these topics:

C.4.1 Oracle Directory Integration and Provisioning Server Synchronization Process Flow

When debugging synchronization issues between Oracle Internet Directory and a connected directory, it helps to understand the synchronization process flow of the Oracle directory integration and provisioning server.

C.4.1.1 Oracle Directory Integration and Provisioning Server Synchronization Process Flow for an Import Profile

The Oracle directory integration and provisioning server reads all import profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration and provisioning server performs the following tasks during the synchronization process:

  1. Connects to a third-party directory

  2. Gets the value of the last change key from the connected directory

  3. Connects to Oracle Internet Directory

  4. Gets the value of the profile's last applied change key from Oracle Internet Directory

  5. For SunONE connections, the Oracle directory integration and provisioning server searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Active Directory connections, the Oracle directory integration and provisioning server searches for this information in the remote directory's uSNChanged values. For other types of connectors, such as the Oracle Human Resources connector, the Oracle directory integration and provisioning server performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.

  6. Maps the data values from the connected directory to Oracle Internet Directory values

  7. Creates an Oracle Internet Directory change record

  8. Processes change (add, change, delete)

  9. Updates the Oracle Internet Directory import profile with the last execution times and the last applied change key from the connected directory

  10. Enters sleep mode for the number of seconds specified for the synchronization interval

C.4.1.2 Oracle Directory Integration and Provisioning Server Synchronization Process Flow for an Export Profile

The Oracle directory integration and provisioning server reads all export profiles at startup. For each profile that is set to ENABLE, the Oracle directory integration and provisioning server performs the following tasks during the synchronization process:

  1. Connects to a third-party directory

  2. Connects to Oracle Internet Directory

  3. Gets the value for the last change key from Oracle Internet Directory

  4. Gets the value of the profile's last applied change key from Oracle Internet Directory

  5. For SunONE connections, the Oracle directory integration and provisioning server searches the remote change logs for entries greater than the value of the last applied change key and less than or equal to the value of the last change key. For Active Directory connections, the Oracle directory integration and provisioning server searches for this information in the remote directory's uSNChanged values. For other types of connectors, such as the Oracle Human Resources connector, the Oracle directory integration and provisioning server performs similar types of searches, although the method by which data is exchanged varies according to the type of connection.

  6. Maps the data values from Oracle Internet Directory to the connected directory values

  7. Creates a change record

  8. Processes change (add, change, delete) on the connected directory

  9. Updates the Oracle Internet Directory export profile with the last execution times and the last applied change key from Oracle Internet Directory

  10. Enters sleep mode for the number of seconds specified for the synchronization interval

C.4.2 Checklist for Debugging Synchronization

When troubleshooting synchronization, use the following as a checklist.

  • On UNIX, use the following command to verify that the Oracle directory integration and provisioning server process (odisrv) is running:

    ps -ef | grep odisrv
    
    

    For Windows operating systems, obtain the process ID (PID) of the odisrv process from $ORACLE_HOME/ldap/log/oidmon.log. Then, launch Task Manager and click the Processes tab to verify that the process is running.

  • Check whether there is also a directory integration and provisioning server instance running.

    If OracleAS Portal, Oracle Collaboration Suite, or another component needs provisioning, then there is probably a directory integration and provisioning server provisioning process running as instance 1 on configuration set 0. In this case, you should start your directory integration and provisioning server as instance 2, using either the default configset=1 argument or your custom-created configuration set number.

    Check $ORACLE_HOME/ldap/log/odisrv0x.log. When the provisioning integration service is running, it logs to odisrv01.log. The directory synchronization service then logs to odisrv02.log.

  • Verify that the profile is enabled by using the Oracle Directory Integration and Provisioning Server Administration tool or DIP Tester.

  • Verify that trace files are being generated. The trace file can be found at: $ORACLE_HOME/ldap/odi/log/profilename.trc

    If no trace file is generated, then check the odisrv0x.log for possible problems in startup of the directory integration and provisioning server, as described earlier in this list.

  • Verify that correct syntax is used to start the directory integration and provisioning server. For example:

    oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060" start
    
    
  • For debugging, verify that the value of the debug flag is set to 63 when starting the directory integration and provisioning server, as follows:

    oidctl connect=asdb server=odisrv instance=2 configset=1 flags="host=myhost port=3060 debug=63" start
     
    
  • Edit the profile and set the debug level to 63 by using the Oracle Directory Integration and Provisioning Server Administration tool or DIP Tester.

  • Validate all required parameters in the profile.


  • Verify that you are using the Oracle Internet Directory 10g (10.1.2) version of the Oracle Directory Integration and Provisioning Server Administration tool or Oracle Directory Manager to update the profile. Previous releases of these utilities display different information on the Profile tab pages and should not be used.

  • Verify that the third-party LDAP directory server is running by executing the following command:

    ldapbind -h ldap_host -p ldap_port -D account -w password
    
    
  • If the directory integration and provisioning server does not start or if it starts and then fails, then check the following:

    • The instance number and configset being used

    • Whether the flags="host=xxx port=xxxx" parameter is used with oidctl

    • The odisrv0x.log, to see:

      • Whether the connector successfully started

      • Whether the password expired

    To re-register the connector, enter the following command:

    odisrvreg -p port -D cn=orcladmin -w passwd -h host
    

See Also:

MetaLink Note: 265397.1—Password Policy Expires available on Oracle MetaLink at http://metalink.oracle.com/

C.4.3 Sample Valid Trace Files in Debug Level 63 Mode

The following are the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized addition operation:

-------------------------------------------------------------------------------
Trace Log Started at Tue Jun 08 11:22:25 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (activedir.oracle.com:389 administrator@oracle.com
LDAP Connection success
Applied ChangeNum : 28017Available chg num = 28019
Reader Initialised !!
LDAP URL : (sun1:3060 cn=odisrv+orclhostname=sun1,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF : 
CHGLOGFILTER : (&(USNChanged>=28018)(USNChanged<=28022))
Search Time 8
Search Successful till # 28022
Search Changes Done
Changenumber uSNChanged: 28022
targetdn distinguishedName: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com
ChangeRecord : ----------
Changetype: 4
ChangeKey: CN=Test User56,CN=Users,DC=US,DC=ORACLE,DC=com
Attributes: 
Class: null Name: ou Type: null ChgType: 1 Value: [ ]
Class: null Name: objectGUID Type: null ChgType: 2 Value: [[B@d0a5d9]
 
...
 
Class: null Name: mail Type: null ChgType: 1 Value: [ ]
Class: null Name: displayname Type: null ChgType: 2 Value: [Test User56]
Class: null Name: cn Type: null ChgType: 2 Value: [Test User56]
Class: null Name: sn Type: null ChgType: 2 Value: [Test User56]
Class: null Name: krbprincipalname Type: null ChgType: 1 Value: [@ ]
Class: null Name: uid Type: null ChgType: 1 Value: [ ]
Class: null Name: orcluserprincipalname Type: null ChgType: 1 Value: [ ]
Class: null Name: orclsamaccountname Type: null ChgType: 2 Value: [$Test User56]
-----------
DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Normalized DN : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Processing modifyRadd Operation ..
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Entry Added Successfully : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
Updated Attributes 
orclodipLastExecutionTime: 20040608112226
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040608112226

The following are the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized deletion operation:

-------------------------------------------------------------------------------
 Trace Log Started at Wed Aug 18 09:10:05 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (sun1.mycompany.com:389 administrator@mycompany.com
LDAP Connection success
Applied ChangeNum : 31940Available chg num = 31940
Reader Initialised !!
LDAP URL : (sun2.mycompany.com:3060 cn=odisrv+orclhostname=sun2,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF :
CHGLOGFILTER : (&(USNChanged>=31941)(USNChanged<=31941))
Search Time 10
Search Successful till # 31941
Search Changes Done
Changenumber uSNChanged: 31941
Deleted isDeleted: TRUE
Deleted isDeleted: TRUE
ChangeRecord : ----------
Changetype: 1
ChangeKey: *
Attributes:
Class: null Name: objectGUID Type: null ChgType: 3 Value: [[B@ece65]
 
...
 
Output ChangeRecord ChangeRecord : ----------
Changetype: 1
ChangeKey: *
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [organizationalunit,
orclcontainer, orcladuser, orcluserv2, orcladgroup]
Class: null Name: krbprincipalname Type: null ChgType: 3 Value: [@ ]
Class: null Name: orclsamaccountname Type: null ChgType: 3 Value: [$ ]
Class: null Name: orclobjectguid Type: null ChgType: 3 Value: [2xR7Nas8UUKtzmPk0jpSFg==]
-----------
DN : *
Normalized DN : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com
Processing Delete Operation ..
Deleted entry Successfully : cn=TUser2007,cn=users,dc=us,dc=oracle,dc=com
Updated Attributes
orclodipLastExecutionTime: 20040818091005
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040818091005
 

The following are the beginning and end portions of a valid sample trace file for an Active Directory connector synchronized modify operation:

-------------------------------------------------------------------------------
 Trace Log Started at Wed Sep 29 09:40:18 EDT 2004
-------------------------------------------------------------------------------
Command exec succesful
LDAP URL : (server.mycompany.com:389 administrator@mycompany.com
LDAP Connection success
Applied ChangeNum : 35322Available chg num = 35322
Reader Initialised !!
LDAP URL : (sun2.mycompany.com:3060 cn=odisrv+orclhostname=sun2,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF :
CHGLOGFILTER : (&(USNCreated>=35323)(USNCreated<=35323))
Search Time 7
Search Successful till # 35323
Search Changes Done
searchF :
CHGLOGFILTER : (&(USNChanged>=35323)(USNChanged<=35323)(USNCreated<=35322))
Search Time 15
Search Successful till # 35323
Changenumber uSNChanged: 35323
targetdn distinguishedName: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com
ChangeRecord : ----------
Changetype: 4
ChangeKey: CN=Test User111,CN=Users,DC=US,DC=ORACLE,DC=com
Attributes:
Class: null Name: distinguishedname Type: null ChgType: 1 Value: [ ]
Class: null Name: samaccountname,userprincipalname Type: null ChgType: 1 Value: [ ]
Class: null Name: userprincipalname Type: null ChgType: 1 Value: [ ]
 
...
 
 Output ChangeRecord ChangeRecord : ----------
Changetype: 4
ChangeKey: cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [orcluserv2, orcladuser, inetorgperson, person]
Class: null Name: orclObjectSID Type: null ChgType: 2 Value: [AQUAAAAAAAUVAAAAiqcyP8CFOF0VJa9HCAYAAA==]
Class: null Name: orclObjectGUID Type: null ChgType: 2 Value: [6uEo05+F/0CHj4PTpPCchQ==]
Class: null Name: mail Type: null ChgType: 2 Value: [Tuser111@oracle.com]
Class: null Name: displayName Type: null ChgType: 2 Value: [Test User111]
Class: null Name: cn Type: null ChgType: 2 Value: [TUser111]
Class: null Name: sn Type: null ChgType: 2 Value: [TUser111]
Class: null Name: krbPrincipalName Type: null ChgType: 1 Value: [@ ]
Class: null Name: uid Type: null ChgType: 2 Value: [TUser111]
Class: null Name: orclUserPrincipalName Type: null ChgType: 1 Value: [ ]
Class: null Name: orclSAMAccountName Type: null ChgType: 2 Value: [$TUser111]
Class: null Name: orclDefaultProfileGroup Type: null ChgType: 1 Value: [ ]
-----------
DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Normalized DN : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Processing modifyRadd Operation ..
Entry found. Converting To a Modify Operation..
Proceeding with checkNReplace..
Performing checkNReplace..
Naming attribute: cn
Naming attribute value: orclDefaultProfileGroup
Naming attribute value: orclSAMAccountName
Naming attribute value: orclUserPrincipalName
Naming attribute value: uid
Naming attribute value: krbPrincipalName
Naming attribute value: sn
Naming attribute value: cn
Naming attribute value: displayName
Naming attribute value: mail
Adding Attribute in OID : mail
Naming attribute value: orclObjectGUID
Naming attribute value: orclObjectSID
Total # of Mod Items : 1
Modified Entry Successfully : cn=TUser111,cn=users,dc=us,dc=oracle,dc=com
Replacing Attribute orclodipLastSuccessfulExecutionTime in the Profile with value : 20040929094018
Removed Existing attribute
RePopulated Attribute..
Updated Attributes
orclodipLastExecutionTime: 20040929094018
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040929094018
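
The following added example is not part of the Oracle documentation or tools. It reads a debug level 63 trace like the samples above and checks it against step 5 of the process flow in C.4.1: the search filter should start one above the applied change number, and the run should end with a successful status. The function name check_trace, the two embedded traces, and the failure status text are constructed for illustration, and the checks assume the line formats shown in the samples.

```python
import re

# Constructed sample: lines condensed from the addition trace above.
SAMPLE_OK = """\
Applied ChangeNum : 28017Available chg num = 28019
CHGLOGFILTER : (&(USNChanged>=28018)(USNChanged<=28022))
Entry Added Successfully : CN=Test User56,cn=users,dc=us,dc=oracle,dc=com
orclodipLastExecutionTime: 20040608112226
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20040608112226
"""
# Constructed failure case; the status text here is a made-up placeholder.
SAMPLE_BAD = """\
Applied ChangeNum : 28017Available chg num = 28019
CHGLOGFILTER : (&(USNChanged>=28020)(USNChanged<=28022))
orclodipLastExecutionTime: 20040608113000
orclOdipSynchronizationStatus: PLACEHOLDER failure text
orclodipLastSuccessfulExecutionTime: 20040608112226
"""

CHANGE_NUMS = re.compile(r"Applied ChangeNum\s*:\s*(\d+)\s*Available chg num\s*=\s*(\d+)")
LOWER_BOUND = re.compile(r"\(USN(?:Changed|Created)>=(\d+)\)")
APPLIED_OP = re.compile(r"^(Entry Added|Modified Entry|Deleted entry) Successfully\s*:\s*(.+)$", re.M)
ATTR = re.compile(r"^(orclodipLastExecutionTime|orclOdipSynchronizationStatus|"
                  r"orclodipLastSuccessfulExecutionTime):\s*(.+)$", re.M)

def check_trace(text):
    """Return (summary, findings) for one debug-63 profile trace."""
    summary = {"ops": [(m.group(1), m.group(2).strip()) for m in APPLIED_OP.finditer(text)]}
    summary.update({k: v.strip() for k, v in ATTR.findall(text)})
    findings = []
    nums = CHANGE_NUMS.search(text)
    if not nums:
        return summary, ["no 'Applied ChangeNum' line: reader did not initialise"]
    applied = summary["applied"] = int(nums.group(1))
    summary["available"] = int(nums.group(2))
    # Step 5: the search starts just above the last applied change key.
    # In the samples, ">=" clauses occur only on CHGLOGFILTER lines.
    for low in LOWER_BOUND.findall(text):
        if int(low) != applied + 1:
            findings.append(f"filter starts at {low}, expected {applied + 1}")
    if summary.get("orclOdipSynchronizationStatus") != "Synchronization Successful":
        findings.append("status is not 'Synchronization Successful'")
    if summary.get("orclodipLastExecutionTime") != summary.get("orclodipLastSuccessfulExecutionTime"):
        findings.append("last execution differs from last successful execution")
    return summary, findings

if __name__ == "__main__":
    for name, trace in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_trace(trace))
```

Traces written at debug level 63 record DNs and attribute values such as mail and orclObjectSID, as the samples show, so restrict access to the .trc files accordingly.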