Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02
C.2 Problems and Solutions

This section describes common problems and solutions for Oracle Directory Integration and Provisioning. It contains the following topics:


Note:

The Oracle directory integration and provisioning server stores error messages in the appropriate file, as described in "Location and Naming of Files".

C.2.1 Oracle Directory Integration and Provisioning Server Errors

This section provides solutions for errors and problems you may encounter with the Oracle directory integration and provisioning server.

Problem

PASSWORD POLICY ERROR :9000: GSL_PWDEXPIRED_EXCP.

Solution

Beginning with Oracle Internet Directory 10g (9.0.4), the default password expiry time, which is assigned to the pwdmaxage attribute, is set to 60 days. To fix this problem, perform the following steps:

  1. You must first unlock the cn=orcladmin super user account before you can modify password policies. Use the oidpasswd utility to unlock the super user account as follows:

    oidpasswd connect=asdb unlock_su_acct=true
    OID DB user password:
    OID super user account unlocked successfully.

    This unlocks only the super user account, cn=orcladmin. Do not confuse this account with the cn=orcladmin account within the default realm, cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy. They are two separate accounts.

  2. Launch an Oracle Internet Directory 10g (10.1.2) version of Oracle Directory Manager and navigate to Password Policy Management. You will see two entries: cn=PwdPolicyEntry and the password policy for your realm—for example, password_policy_entry,dc=acme,dc=com.

    Change the pwdmaxage attribute in each password policy to an appropriate value, expressed in seconds:

    • 5184000 = 60 days (default)

    • 7776000 = 90 days

    • 10368000 = 120 days

    • 15552000 = 180 days

    • 31536000 = 1 year


      Note:

      It is very important to change this value in both places.

  3. Launch the Oracle Directory Manager and navigate to the realm-specific orcladmin account. Find the userpassword attribute and assign a new value. You should then be able to launch any Oracle component that uses OracleAS Single Sign-On and log in as orcladmin.

  4. Rerun the odisrvreg utility to reset the randomly generated password for Directory Integration and Provisioning:

    odisrvreg -D cn=orcladmin -w welcome1 -p 3060
    Already Registered...Updating DIS password...
    DIS registration successful.

C.2.2 Provisioning Errors and Problems

This section provides solutions for provisioning errors and problems.

Problem

Unable to get the Entry from its GUID. Fatal Error...

Solution

The Oracle directory integration and provisioning server is attempting to retrieve an entry that has been deleted, but not yet purged. Update the tombstone purge configuration settings in the Garbage Collection Management node of Oracle Directory Manager.

Problem

LDAP connection failure.

Solution

Directory Integration and Provisioning failed to connect to the directory server. Check the connection to the directory server.


See Also:

The chapter on directory server administration in Oracle Internet Directory Administrator's Guide for information about directory server connections

Problem

LDAP authentication failure.

Solution

The provisioning profile is not able to connect to the LDAP server as administrator. Verify Oracle directory integration and provisioning server entry in the directory. Re-register the Oracle directory integration and provisioning server by using odisrvreg.

Problem

Initialization failure.

Solution

Problem in connecting to the directory server using JNDI. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc.

Problem

Database connection failure.

Solution

Problem connecting to the database with the given account information; either the database is not running or there is an authentication problem. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc.

Problem

Exception while calling SQL operation.

Solution

Problem in executing the package. Verify the package usability. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc.

Problem

Provisioning Profiles Not Getting Executed by the DIP Provisioning Server.

Solution

Provisioning profiles only execute when the Oracle directory integration and provisioning server is started with configuration set 0. Ensure that the Oracle directory integration and provisioning server has been started with the argument configset=0.

Problem

Unable to Connect to the Application Database.

Solution

The application database connection details in a provisioning profile may be incorrect. Use SQL*Plus (sqlplus) with the same connection details to verify that the database can be reached.

Problem

USER/GROUP MODIFY and DELETE Events Not being consumed by the application.

Solution

The Oracle Provisioning Service first queries an application database about the existence of a user or group. If the application database responds with a negative value, then the user or group does not exist, and the event is not propagated to the application. Examine the trace/audit file in $ORACLE_HOME/ldap/odi/log/profile_name.trc to determine whether the user or group exists in the application database.

Problem

Subscription to Binary Attributes results in the Event propagation error.

Solution

Binary attributes propagation is not supported. Remove the binary attribute assignments from the event subscription in the provisioning profile.

Problem

Insufficient Access Rights to do "proxy" as the Application DN.

Solution

The Oracle Directory Integration and Provisioning server group has not been granted browse privilege by the application DN. Use the ldapmodify command to load the following ACIs, which grant browse privileges from the application DN to the Oracle Directory Integration and Provisioning group:

orclaci: access to attr=(*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory"(read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory"(browse,proxy)

Problem

Insufficient access rights to use an application DN as proxy.

Solution

The Oracle Directory Integration and Provisioning server group has not been granted proxy privileges by the application DN. Use the ldapmodify command to load the following ACI, which grants proxy privileges from the application DN to the Oracle Directory Integration and Provisioning group:

orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)

C.2.3 Synchronization Errors and Problems

This section provides solutions for synchronization errors and problems.


See Also:

MetaLink Note: 276481.1—Troubleshooting OID DIP Synchronization Issues available on Oracle MetaLink at http://metalink.oracle.com/

Problem

LDAP: error code 50 - Insufficient Access Rights; remaining name 'CN=Users,dc=mycompany,dc=com'

Solution

The record target is not in a default container. Find the DST CHANGE RECORD. Check the ACIs for the target container. If they are blank, then use DIP Tester to apply a known set of ACIs to the new container.

Problem

LDAP: error code 50 - Insufficient Access Rights; ACTIVECHGIMP MAPPING IMPORT OPERATION FAILURE; Agent execution successful, Mapping/import operation failure

Solution

By default the cn=Users,<default realm> contains the proper ACIs. However, this error can occur when trying to synchronize into a different container within the default realm. Open the trace file, locate the change record that is causing the error, and then check the ACIs for the record's parent container. Apply the same ACIs to the target container.

Problem

Trace File Error:

    Not able to construct DN
    Output ChangeRecord
    ChangeRecord : Changetype: 1
    ChangeKey: cn=users,dc=us,dc=oracle,dc=com
    Exception javax.naming.ContextNotEmptyException: [LDAP: error code 66 - Not Allowed On Non-leaf]; remaining name 'cn=users,dc=us,dc=oracle,dc=com'
    Missing mandatory attribute(s).

Solution

Problem with the mapping file. Follow the instructions in Oracle MetaLink Note: 261342.1—Understanding DIP Mapping available on Oracle MetaLink at http://metalink.oracle.com/.

Problem

Trace File Error: IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101).

Solution 1

The mapping file has not been loaded. In the Oracle Directory Integration and Provisioning Server Administration tool, verify that the Mapping tab contains the values from your mapping file. If your values are not available, then use DIP Tester to reload the mapping file.

Solution 2

The orclcondirlastappliedchgnum attribute is null or has no value. This may occur if bootstrapping failed or if you manually populated Oracle Internet Directory and did not assign a value to the orclcondirlastappliedchgnum attribute. Verify that the orclcondirlastappliedchgnum attribute has a value. If not, then use DIP Tester to set the orclcondirlastappliedchgnum attribute.

Problem

Trace File Error:

    Command exec successful
    IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException
    java.lang.NullPointerException
      at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101)
      at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:169)
    Updated Attributes
    orclodipLastExecutionTime: 20040601143204

Solution

The connected directory URL attribute value is missing the LDAP port; the expected format is hostname:port. Specify the LDAP port in the connected directory URL attribute.

Problem

Trace File Error:

    LDAP URL : (xxxxxx.com:389<login credentials to 3rd party ldap server>
    LDAP Connection success
    ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_INITIALIZATION_EXCEPTION
    ODIException: DIP_GEN_INITIALIZATION_EXCEPTION
      at oracle.ldap.odip.util.DirUtils.getLastChgNum(DirUtils.java:48)
      at oracle.ldap.odip.gsi.LDAPReader.initAvailableChgKey(LDAPReader.java:719)
      at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:212)
      at oracle.ldap.odip.engine.AgentThread.mapInitialise(AgentThread.java:327)
      at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:253)
      at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149)
    ActiveChgImp:about to Update exec status
    Error in proxy connection : java.lang.NullPointerException

Solution

The files in $ORACLE_HOME/ldap/odi/conf must be owned by the Oracle installer user ID; check their ownership and permissions first. Then use ldapmodify to fix the following two entries:

dn: orclODIPAgentName=profile_name,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
changetype: modify
replace: orclaci
orclaci: access to attr=(*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (read,write,search,compare)
orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)

dn: orclodipAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
# changetype and replace lines added so that ldapmodify accepts this record
changetype: modify
replace: orclodipagentconfiginfo
orclodipagentconfiginfo:: W0lOVEVSRkFDRURFVEFJTFNdClBhY2thZ2U6IGdzaQpSZWFkZXI6IEFjdGl2ZUNoZ1JlYWRlcgo=

Note:

The preceding entry is a binary object representing an import profile for the ActiveChange Reader. If you are fixing a SunONE/iPlanet profile or an export profile, you must dump the orclodipagentconfiginfo attribute for the corresponding profile from an existing profile or from another node.


See Also:

The following for information about LDAP error code 49 and Error 9000: GSL_PWDEXPIRED_EXCP:

Problem

Mapping tab in the Oracle Directory Integration and Provisioning Server Administration tool shows file name instead of mapping rules.

Solution

The absolute path was not included when the mapping file was loaded. Reload the mapping file using its full absolute path. You can reload the mapping file using the Directory Integration and Provisioning Assistant (dipassistant) or DIP Tester.

C.2.4 Windows Native Authentication Error and Problems

This section provides solutions for errors and problems you may encounter when integrating Oracle Identity Management with Windows Native Authentication.

Problem

Internal Server error. Please contact your administrator.

Solution

Windows native authentication is misconfigured on the middle tier computer. To fix this problem, perform the following steps:

  1. Check the opmn.log file for errors.

  2. Check ssoServer.log for errors.

  3. Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.

  4. Make sure that the single sign-on middle tier computer is properly configured to access the Key Distribution Center. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".

Problem

Could not authenticate to KDC.

Solution

This error occurs if the realm name in krb5.conf is configured incorrectly. Check the values of default_realm and domain_realm in /etc/krb5/krb5.conf. Note that the realm name is case sensitive.

Problem

Your browser does not support the Windows Kerberos authentication or is not configured properly.

Solution

The user's Web browser is not supported or is misconfigured. Follow the instructions in "Task 6: Configure Internet Explorer for Windows Native Authentication".

Problem

"Access forbidden" or "HTTP error code 403" or "Windows Native Authentication Failed. Please contact your administrator."

Solution

These error messages have the same cause: the user entry cannot be found in Oracle Internet Directory. A local administrator working at a Windows desktop may be trying to access a single sign-on partner application whose entry may not have been synchronized with Oracle Internet Directory. Determine whether the user entry exists in the directory and if the Kerberos principal attributes for the user are properly synchronized from Microsoft Active Directory.

Problem

The Windows login dialog box (with user name, password, and domain fields) appears when accessing the partner application.

Solution

The single sign-on server was not able to authenticate the Kerberos token because the corresponding user entry could not be found in Oracle Internet Directory. Add the user entry to the directory.

Problem

Single sign-on server fails to start. Log file contains an exception bearing the message "Credential not found."

Solution

The parameter kerberos-servicename may not be configured correctly. To fix this problem, perform the following steps:

  1. Make sure that kerberos-servicename is configured correctly in the files orion-application.xml and jazn-data.xml. In orion-application.xml, the format for this parameter is HTTP@sso.mycompany.com. In the jazn-data.xml, the format is HTTP/sso.mycompany.com.

  2. Check ssoServer.log for errors.

  3. Make sure that the keytab file is located in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory and that the principal name configured in jazn-data.xml is correct.

  4. Make sure that the single sign-on middle tier computer is configured to access the Kerberos domain controller. See "Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server".
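An added consistency check, not part of the Oracle guide, for the names the two Kerberos problems above depend on: it verifies that the orion-application.xml value uses the HTTP@host form, that the jazn-data.xml value uses the HTTP/host form, that both name the same host, and that a keytab principal (HTTP/host@REALM, as listed by klist -k) matches the jazn-data.xml value with the realm spelled exactly as krb5.conf's default_realm. The sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Validates the kerberos-servicename
# spellings the guide requires and a keytab principal against them.
# Arguments: value from orion-application.xml, value from jazn-data.xml,
# a principal as listed in the keytab (HTTP/host@REALM), and default_realm
# from krb5.conf. Returns 0 when consistent, 1 after printing the first mismatch.
check_wna_names() {
  orion=$1
  jazn=$2
  keytab_principal=$3
  default_realm=$4

  # orion-application.xml format: HTTP@sso.mycompany.com
  case $orion in
    HTTP@?*) ;;
    *) echo "orion-application.xml must use HTTP@host, got: $orion"; return 1 ;;
  esac
  # jazn-data.xml format: HTTP/sso.mycompany.com
  case $jazn in
    HTTP/?*) ;;
    *) echo "jazn-data.xml must use HTTP/host, got: $jazn"; return 1 ;;
  esac

  # Both files must name the same single sign-on host.
  orion_host=${orion#HTTP@}
  jazn_host=${jazn#HTTP/}
  if [ "$orion_host" != "$jazn_host" ]; then
    echo "host mismatch: orion-application.xml=$orion_host jazn-data.xml=$jazn_host"
    return 1
  fi

  # The keytab principal is HTTP/host@REALM: its service part must equal the
  # jazn-data.xml value (step 3 above), and the realm must match krb5.conf
  # exactly, because realm names are case sensitive ("Could not authenticate to KDC").
  service_part=${keytab_principal%@*}
  realm_part=${keytab_principal##*@}
  if [ "$service_part" != "$jazn" ]; then
    echo "keytab principal $keytab_principal does not match jazn-data.xml value $jazn"
    return 1
  fi
  if [ "$realm_part" != "$default_realm" ]; then
    echo "keytab realm $realm_part differs from default_realm $default_realm (case matters)"
    return 1
  fi
  return 0
}

# Constructed sample values, not taken from any real deployment.
check_wna_names 'HTTP@sso.mycompany.com' 'HTTP/sso.mycompany.com' \
  'HTTP/sso.mycompany.com@MYCOMPANY.COM' 'MYCOMPANY.COM' && echo "consistent"
check_wna_names 'HTTP@sso.mycompany.com' 'HTTP/sso.mycompany.com' \
  'HTTP/sso.mycompany.com@mycompany.com' 'MYCOMPANY.COM' || echo "mismatch found"
```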

C.2.5 Microsoft Active Directory and SunONE Directory Server Synchronization Errors and Problems

This section provides solutions to synchronization errors and problems that can occur with Microsoft Active Directory and SunONE Directory Server.

Problem

LDAP: error code 50 - Insufficient Access Rights.

Solution

The ODI agent entry orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory does not have full read/write access to the synchronized entries in Oracle Internet Directory. Because the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group already has the required ACLs defined, the agent entry should be a member of this group. In this case, <subscriber DN> is set to identity_management_realm. Add the orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory user entry to the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group so that it has the required ACL access to perform the updates:

  1. In Oracle Directory Manager, navigate through Entry Management -> dc=com, identity_management_realm, cn=oraclecontext -> cn=groups -> cn=oracleDASCreateUser.

  2. In the uniquemember attribute, add: orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.
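The ldapmodify input for two of the fixes in this appendix, as an added example that is not part of the Oracle guide: the odisgroup ACIs from C.2.2 ("Insufficient Access Rights to do "proxy" as the Application DN") wrapped in a complete modify record, and the uniquemember addition to cn=oracleDASCreateUser just described. The host, port, password, application DN and realm dc=example,dc=com are placeholders; the group and agent names are the guide's.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Emits complete ldapmodify records
# for two fixes in this appendix. OID_HOST, OID_PORT, OID_PASS and the realm
# dc=example,dc=com are placeholders.
ODISGROUP='cn=odisgroup,cn=odi,cn=oracle internet directory'
IPLANET_AGENT='orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory'
REALM_DN='dc=example,dc=com'   # placeholder for identity_management_realm

# C.2.2: grant odisgroup read/write/search/compare on the attributes and
# browse/proxy on the entry of the application DN given as $1. "add:" appends
# to the multi-valued orclaci attribute; "replace:" would drop any ACIs the
# application entry already carries.
odisgroup_aci_ldif() {
  app_dn=$1
  printf 'dn: %s\n' "$app_dn"
  printf 'changetype: modify\n'
  printf 'add: orclaci\n'
  printf 'orclaci: access to attr=(*) by group="%s" (read,write,search,compare)\n' "$ODISGROUP"
  printf 'orclaci: access to entry by group="%s" (browse,proxy)\n' "$ODISGROUP"
}

# C.2.5: make the IPlanetImport agent a uniquemember of oracleDASCreateUser so
# it inherits that group's ACLs instead of receiving ad hoc grants.
das_create_user_member_ldif() {
  printf 'dn: cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,%s\n' "$REALM_DN"
  printf 'changetype: modify\n'
  printf 'add: uniquemember\n'
  printf 'uniquemember: %s\n' "$IPLANET_AGENT"
}

# Count the values of attribute $1 in the LDIF record on stdin, for reviewing a
# record before it is applied.
ldif_attr_count() {
  grep -c "^$1: "
}

# Apply stdin with ldapmodify, or just print it when DRY_RUN=1 (the default) so
# the record can be reviewed first. Bind details come from placeholder variables.
apply_ldif() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    cat
  else
    ldapmodify -h "${OID_HOST:?}" -p "${OID_PORT:-3060}" -D cn=orcladmin -w "${OID_PASS:?}"
  fi
}

# Constructed application DN; review the output, then rerun with DRY_RUN=0.
odisgroup_aci_ldif 'cn=myapp,cn=products,cn=oraclecontext' | apply_ldif
echo
das_create_user_member_ldif | apply_ldif
```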

Problem

Add and change operations are successful, but delete operations fail without being recorded in the trace file.

Solution 1

In SunONE/iPlanet: Tombstones are not enabled. Verify that tombstones are enabled as described in Oracle MetaLink Note: 219835.1, available on Oracle MetaLink at http://metalink.oracle.com/.

Solution 2

In Microsoft Active Directory: The account used for the profile is not a member of the DIR SYNCH ADMIN group. This only occurs if you are not using a Microsoft Active Directory administrator account. Install the appropriate patch from Microsoft.

Problem

Data synchronization problems encountered after configuring Oracle Directory Integration import or export connectors to third-party LDAP directories.

Solution

Determine the cause by running the oditest utility. Run the oditest utility as described in Troubleshooting Integration with the SunONE Connector or Debugging the Active Directory Connector.

Problem

The Oracle Internet Directory profile in Oracle Directory Manager shows "synchronization successful" yet no changes show up in the directory.

Solution

The synchronization interval is set to occur too infrequently to be of use during testing. By default, the synchronization interval is set to occur every 60 seconds. However, you may increase the synchronization interval for better performance. For example, you may increase your synchronization interval to a value such as 300 seconds (5 minutes) or 600 seconds (10 minutes). Follow these steps to decrease your synchronization interval:


WARNING:

Decreasing your synchronization interval may significantly impact the performance of your connected directory server. Before changing your synchronization interval, try debugging your connector with the oditest utility. If you do change your synchronization interval, be sure to reset it to its original value once you are finished with your testing procedures.


  1. In the Oracle Directory Integration and Provisioning Server Administration tool, in the navigator pane, navigate to the Integration Server and modify the Scheduling Interval attribute in the profiles to 20 seconds.

  2. Use the odisrv command to stop the directory integration and provisioning server and restart it with the parameter debug=63.

  3. Add a test entry in your connected directory.

  4. In Oracle Internet Directory, change to the $ORACLE_HOME/ldap/odi/log directory and use the cat command to display the file ActiveChgImp.trc. When the directory integration and provisioning server wakes up and processes the record from the connected directory changelog, you will see the details listed in the IPlanetImport.trc or ActiveChgImp.trc file.

  5. Examine the trace files for possible clues as to what is actually taking place: You should see the handshake/login to the connected directory server, then the change being captured and reformatted according to the mapping rules, and finally the change being attempted in Oracle Internet Directory. If there are handshake or mapping problems they will appear in this file.

A common mistake is to set the Connected Directory Account DN to Administrator. This field must contain the entire distinguished name of the Active Directory administrator—for example:

cn=Administrator,cn=Users,dc=myoracle,dc=com

The first domain component is the value of the third field of the Windows Login Page: User Name, Password, Log on to.

The following ldapsearch commands may be helpful in identifying problems with the configuration.

To check the default identity management realm:

ldapsearch -h host -p port -D cn=orcladmin -w password -b "cn=common,cn=products,cn=oraclecontext" -L -s base "objectclass=*" orcldefaultsubscriber

To dump the directory integration and provisioning server configuration set:

ldapsearch -h host -p port -D cn=orcladmin -w password -b "cn=instance1,cn=odisrv,cn=subregistrysubentry" -s base -v "objectclass=*"

To check profiles:

ldapsearch -h host -p port -D cn=orcladmin -w password -b "orclODIPAgentName=profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"

To check the agent credentials:

Note: This command returns the password in clear text only if you run it using orcladmin credentials.

ldapsearch -p port -D cn=orcladmin -w password -b "orclODIPAgentName=profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"

Problem

Bootstrap Error: DIP_GEN_AUTHENTICATION_FAILURE when trying to Synchronize Active Directory with Oracle Internet Directory

Solution

Invalid credentials. Check the synchronization profile and ensure that it contains the proper credentials to log in to the Active Directory server.