Troubleshooting OID DIP Synchronization Issues [ID 276481.1]

Modified: 29-OCT-2010
Type: TROUBLESHOOTING
Status: PUBLISHED

Applies to:
Oracle Internet Directory - Version: 9.0.4 to 10.1.4.3 - Release: 10gR1 to 10gR3

Purpose
This document is provided to assist in identifying Oracle Internet Directory Synchronization issues.

Last Review Date: August 13, 2010

Instructions for the Reader
A Troubleshooting Guide is provided to assist in debugging a specific issue. When possible, diagnostic tools are included in the document to assist in troubleshooting.

Troubleshooting Details

SCOPE & APPLICATION
-------------------
The user of this document should have a good understanding of LDAP, OID, and the Directory Integration Product (DIP). This procedure provides troubleshooting techniques as well as documented problems, causes and known solutions.

Many of the issues here have been fixed in versions 10.1.2.0.2 and 10.1.4.0. However, if you are running 9.0.4.1 you should download and apply DIP Patch Bundle 4726481.

Many of these symptoms/solutions may still be applicable at 11g; however, the architecture of the DIP server has changed completely (there is no longer any odisrv or dipassistant) and logging is all done in the WebLogic diagnostic logs. Therefore any solutions that involve stopping and starting with oidctl, or dipassistant commands, must be achieved via the new 11g command-line tools.

Troubleshooting DIP Synchronization
===================================

Getting Started
---------------
The DIPTESTER can be used to make any of the changes to the DIP Profile in question, view log files, create test entries, get/set the LACN, dump the entire profile contents, reload the map file, and stop and start the odisrv process. DIPTester can be downloaded from OTN.

Note: When the odisrv process is started it reads the LACN and caches it. At each interval it wakes up, it writes out the update times and the LACN.
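As an added illustration (not Oracle's code), the following simulation of the odisrv wake-up cycle shows the effect of that caching: a profile's LACN edited in OID while the process is running is replaced by the cached value at the next interval, whereas the same edit made with odisrv stopped is picked up at startup. The changelog, profile and odisrv classes are constructed stand-ins; the change-number window they use (greater than the LACN, up to and including the connected directory's last change number) is the one the profile flow below describes.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ChangeLog:
    """Constructed stand-in for the connected directory's changelog:
    change number -> description of the change."""
    entries: Dict[int, str] = field(default_factory=dict)

    def last_change_number(self) -> int:
        # What odisrv fetches at the start of a cycle (the current LastChangeNumber).
        return max(self.entries) if self.entries else 0

    def changes_in_window(self, lacn: int, last: int) -> List[Tuple[int, str]]:
        # DIP's window: strictly greater than the LACN, up to and including
        # the connected directory's current last change number.
        return [(n, c) for n, c in sorted(self.entries.items()) if lacn < n <= last]


@dataclass
class Profile:
    """Constructed stand-in for the profile entry as stored in OID."""
    lacn: int            # orclodipcondirlastappliedchgnum
    executions: int = 0  # stands in for the orclodiplastexecutiontime updates


class OdiSrv:
    """Simulated odisrv instance: the LACN is read ONCE, at startup, and the
    in-memory copy is what every later wake-up works from and writes back."""

    def __init__(self, profile: Profile, changelog: ChangeLog) -> None:
        self.profile = profile
        self.changelog = changelog
        self.cached_lacn = profile.lacn   # read from OID at startup
        self.applied: List[int] = []

    def wake_up(self) -> List[int]:
        last = self.changelog.last_change_number()
        window = self.changelog.changes_in_window(self.cached_lacn, last)
        for number, _change in window:
            self.applied.append(number)   # map, build the change record, apply it
            self.cached_lacn = number
        # The cached value is written back to OID, replacing whatever the
        # profile entry holds at that moment.
        self.profile.lacn = self.cached_lacn
        self.profile.executions += 1
        return [number for number, _change in window]


def make_fixture() -> Tuple[ChangeLog, Profile]:
    # Constructed data: three changes already applied, so the LACN is 103.
    log = ChangeLog({101: "add cn=smithj", 102: "modify cn=smithj", 103: "add cn=doej"})
    return log, Profile(lacn=103)


def rewind_lacn_while_running() -> Tuple[int, List[int]]:
    """Edit the LACN in OID while odisrv is running: the next wake-up
    overwrites the edit with the cached value and replays nothing."""
    log, profile = make_fixture()
    srv = OdiSrv(profile, log)      # odisrv caches LACN = 103
    profile.lacn = 100              # administrator rewinds the LACN to replay 101-103
    replayed = srv.wake_up()
    return profile.lacn, replayed   # (103, []): the edit is lost, nothing is replayed


def rewind_lacn_with_odisrv_stopped() -> Tuple[int, List[int]]:
    """Stop odisrv, edit the LACN, start odisrv: the new instance reads the
    edited value at startup and replays the window (100, 103]."""
    log, profile = make_fixture()
    srv = OdiSrv(profile, log)
    srv.wake_up()                   # steady state: nothing to do
    srv = None                      # stop odisrv (the cached LACN goes with it)
    profile.lacn = 100              # rewind while stopped
    srv = OdiSrv(profile, log)      # start: LACN 100 is read fresh
    replayed = srv.wake_up()
    return profile.lacn, replayed   # (103, [101, 102, 103])


if __name__ == "__main__":
    print("LACN edited while running:", rewind_lacn_while_running())
    print("LACN edited while stopped:", rewind_lacn_with_odisrv_stopped())
```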
Therefore, you MUST stop odisrv prior to making changes to the LACN; otherwise the next wakeup interval will cause your change to be overwritten by the cached value. In fact, it is not a bad idea to stop odisrv prior to making ANY changes to the profile.

In debugging DIP Synchronization issues it is important to understand the DIP Connector Flow.

ODISRV Processing Flow For an Import Profile
--------------------------------------------
For any and all profiles that have been configured and set to ENABLE, the ODISRV process reads all profiles at startup and processes each profile that is ENABLED as follows:

1. Connects to the 3rd-party LDAP server, HR database, or Oracle Database DB connector (using odipcondiraccessaccount, odipcondiraccesspassword, orclodipcondirurl)
2. Gets the current LastChangeNumber from the 3rd-party LDAP server
3. Connects to OID
4. Gets the profile's Last Applied Change Number, LACN (orclodipcondirlastappliedchgnum)
5. Searches the changelogs on the 3rd-party LDAP server for entries greater than the LACN (value from step 4) and less than or equal to the LastChangeNumber (value from step 2)
6. Maps the domain and each attribute to OID values
7. Creates an OID change record
8. Processes the change (add, change, delete)
9. Updates the profile with the time and LACN (orclodiplastexecutiontime, orclodiplastsuccessfulexecutiontime and orclodipcondirlastappliedchgnum)
10. Goes to sleep mode for X seconds (orclodipschedulinginterval)

ODISRV Processing Flow For an Export Profile
--------------------------------------------
For any and all profiles that have been configured and set to ENABLE, the ODISRV process reads all profiles at startup and processes each profile that is ENABLED as follows:

1. Connects to the 3rd-party LDAP server, HR database, or Oracle Database DB connector (using odipcondiraccessaccount, odipcondiraccesspassword, orclodipcondirurl)
2. Connects to OID
3. Gets the Last Change Number (lastchangenumber) from OID
4. Gets the profile's Last Applied Change Number, LACN (orcllastappliedchangenumber)
5. Searches the changelogs in OID for entries greater than the LACN (value from step 4) and less than or equal to the LastChangeNumber (value from step 3)
6. Maps the domain and each attribute to OID values
7. Creates an OID change record
8. Processes the change (add, change, delete)
9. Updates the profile with the time and LACN (orclodiplastexecutiontime, orclodiplastsuccessfulexecutiontime and orclodipcondirlastappliedchgnum)
10. Goes to sleep mode for X seconds (orclodipschedulinginterval)

Debugging Checklist
-------------------
1. Is the odisrv process running? Run $ORACLE_HOME/ldap/bin/ldapcheck

2. Is there also a provisioning server instance? If Portal, Collabsuite, or another application that needs provisioning is installed, there will most likely be an odisrv running as instance 1 on configset 0. DIP synchronization must therefore run as instance 2 on configset 1. Check $ORACLE_HOME/ldap/odisrv0x.log: when DIP provisioning is running it logs to odisrv01.log, and DIP synchronization would then be logging to odisrv02.log.

3. Is the profile enabled? Check in Oracle Directory Manager.

4. Are trace files being generated? Look for the profile's .trc file in $ORACLE_HOME/ldap/odi/log/. If no .trc file is generated, check odisrv0x.log for possible problems in the startup of odisrv (see previous step).

5. Is the correct syntax being used to start odisrv?

   oidctl conn=asdb serv=odisrv inst=2 conf=1 flags="host=myhost port=3060" start

   Note: beginning with release 10.1.4.2 the additional parameter grpid is needed:

   oidctl conn=asdb serv=odisrv inst=2 conf=1 grpid=defaultgroup flags="host=myhost port=3060" start

6. Stop and start odisrv with flags="debug=63":

   oidctl conn=asdb serv=odisrv inst=2 conf=1 flags="host=myhost port=3060 debug=63" start

   Note: beginning with release 10.1.4.2 the additional parameter grpid is needed:

   oidctl conn=asdb serv=odisrv inst=2 conf=1 grpid=defaultgroup flags="host=myhost port=3060 debug=63" start

7. Edit the profile and set Profile Debug to 63 using Oracle Directory Manager or DIPTESTER.

8. Validate that all required parameters are set in the profile:
   Note: 268341.1 - Quick Start Setup for iPlanet
   Note: 267153.1 - Quick Start Setup for Active Directory
   Note: 261342.1 - Understanding DIP Mapping

9. Is a different version of ODM being used to update the profile? Previous ODM releases have different information on the profile tabs. DO NOT USE ANY ODM except the 9.0.4 that is shipped with 10g.

10. Is the 3rd-party LDAP server up?

    ldapbind -h -p -D -w

    Check the OID AS version (AD is ONLY supported in 10g).

11. odisrv will not start, or starts and dies:
    What instance name and configset is being used?
    Is flags="host=xxx port=xxxx" used with oidctl?
    Check odisrv0x.log. Does it show the connector successfully starting? Does it show the DIP password expired?
    Re-register the connector:

    odisrvreg -p -D cn=orcladmin -w

    See Note: 265397.1 Password Expires and DIP Fails.

Sample GOOD ActiveChgImp.trc file
---------------------------------

   ---------------------------------------------------------------
   Trace Log Started at Tue Jun 08 11:22:55 EDT 2004
   ---------------------------------------------------------------
   Command exec succesful
   LDAP URL : (my-adserver.us.oracle.com:389 administrator@my_domain.us.oracle.com
   LDAP Connection success
   Applied ChangeNum : 28022
   Available chg num = 28022
   Reader Initialised !!
   LDAP URL : (sun1:3060 cn=odisrv+orclhostname=sun1,cn=odi,cn=oracle internet directory
   LDAP Connection success
   Writer Initialised!!
   MapEngine Initialised!!
   Filter Initialised!!
   Updated Attributes
   orclodipLastExecutionTime: 20040608112255
   orclOdipSynchronizationStatus: Synchronization Successful
   orclodipLastSuccessfulExecutionTime: 20040608112255

Common Problems & Causes/Solutions
==================================

1. Problem (error in trace file)

   LDAP AuthenticationException
   javax.naming.AuthenticationException: [LDAP: error code 49 - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired. Please contact the Administrator to change your password.]

   Causes/Solution
   odisrv needs re-registering.
   Re-register the connector:

   odisrvreg -p -D cn=orcladmin -w

   See Note: 265397.1 Password Expires and DIP Fails.

2.1 Another variation of the LDAP error 49:

   Problem (error in trace file)

   LDAP URL : (LVL-X-ELIXIRDB:389 cn=odisrv+orclhostname=LVLX-ELIXIRDB,cn=odi,cn=oracle internet directory
   LDAP AuthenticationException
   javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
   [LDAP: error code 49 - Invalid Credentials]
   ElixirInternal:Error in Mapping EngineODIException: DIP_GEN_AUTHENTICATION_FAILURE
   ODIException: DIP_GEN_AUTHENTICATION_FAILURE
       at oracle.ldap.odip.gsi.LDAPConnector.connectLdap(LDAPConnector.java:257)
       at oracle.ldap.odip.gsi.LDAPWriter.initialise(LDAPWriter.java:166)
       at oracle.ldap.odip.engine.AgentThread.mapInitialise(AgentThread.java:371)
       at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:288)
       at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:174)

   CAUSE/SOLUTION
   ==============
   DIP was registered with an incorrect password.

   The Invalid Credentials error relates to the user used to connect to OID, shown in the trace file as:

   cn=odisrv+orclhostname=LVL-X-ELIXIRDB,cn=odi,cn=oracle internet directory

   This is the DIP profile user; the password for this user is configured when DIP is registered with odisrvreg.

   1. Stop odisrv:

      oidctl connect= server=odisrv instance= configset=1 flags="port=" stop

   2. Rename the profile trace file in $ORACLE_HOME/ldap/odi/log
   3. Run odisrvreg to reset the DIP server password:

      odisrvreg -p -D cn=orcladmin -w

   4. Start odisrv:

      oidctl connect= server=odisrv instance= configset=1 flags="port= debug=63" start

   5. Check the profile trace file; the LDAP error code 49: Invalid Credentials error should no longer occur.

   ----------------------------------------------------------------------------------------------------

3. Problem (error in trace file)

   Not able to construct DN
   Output ChangeRecord
   ChangeRecord : Changetype: 1
   ChangeKey: cn=users, dc=us,dc=oracle,dc=com
   Exception javax.naming.ContextNotEmptyException: [LDAP: error code 66 - Not Allowed On Non-leaf]; remaining name 'cn=users,dc=us,dc=oracle,dc=com'
   Missing mandatory attribute(s)

   Causes/Solution
   Note: 261342.1 - Understanding DIP Mapping

   ----------------------------------------------------------------------------------------------------

4. Problem (error in trace file)

   IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException
   java.lang.NullPointerException
       at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101)
       at ...

   Causes/Solution
   Verify that the mapping file has been loaded: check the Mapping tab of the profile in Oracle Directory Manager.
   Has bootstrapping been done yet? (It sets the LACN.) Does ORCLCONDIRLASTAPPLIEDCHGNUM have a value?
   Use DIPTESTER to reload the map file and/or set the LACN.

   ----------------------------------------------------------------------------------------------------

5. Problem (error in trace file)

   Command exec succesful
   IPlanetImport:Error in Mapping Enginejava.lang.NullPointerException
   java.lang.NullPointerException
       at oracle.ldap.odip.engine.Connector.setValues(Connector.java:101)
       at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:169)
   Updated Attributes
   orclodipLastExecutionTime: 20040601143204

   Causes/Solution
   Missing LDAP port in the Connected Directory URL attribute value (hostname:port).

   ----------------------------------------------------------------------------------------------------

6. Problem
   Adds and changes work but deletes fail. Nothing is ever seen in the .trc file.

   Causes/Solution
   iPlanet: check to see if tombstones are enabled. Note: 272226.1, Doc Bug: 3236139
   Active Directory: make sure the account used for the profile is a member of the DIR SYNCH ADMIN group. This only occurs if not using the AD Admin account.

   Problem: In order to synchronize adds or modifies from Active Directory to Oracle Internet Directory using the usnChanged method, the synchronization connector only needs read privileges on the entries being synchronized. In order to synchronize deletes from AD to OID, the user must also be able to see the Deleted Objects container (cn=Deleted Objects, ). For both AD2000 and AD2003, the Deleted Objects container is hidden and permissions cannot be modified for the object using standard Microsoft tools like adsiedit or ntrights. The only way (out of the box) to grant permission to see the container's contents is to make the synchronization user a member of the built-in group Administrators (cn=Administrators,cn=BUILTINS,dc=domain,dc=com). Many AD administrators are reluctant to grant this permission because it exposes too many privileges to what should be a read-only process. We need to configure AD such that the synchronization user can be used without being a member of the Administrators group.

   Solution: Microsoft's ldp.exe tool (part of the Windows Server system tools) can be used to view deleted objects in Active Directory as described in 'How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server', http://support.microsoft.com/kb/892806

   Cause/Solution
   --------------
   Note: Check any connected directory filter. For example, the following filter's intent is to limit entries to just users and organizational units:

   searchfilter=(|(objectclass=organizationalunit)(&(objectclass=user)(userprincipalname=*)(!(objectclass=computer))))

   However, deleted entries will fail this filter. To correct this, modify the filter as follows:

   searchfilter=(|(objectclass=organizationalunit)(&(objectclass=user)(userprincipalname=*)(!(objectclass=computer)))(isDeleted=TRUE))

   ----------------------------------------------------------------------------------------------------

7. Problem
   The Mapping tab in ODM shows the filename instead of the mapping rules.

   Causes/Solution
   The absolute path was not included when ldapUploadAgentFile.sh was run. Reload the map file using the full pathname to the map file, using dipassistant or DIPTESTER.

   ----------------------------------------------------------------------------------------------------

8. Problem (error in trace file)

   LDAP URL : (xxxxxx.com:389
   LDAP Connection success
   ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_INITIALIZATION_EXCEPTION
   ODIException: DIP_GEN_INITIALIZATION_EXCEPTION
       at oracle.ldap.odip.util.DirUtils.getLastChgNum(DirUtils.java:48)
       at oracle.ldap.odip.gsi.LDAPReader.initAvailableChgKey(LDAPReader.java:719)
       at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:212)
       at oracle.ldap.odip.engine.AgentThread.mapInitialise(AgentThread.java:327)
       at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:253)
       at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149)
   ActiveChgImp:about to Update exec status
   Error in proxy connection : java.lang.NullPointerException

   Causes/Solution
   Check the permissions and ownership of the files in $ORACLE_HOME/ldap/odi/conf; they should be owned by the Oracle installer id.
   The profile was created in ODM using "create like" (see BUG 3236064) and the ACIs are missing, as well as the [INTERFACE DETAILS] normally shown on the Execution tab when viewing the profile in Oracle Directory Manager.
   Use LDAP MODIFY to fix the following two entries:

   dn: orclODIPAgentName= ,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
   changetype: modify
   replace: orclaci
   orclaci: access to attr = (*) by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (read,write,search,compare)
   orclaci: access to entry by group="cn=odisgroup,cn=odi,cn=oracle internet directory" (browse,proxy)

   dn: orclodipAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
   changetype: modify
   replace: orclodipagentconfiginfo
   orclodipagentconfiginfo:: W0lOVEVSRkFDRURFVEFJTFNdClBhY2thZ2U6IGdzaQpSZWFkZXI6IEFjdGl2ZUNoZ1JlYWRlcgo=

   Note: the preceding entry is a BINARY OBJECT representing an import profile for the ActiveChange Reader. If you are fixing an iPlanet or an EXPORT profile you will need to dump the orclodipagentconfiginfo for the corresponding profile from an existing profile or another node. Alternatively, the default agent config info files are stored in $ORACLE_HOME/ldap/odi/conf as .cfg.master. You should copy the .cfg.master to .cfg, then use dipassistant to load the info into OID as a binary object:

   dipassistant mp -host -port -dn cn=orcladmin -passwd -profile odip.profile.configfile=c:\oracle\as1041\ldap\odi\conf\ .cfg

9. Problem
   -------

   orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
   orclOdipSynchronizationErrors: Error Getting Next Change From OID
   Sleeping for 4secs
   Attribute member has no value
   ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDREADER_ERROR_GET_NEXT_CHANGE
   ODIException: DIP_OIDREADER_ERROR_GET_NEXT_CHANGE

   Causes/Solutions
   ----------------
   Check to see if the AD group you are trying to sync has more than 1000 members. If so, you are hitting bug 3615155. For versions prior to 10.1.2.0.2, download and apply patch 4484751 to fix this problem. For AS/OID 10.1.2.0.2, there is a one-off patch for the generic platform available in Metalink under the base Bug 3615155:

   Patch 3615155
   Description: AD-OID SYNCHRONIZATION WITH GROUPS >1000 MEMBERS FAILS
   Product: Internet Directory
   Release: 10.1.2.0.2
   Platforms: Generic Platform
   Last Updated: 29-JAN-2007
   Size: 11K (11321 bytes)

10. Problem
    -------
    Bootstrap works fine and users appear in OID. However, synchronization fails with a Mapping Failure as follows:

    DN : CN=Last\, First,cn=users,dc=oasas,dc=state,dc=ny,dc=us
    Normalized DN : CN=Last\, First,cn=users,dc=oasas,dc=state,dc=ny,dc=us
    Processing modifyRadd Operation ..
    Entry Not Found. Converting to an ADD op..
    Processing Insert Operation ..
    Performing createEntry..
    Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 Operations Error]; remaining name 'CN=Last\, First,cn=users,dc=acme,dc=com'
    [LDAP: error code 1 - Operations Error]
    Error in Mapping
    ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
    ODIException: DIP_OIDWRITER_ERROR_CREATE
        at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:951)
        at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:321)
        at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:609)
        at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:252)
        at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:398)
        at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:254)
        at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149)
    ActiveChgImp:about to Update exec status
    Updated Attributes
    orclodipLastExecutionTime: 20040714115334
    orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
    orclOdipSynchronizationErrors: Error Creating Entry in OID
    null
    Error in proxy connection : ODIException: DIP_GEN_AUTHENTICATION_FAILURE
    ODIException: DIP_GEN_AUTHENTICATION_FAILURE
        at oracle.ldap.odip.gsi.LDAPConnector.proxyConnectAs(LDAPConnector.java:291)
        at oracle.ldap.odip.engine.AgentThread.updateExecStatus(AgentThread.:487)
        at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:192)
    Updated Attributes
    orclodipLastExecutionTime: 20040714115334
    orclOdipSynchronizationStatus: Agent Execution Successful, Mapping/IMPORT operation Failure
    orclOdipSynchronizationErrors: Agent Execution Successful, Mapping/IMPORT operation Failure

    Causes/Solutions
    ----------------
    Check whether the users in Active Directory are stored as "cn=lastname, firstname". The COMMA is causing a problem for the DIP connector. Apply the 9.0.4.1 patchset, or, if it is not possible to upgrade, the following is a known workaround:

    1. Modify the mapping as follows: find the line that reads
           cn: : :person:cn: :person
       and change it to
           sAMAccountName: : :user:cn: :person
       This will force your entries to be stored as "cn=LastnameFirstinitial", for example cn=smithj.
    2. Stop odisrv.
    3. Get and set the LACN in the profile.
    4. Reload the modified map file.
    5. Restart odisrv.

11. Problem (Not applicable in an 11g environment)
    -------

    [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'CN=Users,dc=acme,dc=com'

    Causes/Solution

    11.1. Check the .trc file. Does the TOP of the .trc show a successful connection to both OID and the 3rd-party LDAP server? Find the DST CHANGE RECORD. Is the record target in a non-default container? Check the ACIs for the target container; are they blank?
    Is the entry that is failing a group entry? In Active Directory the group entries are stored in the same container as the users. However, in OID by default the group entries are stored in cn=groups, . The default ACI that exists on the cn=users, container does NOT allow the DIP sync agent to store a group. This is easily corrected by applying the existing ACIs from the cn=groups container to the cn=users container. The DIPTESTER tool can be used to do this more easily than editing and applying the documented 'grantrole.ldif' file.

    11.2. Another variation of the LDAP: error code 50 Insufficient Access Rights

    ACTIVECHGIMP MAPPING IMPORT OPERATION FAILURE
    Agent execution successful, Mapping/import operation failure

    And a full example of the error in the trace:

    DN : CN=Test User4,cn=users,dc=mycompany,dc=com
    Normalized DN : CN=Test User4,cn=users,dc=mycompany,dc=com
    Processing modifyRadd Operation ..
    Entry Not Found. Converting to an ADD op..
    Processing Insert Operation ..
    Performing createEntry..
    Exception creating Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'CN=Test User4,cn=users,dc=mycompany,dc=com'
    [LDAP: error code 50 - Insufficient Access Rights]
    Error in Mapping
    ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
    ODIException: DIP_OIDWRITER_ERROR_CREATE
        at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:951)
        at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:321)
        at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:609)
        at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:252)
        at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:398)
        at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:254)
        at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149)
    ActiveChgImp:about to Update exec status
    Updated Attributes
    orclodipLastExecutionTime: 20040701120359
    orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
    orclOdipSynchronizationErrors: Error Creating Entry in OID
    Sleeping for 1secs

    11.3. Another variation of the LDAP: error code 50, followed by LDAP: error code 65

    DN : cn=users,dc=oracle,dc=com
    Normalized DN : cn=users,dc=oracle.dc=com
    Processing modifyRadd Operation ..
    Entry found. Converting To a Modify Operation..
    Proceeding with checkNReplace..
    Performing checkNReplace..
    Adding Attribute in OID : ou
    Adding Attribute in OID : orclobjectguid
    Total # of Mod Items : 2
    Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=users,dc=oracle,dc=com'
    [LDAP: error code 50 - Insufficient Access Rights]
    Entry Not Found. Converting to an ADD op..
    Processing Insert Operation ..
    Performing createEntry..
    Exception creating Entry : javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find cn in mandatory or optional attribute list.]; remaining name 'cn=users,dc=oracle,dc=com'
    [LDAP: error code 65 - Failed to find cn in mandatory or optional attribute list.]
    Error in Mapping
    ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
    ODIException: DIP_OIDWRITER_ERROR_CREATE
        at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:951)
        at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:321)
        at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:609)
        at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:252)
        at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:398)
        at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:254)
        at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149)
    ActiveChgImp:about to Update exec status
    ....

    Causes/Solutions
    ----------------
    1) Check that the 'orclodipagent' has privileges for the DIT. Below is an example ldif file (note that each orclaci definition below is one long, continuous line):

    ### --- cut here ---
    dn: dc=mycompany,dc=com
    changetype: modify
    add: orclaci
    orclaci: access to entry by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
    orclaci: access to attr=(*) by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)
    ### --- cut here ---

    2) Then load this ldif file with, for example:

    ldapmodify -h -p -D cn=orcladmin -w -f

    And again, you can try the same for any other individual container that you may have listed in your mapping file.
    3) Apply the ACIs to each individual level of the container before the sync, i.e. if applied to OU=computers,ou=internal,dc=mycompany,dc=com also apply to each of:
       ou=internal,dc=mycompany,dc=com
       dc=mycompany,dc=com
       dc=com

    4) Ensure that the entry cn=odisrv+orclhostname= is a uniqueMember of the following groups:

       OID 10.1.2.1.0
       --------------
       "cn=odisrv+orclhostname=,cn=registered instances,cn=directory integration platform,cn=products,cn=oraclecontext"

       OID 10.1.2.0.0 and 9.0.4.X
       --------------------------
       "cn=odisrv+orclhostname=,cn=odi,cn=oracle internet directory"

       Groups:
       cn=oracledascreategroup,cn=groups,cn=OracleContext,dc=mycompany,dc=com
       cn=oracledasdeletegroup,cn=groups,cn=OracleContext,dc=mycompany,dc=com
       cn=oracledaseditgroup,cn=Groups,cn=OracleContext,dc=mycompany,dc=com
       cn=oracledascreateuser,cn=Groups,cn=OracleContext,dc=mycompany,dc=com
       cn=oracledasdeleteuser,cn=Groups,cn=OracleContext,dc=mycompany,dc=com
       cn=oracledasedituser,cn=Groups,cn=OracleContext,dc=mycompany,dc=com

       And retry.

    ==========================================================================
    NOTE: If, when applying any of these solutions, the ldapmodify results in the error:

    modifying entry dc=mycompany,dc=com
    ldap_modify: Invalid syntax
    ldap_modify: additional info: INVALID ACI is access to entry by dn="orclodipagentname=TESTDBIMPORT,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)

    and there are no problems found in the ldif file itself, then enter the changes on the command line instead of via the ldif file, i.e. (this can only be done on UNIX):

    ldapmodify -h -p -D cn=orcladmin -w <

    IF IMPORT Profile Get:

    ldapsearch -h -p -D cn=orcladmin -w -b "orclODIPAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=*

    Check the orclcondirlastappliedchgnum value; if it is zero (0), it will prevent sync from working.
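As an added example (not Oracle tooling), the following script parses the LDIF that an ldapsearch such as the one above prints for a profile entry and flags what this note tells you to check for either an import or an export profile: a zero or missing LACN, a Connected Directory URL without a port, missing agent config info, and a profile not set to ENABLE. The sample entry is constructed (its config-info value is the one quoted in problem 8), and the attribute name orclodipagentcontrol for the enable switch is an assumption not taken from this note.

```python
import base64
import re
from typing import Dict, List

# attribute name, ":" or "::" (base64-encoded value), value
LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes '::' base64 values and lower-cases attribute names, since
    LDAP attribute names are case-insensitive."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        m = LDIF_LINE.match(line)
        if not m:
            continue  # blank or comment lines
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        attrs.setdefault(name, []).append(value)
    return attrs


def first(attrs: Dict[str, List[str]], name: str) -> str:
    return attrs.get(name, [""])[0].strip()


def interface_details(attrs: Dict[str, List[str]]) -> str:
    """Decoded orclodipagentconfiginfo, i.e. the [INTERFACE DETAILS] text."""
    return first(attrs, "orclodipagentconfiginfo")


def check_profile(attrs: Dict[str, List[str]], kind: str) -> List[str]:
    """Return the findings a troubleshooter would act on. `kind` is "import"
    or "export"; it selects which LACN attribute this note says to read."""
    findings: List[str] = []
    lacn_attr = ("orclodipcondirlastappliedchgnum" if kind == "import"
                 else "orcllastappliedchangenumber")
    lacn = first(attrs, lacn_attr)
    if not lacn.isdigit() or int(lacn) == 0:
        findings.append(f"{lacn_attr} is {lacn or 'missing'}: stop odisrv, then get and set the LACN")
    url = first(attrs, "orclodipcondirurl")
    if not re.fullmatch(r"[^:\s]+:\d+", url):
        findings.append(f"orclodipcondirurl '{url}' is not host:port; a missing port breaks Connector.setValues")
    if not attrs.get("orclodipagentconfiginfo"):
        findings.append("orclodipagentconfiginfo is missing: the [INTERFACE DETAILS] are absent")
    # Assumed attribute name for the ENABLE/DISABLE switch shown in ODM.
    if first(attrs, "orclodipagentcontrol").upper() != "ENABLE":
        findings.append("profile is not ENABLEd; odisrv will skip it")
    return findings


# Constructed sample: what ldapsearch might print for a broken import profile
# (LACN still zero, Connected Directory URL without a port).
SAMPLE_IMPORT_PROFILE = """\
dn: orclODIPAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog subscrib
 er,cn=oracle internet directory
orclodipagentname: ActiveChgImp
orclodipagentcontrol: ENABLE
orclodipcondirurl: my-adserver.example.com
orclodipcondirlastappliedchgnum: 0
orclodipagentconfiginfo:: W0lOVEVSRkFDRURFVEFJTFNdClBhY2thZ2U6IGdzaQpSZWFkZXI
 6IEFjdGl2ZUNoZ1JlYWRlcgo=
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_IMPORT_PROFILE)
    print(interface_details(entry))
    for finding in check_profile(entry, "import"):
        print("FINDING:", finding)
```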
    IF EXPORT Profile Get:

    ldapsearch -h -p -D cn=orcladmin -w -b "orclODIPAgentName=ActiveExport,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=*

    Check the orcllastappliedchangenumber value; if it is zero (0), it will prevent sync from working.

    If the value is zero, stop odisrv, then use DIPTESTER to obtain and set the LACN value. Before restarting, make any mapping file changes if any are needed, i.e.:
    1. Stop odisrv
    2. Edit and reload the mapping file
    3. Get the LACN
    4. Set the LACN
    5. Start odisrv
    6. Test

12. Problem
    -------
    AD to OID sync and/or bootstrap error: DIP_GEN_AUTHENTICATION_FAILURE followed by LDAP: error code 49.

    Example 1:
    ----------
    Bootstrap.trc shows:

    Trace Log Started at Thu Aug 19 14:43:40 EDT 2004
    -----------------------------------------------------------------------------
    Mapping init successful
    LDAP URL : (AD1.mycompany.om:389 cn=oracle,dc=mycompany,dc=com
    LDAP AuthenticationException
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: Acceptror, data 525, v893]
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893]

    Example 2:
    ----------
    ActiveChgImp.trc shows:

    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
    ActiveChgImpUsers:Error in Mapping EngineODIException: DIP_GEN_AUTHENTICATION_FAILURE
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

    Cause:
    ======
    This is an error coming from AD, not from OID. The error means "invalid credentials." To confirm, test the AD credentials directly against AD via ldapbind. Review the sync profile and gather:
    - The LDAP URL (AD's hostname and port)
    - The Connected Directory AD username and password

    Then use the information above to test with ldapbind from the OID server's command prompt, i.e.:

    ldapbind -h -p -D -w

    This should also return the same LDAP error code 49 / invalid credentials, confirming the problem.

    Solution:
    =========
    Work with the AD sysadmin to obtain the correct AD hostname, port, username and password, and make sure it is a user who is going to make changes to AD and has administrator privileges. Test again with the above ldapbind to ensure it works. Once the credentials work, update the AD sync profile with the correct information, which can be done in oidadmin / Oracle Directory Manager:
    - Login as orcladmin
    - Navigate to Server Management > Integration Server > Configuration Set1
    - Edit the ActiveChgImp profile > click the Execution tab to see:
      "Connected Directory Account" = enter the working AD username
      "Connected Directory Account Password" = enter the working AD password
      "Connected Directory URL" = ensure it has the correct host:port for AD
    - Click OK to apply when done, and exit.

    NOTE: If there are any problems/errors while updating the profile above, try temporarily disabling the profile status, then update it, then re-enable the profile.

    Next, stop and restart odisrv for the sync process with oidctl to ensure the changes take effect, i.e.:

    oidctl connect= server=odisrv instance=2 configset=1 flags="" stop
    oidctl connect= server=odisrv instance=2 configset=1 flags="" start

13. Problem
    -------
    In bootstrapping or synchronization you may see the following error:

    ERROR: [LDAP: error code 2 - Decoding Error]

    For example:

    dipassistant mp -host sunburn.us.oracle.com -port060 -passwd ***passwd*** -profile ActiveChgImp odip.profile.mapfile=/export/home/oracle/diptester/activechg.map
    dipassistant ERROR: [LDAP: error code 2 - Decoding Error]

    Cause and Solution
    ------------------
    More than 8 lines in the DomainRules portion of the mapping file (domain rules OR comments).

    Fix #1 - Remove comment lines or multiple domain rules as necessary to have fewer than 9 lines. Hint: you can create multiple profiles, each of which can have 8 lines/rules.

    Fix #2 - Change orclODIPAttributeMappingRules from Directory String type to Binary:
    Launch Oracle Directory Manager
    Navigate to Schema Management
    Select the Attributes tab
    Scroll down and find orclODIPAttributeMappingRules
    Highlight it, scroll to the right and find the field Syntax
    Change from Directory String to Binary

14. Problem
    -------
    Another cause of the LDAP 50 error.

    Symptoms: a user entry fails to synchronize to OID. The odisrv trace shows:

    ...
    Processing Modify Operation ..
    Processing Modification element
    modItem : Add attribute: uniquemember: ...
    Processing Modification element
    Total # of Mod Items : 1
    Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name '...'
    [LDAP: error code 50 - Insufficient Access Rights]
    Error in Mapping
    IplanetImport:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_MODIFY
    ...

    Cause and Solution
    ------------------
    The entry being synchronized did not have a value for the "uid" attribute. The presence of "uid" is used by the mapping rules to add the objectclass "orclUserV2" to the entry being created in OID. The DIP agent user only has write permission to the User Create Base in OID if the entry has the "orclUserV2" objectclass. This is intended behaviour, to stop invalid user entries being copied to OID.
There are several options available: a. Ignore the errors. b. Satise the supplier directory DIT(s) to remove all invalid entries. c. Add filters to the DIP profile to exclude the invalid entries. 15. Problem -----------When running odisrv with ActiveChgImp agent enabled. No changes are copied from Active Directory (AD) to Oracle Internet Directory (OID). $ORACLE_HOME/ldap/odi/log/ActiveChgImp.trc shows following error repeating: ... Updating the profile's last change number ..... Exception in thread "main" java.lang.NullPointerException at oracle.ldap.odip.engine.Connector.setValues(Connector.java: 114) at oracle.ldap.odip.gsi.ActiveChgReader.initialise(ActiveChgRe ader.java:183) at oracle.ldap.odip.engine.ProfileManager.updateProfileChgNum( ProfileManager.java:609) at oracle.ldap.odip.engine.DIPAssistant.handleBootstrapCmd(DIP Assistant.java:1347) at oracle.ldap.odip.engine.DIPAssistant.main(DIPAssistant.java :342) ... Cause and Solution ------------------The "orclodipcondirurl" attribute of the "orclODIPAgentName=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" entry is set to the servername of the AD host only, where it should include the port of the AD server as well, e.g. ldapsearch -h -p -D "cn=orcladmin" -w -B -s base -b "orclODIPAgentName=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" "(objectclass=orclODIProfile)" "orclodipcondirurl" orclodipAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory orclodipcondirurl= This can also be seen in the Oracle Dirictory Manager (ODM) GUI (oidadmin on Unix): -> Server Management -> Integration Server -> Configuration Set1, select profile ActiveChgImp and click "Edit" button. Select "Execution" tab, "Connected Directory URL" Fix Stop the odisrv. 
Update the "orclodipcondirurl" attribute of the "orclODIPAgentName=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" entry to include the AD host and AD port, e.g. :
Start the odisrv.

16. Problem
------------
After applying the 9.0.4.1 Patchset, the .trc file shows continuous looping without any successful synchronization, as follows:

cn=administrator,cn=users,dc=nasasec,dc=us,dc=oracle,dc=com
LDAP Connection success
Applied ChangeNum : 2431Available chg num = 700
Reader Initialised !!
LDAP URL : (chi-opidemo:3060 cn=odisrv+orclhostname=chi-opidemo,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF :
Command exec succesful
cn=administrator,cn=users,dc=nasasec,dc=us,dc=oracle,dc=com
LDAP Connection success
Applied ChangeNum : 2431Available chg num = 3034
Reader Initialised !!
LDAP URL : (chi-opidemo:3060 cn=odisrv+orclhostname=chi-opidemo,cn=odi,cn=oracle internet directory
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
searchF :
Command exec succesful

Causes/Solutions
----------------
1. On MS Windows, view the %ORACLE_HOME%\odisrv.bat file with notepad.exe. Go to the line that sets the %CLASSPATH%:

set CLASSPATH="J:\oracle\Ora904\jdbc\lib\classes12.jar;J:\oracle\Ora904\jdbc\lib\nls_charset11.jar;J:\oracle\Ora904\jdbc\lib\nls_charset12.jar;%ORACLE_HOME\ldap\odi\jlib\ldapbp.jar;J:\oracle\Ora904\jlib\oraclepki103.jar;J:\oracle\Ora904\ldap\odi\jlib\sync.jar;J:\oracle\Ora904\ldap\odi\jlib\dsps.jar;J:\oracle\Ora904\jlib\ldapjclnt9.jar;J:\oracle\Ora904\jlib\netcfg.jar;J:\oracle\Ora904\jlib\javax-ssl-1_2.jar;J:\oracle\Ora904\jlib\jssl1_2.jar;J:\oracle\Ora904\jlib\ojmisc.jar"

NOTE that the entry where the path for ldapbp.jar is being set reads:

%ORACLE_HOME\ldap\odi\jlib\ldapbp.jar

Each of the classpath entries originally had %ORACLE_HOME% and was substituted by the installer with the actual path of the ORACLE_HOME. However, this one was missing the trailing % sign, and therefore the substitution was never made. This results in the ldapbp.jar class path not being defined at all. This is the root cause of the looping issue in Symptom #3.

Fix: replace the %ORACLE_HOME with the actual path. In the example above the corrected class path would then read:

set CLASSPATH="J:\oracle\Ora904\jdbc\lib\classes12.jar;J:\oracle\Ora904\jdbc\lib\nls_charset11.jar;J:\oracle\Ora904\jdbc\lib\nls_charset12.jar;J:\oracle\Ora904\ldap\odi\jlib\ldapbp.jar;J:\oracle\Ora904\jlib\oraclepki103.jar;J:\oracle\Ora904\ldap\odi\jlib\sync.jar;J:\oracle\Ora904\ldap\odi\jlib\dsps.jar;J:\oracle\Ora904\jlib\ldapjclnt9.jar;J:\oracle\Ora904\jlib\netcfg.jar;J:\oracle\Ora904\jlib\javax-ssl-1_2.jar;J:\oracle\Ora904\jlib\jssl1_2.jar;J:\oracle\Ora904\jlib\ojmisc.jar"

See additional information in Note 303269.1 DIP Synchronization Fails After Applying 9.0.4.1 Patch.

17. Problem
-----------
Odisrv Error Log contains:

Mon Nov 29 17:57:44 EST 2004 : Starting Server to run ConfigSet :1 against LDAP Server (oid1.nems.noaa.gov:1636)
Mon Nov 29 17:57:44 EST 2004 : Retrieved Credentials from Local Wallet..
Mon Nov 29 17:57:45 EST 2004 : LDAP Server is down. SleepingFor 10 secs..!
Mon Nov 29 17:57:56 EST 2004 : LDAP Server is down. SleepingFor 10 secs..!
...
...
Mon Nov 29 18:00:57 EST 2004 : LDAP Server is down. SleepingFor 10 secs..!
Mon Nov 29 18:01:07 EST 2004 : Aborting.. Unable To Connect to LDAP Server after 20 Retries...: null
Mon Nov 29 18:01:07 EST 2004 : Exiting with Status -1: null

Causes/Solutions
----------------
1. Check the oidctl syntax used for starting up. Make sure you have supplied the flags="host= port= ". This is the information odisrv uses to connect to the oidldapd server for submitting synchronized entries.
2. If you are running the odisrv in SSL mode, e.g. flags="host= port= sslauth=2", make sure you have given the SSL port value of the oidldapd server. The odi.properties file (as shipped in the $OH/ldap/odi/conf directory) contains whitespace at the end of the example lines. When you edit the examples, replacing the certWalletFile and the certWalletPwdF, there is a good chance the whitespace was left on the end of the line. Open the file with Unix 'vi' and issue :set list to see the end-of-line characters ($), or on Windows open it with WORD and display control characters. Make sure you can do an SSL bind, mode U 2, to the LDAP server.

18. PROBLEM
-----------
When the customer uses the AD Administrator to delete a user in AD, the delete does not take place in OID.
Error in ActivechgImp.trc:

Output ChangeRecord
ChangeRecord : ---------
Changetype: 1
ChangeKey: *
Attributes:
Class: null Name: objectclass Type: null ChgType: 3 Value: [organizationalunit, orclcontainer, orcladuser, orcluserv2, orcladgroup]
Class: null Name: krbprincipalname Type: null ChgType: 3 Value: [@ ]
Class: null Name: orclsamaccountname Type: null ChgType: 3 Value: [$ ]
Class: null Name: orclobjectguid Type: null ChgType: 3 Value: [JKqfZ3AWc0Op3l5F9upYxA==]
----------
DN : *
Exception in looking for java.lang.NullPointerException
Normalized DN : *
Error in DN formation..
Updated Attributes
orclodipLastExecutionTime: 20050202093108
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20050202093108
Updated Attributes
orclodipLastExecutionTime: 20050202093108
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20050202093108

Causes/Solution
---------------
The customer did not have the OID MATCHING FILTER (orclodipoidmatchingfilter) set to orclobjectguid. This was determined by examining a profile dump. After setting this correctly and stopping and restarting odisrv, deletes now work.

19. Using Oracle Database Connector
-----------------------------------
Error in DBImport.trc:

Processing modifyRadd Operation ..
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Exception creating Entry : javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
Error in Mapping
LastChangeKey:0

Causes/Solution
---------------
The database being synchronized from contained 125K rows. Stopped and restarted odisrv and added the flag "commitsz=130000".

20. Synchronization Fails After Applying 9.0.4.1 Patchset
---------------------------------------------------------
Errors in the trace file include any of the following:
- Error Getting Next Change From OID
- Unprocessed Continuation Reference(s)
- Trace file loops, e.g. you never see "Synchronization Successful"
- Last Applied Change Number gets decremented by 1 at each update

Causes/Solutions
----------------
Known bugs. Need to apply the DIP Sync Merge Patch 4726481.

Solution
--------
Download and apply the latest Merge Patch for DIP Sync, 4726481. See Note 303269.1 for additional details.

21. Synch Trace File Shows Hanging, Nothing Synchronized
--------------------------------------------------------
------------------------------------------------------------------------------
Trace Log Started at Thu Mar 31 18:08:39 PST 2005
------------------------------------------------------------------------------
Initialized debug!!
Set retry Count!!
Set Scheduling Interval!!
Initialised src connector
Initialized Src Connector.
TAG FOUND:(INTERFACEDETAILS)
LINE,11:(Package: gsi)
key:(Package)
Value Continuation Not Present
Putting Key into Hash :PACKAGE
LINE,22:(Reader: ActiveChgReader)
key:(Reader)
Value Continuation Not Present
Putting Key into Hash :READER
Skip error to synchronize next change is set to: false
Search Delta Size set to: 500
Initialized Config Info.
Initialized Sync Mode.
Mapping init successful
Initialized Mapping Info.
Initialized Filter Info.
Initialized Execution Cmd.
Initialized Status Attrs.

Causes/Solutions
----------------
The values in the profile for Last Execution Time and Last Successful Execution Time were set in the future. Correct these two values using Oracle Directory Manager to a time in the recent past. This will force a wake-up and sync whatever records may be waiting since bootstrap.

22. Error "Invalid Name" shows in .trc file
-------------------------------------------
DN : cn=187913,cn=users,dc=acme,dc=com
Normalized DN : cn=187913,cn=users,dc=acme,dc=com
Processing modifyRadd Operation ..
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Invalid Name Found.

Causes and Solution
-------------------
The value stored in the database that is being mapped to the manager attribute is not mapped to OID within the proper syntax. Verify the proper syntax by examining the OID schema object "manager" using Oracle Directory Manager. The SYNTAX for this attribute is "distinguishedNameMatch". The value stored in manager MUST be in the form of a DN, for example:

cn=manager name,cn=users,dc=acme,dc=com

1. Modify the attribute mapping rule to include an editor operation as follows:
   REPORTS_TO_ID: : : :manager: :inetOrgperson:"cn="+REPORTS_TO_ID+",cn=users,dc=acme,dc=com"
2. Stop odisrv.
3. Reload the mapping file.
4. Start odisrv.
5. Test synchronization.

23. Configured ODISRV to run in SSL mode, errors in trace file
--------------------------------------------------------------
Request: 1 cancelled
ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_CONNECTION_FAILURE
ODIException: DIP_GEN_CONNECTION_FAILURE
at oracle.ldap.odip.gsi.LDAPConnector.connectLdap(LDAPConnector.java:249)
at oracle.ldap.odip.gsi.ActiveChgReader.initialise(ActiveChgReader.java:190)
at oracle.ldap.odip.engine.AgentThread.mapInitialise(AgentThread.java:335)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:261)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:155)
ActiveChgImp:about to Update exec status
Error in proxy connection : java.lang.NullPointerException
java.lang.NullPointerException
at oracle.ldap.odip.engine.AgentThread.updateExecStatus(AgentThread.java:500)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:278)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:155)
Updated Attributes
orclodipLastExecutionTime: 20050418142800

Cause/Solution
--------------
Check the following:
1. ldapbind in mode -U 2 to the oidldapd SSL configset port.
2. Make sure there is no whitespace at the end of each line in odi.properties.
3. Make sure you have run dipassistant wpasswd.
4. Make sure you can run odisrvreg in SSL mode; this validates the odi.properties and the wallet.
5. Make sure you are not using 4096-bit certificates (bug 4300794).
6. Check that the profile value Connected Directory URL contains host:sslport:authmode, for example: ldaphost:636:2

24. Error in .trc debug level 63 trace file... LDAP: error code 1 - User does not exist in directory for Proxy Switch
--------------------------------------------------------------------------------------------------------------------
Initialized Status Attrs.
Command exec succesful
LDAP URL : (test1.ahhost.acme.com:389 [email protected]
LDAP Connection success
Applied ChangeNum : 80090308Available chg num = 700
Reader Initialised !!
LDAP URL : (oidhost.acme.com:3060 cn=orcladmin
LDAP Connection success
Writer Initialised!!
MapEngine Initialised!!
Filter Initialised!!
[LDAP: error code 1 - User does not exist in directory for Proxy Switch]
Error in proxy connection : ODIException: DIP_GEN_AUTHENTICATION_FAILURE

Cause/Solution
--------------
In this trace file note the LDAP URL:

LDAP URL : (oidhost.acme.com:3060 cn=orcladmin

In a properly configured environment, when the connection is made to OID to obtain the LACN, the LDAP URL should look something like:

LDAP URL : (oidhost.acme.com:389 cn=odisrv+orclhostname=oidhost,cn=odi,cn=oracle internet directory

Reload the profile properties from $ORACLE_HOME/ldap/odi/conf/ .properties, ensuring not to specify any OID credentials so that it uses the default odisrv entry.

25. Last Applied Change Number Not Updating in Database Connector
-----------------------------------------------------------------
The audit log shows all database records being repeatedly synchronized:

Tue Jul 12 11:10:17 CDT 2005 - Audit Log Start
20050101010101 : Success : 2 : cn=michael.jordan,cn=users,dc=acme,dc=com
20050101010101 : Success : 2 : cn=frederick.abbott,cn=users,dc=acme,dc=com
20050101010101 : Success : 2 : cn=michael.jordan,cn=users,dc=acme,dc=com
20050101010101 : Success : 2 : cn=frederick.abbott,cn=users,dc=acme,dc=com

Causes/Solution
---------------
This is due to bug 4245927. Download and apply the latest DIP Merge patch 4726481.

25. LDAP: error code 65 - sn attribute not found. Mandatory Attribute missing.
------------------------------------------------------------------------------
DN : cn=users,dc=oracle,dc=com
Normalized DN : cn=users,dc=oracle.dc=com
Processing modifyRadd Operation ..
Entry found. Converting To a Modify Operation..
Proceeding with checkNReplace..
Performing checkNReplace..
Adding Attribute in OID : ou
Adding Attribute in OID : orclobjectguid
Total # of Mod Items : 2
Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=users,dc=oracle,dc=com'
[LDAP: error code 50 - Insufficient Access Rights]
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Exception creating Entry : javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find cn in mandatory or optional attribute list.]; remaining name 'cn=users,dc=oracle,dc=com'
[LDAP: error code 65 - Failed to find cn in mandatory or optional attribute list.]
Error in Mapping
ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
ODIException: DIP_OIDWRITER_ERROR_CREATE
at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:951)
at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:321)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:609)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:252)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:398)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:254)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149)
ActiveChgImp:about to Update exec status
....

Causes/Solution
---------------
1. By default the DIP connector does not have permission to CREATE containers under cn=users. To allow the creation of the OU container under cn=users, grant the necessary privileges so that the DIP connector (ActiveChgImp) profile can modify the cn=users,dc=oracle,dc=com entry in OID:

a. Create a file aci.ldif containing the following:

dn: cn=users,dc=oracle,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by dn="orclodipagentname=ActiveChgImp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)

b. Implement this ACL:

ldapmodify -h -p -D "cn=orcladmin" -w -v -f aci.ldif

c. See problem/solution 11 for additional details on the ACL.

2. The error can also occur with Active Directory, where the SN attribute is not mandatory; especially if the AD was migrated from an older NT Domain Controller, it is possible to have entries that do not have the SN attribute. You will generally see this error during bootstrapping. When the SN is NOT present in the entry, and that entry is in fact a user, modify your mapping file as follows to map an alternate attribute to the mandatory SN attribute:

sn,SAMAccountName: : :person:sn: : person:sn|SAMAccountName

26. Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
-------------------------------------------------------------------
Trace file shows:

Updated Attributes
orclodipLastExecutionTime: 20050909004218
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20050909004218
Exception in looking for cn=BOSA612569$,cn=users,ou=green,dc=fmrco,dc=com:javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
Exception creating Entry : javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
ODIException: DIP_OIDWRITER_ERROR_CREATE
at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:975)
at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:328)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:239)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:406)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:262)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:155)
ActiveChgImp:about to Update exec status
null
Error in proxy connection : ODIException: DIP_GEN_AUTHENTICATION_FAILURE
ODIException: DIP_GEN_AUTHENTICATION_FAILURE
at oracle.ldap.odip.gsi.LDAPConnector.proxyConnectAs(LDAPConnector.java:291)
at oracle.ldap.odip.engine.AgentThread.updateExecStatus(AgentThread.java:500)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:278)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:155)

CAUSE / FIX
===========
The Interface Details were missing from the loaded profile.
Use DIP Tester to "Load Config File" ActiveChgImp.cfg into the ActiveChgImp profile.

27. When creating a parent and children within the AD directory, in some cases the USNChanged of the parent entry is greater than the USNChanged of the children by the time odisrv tries to sync them, when the sync interval is more than a few seconds. Because of this odisrv tries to create the child before the parent, detects the error, and then tries to create the parent. When the child entry DN contains a comma, the following error is seen in the trace file:

DN : CN=Group\, A Child,OU=Parent,OU=OracleOID,dc=tidir,dc=bctest
Normalized DN : CN=Group\, A Child,OU=Parent,OU=OracleOID,dc=tidir,dc=bctest
Processing modifyRadd Operation ..
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Parent Entry not Found.
Updated Attributes
orclodipLastExecutionTime: 20050324132417
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors: Synchronization Successful
Creating parent DN:a child,ou=parent,ou=oracleoid,dc=tidir,dc=bctest
javax.naming.InvalidNameException: a child,ou=parent,ou=oracleoid,dc=tidir,dc=bctest: [LDAP: error code 34 0000208F: NameErr: DSID-031001AA, problem 2006 (BAD_NAME), data 8350, best match of: 'a child,ou=parent,ou=oracleoid,dc=tidir,dc=bctest'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2926)

In some cases odisrv fails to create the parent and gives the messages above. It appears in the sample above that odisrv, when parsing the DN "CN=Group\, A Child,OU=Parent,OU=OracleOID,dc=tidir,dc=bctest" looking for the parent, stops at the first comma, in this case the escaped one following "Group", and tries to create the parent "A Child,OU=Parent,OU=OracleOID,dc=tidir,dc=bctest", which isn't the actual parent.
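The parsing difference described above can be reproduced with a small DN splitter. This is an added example, not odisrv code: it splits a DN only at unescaped commas (RFC 4514 backslash escaping), contrasts that with the first-comma cut the trace suggests, validates the parent candidate so a BAD_NAME value like "a child,ou=parent,..." is rejected before any add is attempted, and orders a batch of DNs so parents are written before children. All function names are this example's own; the DN is the one quoted in the trace.

```python
"""Parent-DN extraction that honours RFC 4514 escaped commas.

Added example (not part of odisrv): shows why cutting a DN at the first
comma is wrong when an RDN value contains "\\," and how to reject the
malformed parent candidate before attempting a directory add.
"""
from typing import List


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDN strings; a backslash escapes the next character,
    so an escaped comma never terminates an RDN."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep the escape and the escaped character together in the value
            current.append(ch)
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def naive_parent_dn(dn: str) -> str:
    """The behaviour the trace suggests: cut at the first comma, escaped or not."""
    _head, sep, tail = dn.partition(",")
    return tail.strip() if sep else ""


def parent_dn(dn: str) -> str:
    """Correct parent: drop the leading RDN, keep the remaining RDNs verbatim."""
    return ",".join(split_rdns(dn)[1:])


def is_well_formed_dn(dn: str) -> bool:
    """Every RDN must be 'type=value'; an RDN without '=' is a BAD_NAME candidate."""
    if dn == "":
        return True  # the empty DN (root) is legal
    for rdn in split_rdns(dn):
        attr, eq, _value = rdn.partition("=")
        if not eq or not attr.strip():
            return False
    return True


def parents_first(dns: List[str]) -> List[str]:
    """Order change records by RDN depth so a container is written before the
    entries beneath it (mitigates the USNChanged ordering described above).
    The sort is stable, so entries at the same depth keep their trace order."""
    return sorted(dns, key=lambda d: len(split_rdns(d)))


if __name__ == "__main__":
    # DN from the trace quoted above: the CN value contains an escaped comma
    child = "CN=Group\\, A Child,OU=Parent,OU=OracleOID,dc=tidir,dc=bctest"
    for label, candidate in (("naive", naive_parent_dn(child)), ("rfc4514", parent_dn(child))):
        print(f"{label:8s} parent={candidate!r} well_formed={is_well_formed_dn(candidate)}")
```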
CAUSE/FIX
---------
This is due to an improper fix of bug 3990034, which has been fixed in version 10.1.2.2. Optionally, if one uses the DIRSYNC method to sync (ActiveImport), then the incremental changes are based on the objectguid instead of the USNCHANGED attribute.

28. PROBLEM
-----------
Fatal error in bootstrap when there is more than 1 member in the AD group and the profile mapping uses the TRUNC function for uniquemember:

ERROR: [Tue Feb 21 17:28:14 IST 2006] java.lang.ArrayIndexOutOfBoundsException: 1 >= 1
at java.util.Vector.elementAt(Vector.java:427)
at oracle.ldap.odip.map.MapEngine.evaluate(MapEngine.java:771)
at oracle.ldap.odip.map.MapEngine.evalstack(MapEngine.java:1093)
at oracle.ldap.odip.map.MapEngine.ConvertValue(MapEngine.java:691)
at oracle.ldap.odip.map.MapEngine.mapAttribs(MapEngine.java:466)
at oracle.ldap.odip.map.MapEngine.map(MapEngine.java:236)
at oracle.ldap.odip.bootstrap.ODIBootstrap$WriterThread.run(ODIBootstrap.java:1031)

CAUSE/FIX
---------
Bug 4390930 GROUP MAPPING RULE W/ [TRUNC(MEMBER,',') +",CN=USERS,"] BOOTSTRAP FAILS. For OID version 10.1.2.1, Bug 4390930 is fixed with Patch 5015167.

29. Oracle Database Connector Error in Trace File
-------------------------------------------------
Ending Mapping execution.
Command exec succesful
Loaded driver..: oracle.jdbc.OracleDriver
Connecting as : URL : jdbc:oracle:thin:@,user : odip.profile.condirpassword=welcome1
Connecting as : URL : jdbc:oracle:thin:@,user : odip.profile.condirpassword=welcome1
ODIException in DB Reader Initialization : DIP_GEN_SPACE_STR
Reader initialization failed!
LDAP URL : (solaris1.acme.com:389 cn=odisrv+orclhostname=solaris1,cn=registered instances,cn=directory integration platform,cn=products,cn=oraclecontext
Specifying binary attributes: mpegvideo objectguid objectsid guid usercertificate orclodipcondirlastappliedchgnum
LDAP Connection success
Writer Initialised!!
Writer proxy connection initialised!!
MapEngine Initialised!!
Filter Initialised!!
DBImport:Error in Mapping EngineODIException: ODIException in DB Reader Initialization : DIP_GEN_SPACE_STR
ODIException: ODIException in DB Reader Initialization : DIP_GEN_SPACE_STR
at oracle.ldap.odip.gsi.DBReader.initialise(DBReader.java:278)
at oracle.ldap.odip.engine.AgentThread.readerInitialise(AgentThread.java:390)
at oracle.ldap.odip.engine.AgentThread.mapInitialise(AgentThread.java:439)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:305)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
DBImport:about to Update exec status

CAUSE/FIX
---------
Connection info was missing from the profile. The Database connector needs the following three components in order to connect to the database:
1. Connected dir account: in a DB connector profile this represents the database login name.
2. Connected dir account password: in a DB connector profile this represents the database login password.
3. Connected dir URL: in a DB connector profile this represents the JDBC connect string in HOST:DBPORT:SID format.

30. A new DIP Active Directory -> OID synchronization profile is not synchronizing anything.
--------------------------------------------------------------------------------------------
There are no errors in the profile debug trace, only the following:

Applied ChangeNum : 1414700Available chg num = 1321542

CAUSE/FIX
---------
The Last Applied Change Number set in the profile was much greater than the highestCommittedUSN in Active Directory. Therefore the DIP synchronization searches based on the Last Applied Change Number did not retrieve any entries from Active Directory to be processed. To clarify, from the log:

Applied ChangeNum : 1414700Available chg num = 1321542

The first number is the Last Applied Change Number set in the DIP profile. The Available chg num is the highestCommittedUSN in Active Directory. If the second is smaller than the first, the range-based search performed by DIP synchronization will never retrieve any entries from AD.
To correct this, perform a bootstrap using the profile. This will reset the Last Applied Change Number in the profile to the highestCommittedUSN in Active Directory. The profile can then be enabled and will process new changes in Active Directory.

31. Nothing is being synchronized. No errors in any of the log files. The Last Applied Change Number has been set higher than the Highest Committed USN.

CAUSE/FIX
---------
The Active Directory hostname used in the profile is a virtual host name that resolves to more than one GC (global catalog server). Each visit to this hostname can return a different highestCommittedUSN value. Once the value has been set in the Import profile, subsequent searches to other servers where the HCUSN is lower will make the import connector think it is up to date. To verify whether this is happening, run the following ldapsearch repeatedly:

ldapsearch -p -h -D "administrator@" -w -b "" -s base "objectclass=*" highestCommittedUSN

If the result is not consistently the same or a higher value, then it is likely you are hitting a virtual hostname. To correct this, use a REAL HOSTNAME in the Connected Dir URL setting in the profile.

DIPTESTER
=========
Get the DIPTESTER tool to assist in configuring, testing, and troubleshooting DIP connectors. Available for download on OTN.

About Diptester
---------------
This tool is a stand-alone, platform-independent Java application that aids in the configuration, testing, and debugging of SunOne/iPlanet, Active Directory and Oracle Database Connector synchronization environments. It uses dipassistant commands for profile modifications. It has been tested on Solaris, Linux, and Windows with versions 9.0.4.x and 10.1.4, with SunOne/iPlanet/Netscape and Microsoft Active Directory LDAP as well as the Oracle Database Connector. A GUI interface provides an easy to use point-and-click graphical interface.
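Items 30 and 31 above both come down to comparing the profile's Last Applied Change Number with Active Directory's highestCommittedUSN. The following is an added example, not a DIP or DIPTESTER tool: it pulls the "Applied ChangeNum ... Available chg num" pairs out of a trace, classifies each one against the (LACN, HCUSN] range the import search uses, and checks a series of repeated highestCommittedUSN reads for the non-decreasing pattern a single real GC should show. The trace excerpt and USN samples are constructed for the example; the function names are this example's own.

```python
"""Check DIP trace change numbers against the rules in items 30 and 31.

Added example, not part of DIP/odisrv. The trace excerpt and USN samples
are constructed to mirror the values quoted in this note.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed trace excerpt; the number pairs echo the ones quoted above.
SAMPLE_TRACE = """\
LDAP Connection success
Applied ChangeNum : 1414700Available chg num = 1321542
Reader Initialised !!
LDAP Connection success
Applied ChangeNum : 2431Available chg num = 3034
Reader Initialised !!
"""

# odisrv prints the two numbers run together, so do not rely on a separator.
_CHG_RE = re.compile(r"Applied ChangeNum\s*:\s*(\d+)\s*Available chg num\s*=\s*(\d+)")


def parse_change_numbers(trace: str) -> List[Tuple[int, int]]:
    """Return (last_applied, highest_committed_usn) pairs in trace order."""
    return [(int(a), int(b)) for a, b in _CHG_RE.findall(trace)]


def classify(last_applied: int, highest_committed_usn: int) -> str:
    """Item 30: the import search covers (LACN, HCUSN]; an empty range syncs nothing.

    STALE_LACN  -> LACN is ahead of AD; bootstrap the profile to reset it
    UP_TO_DATE  -> nothing pending
    PENDING     -> HCUSN - LACN changes are waiting to be read
    """
    if last_applied > highest_committed_usn:
        return "STALE_LACN"
    if last_applied == highest_committed_usn:
        return "UP_TO_DATE"
    return "PENDING"


def pending_changes(last_applied: int, highest_committed_usn: int) -> int:
    """Size of the range the next search will ask AD for (0 when LACN is ahead)."""
    return max(0, highest_committed_usn - last_applied)


def hcusn_reads_consistent(reads: Sequence[int]) -> bool:
    """Item 31: repeated reads of highestCommittedUSN from one real DC never decrease.

    A drop between consecutive reads means the profile hostname is probably a
    virtual name fronting several GCs, each with its own USN counter.
    """
    return all(later >= earlier for earlier, later in zip(reads, reads[1:]))


def report(trace: str) -> List[Dict[str, object]]:
    """One row per Applied/Available pair, for a trace-review checklist."""
    rows: List[Dict[str, object]] = []
    for lacn, hcusn in parse_change_numbers(trace):
        rows.append({
            "last_applied": lacn,
            "highest_committed_usn": hcusn,
            "state": classify(lacn, hcusn),
            "pending": pending_changes(lacn, hcusn),
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_TRACE):
        print(row)
    # Constructed: three reads that alternate between two GCs behind one virtual name.
    print("hcusn reads consistent:", hcusn_reads_consistent([1321542, 1414700, 1321560]))
```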
References
----------
NOTE:261342.1 - Understanding DIP Mapping Files
NOTE:262985.1 - Running DIP Provisioning AND DIP Synchronization on Same System
NOTE:265397.1 - PASSWORD POLICY EXPIRES PASSWORD, THEN DIP CONNECTER LOCKS OUT ACCOUNT
NOTE:267153.1 - DIP Synchronization with Microsoft Active Directory Quick Start Guide
NOTE:268341.1 - DIP Synchronization with SunOne/Iplanet Quick Start Guide
NOTE:303269.1 - DIP Synchronization Problems After Applying 9.0.4.1 Patch
NOTE:397077.1 - DIP Synchronization Troubleshooting Check List
NOTE:434300.1 - How To Read A DIP Synchronization Trace File - CHANGE
NOTE:889262.1 - Quick Reference - 11g DIP Management Commands Usage and Syntax

Related Products
----------------
Middleware > Identity Management > Oracle Internet Directory > Oracle Internet Directory

Keywords
--------
SYNC; IPLANET; DIP; SUNONE; OID

Errors
------
LDAP ERROR CODE 65; 5-TEST; ERROR CODE 49; ERROR CODE 2; ERROR CODE 50; ERROR CODE 66; ERROR CODE 34; ERROR CODE 1