Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) Part No. B14082-01 |
This appendix explains typical problems that you could encounter while running or installing Oracle Internet Directory.
During installation and configuration of the Oracle Database, Oracle recommends that you select the character set UTF-8 to avoid possible problems with multibyte characters.
This section contains a list of all the Oracle directory server error messages that you can encounter. Each message is followed by its most probable causes.
Cause: If you attempt to add more schema components than can fit in the rollback segment space, you will encounter this error and the modifications will not commit. To solve this, increase the size of the rollback segments in the database server.
Table K-1 lists standard error messages and their causes. Oracle Internet Directory also returns other messages listed and described in "Additional Directory Server Error Messages".
Table K-1 Standard Error Messages
Error | Cause |
---|---|
00—LDAP_SUCCESS | The operation was successful. |
01—LDAP_OPERATIONS_ERROR | General errors encountered by the server when processing the request. |
02—LDAP_PROTOCOL_ERROR | The client request did not meet the LDAP protocol requirements, such as format or syntax. This can occur in the following situations: the server encounters a decoding error while parsing the incoming request; an add or modify request specifies the addition of an attribute type to an entry but gives no values; an error occurs while reading SSL credentials; an unknown type of modify operation is specified (other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE); an unknown search scope is specified. |
03—LDAP_TIMELIMIT_EXCEEDED | Search took longer than the time limit specified. If you have not specified a time limit for the search, Oracle Internet Directory uses a default time limit of one hour. |
04—LDAP_SIZELIMIT_EXCEEDED | More entries match the search query than the size limit specified. If you have not specified a size limit for the search, Oracle Internet Directory uses a default size limit of 1000. |
05—LDAP_COMPARE_FALSE | Presented value is not the same as the one in the entry. |
06—LDAP_COMPARE_TRUE | Presented value is same as the one in the entry. |
07—LDAP_STRONG_AUTH_NOT_SUPPORTED | The requested bind method is not supported by the server. For example, SASL clients requesting Kerberos authentication from Oracle Internet Directory receive this error in response. |
09—LDAP_PARTIAL_RESULTS | Server returned a referral. |
10—LDAP_REFERRAL | Server returned a referral. |
12—LDAP_UNAVAILABLE_CRITICALEXTENSION | Specified request is not supported |
16—LDAP_NO_SUCH_ATTRIBUTE | Attribute does not exist in the entry specified in the request. |
17—LDAP_UNDEFINED_TYPE | Specified attribute type is undefined in the schema. |
19—LDAP_CONSTRAINT_VIOLATION | The value in the request violated certain constraints. |
20—LDAP_TYPE_OR_VALUE_EXISTS | Duplicate values specified for the attribute. |
21—LDAP_INVALID_SYNTAX | Specified attribute syntax is invalid. In a search, the filter syntax is invalid. |
32—LDAP_NO_SUCH_OBJECT | The base specified for the operation does not exist. |
34—LDAP_INVALID_DN_SYNTAX | Error in the DN syntax. |
49—LDAP_INVALID_CREDENTIALS | Bind failed because the credentials are not correct. |
50—LDAP_INSUFFICIENT_ACCESS | The client does not have access to perform this operation. |
53—LDAP_UNWILLING_TO_PERFORM | General error, or server is in read-only mode. |
65—LDAP_OBJECT_CLASS_VIOLATION | A change to the entry violates the object class definition. |
66—LDAP_NOT_ALLOWED_ON_NONLEAF | The entry to be deleted has children. |
67—LDAP_NOT_ALLOWED_ON_RDN | Cannot perform the operation on RDN attributes—for example, you cannot delete the RDN attribute of the entry. |
68—LDAP_ALREADY_EXISTS | Duplicate ADD condition. |
81—LDAP_SERVER_DOWN | Cannot contact the directory server. This message is returned from the SDK. |
82—LDAP_LOCAL_ERROR | The client encountered an internal error. This message is returned from the client SDK. |
83—LDAP_ENCODING_ERROR | The client encountered an error in encoding the request. This message is returned from the SDK. |
84—LDAP_DECODING_ERROR | The client encountered an error in decoding the request. This message is returned from the SDK. |
85—LDAP_TIMEOUT | Client encountered the time out specified for the operation. This message is returned from the SDK. |
86—LDAP_AUTH_UNKNOWN | Authentication method is unknown to the client SDK. |
87—LDAP_FILTER_ERROR | Bad search filter |
88—LDAP_USER_CANCELLED | User cancelled operation |
89—LDAP_PARAM_ERROR | Bad parameter to an LDAP routine |
90—LDAP_NO_MEMORY | Out of memory |
Table K-2 lists additional directory server error messages and their causes. These messages do not display error codes.
Oracle Internet Directory replaces the <parameter> tag seen in some of the following messages with the appropriate runtime value.
Table K-2 Additional Error Messages
Error | Cause |
---|---|
%s attribute not found | The particular attribute type is not defined in the schema. |
<parameter> not found for attribute <parameter> | Value not found in the attribute. (ldapmodify) |
Admin domain does not contain schema information for objectclass <parameter> | The object class specified in the request is not present in the schema. |
Attempted to add a Class with oid <parameter> taken by other class | Duplicate object identifier specified. (schema modification) |
Attribute <parameter> already in use | Duplicate attribute name. (schema modification) |
Attribute <parameter> has syntax error. | Syntax error in the attribute name definition. (schema modification) |
Attribute <parameter> is not supported in the schema. | Attribute not defined. (all operations) |
Attribute <parameter> is single valued. | Attribute is single-valued. (ldapadd and ldapmodify) |
Attribute <parameter> not present in the entry. | This attribute does not exist in the entry. (ldapmodify) |
Bad attribute definition. | Syntax error in attribute definition. (schema modification) |
Currently Not Supported | The version of LDAP request is not supported by this server. |
Entry to be deleted not found. | DN specified in the delete operation not found. |
Entry to be modified not found | The entry specified in the request is not found. |
Error encountered while adding <parameter> to the entry | Returned when modify add operation is invoked. A possible cause is that the system resource is unavailable. |
Error encountered while encrypting an attribute value. | Error in encrypting user password. (all operations) |
Error in DN Normalization. | DN specified is invalid. Syntax error encountered in parsing the DN. (all operations) |
Error in hashing <parameter> attribute. | Error in creating hash entry for the attribute. (schema modification) |
Error in hashing <parameter> objectclass. | Error in creating hash entry for the objectclass. (schema modification) |
Error in Schema hash creation. | Error while creating hash table for schema. (schema modification) |
Error replacing <parameter>. | Error in replacing this attribute. (ldapmodify) |
Error while normalizing value for attribute <parameter>. | Error in normalizing value for the attribute. (all operations) |
Failed to find <parameter> in mandatory or optional attribute list. | Attribute specified does not exist in either the mandatory or optional attribute list as required by the object class(es). |
Function Not Implemented | The feature/request is currently not supported. |
INVALID ACI is <parameter> | The particular ACI you specified in a request is invalid. |
Mandatory attribute <parameter> is not defined in Admin Domain <parameter>. | MUST refers to attribute not defined. (schema modification) |
Mandatory Attribute missing. | The mandatory attribute for the particular entry is missing, as required by the particular object class. |
Matching rule, <parameter>, not defined. | Matching rule not defined in the server. (schema modification) |
MaxConn Reached | The maximum number of concurrent connections to the LDAP server has been reached. |
Modifying the Naming attribute for the entry without modifying the DN. | Cannot modify the naming attributes using ldapmodify. A naming attribute, such as cn, is an element in the DN. |
New Parent not found. | New parent specified in modifydn operation does not exist.(ldapmodifydn) |
Object already exists. | Duplicate entry. (ldapadd and ldapmodifydn) |
Object ID <parameter> already in use. | Duplicate object identifier specified. (schema modification) |
Objectclass <parameter> already in use. | Duplicate Objectclass name. (schema modification) |
Objectclass attribute missing. | The objectclass attribute is missing for this particular entry. |
OID <parameter> has syntax error. | syntax error in the object identifier definition. (schema modification) |
One of the attributes in the entry has duplicate value. | You entered two values for the same attribute in the entry you are creating. |
Operation not allowed on the <parameter>. | Operation not allowed on this entry. (modify, add, and delete) |
Operation not allowed on the DSE Entry. | Can't do this operation on DSE entry. (delete) |
Optional attribute <parameter> is not defined in Admin Domain <parameter>. | MAY refers to attribute not defined. (schema modification) |
Parent entry not found in the directory. | Parent entry does not exist. (ldapadd and perhaps ldapmodifydn) |
Super object <parameter> is not defined in Admin Domain <parameter>. | SUP types refer to non-existing class. (schema modification) |
Super type undefined. | SUP type does not exist. (schema modification) |
Super user addition not permitted. | Cannot create super user entry. (ldapadd) |
Syntax, <parameter>, not defined. | Syntax not defined in the server. (schema modification) |
The attribute or the value specified in the RDN does not exist in the entry. | AVA specified as the RDN does not exist in the entry. (ldapadd) |
Unknown search scope | The search scope specified in the LDAP request is not recognized. |
Version Not Supported | The version of the LDAP request is not supported by this server. |
Table K-3 contains the error messages sent to the client as a result of password policy violations. The error codes are not standard LDAP error codes. They are messages sent as a part of additional information in the LDAP result.
Table K-3 Password Policy Violation Error Messages
Error Number | Exception | Comment or Resolution |
---|---|---|
9000 | GSL_PWDEXPIRED_EXCP | User's password has expired. |
9001 | GSL_ACCOUNTLOCKED_EXCP | User account is locked. |
9002 | GSL_EXPIREWARNING_EXCP | User password will expire in pwdexpirewarning seconds. Please change your password now. |
9003 | GSL_PWDMINLENGTH_EXCP | User password is not the required number of characters long. |
9004 | GSL_PWDNUMERIC_EXCP | User password does not contain the required numeric characters. |
9005 | GSL_PWDNULL_EXCP | User password is a null password, which is disallowed. |
9006 | GSL_PWDINHISTORY_EXCP | User's new password is the same as the old one, which is disallowed. |
9007 | GSL_PWDILLEGALVALUE_EXCP | User password is the same as one of your orclpwdillegalvalues, which is disallowed. |
9008 | GSL_GRACELOGIN_EXCP | User password has expired. User has pwdgraceloginlimit grace logins left. |
9050 | GSL_ACCTDISABLED_EXCP | User account has been disabled. |
This section describes some of the potential problems with password policies and the corresponding solutions.
The pwdmaxage attributes of the password policies default to a time value of 60 days (5184000 seconds).
Use the oidpasswd utility to unlock the orcladmin account:
$ oidpasswd connect=asdb unlock_su_acct=true
OID DB user password:
OID super user account unlocked successfully.
This unlocks only the super user account, cn=orcladmin. Do not confuse this account with the realm-specific orcladmin account cn=orcladmin,cn=users,dc=xxxxx,dc=yyyyy. They are two separate accounts.
After you reset it, the super user account still cannot login to OracleAS Single Sign-On by using the orcladmin account until you perform the next step.
Launch the Oracle Directory Manager (must be a release 10g client) and navigate to Password Policy Management. You will see two entries: cn=PwdPolicyEntry and the password policy for your realm—for example, password_policy_entry,dc=acme,dc=com.
Edit each of these, changing the pwdmaxage attribute to an appropriate value (in seconds):
5184000 = 60 days (default)
7776000 = 90 days
10368000 = 120 days
15552000 = 180 days
31536000 = 1 year
Note: It is very important to change this value in both places.
Launch the Oracle Directory Manager and navigate to the realm-specific orcladmin account. Find the userpassword attribute and reset the value to something new. You should then be able to launch any Oracle component that uses OracleAS Single Sign-On and log in as orcladmin.
Rerun the odisrvreg utility to reset the randomly generated password for Directory Integration and Provisioning. For example:
$ odisrvreg -D cn=orcladmin -w welcome1 -p 3060
Already Registered...Updating DIS password...
DIS registration successful.
$
Launch Oracle Directory Manager, expand Server Management, select Integration Servers and reset the UserPassword field under the General tab of each active connector.
This section gives some quick pointers for common performance-related problems.
If LDAP search performance is poor, make sure that:
The schema associated with the ODS user is ANALYZED
For searches involving multiple filter operands, the order in which they are given goes from the most specific to the least specific. For example, &(uid=john.doe)(objectclass=person) is better than &(objectclass=person)(uid=john.doe).
If LDAP add or modify performance is poor, make sure that:
There are enough redo log files in the database
The undo tablespace in the database is large enough
The schema associated with the ODS user is ANALYZED
When estimating the statistics, you can use the OID Database Statistics Collection tool to analyze the various database ODS schema objects.
Both the tracing functionality described in "Using Debug Logging" and the database tracing event 10046 can assist you in diagnosing performance issues.
See Also: "OID Database Statistics Collection Tool (oidstats.sql) Syntax" for instructions on using the OID Database Statistics Collection tool; "Optimizing Searches" for instructions on optimizing searches; MetaLink note 243006.1 on Oracle MetaLink.
To troubleshoot starting and stopping the directory server, you must know the purpose of each tool involved, how all the tools work together, and the overall process for starting and stopping the server.
About the Tools for Starting, Stopping, and Restarting the Directory Server
There are two tools used to start, stop, and restart directory server instances: OID Control Utility (OIDCTL) and OID Monitor (OIDMON).
OIDCTL
When OIDCTL is executed, it connects to the database as user ODS. Depending on the options used in the command, it either inserts or updates rows in a table named ODS.ODS_PROCESS. If the START option is used, then a row is inserted. If either the STOP or RESTART option is used, then a row is updated.
The ODS.ODS_PROCESS table includes the following information:
instance: the unique number of the instance, any value between 0 and 1000
pid: the process identifier, which is updated by OIDMON when the process is started
state: the type of operation requested
The possible values for state are:
0=stop
1=start
2=running
3=restart
4=shutdown
5=failedover
Note: When OPMN is used to stop the directory server, the value for state is initially 4, that is, shutdown. However, once OPMN starts the directory server again, the state value becomes 2, that is, running.
OIDMON
To start, stop, or restart a directory server instance, OIDMON must be running. At specified intervals, this daemon checks the value of the state column in the ODS.ODS_PROCESS table.
If state=0, then it reads the pid and stops the process.
If state=1 or state=4, then it starts a new process and updates the pid column with a new process identifier.
If state=2, then it reads the pid and verifies that the process with that pid is running. If it is not running, then OIDMON starts a new process and updates the pid column with a new process identifier.
If state=3, then OIDMON reads the pid, stops the process, starts a new one, and updates the pid accordingly.
ODS.ODS_PROCESS table. If OIDMON is running on a node in a RAC or rack configuration, it retries 100 times.
In short, OIDCTL inserts and updates state information in the rows of the ODS.ODS_PROCESS table. OIDMON then reads that information and performs the specified task.
About the Processes Involved in Starting, Stopping, and Restarting the Directory Server
Starting, stopping and restarting the directory server involves a number of processes. OIDMON is one process. On UNIX, it is called oidmon. In a Microsoft Windows environment, it is called oidmon.exe.
To start an instance, OIDMON checks the unique number in the instance column mentioned in the previous section. It then starts another process, namely, the listener/dispatcher, which is different from the Oracle Net Services listener process. It stores the process identifier for that new process in the pid column.
The listener/dispatcher, in turn, starts a number of server processes as defined in the configuration set entry. Note that these server processes are controlled by the listener/dispatcher and not by OIDMON. If one of these processes fails, then it is automatically restarted by the listener/dispatcher.
Together, the listener/dispatcher and the server processes constitute a directory server instance. On UNIX, this directory server instance is called oidldapd. On Microsoft Windows, it is called oidldapd.exe.
In short, there are at least three processes: one for OIDMON and at least two for the directory server itself. When all processes are running, you should see something like the following on UNIX computers:
% ps -ef|grep oid
root 12387 12381 0 Mar 28 ? 0:05 oidldapd -i 1 -conf 0 key=811436710
root 12381     1 0 Mar 28 ? 0:10 oidmon start
root 13297     1 0 Mar 28 ? 0:14 oidldapd
Another way to obtain server information is by running ldapcheck. When you do this, you may see something like this:
Checking Oracle Internet Directory Processes ...
Process oidmon is Alive as PID 12381
Process oidldapd is Alive as PID 12387
Process oidldapd is Alive as PID 13297
Not Running ---- Process oidrepld
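The polling rules for OIDMON and the process layout shown in the ps and ldapcheck output are easy to misread when a pid in ODS.ODS_PROCESS is stale. The following is an added example (not Oracle code): it parses a constructed ps -ef listing in the layout above, classifies the oid* processes, and applies the state rules to constructed ODS_PROCESS rows to show what OIDMON would do on one pass. Two points are assumptions because the text does not state them: a state=5 (failedover) row is left alone, and a stopped row is left as is rather than cleared.

```python
"""OIDMON polling pass over ODS.ODS_PROCESS, modelled from the rules above.

Added example, not Oracle code. The ps listing and the rows are constructed;
handling of state 5 and of the row after a stop are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# state column values listed in the text
STOP, START, RUNNING, RESTART, SHUTDOWN, FAILEDOVER = 0, 1, 2, 3, 4, 5


@dataclass
class ProcessRow:
    instance: int           # 0..1000, chosen by OIDCTL
    pid: Optional[int]      # filled in by OIDMON when it starts the process
    state: int


# Constructed listing in the same layout as the ps -ef output shown above.
SAMPLE_PS = """\
root 12387 12381 0 Mar 28 ? 0:05 oidldapd -i 1 -conf 0 key=811436710
root 12381     1 0 Mar 28 ? 0:10 oidmon start
root 13297     1 0 Mar 28 ? 0:14 oidldapd
"""


def parse_ps(listing: str) -> Dict[int, Tuple[int, List[str]]]:
    """Return {pid: (ppid, argv)} for every oid* process in a ps -ef listing."""
    procs: Dict[int, Tuple[int, List[str]]] = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[1].isdigit():
            continue
        # STIME may be one or two fields ("Mar 28"), so the command column is
        # found as the first field naming an oid* binary rather than by index
        start = next((i for i in range(4, len(fields)) if fields[i].startswith("oid")), None)
        if start is None:
            continue
        procs[int(fields[1])] = (int(fields[2]), fields[start:])
    return procs


def classify(procs):
    """Split the listing into oidmon pids, listener/dispatcher pids by instance, and server pids."""
    oidmon, dispatchers, servers = [], {}, []
    for pid, (_ppid, argv) in procs.items():
        if argv[0] == "oidmon":
            oidmon.append(pid)
        elif argv[0] == "oidldapd" and "-i" in argv:
            dispatchers[int(argv[argv.index("-i") + 1])] = pid   # oidldapd -i N -conf M ...
        elif argv[0] == "oidldapd":
            servers.append(pid)
    return oidmon, dispatchers, servers


def oidmon_action(row: ProcessRow, live_pids) -> str:
    """Decide what OIDMON does with one row on a polling pass (rules from the text)."""
    if row.state == STOP:
        return "stop"
    if row.state in (START, SHUTDOWN):
        return "start"
    if row.state == RUNNING:
        return "none" if row.pid in live_pids else "start"   # dead pid: start a replacement
    if row.state == RESTART:
        return "restart"
    return "none"   # FAILEDOVER: assumed to belong to the node that took the instance over


def oidmon_pass(rows, live_pids, spawn: Callable[[int], int]) -> List[str]:
    """Apply one pass; spawn(instance) stands in for starting a listener/dispatcher and returns its pid."""
    log = []
    for row in rows:
        action = oidmon_action(row, live_pids)
        if action in ("stop", "restart"):
            log.append(f"instance {row.instance}: stop pid {row.pid}")   # row left as is (assumption)
        if action in ("start", "restart"):
            row.pid = spawn(row.instance)
            row.state = RUNNING          # per the Note above, state becomes 2 once the server is up
            log.append(f"instance {row.instance}: start pid {row.pid}")
        if action == "none":
            log.append(f"instance {row.instance}: ok (pid {row.pid})")
    return log


def minimum_process_check(listing: str) -> bool:
    """True when the 'at least three processes' condition from the text holds."""
    oidmon, dispatchers, servers = classify(parse_ps(listing))
    return len(oidmon) == 1 and len(dispatchers) + len(servers) >= 2


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    rows = [ProcessRow(1, 12387, RUNNING), ProcessRow(2, 40001, RUNNING), ProcessRow(3, None, START)]
    next_pid = iter(range(50000, 50100))
    for entry in oidmon_pass(rows, set(procs), lambda inst: next(next_pid)):
        print(entry)
```

Instance 2 in the sample has a pid that is not in the listing, so the pass starts a replacement for it exactly as the state=2 rule describes; that is the case to look for when a row says running but ldapcheck reports nothing alive.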
Possible Problems when Starting, Stopping, or Restarting the Directory Server
See Oracle MetaLink, http://metalink.oracle.com.
ORACLE_HOME as OIDCTL. Log in as ODS/ods_password@tns_alias, where tns_alias is the same as that used in the connect option with OIDCTL. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.
DIRECTORY_SERVERS parameter in the file ldap.ora is different from that specified in NAMES.DIRECTORY_PATH in the file sqlnet.ora. Both of these files are found in ORACLE_HOME/network/admin. If everything is working correctly, then selecting from ODS.ODS_PROCESS retrieves rows with the state values described in "OIDCTL". See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.
The oidldapd file is missing: in oidmon.log, look for the message No such file or directory. To correct the problem, replace the executable file.
In oidmon.log, look for the message Permission denied or Open Wallet failed. This happens if you are not running either as root or as the user who is in the dba group. To correct the problem, try again as the correct user.
In oidldapdXX.log, where XX is the server instance number, look for the message: Bind failed on... This indicates that the port that oidldapd is configured to listen on is in use by some other process. To see whether the port is bound, type:
netstat -a | grep portNum
netstat -a shows the socket but not its owner; to identify the process, use a platform-specific option such as netstat -p on Linux or lsof -i :portNum. If necessary, reconfigure the other process to use a different port, or configure oidldapd to listen on another port by adding a configset. Remember that, by default, oidldapd listens on two ports, an SSL port and a non-SSL port.
In oidmon.log, look for the message: gslsgfrPushServer: Could not start server on NodeA, trying to start on node NodeB. To correct this problem, you must first determine why OIDMON cannot start the server on the local node.
Check oidmon.log, oidsrv.log, oidldapdxx.log, where xx is the server instance number, and oidrepdxx.log, where xx is the Oracle directory integration and provisioning server instance number, for details about the problem.
OIDMON starts oidldapd on both nodes, but then initiates failover due to a time stamp difference. In oidmon.log on the node with the missing row, look for the message: Successfully failed over from NodeA to NodeB. On the other node, you will see an extra oidldapd. To correct the problem, adjust the system time on all nodes so that they are all within 250 seconds of one another.
Check oidldapdxx.log, where xx is the instance number, and oidldapdxxsyy.log, where xx is the instance number and yy is the process identifier. If the trace files do not give useful information or pointers to Oracle MetaLink documents, then do the following: (1) Stop the directory server processes; (2) Remove or rename old trace files; (3) Start OIDMON and a directory server with maximum debug level, namely, 11744051. Note that, to get the trace files, you must first stop, then start, the server; you cannot simply restart it. Investigate the new trace files, and, if needed, log an iTAR with Oracle Support Services and upload the trace files to the iTAR. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.
See Also: "How Failover Works in an Oracle Application Server Cluster (Identity Management) Environment" for more information on failover.
See Oracle MetaLink, http://metalink.oracle.com.
Use the stop option of OIDCTL to stop the specified instance. See Oracle MetaLink note 155790.1, on Oracle MetaLink, http://metalink.oracle.com.
Use oidctl to start the server with different configuration values, overriding any defined configuration sets except for the values in configset0. Do not modify configset0, because this technique relies on its minimal, default contents.
To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.
This section discusses directory replication problems.
Whenever you investigate a replication problem, be sure to consult the log files $ORACLE_HOME/ldap/oidrepld00.log and oidldapdxx.log for information. The replication server supports multiple debugging levels. To turn on replication debugging, specify the -d decimal_debug_level flag when you start the server. For example:
oidctl server=oidrepld connect=connect_string instance=instance_number \
flags="-h host -p port -d decimal_debug_level"
Note: Turning on debugging will affect replication performance.
See Also: Chapter 10, "Logging, Auditing, and Monitoring the Directory" for more information about debugging.
oidctl syntax:
oidctl server=oidrepld connect=connect_string instance=instance_number \
flags="-h host -p port"
orclreplicaprimaryurl or the orclreplicasecondaryurl attribute of the Replica entry, but Oracle Internet Directory is running at a different host or port.
Update the orclreplicasecondaryurl attribute of the replica entry, as follows:
Prepare a modification file, mod.ldif. For example, to change to host my.us.oracle.com and port 4444, you would specify:
dn: orclreplicaid=replica_ID, cn=replication configuration
changetype: modify
add: orclreplicasecondaryurl
orclreplicasecondaryurl: ldap://my.us.oracle.com:4444/
Type:
ldapmodify -h host -p port -f mod.ldif
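Both the pwdmaxage change earlier in this appendix (which must be applied to cn=PwdPolicyEntry and to the realm policy entry) and the orclreplicasecondaryurl change above are LDIF modify records fed to ldapmodify -f. The following is an added example, not Oracle code, of building such records correctly: values are base64-encoded when RFC 2849 forbids the plain form (leading space, ':' or '<', trailing space, non-ASCII or control characters), long lines are folded, and each change is terminated with "-". It uses replace rather than the add shown above so that a stale URL is overwritten instead of gaining a second value; the realm policy DN passed in is a placeholder, not a documented DN.

```python
"""LDIF modify records for the pwdmaxage and orclreplicasecondaryurl changes.

Added example, not Oracle code. Realm policy DNs passed in are placeholders.
"""
import base64

# RFC 2849: a value may be written plainly only if it starts with a safe
# initial character, contains only printable ASCII, and does not end in a space
SAFE_INIT = {chr(c) for c in range(0x21, 0x7F)} - {":", "<"}
SAFE_CHAR = {chr(c) for c in range(0x20, 0x7F)}


def encode_value(attr: str, value: str) -> str:
    """Return 'attr: value', or 'attr:: base64' when the plain form is not allowed."""
    plain = (value != "" and value[0] in SAFE_INIT
             and all(ch in SAFE_CHAR for ch in value) and not value.endswith(" "))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def fold(line: str, width: int = 76) -> str:
    """Fold a line at `width` columns; continuation lines start with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_modify(dn: str, changes) -> str:
    """changes: [(op, attr, values)] with op in add/replace/delete; delete with [] drops the attribute."""
    lines = [encode_value("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify op {op!r}")
        lines.append(f"{op}: {attr}")
        lines.extend(encode_value(attr, v) for v in values)
        lines.append("-")                       # each change in a modify record ends with "-"
    return "\n".join(fold(line) for line in lines) + "\n"


def pwdmaxage_ldif(realm_policy_dn: str, days: int) -> str:
    """One file that sets pwdmaxage (in seconds) on both policy entries, as the Note requires."""
    seconds = days * 24 * 60 * 60               # 60 days -> 5184000, the default given above
    return "\n".join(ldif_modify(dn, [("replace", "pwdmaxage", [str(seconds)])])
                     for dn in ("cn=PwdPolicyEntry", realm_policy_dn))


def secondary_url_ldif(replica_id: str, host: str, port: int) -> str:
    """Modify record for orclreplicasecondaryurl; replace overwrites a stale value (add would append)."""
    return ldif_modify(f"orclreplicaid={replica_id},cn=replication configuration",
                       [("replace", "orclreplicasecondaryurl", [f"ldap://{host}:{port}/"])])


if __name__ == "__main__":
    # "password_policy_entry,dc=acme,dc=com" is the placeholder used in the text above
    print(pwdmaxage_ldif("password_policy_entry,dc=acme,dc=com", 90))
    print(secondary_url_ldif("replica_ID", "my.us.oracle.com", 4444))
```

Write the output to a file and load it with ldapmodify -h host -p port -f file as in the step above; because both policy records are in one file, the "change it in both places" requirement cannot be half-applied by accident.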
The ReplBind credential in the replication wallet $ORACLE_HOME/ldap/admin/oidrORACLE_SID is corrupt or invalid. This causes the replication bind to fail and the replication server to exit with an error.
Use remtool to fix the replication bind credential in the replication wallet or to synchronize between Oracle Internet Directory and the replication wallet:
remtool -pchgpwd changes the password of the replication dn of a replica.
remtool -presetpwd resets the password of the replication dn of a replica.
remtool -pchgwalpwd changes the password of the replication dn of a replica only in the wallet.
Use the oidreconcile tool to reconcile them. Then resume replication by setting the consumer's replica state to ONLINE mode.
In oidldapdxx.log, look for error messages like those in the following example:
2004/09/14:12:57:23 * Starting OIDREPLD against dlsun1418:4444...
2004/09/14:12:57:25 * Starting scheduler...
2004/09/14:12:57:26 * Start to BootStrap from supplier=dlsun1418_replica to consumer=dlsun1418_replica2
2004/09/14:12:57:27 * gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext ......
2004/09/14:12:58:21 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oraclecontext, 222 entries matched
2004/09/14:12:58:21 * gslrbssSyncDIT:Replicating namingcontext=cn=joe smith ......
2004/09/14:12:58:23 * BootStrap failure when adding DN=cn=Joe Smith, server=dlsun1418_replica2,err=Constraint violation.
2004/09/14:12:58:23 * gslrbssSyncDIT:Sync failed for namingctx: cn=joe smith, only 1 entries retrieved
2004/09/14:12:58:23 * gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ......
2004/09/14:12:58:25 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oracleschemaversion, 10 entries matched
2004/09/14:12:58:51 * gslrbsbBootStrap: Failure occured when bootstrapping 1 out of 3 namingcontext(s) from the supplier
Identify the cause of the bootstrap failure and fix it. You can identify the naming contexts that caused the problem, then use oidreconcile
to compare and reconcile the naming contexts. Once you have resolved the problem, start bootstrapping again by starting the Oracle Internet Directory replication server.
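On a large DIT the bootstrap log runs to thousands of lines, and the per-entry "BootStrap failure" lines are what tell you which entries to hand to oidreconcile. The following is an added example, not Oracle code, that reduces a log in the format of the excerpt above to a per-naming-context report and checks that the final tally agrees with the individual Sync lines. The log text embedded below is constructed from that excerpt; the message formats it matches are the ones visible there and nothing more.

```python
"""Summarise an OIDREPLD bootstrap log like the excerpt above.

Added example, not Oracle code. The sample log is constructed from the excerpt.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
2004/09/14:12:57:23 * Starting OIDREPLD against dlsun1418:4444...
2004/09/14:12:57:25 * Starting scheduler...
2004/09/14:12:57:26 * Start to BootStrap from supplier=dlsun1418_replica to consumer=dlsun1418_replica2
2004/09/14:12:57:27 * gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext ......
2004/09/14:12:58:21 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oraclecontext, 222 entries matched
2004/09/14:12:58:21 * gslrbssSyncDIT:Replicating namingcontext=cn=joe smith ......
2004/09/14:12:58:23 * BootStrap failure when adding DN=cn=Joe Smith, server=dlsun1418_replica2,err=Constraint violation.
2004/09/14:12:58:23 * gslrbssSyncDIT:Sync failed for namingctx: cn=joe smith, only 1 entries retrieved
2004/09/14:12:58:23 * gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ......
2004/09/14:12:58:25 * gslrbssSyncDIT:Sync done successfully for namingctx: cn=oracleschemaversion, 10 entries matched
2004/09/14:12:58:51 * gslrbsbBootStrap: Failure occured when bootstrapping 1 out of 3 namingcontext(s) from the supplier
"""

# line shapes taken from the excerpt: "<timestamp> * <message>"
LINE = re.compile(r"^(\d{4}/\d{2}/\d{2}:\d{2}:\d{2}:\d{2}) \* (.*)$")
CONTEXT = re.compile(r"Replicating namingcontext=(.+?)\s*\.{3,}\s*$")
SYNC_OK = re.compile(r"Sync done successfully for namingctx: (.+?), (\d+) entries matched")
SYNC_FAIL = re.compile(r"Sync failed for namingctx: (.+?), only (\d+) entries retrieved")
ADD_FAIL = re.compile(r"BootStrap failure when adding DN=(.+?), server=(.+?),err=(.+?)\.?$")
SUMMARY = re.compile(r"Failure occured when bootstrapping (\d+) out of (\d+) namingcontext\(s\)")


def summarise_bootstrap(log: str) -> dict:
    """Return which naming contexts bootstrapped, which failed and on which entries."""
    ok: Dict[str, int] = {}
    failed: Dict[str, int] = {}
    errors: Dict[str, List[Tuple[str, str]]] = {}   # context -> [(dn, error)]
    current: Optional[str] = None                    # context being replicated right now
    summary: Optional[Tuple[int, int]] = None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        c = CONTEXT.search(msg)
        if c:
            current = c.group(1).lower()   # the entry DN is logged in a different case later
            continue
        o = SYNC_OK.search(msg)
        if o:
            ok[o.group(1).lower()] = int(o.group(2))
            continue
        f = SYNC_FAIL.search(msg)
        if f:
            failed[f.group(1).lower()] = int(f.group(2))
            continue
        a = ADD_FAIL.search(msg)
        if a and current:
            dn, _server, err = a.groups()
            errors.setdefault(current, []).append((dn, err))
            continue
        s = SUMMARY.search(msg)
        if s:
            summary = (int(s.group(1)), int(s.group(2)))
    report = {
        "ok": ok,
        "failed": {ctx: {"entries": n, "errors": errors.get(ctx, [])} for ctx, n in failed.items()},
        "summary": summary,
    }
    # the closing tally should agree with the per-context lines; if not, the log is truncated
    report["consistent"] = summary is not None and summary == (len(failed), len(ok) + len(failed))
    return report


if __name__ == "__main__":
    r = summarise_bootstrap(SAMPLE_LOG)
    for ctx, info in r["failed"].items():
        print(ctx, info["entries"], "entries;", info["errors"])
    print("summary", r["summary"], "consistent", r["consistent"])
```

The failed-context list is the input to oidreconcile; a "consistent" value of False means the log ends before the closing tally, so the run should be repeated with debugging on before drawing conclusions.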
remtool ensures that the Oracle Internet Directory schema on the consumer replica is synchronized with that on the supplier replica.
If you are debugging LDAP replication, you should become familiar with the LDAP replica states. If LDAP-based replication is configured, when the replication server starts, it reads the replica state from the local replica. The replication server behaves differently, depending upon the local replica state. LDAP replication errors appear in oidldapdxx.log.
OCI Error ORA-1653 : ORA-01653: unable to extend table ODS.ASR_CHG_LOG by 8192 in tablespace OLTS_DEFAULT
Extend the tablespace and investigate why the tablespace keeps growing.
For multi-master Oracle Database Advanced Replication, use remtool to diagnose and fix problems:
remtool -asrverify verifies the correctness of a DRG setup and reports problems.
remtool -asrrectify verifies the correctness of a DRG setup, reports problems, and attempts to rectify the problems.
Check the replication log and LDAP log for error messages and fix the cause of the error after investigation.
The following notes on Oracle MetaLink, http://metalink.oracle.com, may help:
Note 171693.1, "Resolving Conflicts"
Note 122039.1, "Troubleshooting Basics for Advanced Replication"
Note 213910.1, "Debugging OID Replication when ASR_CHG_LOG Never Gets Populated."
You can search for Oracle MetaLink notes by entering a term such as "replication" into the search box.
This section discusses possible problems when configuring SSL. See Oracle MetaLink, http://metalink.oracle.com. Also see the SSL section of the tutorial "Getting Started with Oracle Internet Directory" at http://www.oracle.com/technology/obe/obe_as_10g.
This section discusses possible problems you might encounter with change log garbage collection.
Some subscribers have not updated orclLastAppliedChangeNumber in their subscriber profiles.
Check the value of orclLastAppliedChangeNumber in all subscriber profiles by typing:
ldapsearch -v -p port -h host -D cn=orcladmin -w password \
-b "cn=changelog subscriber,cn=oracle internet directory" \
-s sub "objectclass=orclchangesubscriber" \
orcllastappliedchangenumber orclsubscriberdisable
Look for an entry that has orclSubscriberDisabled equal to zero and an orclLastAppliedChangeNumber value that never changes. If such an entry exists, and the change log garbage collector's orclpurgetargetage is not NULL, delete the value of orclpurgetargetage. When orclpurgetargetage is NULL, the garbage collector purges changes applied by the replication server, even if another subscriber has not updated its orclLastAppliedChangeNumber.
Table K-4 lists and describes the error messages for dynamic password verifiers.
Table K-4 Error Messages for Dynamic Password Verifiers
Error Code | Description |
---|---|
9022 | A reversible encrypted password is missing from the user entry. |
9023 | The crypto type specified in the LDAP request control is not supported. |
9024 | The username parameter is missing from the LDAP request control. |
If the directory is able to compare verifiers, and the comparison evaluates as false, the directory sends the standard error LDAP_COMPARE_FALSE to the client. Similarly, if the user being authenticated lacks a directory entry, the directory sends the standard error LDAP_NO_SUCH_OBJECT.
The Oracle Internet Directory server has two password wallets: oidpwdlldap1 and oidpwdrSID.
The oidpwdlldap1
file contains the DN and password of an ODS user in encrypted format. The Oracle Internet Directory server uses the credential to connect to the backend database at startup time.
oidctl or opmn fails to start an Oracle Internet Directory server instance.
The oidpwdlldap1 wallet is not synchronized with the ODS password in the backend database.
Check that you can connect as ODS with the sqlplus command:
sqlplus ods/ods_password@connect_string
If the connection succeeds, synchronize the password in the wallet with the ODS password by using the oidpasswd tool to create a new wallet with the correct password. For example:
>> oidpasswd connect=connect_string create_wallet=true
If the connection attempt fails, you must log in to the backend database as a database administrator and change the ODS password by using the SQL command:
>> alter user ods identified by some_new_password
Then create a new oidpwdlldap1 wallet to store the new password.
The oidpwdrSID file contains the DN and password of a replica DN in an encrypted format. The Oracle Internet Directory replication server uses the credential to connect to the Oracle Internet Directory server at startup time.
This is an example of a replication password wallet, oidpwdrSID:
/------BEGIN REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_adeldap,cn=replication configuration-----
ezNkZXMtY2JjLXBrY3M1cGFkfQUnaz0TsfzcP0nM1HcHAXchf5mJw+sb4y0bLvvw3RvSg7HS7/WsKJB02fdSGRlmfWAV+6llkRQ26g==
-----END REPL CREDENTIAL:cn=replication dn,orclreplicaid=qdinh-sun_adeldap,cn=replication configuration-----/
oidctl or opmn fails to start an Oracle Internet Directory server instance, and the replication server log file oidrepld00.log reports that it is not able to bind.
oidpwdrSID is not synchronized with the replica DN password in the Oracle Internet Directory server.
Check the replica DN password with the ldapbind command. Specify the replica DN stored in oidpwdrSID and the replica DN password. For example:
>> ldapbind -h host -p port -D "cn=replication dn,orclreplicaid=qdinh-sun_adeldap, cn=replication configuration" -w replica_dn_password
If the connection succeeds, then you can reset the password in the oidpwdrSID wallet using remtool with the option -pchgwalpwd, which changes the password of the replication DN of a replica only in the wallet. If you do not remember the replication DN password, then you can reset it using remtool with the option -presetpwd, which resets the password of the replication DN of a replica.
After resetting the replication password wallet, restart the replication server instance using opmnctl or oidctl.
You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.
See Also: Oracle Application Server Release Notes, available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html