Microsoft AD and OID synchronization not happening
The support team reported an issue where some of the new users created in AD (Active Directory) were not flowing through to OID (Oracle Internet Directory).
I started looking into the issue by checking the OID synchronization service (the odisrv process).
I logged into the infra tier and ran the following command:
$ $ORACLE_HOME/ldap/bin/ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 30596
Process oidldapd is Alive as PID 30603
Process oidldapd is Alive as PID 30609
Not Running ---- Process oidrepld
Process odisrv is Alive as PID 17381
I then checked the LDAP synchronization log ($ORACLE_HOME/ldap/oid/log/_.aud),
which showed that the last successful synchronization had happened on 23rd Feb 2015.
No errors were seen in the LDAP trace file, the odisrv log or the oidmon log.
I then looked at the highestCommittedUSN on the AD side:
$ ldapsearch -h -b "" -s base "objectclass=*" highestcommittedusn
highestCommittedUSN=464557938
and searched for the last applied change number (the highest committed USN OID has processed) stored in the DIP profile:
$ ldapsearch -h -p -D "cn=orcladmin" -w -b "cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*" > /tmp/PROD_DIP_Profile.txt
$ grep -i "orclodipcondirlastappliedchgnum" /tmp/PROD_DIP_Profile.txt
orclodipcondirlastappliedchgnum=0
orclodipcondirlastappliedchgnum=455736457
orclodipcondirlastappliedchgnum=0
orclodipcondirlastappliedchgnum=0
orclodipcondirlastappliedchgnum=0
orclodipcondirlastappliedchgnum=0
orclodipcondirlastappliedchgnum=0
orclodipcondirlastappliedchgnum=0
So there was a huge difference between the highestCommittedUSN in AD (464557938) and the last applied change number recorded in the DIP profile (455736457).
This is why synchronization had stopped.
I followed the steps below to make synchronization work again.
1) Stop the odisrv process
$ oidctl connect= server=odisrv instance=1 stop
2) Disable the DIP profile
– Set the DISPLAY variable
– Open a VNC session and run the command below
$ORACLE_HOME/bin/oidadmin
Log in to the OID console as user "cn=orcladmin"
Go to Integration Server
Select the profile, which should be named something like <OID_SID>_PortalImport
Edit it and set it to "Disable"
You can verify this by running the command below on the Infra node:
ldapsearch -h [oid_hostname with fully qualified domain] -p 389 -D "cn=orcladmin" -w -b "orclodipAgentName=xxxx_PortalImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipagentcontrol
3) Update the highest committed USN in the DIP profile with the value obtained from AD
— Edit the same profile again and go to the 'Status' tab
— Update the value of "Last Applied Change Number" with the highestCommittedUSN obtained above from AD
4) Enable the profile again
— Edit the profile and set it to "Enable"
5) Move the old odisrv log, oidmon log and synchronization logs ($ORACLE_INFRA_HOME/ldap/oid/log/*.aud and *.trc) out of the way
6) Start the odisrv process
$ oidctl connect=[tns_alias] server=odisrv instance=1 configset=1 flags="host=[oid_hostname with fully qualified domain] port=389" start
7) Run the "ldapcheck" command to confirm that the odisrv process is up
$ORACLE_HOME/ldap/bin/ldapcheck
Process oidmon is Alive as PID 28339
Process oidldapd is Alive as PID 28347
Process oidldapd is Alive as PID 28361
Not Running ---- Process oidrepld
Process odisrv is Alive as PID 28348
Searching again for the highestCommittedUSN in AD and the last applied change number in the DIP profile now shows matching values.
This resolved the issue and synchronization resumed between Microsoft AD and OID.
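As an added example (not code from the original post), the check below reads the two ldapsearch outputs shown above, the AD root DSE and the DIP profile dump, and reports how far each profile's orclodipcondirlastappliedchgnum trails highestCommittedUSN, so a gap like the one found here can be flagged before users notice missing accounts. The sample output, the profile names and the lag threshold are constructed assumptions.

```python
import re

# Constructed sample of ldapsearch output against the AD root DSE (not real data).
AD_ROOTDSE = "highestCommittedUSN=464557938\n"
# Constructed sample in the format of the DIP profile dump, reduced to the attributes needed.
DIP_DUMP = """\
orclodipAgentName=PROD_PortalImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipagentname=PROD_PortalImport
orclodipagentcontrol=ENABLE
orclodipcondirlastappliedchgnum=455736457

orclodipAgentName=OldExport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipagentname=OldExport
orclodipagentcontrol=DISABLE
orclodipcondirlastappliedchgnum=0
"""

def parse_entries(text):
    """Oracle ldapsearch output: DN line, then attr=value lines; blank line between entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        attrs = {}
        for line in lines[1:]:
            name, _, value = line.partition("=")
            attrs.setdefault(name.lower(), []).append(value)
        if lines:
            entries.append((lines[0], attrs))
    return entries

def ad_highest_usn(rootdse_text):
    """Extract highestCommittedUSN from the AD root DSE search output (None if absent)."""
    match = re.search(r"(?im)^highestcommittedusn=(\d+)\s*$", rootdse_text)
    return int(match.group(1)) if match else None

def profile_lag(dip_text, ad_usn):
    """Map profile name -> (enabled, last applied change number, lag behind AD)."""
    report = {}
    for dn, attrs in parse_entries(dip_text):
        if "orclodipcondirlastappliedchgnum" not in attrs:
            continue
        name = attrs.get("orclodipagentname", [dn])[0]
        last_applied = int(attrs["orclodipcondirlastappliedchgnum"][0])
        enabled = attrs.get("orclodipagentcontrol", [""])[0].upper() == "ENABLE"
        report[name] = (enabled, last_applied, ad_usn - last_applied)
    return report

def stalled_profiles(report, max_lag):
    """Enabled profiles trailing AD by more than max_lag (an assumed site-specific threshold)."""
    return sorted(n for n, (on, _, lag) in report.items() if on and lag > max_lag)
```

Some lag is normal because AD's USN advances on every directory write, so set max_lag from what a healthy sync interval produces at your site rather than expecting zero.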
How to change the "orcladmin" user password when it has expired
- Go to $ORACLE_HOME/bin (Infra Home)
- Make sure a VNC process is running and the DISPLAY variable points to the VNC port
- export DISPLAY=<server_name>:<port_no>
- Invoke the oidadmin script
- $ ./oidadmin
- Now log in to the GUI (on VNC) with the following credentials
- User = "cn=orcladmin"
- Password = by default the same as that of "ias_admin"
- Once logged in, navigate as below
- Entry Management
- cn=OracleContext
- dc=com
- dc=abc <domain_name>
- cn=Users
- cn=<orcladmin>
- cn=OracleContext
- Click on cn=<orcladmin>
- Scroll to the bottom in “Properties” tab
- Look for the attribute “userpassword”
- Update the value with the password and then click on “Apply”
Deleting duplicate users in Oracle Portal
In one of our PROD applications (Oracle Portal), a user reported that he was not able to log in and was getting a strange error message. While troubleshooting, it was found that this was caused by a duplicate user entry in OID.
How to remove the duplicate user from Oracle portal
Step 1: Log in to Portal using the 'orcladmin' account and query the problematic user; you will see 2 entries for the same user
Step 2: Log in to the OID database using the 'portal' user
a) Query the wwsec_person$ table – this table is populated ONLY when the user logs in to the portal
b) DELETE the entry from the wwsec_person$ table. If there is an error while deleting the user, disable the triggers below, delete the record and then enable the triggers again
-portal.wwsec_pers_brd_trg
-portal.wwsec_pers_ard_trg
Step 3: Remove the entry from LDAP using the ldapdelete command
-ldapdelete -h -D "cn=orcladmin" -w -p -v ""
Step 4: Confirm by running the ldapsearch command on the Infra tier
-ldapsearch -h -p -D "cn=orcladmin" -w -b "" -s base "objectclass=*" orclobjectguid
The user must now be synchronized with OID again. This can be verified from the LDAP log.