Thread: AD-OID Synchronization Not Executed Yet


Replies: 17 - Pages: 2 - Last Post: Sep 12, 2008 10:42 AM - Last Post By: user650447
janet.darnell@g...

Posts: 4
Registered: 03/16/04
AD-OID Synchronization Not Executed Yet
Posted: Aug 31, 2004 9:04 AM
Have configured and uploaded mapping file for import from AD to OID. Have successfully bootstrapped - AD users now appear in OID. However, synchronization is still not executing successfully.

Have followed the training material steps - need help to correct and start synchronization. Any suggestions - please send to Janet.Darnell@gdc4s.com.
jtomlins

Posts: 58
Registered: 01/10/01
Re: AD-OID Synchronization Not Executed Yet
Posted: Aug 31, 2004 12:58 PM   in response to: janet.darnell@g...
Hi Janet

Take a look at the trace files. They are located in your $ORACLE_HOME/ldap/odi/log

You should see a file that contains the name of your agent profile with a .trc extension.

Example:

ActiveChgImp.trc

Do a tail on this log to see if there are any error messages.

Typically when I see the problem you are having, it's usually that the DIP server is unable to connect to the AD server.

Things to look for:

Verify you are using the correct port number for AD
Verify you have the correct FQDN or IP address for the AD server
Verify the Connected Directory Account and password are correct.
Verify you have enabled the Agent profile
Verify there are changes in AD that need to be synced. It is possible that after you bootstrapped AD to OID that there have been no changes yet made.
Verify you have started the odisrv server process for configset1

Jay
heinrich.geiger...

Posts: 13
Registered: 07/12/04
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 8, 2004 12:32 AM   in response to: jtomlins
Hi John,

I have the same problem. I could bootstrap all the users from AD to OID. But the status of my "ActiveChgImport" profile says "Not executed yet".

So, how can I verify the status of "odisrv"? Or what can I do to make sure it is running?

Thanks and regards.

Heinrich
jtomlins

Posts: 58
Registered: 01/10/01
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 8, 2004 8:36 AM   in response to: heinrich.geiger...
Hi Geiger

First let's check a few obvious things. If you are checking the status of your Agent by using the Oracle Directory Manager (ODM), remember that this is a Java tool that takes a snapshot of your status. Each time you want to check the status you need to click the refresh button while you have your agent profile highlighted.

Another thing you can check would be to perform a simple ldapbind test. Assuming that the user you are using to connect to AD has the proper permissions to read the AD changelogs, try this ldapbind command:

ldapbind -p <AD_port_num> -h <AD_FQDN> -D "administrator@acme.com" -w admin_password

Substitute the name of the admin user for the "-D" option. If you are able to connect successfully you will get a message back that reads "bind successful".

The way you start your odisrv server process is as follows:

oidctl connect=iasdb server=odisrv instance=1 configset=1 flags="port=3130 debug=63" start

Notice that I used the "debug" flag. Also, substitute your own DB connect string for the "connect" parameter. This will record any error messages in the trace files that will help you troubleshoot any problems with your agent profile. While your agent profile is running, monitor the "ActiveChgImp.trc" trace file that should be in your $ORACLE_HOME/ldap/odi/log directory. If your odisrv server process for configset=1 is running and you started it with the debug flag of 63 you should see all of the details in the trace file concerning why your agent profile has not started to sync.

Have you seen this training collateral?

http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics01.htm

Jay
heinrich.geiger...

Posts: 13
Registered: 07/12/04
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 13, 2004 12:37 AM   in response to: jtomlins
Hi John,

thank you for the help. Now it is running, but I get dubious messages in the trace log, like this:

Exception Modifying Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'CN=Bopp\, Andr?,OU=ADP1,OU=ADP,ou=administration,ou=stuttgart,dc=vi,dc=vector,dc=int'
[LDAP: error code 50 - Insufficient Access Rights]
Exception creating Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'CN=Bopp\, Andr?,OU=ADP1,OU=ADP,ou=administration,ou=stuttgart,dc=vi,dc=vector,dc=int'
[LDAP: error code 50 - Insufficient Access Rights]
ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
ODIException: DIP_OIDWRITER_ERROR_CREATE

What is the meaning of them? Do I not have enough rights in AD or in OID? Bootstrapping is running perfectly.

Regards Heinrich
jtomlins

Posts: 58
Registered: 01/10/01
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 13, 2004 8:16 AM   in response to: heinrich.geiger...
Hi Geiger

The error message you are getting indicates that there is an access control policy preventing you from making a modification.

Have you applied the new access control policy as mentioned in the OID admin guide in chapter 43? You can also see a sample of this new policy at the following URL:

http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm#Grant

Jay
tbokman

Posts: 40
Registered: 02/10/00
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 13, 2004 8:28 AM   in response to: jtomlins
I'm trying to do the step "Grant access permission for AD Group synchronization". I ran the prior step "dipassistant" with no problems, but when I run "ldapmodify -p 389 -h oracleas.norris.intra -D "cn=orcladmin" -w ias_password -f d:\grantrole.ldif" I get the error:

modifying entry cn=Users,dc=norris,dc=intra
ldap_modify: Insufficient access

How do I fix this? Thanks.
heinrich.geiger...

Posts: 13
Registered: 07/12/04
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 14, 2004 12:05 AM   in response to: tbokman
Thanks.

I tried to modify the grantrole.ldif, but when uploading the file I get the following error message:

modifying entry cn=Users,dc=vi,dc=vector,dc=int
ldap_modify: Undefined attribute type
ldap_modify: additional info: Attribute dn is not supported in schema.

What is this?

And a small question: I have under dc=vi,dc=vector,dc=int a couple of directories, for example ou=Stuttgart, ou=Paris, ou=Sweden and so on. How can I grant access to these directories for cn=orcladmin?

Thanks and regards

Heinrich.
jtomlins

Posts: 58
Registered: 01/10/01
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 15, 2004 1:53 PM   in response to: tbokman
Hi Thomas

When I ran this command on Solaris against the grantrole.ldif file that is located on the online tutorial it ran ok.

When I ran the same command using the same file on a Linux machine I was getting all kinds of errors.

It turns out there was a hidden character in the file that did not affect Solaris but caused all kinds of problems in Linux. I created a new file that works in both Solaris and Linux.

To access the file download the "samplefiles.zip" file located here:

http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm#Grant

Try it and let me know if it works.

Jay
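An added example, not from the thread or from Oracle's tutorial files: a small LDIF lint that surfaces the kind of hidden characters Jay describes (a UTF-8 BOM, Windows CR line endings) and the record-structure problem behind Heinrich's "Attribute dn is not supported in schema" error, where a "dn:" line is read as an ordinary attribute because the blank line separating two records is missing. The sample LDIF below is constructed; its DNs and ACI text are placeholders, not the tutorial's grantrole.ldif.

```python
import re

# Constructed sample, not the tutorial's grantrole.ldif: an ACI-granting LDIF
# saved with a UTF-8 BOM and Windows line endings, the kind of hidden
# characters that trip ldapmodify on Linux. DNs and the ACI are placeholders.
SAMPLE_LDIF = (
    b"\xef\xbb\xbfdn: cn=Users,dc=example,dc=com\r\n"
    b"changetype: modify\r\n"
    b"add: orclaci\r\n"
    b"orclaci: access to entry by group=\"cn=dipgroup,cn=placeholder\" (browse,add,delete)\r\n"
    b"\r\n"
    b"dn: ou=Stuttgart,dc=example,dc=com\r\n"
    b"changetype: modify\r\n"
    b"add: orclaci\r\n"
    b"orclaci: access to entry by group=\"cn=dipgroup,cn=placeholder\" (browse,add,delete)\r\n"
)


def lint_ldif(raw):
    """Return (problems, records): problems is a list of strings, records a
    list of (dn, [(attribute, value), ...]) parsed after normalising the file."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before the first 'dn:' line")
        raw = raw[3:]
    if b"\r" in raw:
        problems.append("CR characters present (Windows line endings)")
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    records = []
    for n, block in enumerate(text.split("\n\n"), 1):
        lines = [ln for ln in block.split("\n") if ln.strip() and not ln.startswith("#")]
        if not lines:
            continue
        attrs = []
        for ln in lines:
            name, sep, value = ln.partition(":")
            if not sep:
                problems.append("record %d: malformed line %r" % (n, ln))
                continue
            attrs.append((name.strip().lower(), value.strip()))
        if not attrs or attrs[0][0] != "dn":
            problems.append("record %d: does not start with 'dn:'" % n)
            continue
        if any(a == "dn" for a, _ in attrs[1:]):
            # ldapmodify then treats 'dn' as an attribute of the previous
            # record, which is what "Attribute dn is not supported" reports.
            problems.append("record %d: second 'dn:' inside the record "
                            "(missing blank separator line?)" % n)
        records.append((attrs[0][1], attrs[1:]))
    return problems, records
```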
jtomlins

Posts: 58
Registered: 01/10/01
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 15, 2004 1:54 PM   in response to: heinrich.geiger...
Hi Geiger

When I ran this command on Solaris against the grantrole.ldif file that is located in the online tutorial it ran ok.

When I ran the same command using the same file on a Linux machine I was getting all kinds of errors.

It turns out there was a hidden character in the file that did not affect Solaris but caused all kinds of problems in Linux. I created a new file that works in both Solaris and Linux.

To access the file download the "samplefiles.zip" file located here:

http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm#Grant

Try it and let me know if it works.

Jay
tbokman

Posts: 40
Registered: 02/10/00
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 16, 2004 5:15 AM   in response to: jtomlins
It works now. Thanks for your help!
heinrich.geiger...

Posts: 13
Registered: 07/12/04
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 20, 2004 4:32 AM   in response to: tbokman
Hello John,

thanks for your help. I wrote a new grantrole.ldif and I could upload this without any errors.

But I still have the same problem. So I deleted all the entries in OID, applied the grantrole.ldif, and bootstrapped the entries. I don't get any error messages. My groups and users are under cn=Users,dc=vi,dc=vector,dc=int. If I change an attribute in AD and try to synchronise it with OID, I get a lot of errors.

Here is the text of error message:

Performing createEntry..
Exception creating Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'CN=Geiger\, Heinrich,OU=ADP1,OU=ADP,ou=vi,cn=users,dc=vi,dc=vector,dc=int'
[LDAP: error code 50 - Insufficient Access Rights]
Error in Mapping
ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
ODIException: DIP_OIDWRITER_ERROR_CREATE
at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:951)
at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:321)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:609)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:252)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:398)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:254)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:149)
ActiveChgImp:about to Update exec status
Updated Attributes
orclodipLastExecutionTime: 20040920132907
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors: Error Creating Entry in OID
null
Error in proxy connection : ODIException: DIP_GEN_AUTHENTICATION_FAILURE
ODIException: DIP_GEN_AUTHENTICATION_FAILURE
at oracle.ldap.odip.gsi.LDAPConnector.proxyConnectAs(LDAPConnector.java:291)
at oracle.ldap.odip.engine.AgentThread.updateExecStatus(AgentThread.java:487)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:192)
Updated Attributes
orclodipLastExecutionTime: 20040920132907
orclOdipSynchronizationStatus: Agent Execution Successful, Mapping/IMPORT operation Failure
orclOdipSynchronizationErrors: Agent Execution Successful, Mapping/IMPORT operation Failure

Thank you very much.

Regards Heinrich.

jtomlins

Posts: 58
Registered: 01/10/01
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 20, 2004 8:50 AM   in response to: heinrich.geiger...
Hello Heinrich

What is the account you are using in your profile to connect with AD? Is it the administrator account or another account? If it is not the administrator account, does that user have permission to read the changelogs and deleted users log?

Jay
heinrich.geiger...

Posts: 13
Registered: 07/12/04
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 20, 2004 2:21 PM   in response to: jtomlins
Hello John,

it is a normal domain user account, without admin rights and so on. I don't know about the ability to read the changelog or the deleted users log.

I will try it with a domain admin account.

Thanks and regards

Heinrich.
heinrich.geiger...

Posts: 13
Registered: 07/12/04
Re: AD-OID Synchronization Not Executed Yet
Posted: Sep 28, 2004 12:24 AM   in response to: heinrich.geiger...
Hello John,

thank you very much for your help.

The problem with the synchronization was the rights violation on the OID containers. So I had to apply the grantrole.ldif to all containers which I have in my OID and start the odisrv. So it's running without any problems.

Thank you, regards

Heinrich
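
An added example, not from the thread or from Oracle's DIP: a small triage script for the kind of ActiveChgImp.trc output Heinrich posted above. It pulls out the LDAP result code, the DN that failed, the ODI error codes and the orclOdip* status attributes, and maps them to the causes the thread settled on: error 50 together with DIP_OIDWRITER_ERROR_CREATE points at a missing OID access policy on the container holding that DN (Heinrich's fix); for DIP_GEN_AUTHENTICATION_FAILURE on the proxy connection the hint to check the account DIP uses to connect to OID is my assumption. The trace excerpt is constructed in the style of the thread's lines, with a placeholder DN.

```python
import re

# Constructed excerpt in the style of the ActiveChgImp.trc lines quoted in this
# thread; the DN is a placeholder, not a real directory entry.
SAMPLE_TRACE = """\
Exception creating Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'CN=Doe\\, Jane,OU=Eng,cn=users,dc=example,dc=com'
[LDAP: error code 50 - Insufficient Access Rights]
ActiveChgImp:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
ActiveChgImp:about to Update exec status
orclodipLastExecutionTime: 20040920132907
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors: Error Creating Entry in OID
Error in proxy connection : ODIException: DIP_GEN_AUTHENTICATION_FAILURE
"""

LDAP_ERR = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\]")
REMAINING = re.compile(r"remaining name '([^']*)'")
ODI_ERR = re.compile(r"ODIException: (DIP_[A-Z_]+)")
STATUS = re.compile(r"^(orclodip\w+):\s*(.*)$", re.IGNORECASE)


def parse_trace(text):
    """Collect LDAP codes, failing DNs, ODI error codes and profile status lines."""
    found = {"ldap_codes": set(), "dns": [], "odi_errors": set(), "status": {}}
    for line in text.splitlines():
        for code, msg in LDAP_ERR.findall(line):
            found["ldap_codes"].add((int(code), msg.strip()))
        m = REMAINING.search(line)
        if m and m.group(1) not in found["dns"]:
            found["dns"].append(m.group(1))
        found["odi_errors"].update(ODI_ERR.findall(line))
        m = STATUS.match(line)
        if m:
            found["status"][m.group(1)] = m.group(2).strip()
    return found


def triage(found):
    """Map what was parsed to the two causes this thread ended up discussing."""
    hints = []
    if any(c == 50 for c, _ in found["ldap_codes"]) \
            and "DIP_OIDWRITER_ERROR_CREATE" in found["odi_errors"]:
        hints.append("OID refused the write (error 50): apply the DIP access "
                     "policy (grantrole.ldif) to the container holding "
                     + "; ".join(found["dns"]))
    if "DIP_GEN_AUTHENTICATION_FAILURE" in found["odi_errors"]:
        # Assumption: the proxy connection fails on the OID-side credentials.
        hints.append("proxy connection to OID failed: check the account and "
                     "password DIP uses to connect to OID")
    return hints
```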