Portal clone - ptlconfig fails with ORA-31201 DBMS_LDAP
| Topic ID: 2385 | |
| Created By: | 2007-MAY-15 19:59:49 [Vitaliy] |
| Updated By: | 2007-MAY-16 15:07:50 [Vitaliy] |
| Status: | Open |
| Severity: | Normal |
| Read Only: | No |
ISSUE:
After successfully performing most of the steps in:
Oracle Application Server Administrator's Guide
10g Release 2 (10.1.2)
Part No. B13995-07
11 Staging a Test Environment from a Production Environment
http://download-west.oracle.com/docs/cd/B14099_18/core.1012/b13995/prodtest.htm
you get to step 4:
4. Update the OracleAS Portal instance from the Portal Dependency
Settings file (iasconfig.xml) file by running the ptlconfig script:
Which fails with the following error:
portalbox.portal-> ptlconfig -dad portal
~/product/10gAS/portal/conf ~/product/10gAS/portal/conf
Portal Dependency Settings Tool
Processing Portal instance '/pls/portal' (cn=orasid,cn=oraclecontext)
Enter either the Portal schema or OID Admin password:
Problem processing Portal instance: Configuring OID settings : Populating
OID data : SQL exception: Generated errors of type ORA-, PLS-, SP2-, ERROR:
or IMP-. Refer to the log file for details.
Processing complete
portalbox.portal->
ptlconfig.log logfile shows the following errors (cleaned up for clarity):
Error in create_user
LDAP Error: 1030: UnKnown Error Encountered
ERROR: creating PORTAL user.
Error code : -31201
Error message: ORA-31201: DBMS_LDAP: generic error: Invalid input pointer
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06502: PL/SQL: numeric or value error
ERROR: creating lightweight users and groups in OID ... exiting
INSTALL_ERROR: sqlExecuter() : Raised Exception
oracle.webdb.config.PortalWiringException: Generated errors of type ORA-,
PLS-, SP2-, ERROR: or IMP-. Refer to the log file for details.
INSTALL_ERROR : Populating Portal seed in OID Raised Exception for secoidd.sql
SQL exception: Generated errors of type ORA-, PLS-, SP2-, ERROR: or IMP-.
Refer to the log file for details.
ERROR: Wire OID mode raised exception.
Additionally any attempt to login to OID or PORTAL via SSO fails with the following error:
"Error: Authentication failed. Please try again"
and your /u01/app/oracle/product/10gAS/sso/log/ssoServer.log shows the following errors:
Tue May 15 17:52:32 PDT 2007 [ERROR] AJPRequestHandler-ApplicationServerThread-6 Could not get attributes for user, portal
oracle.ldap.util.UtilException: NamingException encountered when resolving user - SIMPLE NAME = portal [LDAP: error code 32 -
No Such Object]
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1214)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:485)
at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)
SOLUTION:
The problem is that PORTAL "lightweight" account cannot be found in OID.
The problem is in the following attributes:
orclcommonusersearchbase
orclcommongroupsearchbase
EXPLANATION:
per B13995-07:
Staging a Test Environment from a Production Environment ->
Task 4: Copy Data from Production Identity Management to the Test Environment ->
7. On the test directory server, configure Oracle Context parameters
it says to modify Context parameters as follows:
dn: cn=common, cn=products,cn=OracleContext, default_subscriber
Changetype: modify
replace: orclCommonUserSearchBase
OrclCommonUserSearchBase: value1 <== note this
OrclCommonUserSearchBase: value2 <== note this
-
replace: orclCommonGroupSearchBase
OrclCommonGroupSearchBase: value1 <== note this
OrclCommonGroupSearchBase: value2 <== note this
-
replace: orclCommonNickNameattribute
orclCommonNickNameattribute: value
If these instructions are followed literally (which they were), these settings
become corrupt, as in this case:
--- INCORRECT SETTING ---
dn: cn=Common,cn=Products,cn=OracleContext,dc=ind,dc=somedomain,dc=com
Changetype: modify
replace: orclCommonUserSearchBase
OrclCommonUserSearchBase: cn=users
OrclCommonUserSearchBase: dc=ind,dc=somedomain,dc=com
-
replace: orclCommonGroupSearchBase
OrclCommonGroupSearchBase: cn=Groups
OrclCommonGroupSearchBase: dc=ind,dc=somedomain,dc=com
-
replace: orclCommonNickNameattribute
orclCommonNickNameattribute: uid
Correct format for modifying Oracle Context parameters is as follows (this
example is based on our default_subscriber and OrclCommon%SearchBase values):
--- CORRECT SETTING ---
dn: cn=Common,cn=Products,cn=OracleContext,dc=ind,dc=somedomain,dc=com
Changetype: modify
replace: orclCommonUserSearchBase
OrclCommonUserSearchBase: cn=users,dc=ind,dc=somedomain,dc=com
-
replace: orclCommonGroupSearchBase
OrclCommonGroupSearchBase: cn=Groups,dc=ind,dc=somedomain,dc=com
-
replace: orclCommonNickNameattribute
orclCommonNickNameattribute: uid
Once these corrections were made using ldapmodify this issue was resolved -
here's the session output:
## configure Oracle Context parameters
##
infrabox.ORASID-> more OracleContext.ldif
dn: cn=Common,cn=Products,cn=OracleContext,dc=ind,dc=somedomain,dc=com
orclcommonusersearchbase: cn=users, dc=ind,dc=somedomain,dc=com
orclcommongroupsearchbase: cn=Groups, dc=ind,dc=somedomain,dc=com
orclcommonnicknameattribute: uid
vi OracleContext_Import.ldif
-------------- INSERT THIS ----------
dn: cn=Common,cn=Products,cn=OracleContext,dc=ind,dc=somedomain,dc=com
Changetype: modify
replace: orclCommonUserSearchBase
OrclCommonUserSearchBase: cn=users,dc=ind,dc=somedomain,dc=com
-
replace: orclCommonGroupSearchBase
OrclCommonGroupSearchBase: cn=Groups,dc=ind,dc=somedomain,dc=com
-
replace: orclCommonNickNameattribute
orclCommonNickNameattribute: uid
## Configure the user and group search base on the test directory server
##
ldapmodify -D cn=orcladmin \
-w testpass05 -h infrabox.ind.somedomain.com -p 389 \
-v -f /u01/app/oracle/clone/export_files/OracleContext_Import.ldif
infrabox.ORASID-> ldapmodify -D cn=orcladmin \
-w testpass05 -h infrabox.ind.somedomain.com -p 389 \
-v -f /u01/app/oracle/clone/export_files/OracleContext_Import.ldif
> -w testpass05 -h infrabox.ind.somedomain.com -p 389 \
> -v -f /u01/app/oracle/clone/export_files/OracleContext_Import.ldif
replace OrclCommonUserSearchBase:
cn=users,dc=ind,dc=somedomain,dc=com
replace OrclCommonGroupSearchBase:
cn=Groups,dc=ind,dc=somedomain,dc=com
replace orclCommonNickNameattribute:
uid
modifying entry cn=Common,cn=Products,cn=OracleContext,dc=ind,dc=somedomain,dc=com
modify complete
infrabox.ORASID->
RESEARCH:
This is the research I did to come up with the solution described above - you
don't really have to read this, it's just an FYI:
The error message we see is raised halfway through the
anonymous PL/SQL block by an OTHERS exception handler (see secoidd.sql), which
means that we were able to connect, then process halfway through the block, and
then we failed calling wwsec_api_private.sync_local_user_profile for the PORTAL
user. Here's the excerpt of the exception handler where it fails:
l_user_profile := wwsec_api_private.sync_local_user_profile
(
p_User_Name => p_user_name,
p_GUID => l_guid,
p_DN => l_dn
);
print_message('Local profile for user ' || p_user_name ||
' synchronized with OID');
exception
when others then
print_message('ERROR: creating ' || p_user_name ||
' user.'); <==== here's where the error is trapped
The actual error message trapped by this exception was:
ORA-31201: DBMS_LDAP: generic error: Invalid input pointer
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06502: PL/SQL: numeric or value error
Here's what I changed in secoidd.sql to trap a little more details of the
parameters that were being passed to wwsec_api_private.sync_local_user_profile:
portalbox.portal-> cp -p ./admin/plsql/wwc/secoidd.sql ./admin/plsql/wwc/secoidd.sql.ORG
portalbox.portal-> find . -name secoidd.sql -ls
123415 176 -rwx------ 1 oracle dba 170268 Aug 11 2005 ./admin/plsql/wwhost/secoidd.sql
123389 176 -rwx------ 1 oracle dba 170268 Aug 11 2005 ./admin/plsql/wwc/secoidd.sql
portalbox.portal-> cp -p ./admin/plsql/wwhost/secoidd.sql ./admin/plsql/wwhost/secoidd.sql.ORG
portalbox.portal->
portalbox.portal-> diff ./admin/plsql/wwhost/secoidd.sql ./admin/plsql/wwc/secoidd.sql
portalbox.portal->
portalbox.portal-> vi ./admin/plsql/wwc/secoidd.sql
l_user_profile := wwsec_api_private.sync_local_user_profile
(
p_User_Name => p_user_name,
p_GUID => l_guid,
p_DN => l_dn
);
print_message('Local profile for user ' || p_user_name ||
' synchronized with OID');
exception
when others then
print_message('ERROR: creating ' || p_user_name ||
' user.');
print_message('VM-ERROR-TRAP: p_User_Name = ' ||p_user_name );
print_message('VM-ERROR-TRAP: p_GUID = ' || l_guid );
print_message('VM-ERROR-TRAP: p_DN = ' || l_dn );
dbms_ldap.free_mod_array
(
modptr => l_array
);
raise;
end;
portalbox.portal-> cp -p ./admin/plsql/wwc/secoidd.sql ./admin/plsql/wwhost/secoidd.sql
portalbox.portal-> grep VM-ERROR-TRAP ./admin/plsql/wwc/secoidd.sql
print_message('VM-ERROR-TRAP: p_User_Name = ' ||p_user_name );
print_message('VM-ERROR-TRAP: p_GUID = ' || l_guid );
print_message('VM-ERROR-TRAP: p_DN = ' || l_dn );
portalbox.portal-> grep VM-ERROR-TRAP ./admin/plsql/wwhost/secoidd.sql
print_message('VM-ERROR-TRAP: p_User_Name = ' ||p_user_name );
print_message('VM-ERROR-TRAP: p_GUID = ' || l_guid );
print_message('VM-ERROR-TRAP: p_DN = ' || l_dn );
portalbox.portal->
portalbox.portal-> cd $ORACLE_HOME/portal/conf
portalbox.portal-> ptlconfig -dad portal
~/product/10gAS/portal/conf ~/product/10gAS/portal/conf
Portal Dependency Settings Tool
Processing Portal instance '/pls/portal' (cn=orasid,cn=oraclecontext)
Enter either the Portal schema or OID Admin password:
Problem processing Portal instance: Configuring OID settings : Populating OID
data : SQL exception: Generated errors of type ORA-, PLS-, SP2-, ERROR: or
IMP-. Refer to the log file for details.
Processing complete
portalbox.portal->
portalbox.portal-> cd ../logs
portalbox.portal-> ls -lta
total 166
-rw-r--r-- 1 oracle dba 11885 May 15 14:51 ptlconfig.log
drwx------ 2 oracle dba 512 May 15 14:51 .
-rw-r--r-- 1 oracle dba 47068 May 15 14:45 ptlconfig.log.OLD2
-rw-r--r-- 1 oracle dba 23534 May 11 10:00 ptlconfig.log.OLD
drwx------ 12 oracle dba 512 May 8 16:30 ..
portalbox.portal->
here's what was in the logfile now:
- - - - - - - - - - - - - - - - - -- - - - - - - -- - - - - - - - -
ERROR: creating PORTAL user.
VM-ERROR-TRAP: p_User_Name = PORTAL
VM-ERROR-TRAP: p_GUID = 308A3CD077541AC9E044080020D21635
VM-ERROR-TRAP: p_DN =
Error code : -31201
Error message: ORA-31201: DBMS_LDAP: generic error: Invalid input pointer
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06502: PL/SQL: numeric or value error
ERROR: creating lightweight users and groups in OID ... exiting
- - - - - - - - - - - - - - - - - -- - - - - - - -- - - - - - - - -
More info on:
p_GUID = 308A3CD077541AC9E044080020D21635
this value is generated by this call (see secoidd.sql):
l_guid := rawtohex(sys_guid());
... it gets to this point after get_user_dns() doesn't return a record for
PORTAL user (fails to find it in OID?) so it tries to create a new record ...
and it fails. I also noticed that any attempt to login through SSO homepage:
http://infrabox.ind.somedomain.com:7777/pls/orasso/orasso.home
fails with "Authentication failed. Please try again" for both orcladmin and portal
accounts (I know for sure I am using correct passwords as I can login OK
through oidadmin using orcladmin).
I dug a little deeper ...
When "Error: Authentication failed. Please try again" is raised the following stack can be
seen in here:
/u01/app/oracle/product/10gAS/sso/log/ssoServer.log
Tue May 15 17:52:32 PDT 2007 [ERROR] AJPRequestHandler-ApplicationServerThread-6 Could not get attributes for user, portal
oracle.ldap.util.UtilException: NamingException encountered when resolving user - SIMPLE NAME = portal [LDAP: error code 32 -
No Such Object]
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1214)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:485)
at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)
Then after reading:
Note:282484.1 Single Sign-On Realms and Multiple Search Bases
I was led to believe that our Oracle Context search base entry was corrupted.
[edited by: Vitaliy at 15:07 (CST) on May. 16, 2007]
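A pre-flight check for the mistake described in the EXPLANATION section above, added here as an example (it is not part of the original post or of any Oracle tooling): it reads an LDIF for the cn=Common Oracle Context entry and reports every orclCommonUserSearchBase / orclCommonGroupSearchBase value that is not a full DN under the realm. The function names are hypothetical, the two samples reuse the post's INCORRECT and CORRECT settings, and the parser assumes unfolded, non-base64 LDIF lines.

```python
# Attributes whose every value must be a complete DN under the realm (default subscriber).
SEARCH_BASE_ATTRS = {"orclcommonusersearchbase", "orclcommongroupsearchbase"}

def norm(dn):
    """Lower-case a DN and drop whitespace around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def lint_context_ldif(text):
    """Return (attribute, value, hint) for each search-base value not under the realm."""
    realm, values = None, {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if not sep or not val:
            continue  # "-" separators and blank lines
        if key == "dn":
            # The realm is whatever follows cn=OracleContext, in the entry DN.
            realm = norm(val).partition("cn=oraclecontext,")[2] or None
        elif key in SEARCH_BASE_ATTRS:
            values.setdefault(key, []).append(val)
    if realm is None:
        raise ValueError("no cn=OracleContext,<realm> entry DN found")
    findings = []
    for attr, vals in values.items():
        for v in vals:
            n = norm(v)
            if n == realm or n.endswith("," + realm):
                continue
            # A bare fragment with the realm as a sibling value is one DN split in two.
            split = realm in [norm(x) for x in vals]
            hint = f"split DN, expected {n},{realm}" if split else f"not under {realm}"
            findings.append((attr, v, hint))
    return findings

# Sample input: the INCORRECT and CORRECT settings quoted in the post.
HEAD = "dn: cn=Common,cn=Products,cn=OracleContext,dc=ind,dc=somedomain,dc=com\nChangetype: modify\n"
BAD = HEAD + ("replace: orclCommonUserSearchBase\n"
              "OrclCommonUserSearchBase: cn=users\n"
              "OrclCommonUserSearchBase: dc=ind,dc=somedomain,dc=com\n-\n"
              "replace: orclCommonGroupSearchBase\n"
              "OrclCommonGroupSearchBase: cn=Groups\n"
              "OrclCommonGroupSearchBase: dc=ind,dc=somedomain,dc=com\n")
GOOD = HEAD + ("replace: orclCommonUserSearchBase\n"
               "OrclCommonUserSearchBase: cn=users,dc=ind,dc=somedomain,dc=com\n-\n"
               "replace: orclCommonGroupSearchBase\n"
               "OrclCommonGroupSearchBase: cn=Groups,dc=ind,dc=somedomain,dc=com\n")

if __name__ == "__main__":
    for finding in lint_context_ldif(BAD):
        print(finding)
```

The same function also accepts the plain entry dump shown in the `more OracleContext.ldif` output, since it ignores the `Changetype`/`replace` lines and tolerates spaces after commas.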