Thursday, August 28, 2008

Oracle 10g SSO Integration with E-Biz 11.5.10.2 - Implementation-3

The next step, after we are done importing users, is to enable the ActiveChgImp profile. This is how it is done in IDM version 1.4.0.1:

Access the OID administration tool as the “orcladmin” super-user. Navigate to “Integration Server” -> “Configuration Set 1”. Select the import profile “ActiveChgImp” and click Edit; this displays the profile attributes. Enable the profile and save it.

But in IDM 1.4.2, these are the steps to follow:
====================
Profiles are now managed with the Oracle Directory Integration and Provisioning Server Administration tool (dipassistant -gui).
To incorporate these changes into the upgraded OID, do the following:
1. Launch the admin tool (dipassistant -gui), navigate to Connector Group Management and expand the tree. Notice that there are two entries:
- defaultgroup
- configset1
2. Expand configset1 to see the old 10.1.4.1 synchronization profiles.
3. Since a 'profile group' must now be supplied when starting odisrv, it is recommended to rename this 'configset', as the name will be confusing when starting the server. To rename the profile group:
- highlight configset1, right-click, then select Rename
- give it a new name, for instance Group1, and click OK
4. The defaultgroup contains NO profiles after the upgrade, so you may wish to (re)associate any profiles previously configured and enabled so that they become part of the default group. To do so:
- expand Group1
- highlight the profile to be made part of the default group, then click Dissociate Profile (you will be prompted to confirm; once confirmed, it disappears from the list)
- highlight defaultgroup and click Associate Profile
- highlight the profile in the list and click Select (the profile now appears under defaultgroup)
NOTE: You MUST always dissociate a profile before associating it with a new group.
5. Start odisrv with the additional grpid flag, for example:
oidctl connect=orcl server=odisrv instance=2 configset=1 flags="host=jdsmith-us port=13060 grpid=defaultgroup debug=63" start

Check the logs under the $ORACLE_HOME/ldap/odi/log directory for synchronization errors in “ActiveChgImp.trc” and “ActiveChgImp.aud”.

Happy Troubleshooting !!!

Oracle 10g SSO Integration with E-Biz 11.5.10.2 - Implementation-2

Now we are going to modify the import connector profile so that we can import users from AD into OID.
1. Create the “mapping rules” listed here and save them to a file named “ActiveChgImp.map”. Note the “|” in the sAMAccountName|trunc(...) and sn|SAMAccountName rules: it means “use the first listed source attribute that has a value”, and it is easily lost when copying. Without it, the rule is read as one unknown attribute name, so the uid rule produces nothing and users that have no sn in AD fail OID's schema check (sn is mandatory on OID, as the comment in the file says).
--------------------------------------------------------------------------------------------
DomainRules
OU=OU_MYUSERS,DC=corp,DC=mygrp,DC=com:cn=adusers,cn=users,dc=corp, dc=mygrp, dc=com:
###
AttributeRules
# attribute rule common to all objects
objectguid: :binary: :orclobjectguid:string: :bin2b64(objectguid)
ObjectSID: :binary: :orclObjectSID:string: :bin2b64(ObjectSID)
distinguishedName: : : :orclSourceObjectDN: :orclADObject
# attribute rule for mapping windows organizationalunit
ou: : :organizationalunit:ou: : organizationalunit
# attribute rule for mapping directory containers
cn: : :container: cn: :orclContainer
# attribute rule for mapping directordomains
dc: : :domain: dc: :domain
# USER ENTRY MAPPING RULES
# attribute rule for mapping windows LOGIN id
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:sAMAccountName|trunc(userPrincipalName,'@')
# attribute rule for mapping Active Directory LOGIN id
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
# Map the userprincipalname to the nickname attr by default
samAccountName,userPrincipalName: : :user:uid: :inetorgperson:sAMAccountName|trunc(userPrincipalName,'@')
# Assign the userprincipalname to Kerberos principalname
# userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
samAccountName: : :user:krbPrincipalName: :orcluserv2:samAccountName+'@'+'DOMAINNAME.COM'
# This rule is mapped as SAMAccountName is a mandatory attr on AD
# and sn is mandatory on OID. sn is not mandatory on Active Directory
sn,SAMAccountName: : :person:sn: : person:sn|SAMAccountName
# attributes to map to cn - normally this is the given name
cn: : :person:cn: :person:
# attribute rule for mapping entry and to create orclUserV2
# There should be a mapping rule with orcluserv2 objectclass
# without which the PORTAL may not function properly
givenName: : :user:displayName: :inetorgperson:
employeeID: : :user:employeeNumber: :inetOrgPerson:
physicalDeliveryOfficeName: : :user:physicalDeliveryOfficeName: :organizationalPerson:
title: : :user:title: :organizationalPerson:
mobile: : :organizationalperson:mobile: :inetorgperson:
telephonenumber: : :organizationalperson:telephonenumber: :inetorgperson:
facsimileTelephoneNumber: : :organizationalperson:facsimileTelephoneNumber: :inetorgperson:
l: : :user:l: :organizationalperson:
# mail needs to be assigned valid value for default settings in DAS
userPrincipalName: : :user:mail: :inetorgperson:
# GROUP ENTRY MAPPING RULES
cn: : :group:cn: :groupofuniquenames:
# displayname needs to be assigned a valid value for default settings on DAS
SAMAccountName: : :group:displayName: :orclgroup:
# Description needs tobe assigned a valid value for default settings on DAS
Description: : :group:Description: :groupOfUniqueNames:
member: : :group:uniquemember: :groupofUniqueNames:
managedby: : :group:owner: :orclprivilegegroup:
sAMAccountName: : :group:orclSAMAccountName: :orclADGroup:
-----------------------------------------------------------------------------------------
2. Create the “Import Profile Configuration” listed here and save it to a file named “ActiveChgImp.cfg”:
-----------------------------------------------------------------------------------------
[INTERFACEDETAILS]
Package: gsi
Reader: ActiveChgReader
SkipErrorToSyncNextChange: true
SearchDeltaSize: 500
----------------------------------------------------------------------------------------
3. Replace the “-h” OID host and “-p” port in the command below and execute it. The AD account given in odip.profile.condiraccount only needs read access to the source OU, so use a dedicated low-privilege account rather than a domain administrator. Also note that with plain port 389 in odip.profile.condirurl, the connector's bind password and every synchronized attribute cross the network in clear text; for production, use an SSL connection to AD (port 636), which DIP supports.

$ORACLE_HOME/bin/dipassistant modifyprofile \
-h hostname.domainname.com \
-p 389 \
-D cn=orcladmin \
-w \
-profile ActiveChgImp \
odip.profile.condiraccount="ADUSERname" \
odip.profile.condirpassword= \
odip.profile.condirurl="activedirectoryhostname:389" \
odip.profile.configfile="ActiveChgImp.cfg" \
odip.profile.condirfilter="(|(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))" \
odip.profile.mapfile="ActiveChgImp.map"
4. On the IDM host where the OID component is installed, replace the “-h” OID host and “-p” port in the command below and execute it:

$ORACLE_HOME/bin/dipassistant bootstrap \
-h \
-p \
-D “cn=orcladmin” \
-w \
-profile ActiveChgImp

Check the bootstrap log file in the $ORACLE_HOME/ldap/odi/log directory for errors. If there are none, voilà, all users are imported into OID.
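Before running the bootstrap against a real domain it is worth dry-running the mapping rules against a sample AD entry, because a silent mapping failure (such as a lost "|" in the sn rule) only shows up later as rejected entries in the trace log. The script below is an added example, not Oracle's code and not from the original post: it parses the AttributeRules layout used in ActiveChgImp.map above (eight colon-separated fields per rule) and evaluates the small rule language that file uses against a constructed AD user. The operator semantics (“|” picks the first listed source that has a value, “+” concatenates, trunc(s,'@') keeps the text before the separator and truncl the text after it) are assumptions read off the rules above rather than a copy of odisrv's implementation, and the sample map excerpt and the user entry are constructed test data.

```python
# Added example, not Oracle's code and not from the original post: parse the
# AttributeRules of an ActiveChgImp.map and dry-run them against a constructed AD
# entry. Only the rule language the map above uses is covered; operator semantics
# ('|' first source with a value, '+' concatenation, trunc/truncl) are assumptions.
import re

FIELDS = ("src", "reqseq", "srctype", "srcoc", "dst", "dsttype", "dstoc", "rule")
TOKEN = re.compile(r"\s*(?:'([^']*)'|([A-Za-z_]\w*)|([()+,|])|(\S))")
FUNCS = {"trunc": lambda s, sep: s.split(sep, 1)[0],    # text before the separator
         "truncl": lambda s, sep: s.split(sep, 1)[-1],  # text after the separator
         "toupper": lambda s: s.upper()}

# Excerpt of the map above, with the '|' operators intact (constructed test input).
MAP_TEXT = """
AttributeRules
sAMAccountName,userPrincipalName: : :user:uid: :inetorgperson:sAMAccountName|trunc(userPrincipalName,'@')
userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
sn,SAMAccountName: : :person:sn: : person:sn|SAMAccountName
cn: : :person:cn: :person:
cn: : :group:cn: :groupofuniquenames:
"""
# Constructed sample AD user (not real data). It deliberately has no 'sn'.
AD_USER = {
    "objectclass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": "jsmith",
    "userPrincipalName": "jsmith@corp.mygrp.com",
    "cn": "John Smith",
}

def parse_rules(text):
    """Return the AttributeRules as dicts keyed by FIELDS (8 colon-separated fields each)."""
    rules, section = [], None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line in ("DomainRules", "AttributeRules"):
            section = line
        elif section == "AttributeRules" and not line.startswith("#"):
            parts = [p.strip() for p in line.split(":", 7)]
            rules.append(dict(zip(FIELDS, parts + [""] * (8 - len(parts)))))
    return rules

def evaluate(rule, entry):
    """Evaluate one mapping rule against an entry with lower-cased keys; None = no value."""
    toks = []
    for lit, ident, op, bad in TOKEN.findall(rule):
        if bad:
            raise ValueError(f"bad character {bad!r} in {rule!r}")
        toks.append(("id", ident) if ident else ("op", op) if op else ("str", lit))
    def take(op=None):                      # consume the next token, or only the operator op
        if toks and (op is None or toks[0] == ("op", op)):
            return toks.pop(0)
    def alt():                              # a | b : first alternative that has a value
        val = cat()
        while take("|"):
            rhs = cat()                     # still parsed, so syntax errors surface
            val = rhs if val is None else val
        return val
    def cat():                              # a + b : concatenation, None if a piece is missing
        parts = [atom()]
        while take("+"):
            parts.append(atom())
        return None if None in parts else "".join(parts)
    def atom():                             # 'literal' | attribute | fn(arg, ...)
        kind, text = take() or ("eof", "")
        if kind == "str":
            return text
        if kind != "id":
            raise ValueError(f"unexpected {text!r} in {rule!r}")
        if not take("("):
            return entry.get(text.lower())  # plain attribute reference
        args = [alt()]
        while take(","):
            args.append(alt())
        if not take(")"):
            raise ValueError(f"missing ')' in {rule!r}")
        return None if None in args else FUNCS[text.lower()](*args)
    val = alt()
    if toks:                                # e.g. 'sn SAMAccountName' with the '|' lost
        raise ValueError(f"unexpected {toks[0][1]!r} in {rule!r}")
    return val

def map_entry(rules, ad_entry):
    """Apply the rules whose source object class matches the entry; return OID attributes."""
    entry = {k.lower(): v for k, v in ad_entry.items()}     # LDAP names are case-insensitive
    ocs = {o.lower() for o in entry.get("objectclass", [])}
    out = {}
    for r in rules:
        if r["srcoc"] and r["srcoc"].lower() not in ocs:
            continue                        # e.g. the group rule does not fire for a user
        if r["rule"]:
            val = evaluate(r["rule"], entry)
        else:                               # empty rule: plain copy of the (first) source attribute
            val = entry.get(r["src"].split(",")[0].lower())
        if val is not None:
            out[r["dst"]] = val
    return out

def missing_mandatory(mapped, required=("cn", "sn")):
    """Attributes OID's person object class requires that the mapping did not produce."""
    return [a for a in required if a not in {k.lower() for k in mapped}]
```

Running map_entry(parse_rules(MAP_TEXT), AD_USER) yields uid and sn both set to jsmith (the sn rule fell back to sAMAccountName) and krbPrincipalName jsmith@CORP.MYGRP.COM, with missing_mandatory reporting nothing. Feed it the pasted map with snSAMAccountName instead of sn|SAMAccountName and the same user comes back without an sn, which is exactly the entry OID will refuse during bootstrap.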

Watch for my next post on modifying the ActiveChgImp profile, as that has some new steps in IDM version 1.4.2.0.

Happy Troubleshooting !!!

Oracle 10g SSO Integration with E-Biz 11.5.10.2 - Implementation

I guess you have been kept waiting for my update, but here I am. As the next step we will create the adusers container in OID so that we can load users from AD into OID under this realm.
1. Create a file “create_aduser_container.ldif” containing the following lines:
dn: cn=adusers,cn=users,dc=corp, dc=mygrp, dc=com
cn: adusers
objectclass: top
objectclass: orclContainer
description: Container for Enterprise AD Users

2. On the IDM host, execute the following command after replacing the “-h” oidhost and “-p” oidport parameters:

$ORACLE_HOME/bin/ldapadd \
-c -v \
-h \
-p \
-D “cn=orcladmin” \
-w \
-f create_aduser_container.ldif

After this step you can see the adusers container in OID.

to be continued ...

Monday, August 4, 2008

Can't Publish Reports in ADI 7.2

We are using Oracle Names server to connect to our database. We had an issue last week with publishing reports via ADI 7.2, getting the following error:
"An error occurred while attempting to establish an Applications File Server connection. There may be a network configuration problem, or the TNS listener may not be running. Nodename: Hostname"
It was clear something was wrong with the Apps listener, so we tried bouncing it, ran a report like "Active Users" and tried viewing the output. That worked, but ADI report publishing still did not. We were clueless about what was happening; we thought the Names server might be the issue and bounced that too, but that didn't help either. As is truly said, if nothing works, go and read the readme. We went and looked at how ADI selects the FNDFS values; this is how:
"ADI selects the node_name from the FND_CONCURRENT_REQUESTS table, appends that value to FNDFS_ and then looks in the TNSNAMES.ora file for 'directions' on what host to go to and what port to ping for the FNDFS listener service"
So while checking the node_name value we got 2 records, one for the virtual host and the other for the physical host. That cleared up our issue: we looked at our concurrent manager node name, and again we had the virtual host entry there. To resolve this without downtime, we added one more entry in the Names server for the virtual host FNDFS_. And voilà, it worked. But over the weekend we took downtime to change the concurrent manager node_name back to the physical host.

Happy Troubleshooting !!!

XML Based Concurrent Program -SSLHandshake Error

We have a concurrent program developed in XML which is used for printing checks at one of the locations where we operate. This issue occurs only when we have the combination of the following setup:
1. Portal 3.0.9 login server (iAS 1.0.2.2.2).
2. Siteminder as authentication software.
3. SSL.
4. Concurrent Managers are running on Virtual Host.

The only solution I found to overcome this was to move our Concurrent Manager from the virtual host to the physical host. Other than that we have no other problem using the virtual host.

Happy Troubleshooting !!!