Tuesday, November 2, 2010

OIM How to : Delete OIM Users

Never delete OIM users: that is the OIM recommendation (disable them instead, so audit history and provisioning references stay intact). But while playing in a development environment, we sometimes clutter OIM with too many unwanted users. In case you want to clean them up, here is a little script that may help. Because it bypasses the product's own cleanup and leaves no audit trail, only ever run it against a throwaway development repository, take a backup first, and run it inside one transaction so you can roll back. I got this from http://forums.oracle.com/forums/thread.jspa?threadID=1997648&tstart=15 .

-- Replace USERXXX with the USR_LOGIN of the user to remove (keep the quotes).
-- Run with autocommit off so the whole set can be rolled back, and keep the
-- order below: dependent rows first, the USR row last.

-- Details (OUD) of the user's resource instances (OIU)
delete from oud where oiu_key in (select oiu_key from oiu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
-- Process task instances and task history linked to the user's requests, or assigned to the user
delete from osi where req_key in (select req_key from req where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX'));
delete from osi where osi_assigned_to_usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from osh where osh_assigned_to_usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
-- Reconciliation event data reached through the user's process instances (ORC)
delete from rcd where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rch where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rcu where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from rcb where rce_key in (select rce_key from rce,orc,usr where rce.orc_key = orc.orc_key and orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
-- Reconciliation event data linked to the user directly
delete from rpc where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rcm where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rcp where rce_key in (select rce_key from rce where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX'));
delete from rce where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
-- Remaining object instances, open tasks and the process instances themselves
delete from oio where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from oiu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from oti where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from osi where orc_key in (select orc_key from orc,usr where orc.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from orc where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
-- Access policy profiles (UPP/UPD), group memberships (USG) and user history (UPH/UHD)
delete from upd where upp_key in (select upp_key from upp,usr where upp.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from upp where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from usg where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from uhd where uph_key in (select uph_key from uph,usr where uph.usr_key = usr.usr_key and USR_LOGIN='USERXXX');
delete from uph where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
-- Challenge questions, reconciliation user matches, and finally the user row
delete from pcq where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from rcu where usr_key in (select usr_key from usr where USR_LOGIN='USERXXX');
delete from usr where USR_LOGIN='USERXXX';
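An added example, not part of the original post or the forum thread it came from: a small shell wrapper (assumed to run on a host with sqlplus and the statement list above saved as delete_oim_user.sql, both assumptions) that turns the script into a reviewable transaction for one login. The statements splice the login into a quoted literal, so the wrapper refuses any login containing characters a real USR_LOGIN would not have; it prepends a dry-run row count so you can see that exactly one USR row matches and how many dependent rows are about to go; and it writes the result to standard output so it can be read before it ever reaches the database.

```shell
#!/bin/sh
# Wrap the OIM user-delete statement list for one login.
# Usage: oim_delete_sql LOGIN [SCRIPT] > cleanup_LOGIN.sql
# SCRIPT is the statement list above saved verbatim, placeholder USERXXX
# included (the default file name delete_oim_user.sql is an assumption).

# Accept only characters a USR_LOGIN is expected to contain. A quote,
# semicolon, slash or ampersand would change the SQL (or the sed
# expression below) rather than the data.
oim_valid_login() {
  case "$1" in
    '' | *[!A-Za-z0-9._@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

oim_delete_sql() {
  login=$1
  script=${2:-delete_oim_user.sql}
  if ! oim_valid_login "$login"; then
    printf 'oim_delete_sql: refusing login %s (unexpected characters)\n' "$login" >&2
    return 1
  fi
  if [ ! -r "$script" ]; then
    printf 'oim_delete_sql: cannot read %s\n' "$script" >&2
    return 1
  fi
  # Session setup and a dry run: exactly one USR row should match, and the
  # dependent counts show how much the statement list is about to remove.
  cat <<EOF
-- Generated for USR_LOGIN='$login'. Nothing below commits.
set autocommit off
whenever sqlerror exit failure rollback
select count(*) as usr_rows from usr where USR_LOGIN='$login';
select count(*) as orc_rows from orc where usr_key in (select usr_key from usr where USR_LOGIN='$login');
select count(*) as oiu_rows from oiu where usr_key in (select usr_key from usr where USR_LOGIN='$login');
select count(*) as rce_rows from rce where orc_key in (select orc_key from orc, usr where orc.usr_key = usr.usr_key and USR_LOGIN='$login');
savepoint before_oim_delete;
EOF
  # The statement list itself, with the placeholder filled in.
  sed "s/USERXXX/$login/g" "$script"
  cat <<EOF
-- Check the counts above, then type "commit;" or "rollback to before_oim_delete;".
EOF
}

# Assumed usage (not executed here): review the file, run it in sqlplus
# against the development repository only, then commit or roll back by hand.
#   oim_delete_sql jdoe > cleanup_jdoe.sql && sqlplus oim_dev@DEVDB @cleanup_jdoe.sql
```

The generated file deliberately ends without commit or exit: sqlplus stays in the session with the deletes uncommitted, so the operator decides after reading the counts; any SQL error exits with a rollback.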

Monday, April 12, 2010

OAM "No schema definition for attribute XX found" error.

Does the error below look familiar? It occurs when an attribute is removed from one of the configured object classes in LDAP without also removing the corresponding attribute configuration that COREid keeps in its own configuration tree.

{
Bug Report Form
An error has occurred while executing the application.
Your browser doesn't support sending mail automatically!
Please send E-Mail to with the following information:
# Your Name
# Organization
# E-Mail Address
# Phone Number
# Comment
Make sure to append the following traceback in the mail.
Traceback
data\module_main.cpp:568: Error: Exception re-thrown in HandleEvent.
common\obprogram_registry.cpp:794: Error: Exception re-thrown in ObProgramRegistry::Execute.
common\obprogramservice.cpp:314: Error: Exception re-thrown in ObProgramService::Execute.
admin_console\acps_metaattribute.cpp:39: Error: Exception re-thrown in ACMetaAttributeProgram::Execute.
admin_console\metaattribute.cpp:1513: Error: Exception re-thrown in ACPS::MetaAttributeGenTabMainMetaAttributePage().
admin_console\metaattribute.cpp:1412: Error: No schema definition for attribute mdeTempEscalationAuthZId was found.
Product
User Manager AdminVersion
Platform
Microsoft Windows
}


For example, say you have an extra attribute 'userPreference' configured as part of an auxiliary object class 'myCompanyAddistionalUser'. All the attributes of this object class are configured via "Common Configuration" as well as in some user tab in "User Configuration". If you delete the attribute 'userPreference' from LDAP, make sure you also delete it from the corresponding common configuration and tab configuration. Otherwise you will see this error.

For the above example, the common configuration entry is found at "dn: obattr=userPreference, obclass=myCompanyAddistionalUser, o=Oblix,o=abc,dc=com", and the tab configuration entry at "dn: obattr=userPreference, obpanelid=Employees, obapp=userservcenter, o=Oblix,o=abc,dc=com" (the panel id and the o=Oblix base will differ per installation, and every other panel or application that shows the attribute has its own obattr entry). Search for all obattr=userPreference entries under o=Oblix first, keep an LDIF copy of what you find, delete those entries, and then clear the Identity Server cache. Your Identity Server will be happy again.
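An added example, not code from the original post: a shell function that takes an LDIF export of the o=Oblix subtree, picks out every entry whose DN starts with obattr=<attribute> (so it finds panels other than the two named above), saves those entries to a backup LDIF, and prints their DNs in the form ldapdelete reads from standard input. The sample export embedded in demo_ldif is constructed; the ldapsearch/ldapdelete command line at the end is the assumed usage against a live directory and is not executed by the function.

```shell
#!/bin/sh
# Pull every obattr=<attribute> entry out of an LDIF export of the o=Oblix
# configuration tree, keep a copy of those entries, and print their DNs so
# they can be fed to ldapdelete.
# Usage: obattr_entries ATTRIBUTE [BACKUP_LDIF] < export.ldif > dns.txt
obattr_entries() {
  attr=$1
  backup=${2:-obattr_${attr}_backup.ldif}
  awk -v attr="$attr" -v backup="$backup" '
    # LDIF records are separated by blank lines: collect one record, then
    # decide at its end whether its DN starts with obattr=<attr>.
    function flush() {
      if (dn != "" && tolower(dn) ~ "^obattr=" tolower(attr) " *,") {
        printf "%s\n", entry > backup
        print dn
        n++
      }
      entry = ""; dn = ""
    }
    /^dn: / { dn = substr($0, 5) }
    /^$/    { flush(); next }
    { entry = entry $0 "\n" }
    END { flush(); if (n == 0) exit 3 }   # status 3: nothing references the attribute
  '
}

# Constructed sample export (not real data): the two entries from the post
# plus an unrelated obattr=cn entry that must be left alone.
demo_ldif() {
  cat <<'EOF'
dn: obattr=userPreference, obclass=myCompanyAddistionalUser, o=Oblix,o=abc,dc=com
objectclass: top
obattr: userPreference
obdisplayname: User Preference

dn: obattr=cn, obclass=inetorgperson, o=Oblix,o=abc,dc=com
objectclass: top
obattr: cn

dn: obattr=userPreference, obpanelid=Employees, obapp=userservcenter, o=Oblix,o=abc,dc=com
objectclass: top
obattr: userPreference
EOF
}

# Assumed usage against a live directory (not executed here); use the
# password-file option of your ldap tools rather than -w on the command line:
#   ldapsearch -h idhost -p 389 -D "cn=Directory Manager" -j pwfile \
#       -b "o=Oblix,o=abc,dc=com" -s sub "(obattr=userPreference)" \
#     | obattr_entries userPreference userPreference_backup.ldif \
#     | ldapdelete -h idhost -p 389 -D "cn=Directory Manager" -j pwfile
# then clear the Identity Server cache.
```

Run the search and the function on their own first and read dns.txt; only pipe into ldapdelete once the list contains nothing but the attribute's own configuration entries.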

Wednesday, February 17, 2010

Deploying Sun IDM 8.1 on Weblogic

Here are a few quick steps to deploy Sun IDM (now called Oracle Waveset) on the WebLogic application server on a Windows box. Note that Sun IDM is a web application that requires a standard application server and a database repository; the installable is just a WAR file.

A. ENVIRONMENT PREPARATION
(1) Download IDM 8.1 from here. Extract the downloaded file IDM_8_1_0_0.zip to a temporary directory, say C:\Sun\idm_setup.

(2) Create a database, say 'waveset', on any supported RDBMS (MySQL, Oracle, MS SQL Server). Create the IDM tables in this database using the DB-specific SQL script in C:\Sun\idm_setup\db_scripts. For example, run ..\db_scripts\create_waveset_tables.sqlserver if your DB is MS SQL Server. Read the script before running it: where it also creates the repository login, set your own strong password there rather than accepting the sample one.

(3) Create a WebLogic server instance dedicated to running the IDM application.


B. IDM INSTALLATION
(1) From the command prompt:
-> cd C:\Sun\idm_setup (this is where you extracted the IDM installables)
-> set WSHOME=C:\Sun\idm (assuming this is your installation directory)
-> set JAVA_HOME=C:\bea\jdk150_04 (you can choose your JDK)
-> run install.bat
Select the component installation directory as 'C:\Sun\idm'.
This creates the application (the exploded IDM WAR file) at 'C:\Sun\idm'.

(2) Next, set up the JDBC driver that the IDM application uses to connect to its repository. Here is an example of the JDBC setup for an MS SQL Server repository. The credentials you enter here are stored with the deployed application, so use a dedicated database account that owns only the waveset tables, not a DBA login.
-> copy sqljdbc.jar to C:\Sun\idm\WEB-INF\lib\sqljdbc.jar
-> click 'Next'
On the "Launch Setup" screen enter the following:
URL : jdbc:sqlserver://YourSQLServer:1433;DatabaseName=waveset
JDBC Driver : com.microsoft.sqlserver.jdbc.SQLServerDriver
Connect as user : waveset-db-userid
Connect password : password
-> click 'Next' (if an error shows up here, exit from setup and run c:\sun\idm\bin\lh setup)

(3) Next, initialize Identity Manager with the default init.xml:
-> Continue Demo Setup: No
-> Import init.xml Identity Manager configuration. Click 'Execute'.

(4) Finally, deploy the application from the WebLogic console:
-> start the WebLogic server created for IDM
-> go to http://weblogicMachineName:7001/console/
-> after authenticating, select Deployments and pick the application location 'C:\Sun\idm'
-> make sure the deployment status of IDM is "Active". Now go to http://weblogicMachineName:7001/idm
UserId / password : configurator/configurator
OR
UserId / password : administrator/administrator
These are the product's well-known default accounts; change both passwords before anyone else can reach the instance.

You will see the IDM administration related screens.

Happy Learning..

Monday, August 3, 2009

Few Useful Tips on Sun LDAP Multi-Master Replication

If you are using Sun Directory Server 5.2, here are a few useful tips on multi-master replication.

(1) The typical steps to configure multi-master replication (say between M1 and M2) are to define a replication agreement on each directory that pushes changes to the other. Initially, though, both directories have to hold the same data. While defining the agreement from the console, it usually displays the message "remote replica of the selected agreement has not been initialized from this replica". The same message appears on the other directory's console when its agreement is defined. This gives the impression that each directory has to be initialized from the other to start in perfect sync. But NEVER initialize in both directions.

For example, after defining the replication agreement on each directory, do a full initialization only from M1 to M2. Never do the same from M2, even if M2's console shows the message "remote replica of the selected agreement has not been initialized from this replica": a full initialization replaces the target replica's contents wholesale, so initializing M1 from M2 afterwards would overwrite M1 with M2's copy.

(2) While doing a full initialization from M1 to M2, the schema MAY NOT get loaded to M2. So copy the config/schema directory of the M1 instance (.../slapd-M1/config/schema) over the same directory of the M2 instance (.../slapd-M2/config/schema) and restart M2. Do the initialization only after the schema on M1 and M2 is identical.

(3) Index configuration is not carried over either when one master is initialized from the other. So export the index configuration from the source master, import it on the other master, and then re-index.

(4) If for some reason you have to delete an existing agreement and create it again, make sure you assign a new replica ID. This avoids possible data corruption.

(5) When exporting data from any of the directories participating in multi-master replication, you will see replication state (e.g. obEnabled;vucsn-49de55e5000000010000;deleted: disabled) in the exported data. What if you want clean data only? There are many ways; here is one of them: search the subtree over LDAP instead, which returns only the current attribute values, and redirect the output to a file.

ldapsearch.exe -h yourHost -p yourPort -D "cn=myUser" -w myPassword -b "obname=o=Finance,dc=company,dc=com" -s sub "(objectclass=top)" > exported.ldif
(quote the base DN and the filter so the shell does not interpret them; and prefer the tool's password-file option to -w, which leaves the password visible in the process list and the command history)
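An added example, not part of the original post: the complementary approach for an export you already have, a shell filter that strips the replication state from a db2ldif-style LDIF. It removes the ;vucsn-/;adcsn-/;vdcsn- options from attribute descriptions while keeping the values, drops values flagged ;deleted and empty state-only lines, drops nsUniqueId (an assumption: you want the target instance to assign fresh IDs), and keeps LDIF continuation lines with their parent. The sample export in demo_export is constructed to exercise each of those rules; the exact option names in real 5.2 exports should be checked against your own db2ldif output.

```shell
#!/bin/sh
# Strip multi-master replication state from a db2ldif-style export so the
# file carries only current attribute values. Rules applied per line:
#   - options ;vucsn-..., ;adcsn-..., ;vdcsn-... are removed from the
#     attribute description and the value is kept;
#   - a value flagged ;deleted (or ;deletedattribute) is dropped, as is a
#     state-only line with an empty value;
#   - nsUniqueId is dropped (assumption: fresh IDs wanted on import);
#   - continuation lines (leading space) follow their parent line.
# Usage: clean_ldif < exported.ldif > clean.ldif
clean_ldif() {
  awk '
    /^ / { if (!drop) print; next }
    { drop = 0 }
    tolower($0) ~ /^nsuniqueid:/ { drop = 1; next }
    /^[^ ]+;[^:]*:/ {
      i = index($0, ":"); desc = substr($0, 1, i - 1); rest = substr($0, i)
      n = split(desc, opt, ";"); out = opt[1]; state = 0
      for (k = 2; k <= n; k++) {
        if (opt[k] ~ /^(vucsn|adcsn|vdcsn)-/) state = 1
        else if (opt[k] == "deleted" || opt[k] == "deletedattribute") drop = 1
        else out = out ";" opt[k]        # keep ordinary options such as ;binary
      }
      if (drop) next
      val = rest; sub(/^::? */, "", val)
      if (state && val == "") { drop = 1; next }
      print out rest; next
    }
    { print }
  '
}

# Constructed sample of what such an export looks like (not real data).
demo_export() {
  cat <<'EOF'
dn: uid=jdoe,ou=People,dc=company,dc=com
objectclass: top
objectclass: inetorgperson
nsUniqueId: 3a2b1c0d-0001-0002-0003-000000000004
uid: jdoe
cn;vucsn-49de55e5000000010000: John Doe
obEnabled;vucsn-49de55e5000000010000;deleted: dis
 abled
obEnabled;vucsn-49de55e6000000010000: enabled
description;vucsn-49de55e7000000010000: Joined the Finance team in
 2009
sn;adcsn-49de55e8000000010000:
mail: jdoe@company.com
EOF
}

# Usage: demo_export | clean_ldif
```

On the sample the output is the entry with cn, obEnabled and description carrying plain values, the deleted obEnabled value, the empty sn state line and nsUniqueId gone, and the folded description line still attached.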

Monday, July 27, 2009

OAM Server Issue After Pointing to a New Ldap Instance

Let's say you moved one of your LDAP servers (or the only one) to a different machine. You made all the correct changes in the OAM System Console to reflect the new LDAP host and port, but your OAM servers (COREid and Access) still do not start. One likely cause is that some of the configuration XML/LST files have not picked up the new host information yet.

For the COREid Server: check all the XML files (AccessDB.xml, AppDB.xml, etc.) in the ..\NetPoint\identity\oblix\config\ldap directory.

For the Access Server: check all the LST files (AppDB.lst, ConfigDB.lst, etc.) in the ..\NetPoint\access\oblix\config\ldap directory.

Correct the LDAP host (and port) wherever the old values still appear, keep a copy of each file you change, and restart the server. Good luck!
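An added example, not code from the original post, for the check just described: a pair of shell functions that list the .xml and .lst files under a config directory still naming the old directory host, then rewrite them with a .bak copy kept of every file touched. The replacement is a fixed-string match in awk rather than sed, so the dots in a host name are not treated as wildcards and the result does not depend on a platform-specific sed -i. The directory layout and file contents in the test are constructed; on a real install point it at ..\NetPoint\identity\oblix\config\ldap and ..\NetPoint\access\oblix\config\ldap.

```shell
#!/bin/sh
# Find OAM LDAP config files that still name the old directory host and
# rewrite them, keeping a .bak copy of each file touched.
# Usage: stale_ldap_host_files DIR OLDHOST
#        replace_ldap_host DIR OLDHOST NEWHOST
# Only the .xml and .lst files the post mentions are considered.

stale_ldap_host_files() {
  find "$1" -type f \( -name '*.xml' -o -name '*.lst' \) \
    -exec grep -l -F -- "$2" {} +
}

# Fixed-string replacement of OLD by NEW in one file, written to stdout.
# Scanning left to right and never re-scanning inserted text means a NEW
# value that contains OLD (ldap -> ldap2) cannot loop.
replace_fixed_string() {
  awk -v old="$2" -v new="$3" '
    { line = $0; out = ""
      while ((i = index(line, old)) > 0) {
        out = out substr(line, 1, i - 1) new
        line = substr(line, i + length(old))
      }
      print out line }
  ' "$1"
}

replace_ldap_host() {
  dir=$1; old=$2; new=$3
  if [ -z "$old" ] || [ -z "$new" ]; then
    echo "replace_ldap_host: old and new host required" >&2
    return 1
  fi
  stale_ldap_host_files "$dir" "$old" | while IFS= read -r f; do
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak"     # never overwrite an earlier backup
    replace_fixed_string "$f" "$old" "$new" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "rewrote $f"
  done
}
```

Run stale_ldap_host_files on its own first; if the old host also appears in files other than the ones you expect, look at them by hand before running the rewrite.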

Monday, June 8, 2009

SSO between webgates

I was configuring OAM load balancing. I had two sets of servers (each set with IDM, Access Server and Policy Manager) fronted by two iPlanet web servers (host1.abc.com and host2.abc.com), each with its own WebGate. To configure SSO between these two WebGates, I set the "Primary HTTP Cookie Domain" of both WebGates to "abc.com".

Now it was testing time. I authenticated to http://host1/myPage.jsp and typed http://host2/myPage.jsp in the browser's address bar, expecting to be authenticated to http://host2 as well. Nope, I saw the login screen again. I banged my head the whole day until I found my mistake the next morning.

The solution was very simple: use http://host1.abc.com/myPage.jsp instead of http://host1/myPage.jsp, and after authenticating to host1 go to http://host2.abc.com/myPage.jsp. This works because the WebGate issues its SSO cookie (ObSSOCookie) for the domain configured as "Primary HTTP Cookie Domain", abc.com, and a browser only stores and sends a cookie scoped to abc.com for hosts inside that domain. The bare hostname host1 does not domain-match abc.com, so a browser following the cookie rules will not even accept the cookie for host1, let alone send it to host2, and the login page comes back.

Since the setup was inside the network, I did not have to mention the domain name (...abc.com) to access my web content; iPlanet was serving the page even when I typed the URI as http://host1/myPage.jsp.
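An added example, not part of the original post: the domain-match rule behind the fix, written as shell functions so the cases above can be checked without a browser. cookie_domain_matches implements the RFC 6265 domain-match test (the request host equals the cookie domain, or ends with "." followed by it, and is not an IPv4 literal); sso_cookie_sent_to extracts the host from a URL and applies it. The assumption is that the WebGate cookie carries Domain=abc.com as configured; the URLs are the ones from the post.

```shell
#!/bin/sh
# Would a cookie scoped to COOKIE_DOMAIN be stored for, and sent to, the
# host in URL? Implements the RFC 6265 domain-match rule:
#   host == domain, or host ends with "." domain, and host is not an IPv4
#   literal. Comparison is case-insensitive; a leading dot on the domain
#   (".abc.com" as some consoles write it) is ignored.
# Usage: sso_cookie_sent_to URL COOKIE_DOMAIN   (exit 0 = sent, 1 = not sent)

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Host part of a URL: strip scheme, path and port.
url_host() {
  h=${1#*://}
  h=${h%%/*}
  h=${h%%:*}
  printf '%s' "$h"
}

cookie_domain_matches() {
  host=$(lower "$1")
  dom=$(lower "${2#.}")
  [ -n "$host" ] && [ -n "$dom" ] || return 1
  [ "$host" = "$dom" ] && return 0
  # An IPv4 literal (digits and dots only) never domain-matches a suffix.
  case "$host" in *[!0-9.]*) ;; *) return 1 ;; esac
  case "$host" in *".$dom") return 0 ;; esac
  return 1
}

sso_cookie_sent_to() {
  cookie_domain_matches "$(url_host "$1")" "$2"
}

# Usage, mirroring the post:
#   sso_cookie_sent_to http://host1.abc.com/myPage.jsp abc.com   -> exit 0
#   sso_cookie_sent_to http://host1/myPage.jsp abc.com           -> exit 1
```

The suffix check insists on the dot boundary, so a host such as notabc.com is not treated as part of abc.com; that is the same rule that keeps a cookie for abc.com from leaking to an unrelated domain that merely ends in the same letters.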

Thursday, April 9, 2009

Helpful Tips for COREid to Ldap Load Balancing Setup

Before doing any OAM-component-to-LDAP load balancing setup, make sure you have taken a backup of the node "obcontainerid=dbagents,o=oblix,dc=abc,dc=com" in your LDAP (an ldapsearch of that subtree saved as LDIF is enough).

The 'dbagents' node holds all the existing DB profile data. If you mess up a DB profile while experimenting with the LB setup, this backup will come to your rescue; otherwise the respective OAM server will not start.