OLS integration w/OID
Hi,
I'm not sure if I'm in the right discussion forum, but I have a question regarding Oracle Label Security integration with Oracle Internet Directory.
I tried setting it up and got a lot of errors. I basically want to uninstall and then re-install to start over fresh.
I've uninstalled by:
1) running catnools.sql
2) removing Label Security using the Oracle Universal Installer deinstall option.
When I reinstalled, I tried to integrate with OID again and got errors such as the following:
Error updating provisioning profile -ERROR: Provisions Profile Already Exists..
The Provisioning Profile for the Application could not be created.
LDAP error code 20 uniquemember attribute has duplicate value
It doesn't seem as if it uninstalled properly because there are still traces of everything in OID.
How can I do a clean removal so that I can reinstall and start over again?
I've been trying to follow this documentation and ran into problems at Step: http://www.oracle.com/technology/deploy/security/database-security/howtos/ols_oid-how-to.html
When I tried to run 'execute sa_policy_admin.policy_subscribe('ACCESS_LOCATIONS')', I got the error:
ERROR:
ORA-00604: error occurred at recursive SQL level 1
ORA-04045: errors during recompilation/revalidation of LBACSYS.LBAC_EVENTS
ORA-04064: not executed, invalidated
ORA-04064: not executed, invalidated package body "LBACSYS.LBAC_EVENTS"
ORA-06508: PL/SQL: could not find program unit being called: "LBACSYS.LBAC_EVENTS"
ORA-06512: at line 2
ORA-06508: PL/SQL: could not find program unit being called: "LBACSYS.LBAC_EVENTS"
ORA-06512: at line 2
When I check the LBACSYS procedures, packages, etc., some are not valid. When I try to recompile, I get the same error.
So, everything was messed up completely which was why I wanted to uninstall.
Thanks,
Nora
hi, the technology that allows 3rd party directories to integrate with OID is called the OID "Directory Integration Platform" (DIP).
Documentation on the OID DIP can be found at:
http://download-west.oracle.com/otndoc/oracle9i/901_doc/network.901/a90151/pt_odip.htm#435787
Also, Oracle consulting services are available to support directory integration work. Please email me if you are interested in getting more information about Oracle Consulting.
Similar Messages
-
About OLS integration with OID whitepaper on OTN...
My OID Support customer tried to follow the steps in this how-to but it failed:
http://www.oracle.com/technology/deploy/security/db_security/howtos/ols_oid-how-to.html
PROBLEM:
Encountered an error at step 13 on page 6. If the DB had OLS, the error statement was:
"Error updating provisioning profile -ERROR. Provisioning Profile Already Exists.. The Provisioning Profile for the Application could not be created."
Else the error message was:
"Error updating provisioning profile -ERROR [LDAP:error code 50 - Insufficient Access Rights] The Provisioning Profile for the Application could not be created."
CAUSE:
That cn=dbcreator account in the how-to does not have privileges to create prov profile.
SOLUTION:
The OLS docs say to use "an admin" so my customer tried root "cn=orcladmin" instead and it worked. (I have no idea if using this account would present any problems for OLS later on though.)
REQUEST:
Whoever wrote that how-to - please modify the steps to avoid this problem.
Tx
Hi there,
thanks for reporting this glitch; will take care of this shortly,
Peter
-
Third Party Integration and OID Accounts
I'm planning on using OID with a sync with another LDAP such as AD or Novell. I am also going to integrate SSO with a third party SSO engine.
How do I log into Oracle SSO with a user defined in neither AD nor my third party SSO engine? I am basically worried about accounts like PORTAL and ORCLADMIN. Is it possible to bypass the third party integration for these accounts or am I forced to create these accounts in AD and my third party SSO engine?
Jon,
you can either authenticate locally e.g. cn=orcladmin or externally.
You have various options (depending on the OID version) and how you organize the user base in OID. On a high level the authentication is based on objectclasses for an entry.
E.g. users being synchronized from AD to OID (using the Directory Integration Platform) contain an objectclass "aduser" to distinguish them as external AD users within OID. So the external authentication plugin will "know" who is an AD user and try to authenticate this user externally with AD not OID. You can also configure the external authentication plugin to filter users who should not be externally authenticated.
If you store all external users in a dedicated subtree e.g. cn=AD_USERS or cn=EDIR_USER you can configure the external authentication plugin to authenticate those users to the respective external directories.
With OID 10.1.4.0.1 you could also make use of the server chaining authentication.
So there are a couple of options you have. See the documentation:
Oracle Identity Management Integration Guide
http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/toc.htm
Oracle Internet Directory Administrator's Guide
http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/toc.htm
regards,
--Olaf
-
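The routing decision described in the reply above (exclusion filter, marker objectclass, dedicated subtree) can be modelled as follows. This is an added example, not part of the original thread and not Oracle's external authentication plug-in; the function names, the policy layout and the `dc=example,dc=com` realm are assumptions, and `aduser` is the objectclass name as given in the reply.

```python
# Added illustration: models the routing decision described in the reply.
# Not Oracle's plug-in code; all function and key names are hypothetical.

def parse_dn(dn):
    """Split a DN into normalized (attribute, value) RDN pairs.

    Simplified: honours backslash-escaped commas, ignores multi-valued RDNs.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True only if dn sits strictly below base, compared RDN by RDN.

    A plain string suffix test would also accept 'xcn=AD_USERS,...'.
    """
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def route(entry, policy):
    """Return 'local' or 'external' for one directory entry."""
    dn = parse_dn(entry["dn"])
    # 1. Exclusion filter: accounts that must not depend on the external directory.
    if any(dn == parse_dn(x) for x in policy["always_local"]):
        return "local"
    # 2. Marker objectclass set on synchronized entries.
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if classes & {c.lower() for c in policy["external_objectclasses"]}:
        return "external"
    # 3. Dedicated subtree holding external users.
    if any(is_under(entry["dn"], base) for base in policy["external_subtrees"]):
        return "external"
    return "local"


# Constructed policy; dc=example,dc=com is a placeholder realm.
POLICY = {
    "always_local": ["cn=orcladmin"],
    "external_objectclasses": ["aduser"],   # name as given in the reply
    "external_subtrees": ["cn=AD_USERS,dc=example,dc=com"],
}
```

Checking the exclusion list first keeps an administrative account such as cn=orcladmin usable when the external directory is unreachable, even if a synchronization run has stamped the marker objectclass onto it.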
OLS integration with Oracle E-Business Suite
Hi,
we want to implement OLS (9i DB) in Oracle E-Biz suite (11i.10) environment for data security both at backend (DB) and front-end for E-Biz applications. Can anyone please provide some material/ references highlighting the integration steps for the front end part, like:
- how to apply the OLS policy applicable to Application user to 'APPS' or other DB users which are actually interacting with the DB from E-Biz applications ?
- how to apply the OLS policy in case of batch jobs, advanced queues etc that are using different DB user(s), separate from 'APPS'
Whether it would be better if the E-Biz application front end security part is done using Data security and Role based access control (RBAC), roles matching with OLS policy etc when we compare that with OLS policy used for both front end and Database ?
Thanks in advance for your help!
Supro
Message was edited by: user645454
Hi there,
as a start: There is a Best Practices document for OLS and E-Business Suite available from the OLS homepage on OTN:
http://www.oracle.com/technology/deploy/security/database-security/label-security/index.html
Let me know should you have any more questions ...
Peter
-
Webcenter JiveForums Integration with OID
Anybody had luck in Integrating Webcenter & JiveForums using LDAP/OID rather than JavaSSO specified by the document
http://download.oracle.com/docs/cd/E12483_01/webcenter.1013/b31074/jpsdg_jive.htm.
The document clearly says the LDAP configuration during Jive Admin setup is not supported. if I have to choose the default option, as stated by the document, for user authentication, how do i go about configuring LDAP/OID.
Appreciate if anybody could give steps to follow to achieve this.
Thanks
Do you have some more logs? Maybe in AdminServer?
When you get
ADF_FACES-60098:Faces lifecycle receives unhandled exceptions in phase RENDER_RESPONSE 6
javax.el.ELException: java.lang.NullPointerException
Usually it is an error that isn't caught in some class and you get the error in your jspx page.
-
Workflow Integration with OID - wfdircsv.sql query
Hi all,
According to Workflow Guide Release 2.6.2 & metalink note 207225.1, when setting up OID integration you need to run the wfdircsv.sql script. This script sets the mappings of directory service views only to the WF_LOCAL tables.
However, because only the WF_LOCAL_USERS table is synchronised with OID, is it enough to ensure that WF_USERS only maps to its WF_LOCAL equivalent and not WF_ROLES?
This way we could leave WF_ROLES to map to other areas on our database, in addition to the union with WF_USERS and WF_LOCAL_ROLES. This is important to us because we have an existing dba_roles table that we want to union with.
Any ideas or inputs on whether this is possible would be much appreciated.
Paul.
Paul,
You have multiple options:
1. Create the DBA roles as OID groups and use metalink note 210796.1 to synch OID groups.
2. You can create ad-hoc roles for the dba roles and assign users to that role (Check the guide for the API)
3. You can create custom directory service (Check the user's guide), but this option is not supportable.
Hope this helps..
Raja
-
Integration between OID and AD - Error
Hi gurus.
I am using the IDM 10.1.4 to integrate the OID with AD. I am getting the following error:
Trace Log Started at Thu Sep 20 17:36:37 BRT 2007
0 >= 0
java.lang.ArrayIndexOutOfBoundsException: 0 >= 0
at java.util.Vector.elementAt(Vector.java:431)
at javax.naming.NameImpl.get(NameImpl.java:534)
at javax.naming.CompositeName.get(CompositeName.java:364)
at oracle.ldap.odip.gsi.ActiveReader.getNextChange(ActiveReader.java:400)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:634)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
DIP_OIDREADER_ERROR_GET_NEXT_CHANGE
java.lang.NullPointerException
at oracle.ldap.odip.engine.Debug.logAudit(Debug.java:192)
at oracle.ldap.odip.engine.Debug.logAudit(Debug.java:185)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:821)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
null
ActiveImport:Error in Mapping Enginenull
ActiveImportError in executionjava.lang.NullPointerException
java.lang.NullPointerException
at java.io.Writer.write(Writer.java:126)
at java.io.PrintStream.write(PrintStream.java:303)
at java.io.PrintStream.print(PrintStream.java:462)
at java.io.PrintStream.println(PrintStream.java:599)
at java.lang.Throwable.printStackTrace(Throwable.java:461)
at oracle.ldap.odip.engine.ODIException.printStackTrace(ODIException.java:321)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:398)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
Updated Attributes
orclodipLastExecutionTime: 20070920173637
orclodipConDirLastAppliedChgNum: 0
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors: Mapping Failure, Agent Execution Not Attempted
Can somebody help me?
Thanks in advance.
Check your mapping file and see if there are any syntactical errors.
Also check the output of the following command.
ldapsearch -p port -h host -D cn=orcladmin -w password -b "orclodipagentname=<profile_name>,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*"
-
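One way to read the profile entry that the ldapsearch command above returns and flag a failed or stalled synchronization run. This is an added example, not part of the original thread and not Oracle tooling; the sample LDIF is constructed from the attribute values quoted in the question, and the profile name, the failure keywords and the one-hour staleness threshold are assumptions.

```python
import base64
from datetime import datetime, timedelta

# Added illustration, not Oracle tooling. SAMPLE_LDIF is constructed from the
# attribute values quoted in the post; the profile name is an assumption.
SAMPLE_LDIF = """\
dn: orclodipagentname=ActiveImport,cn=subscriber profile,cn=changelog subscr
 iber,cn=oracle internet directory
orclodipLastExecutionTime: 20070920173637
orclodipConDirLastAppliedChgNum: 0
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors: Mapping Failure, Agent Execution Not Attempted
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: drop the single leading space
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        if value.startswith(":"):         # "attr:: <base64>" for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def profile_findings(entry, now, max_age=timedelta(hours=1)):
    """Return a list of problems seen in a profile entry (empty list: none)."""
    def first(name):
        return entry.get(name.lower(), [""])[0]

    findings = []
    for name in ("orclOdipSynchronizationStatus", "orclOdipSynchronizationErrors"):
        value = first(name)
        # Assumption: a failed run is reported with "failure" or "error" in the text.
        if any(word in value.lower() for word in ("failure", "error")):
            findings.append(f"{name}: {value}")
    if first("orclodipConDirLastAppliedChgNum") == "0":
        findings.append("last applied change number is 0")
    stamp = first("orclodipLastExecutionTime")
    if stamp:
        last_run = datetime.strptime(stamp, "%Y%m%d%H%M%S")
        if now - last_run > max_age:
            findings.append(f"last run was {now - last_run} ago")
    else:
        findings.append("no orclodipLastExecutionTime value")
    return findings
```

A profile that stays in a failed state means account changes in the source directory, including disabled or deleted users, are not reaching OID, so the result is worth alerting on rather than checking by hand.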
Integration and reconciliation of OIM and OID
I need to do integration with OID and OIM, when i import the XML file, there are two XML files,
1) oimOIDuser
2) oimUser
which xml should be used for the integration of OIM and OID.
and for the trusted source Reconciliation.
-sudhan elango.
oimOIDUser.xml
If you are using OIM 9.1.0 or later then you don't have to import the connector
You can install it by copying the contents of the installation in OIM_HOME/xellerate/ConnectorDefaultDirectory
and then Deployment Manager-> Install connector and from the connector list select OID connector and Load
Hope it helps,
Saggu
-
Email Task users: JDeveloper and OID via Integration Service?
While building an email task in JDeveloper, we are trying to use the "Identity Lookup Dialog" box. When trying to access the OID users, we can see only the default (JAZN) accounts (oc4jadmin, bpeladmin, etc.) We do not see any of our actual users.
However, BPEL is integrated with OID. We have imported our AD users into OID. These users can access the worklistapp in this BPEL installation, so i feel comfortable that the BPEL Process Manager is configured with OID. Any idea how to get JDeveloper to see that info? JDeveloper is using the "Integration Server Connection", so it should see it, right?
Our BPEL install is in its own Application Server instance. It is version 10.1.3.3.
Any ideas on what i'm missing?
thank you,
iggy.
Patrick N. _Futureweb OG,
1. Please use the following PowerShell to confirm your guest vm integration service has updated successfully, if not try to reinstall the IC.
Get-VM | ft Name, IntegrationServicesVersion
2. Please confirm your exchange vm the following service is running.
3. Please confirm your SYSTEM account has write permission on the following registry,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
If not please add full permission on it.
4. In exchange vm the System Device manager must have a “Microsoft Hyper-V virtual machine Bus” device.
More related information:
Assign permissions to a registry key
http://technet.microsoft.com/en-us/library/cc728310(v=ws.10).aspx
Updating Hyper-V Integration Components (IC)
http://blogs.technet.com/b/rmilne/archive/2013/06/17/updating-hyper-v-integration-components-ic.aspx
Hope this helps.
-
Oracle E-Business Suite integration is failing with OSSO
Hi all,
We are integrating EBS 12.1.1 with OSSO 10g (OID 10.1.4.3) using txkrun.pl script. This is a production environment and has 2 nodes of OID and 2 nodes of Database in RAC mode. When we run the txkrun.pl script we are getting the below error:
Mon Dec 13 15:06:38 GMT+05:30 2010 SSO database is jdbc:oracle:thin:@ldap://oid_hostName:389/idmprod,cn=oraclecontext
Mon Dec 13 15:06:38 GMT+05:30 2010 Exception while creating database connection :java.sql.SQLException: Io exception: The Network Adapter could not establish the connection
java.sql.SQLException: Io exception: The Network Adapter could not establish the connection
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:125)
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:162)
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:274)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:328)
at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:361)
at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:151)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:595)
at java.sql.DriverManager.getConnection(DriverManager.java:572)
at java.sql.DriverManager.getConnection(DriverManager.java:196)
at oracle.security.sso.SSORegistrar.main(SSORegistrar.java:327)
Mon Dec 13 15:06:38 GMT+05:30 2010 Check if your database is up and running.
The DB is up and running and we are able to telnet the OID ports from EBS machine. Please let me know if anyone has faced this error before.
This is very urgent and appreciate your quick response.
Thanks,
Mahendra.
If you are running Oracle E-Business Suite Release 12.1.1 and integrating with OID 11g, you will also need to download and install TXK patch 7651166, which provides several fixes to Applications Technology code, including an update to the Oracle E-Business Suite OID registration scripts that adds support for OID 11g. The patch should be applied to all Oracle E-Business Suite middle tier nodes. This patch is not required if you are integrating with any other version of Oracle E-Business Suite.
Regards,
Prashant.
-
Moving to OID, but...
hi! currently i'm using the Oracle 9iAS and Portal (both Release 1) to:
1. develop pl/sql base applications. I make use of the local security tables (wwsec_person$ etc) to grant access to applications, content areas and folders etc.
2. a trigger that uses system event trigger "after logon on portal30.schema" to call a procedure after a user logs in
3. some dynamic pages that have e.g., the following:
<Oracle>
declare
  -- Row for the portal user who is currently logged in
  cursor b_cur is
    select * from portal30.wwsec_person$ where id = portal30.wwctx_api.get_user_id;
  b_rec b_cur%rowtype;
begin
  -- The cursor FOR loop opens, fetches from and closes b_cur
  for b_rec in b_cur loop
    htp.p('Hello');
    htp.p(b_rec.user_name);
    htp.p('Your birthdate is');
    htp.p(b_rec.date_of_birth);
  end loop;
end;
</Oracle>
Questions:
a) Can I just "switch" the "Authentication Mechanism: LOCAL" under the Edit Login Server portlet to OID? if so, how? will i need to reassign all the access rights again in the content area, folder, applications etc.
b) what happens to all the user/group created under the wwsec_person$ etc? can I just "port them over"? if possible, how?
c) are those commands in Q3 still valid? if not, how can I achieve the same result?
also, the 9iAS Release 2 has actually "integrated" the OID with the portal. Should I just discard everything done on Release1 and re-create them on the R2?
kindly advise.
thank you.
That is because you used a jar that is outside of your a2g.ear. That Oracle9iAS R2 doesn't seem to pick up your jars in the lib folder!!
-
OID and MS Active Directory LDAP information Synchronization
Do you know have to do the integration between OID and MS active Directory? How to synchronize the LDAP information between two?
Hi, I have the same question.
Thanks,
Malin
-
OIM, OID and ADF - Confused!!!
Hi All,
I am starting to read about all this Identity Management stuff and I need some orientation about what to do and where to start since I have been losing some time trying to understand the whole picture. I know Oracle Internet Directory is part of OIM but I am confused.
We are building a Webcenter Portal application and its security is intended to be managed through an OID (Oracle Internet Directory) which is already settled up and running. Now, the real problem is how to manage users/groups (entries in general) using our Webcenter Portal Application.
We are thinking at first some basics operation like if you are the admin you can create some user, assign roles and groups etc. All this without going to the OID Console. All this within our portal.
I know there is more than one approach I could take. Right now I am thinking to create our custom java classes in order to connect to the LDAP using the provided API. So
- Should I use a simple JNDI interfaces to do this?
- In JDeveloper if I write "OIDUser" in a java class I get a suggestion about the package "oracle.security.idm"... So shall I use this instead of simple JNDI? If this is the case, is there any tutorial I can follow in order to achieve this?
- I was taking as example this http://code.google.com/p/ldapchai/ which is an API for LDAP using java jndi. However, this is not an oracle product and more than sure this kind of stuff has been already made by oracle. But exactly something like that I need. I am thinking to implement some interfaces with the following methods
create user
update user
create group
update group
assignUserToGroup
etc.
Hope you guys can help me out here.
Regards
P.S I give points to the useful questions and correct ones as well.
I just came out with this library ldapjclnt11.jar which is in OID_HOME. Shall I go for this since I am not using OIM. Just OID?
Regards
Edited by: Alejandro T. Lanz on Feb 13, 2013 8:15 AM
Hey Alejandro,
Management X Manager both are OIM concepts:
Let's start from the very beginning: OIM is one product that you can control 'user and group resources' as Active Directory users, Database users and OID users and groups. So, OID is not part of OIM (Oracle Identity Manager). Maybe you are talking about the first concept that comes with Oracle application server, OID, DAS and SSO. All these products were called OIM (Oracle Identity Management).
OIM is one WebApp deployed into AppServer with some client pieces(eg: Design Console, Remote Manager) , if needed.
OID is one LDAP.
Basically the standard control that you can do here is:
Have these tasks:
1)create user,update user,create group,update group,assignUserToGroup controled by OIM.
2) THen OIM has an 'integration' with OID, using LDAPSYNC or having OID Connector: http://thiagoleoncio.blogspot.com/2013/01/oid-sync-vs-oim-connector-into-oim-11g.html
3) WebCenter Portal is 'connected with LDAP(OID)'.
Regarding this:
We are thinking at first some basics operation like if you are the admin you can create some user, assign roles and groups etc. All this without going to the OID Console. All this within our portal.
I know there are more than one approach I could take. Right now I am thinking to create our customs java classes in order to connect to the LDAP using the provided API.
You can:
1) Do a class that has all LDAP queries to do whatever you want.
2) Do this integration above, then it will be much easier to do these tasks and no development part is needed from the user creation point of view.
I hope this helps you a bit,
Thiago Leoncio.
-
Obiee 11.1.1.5 integration with OAM
Hi,
I integrated OBIEE 11.1.1.5 with OID11g (as a part of OAM integration), all OID users are getting reflected into obiee. I'm able to log in to the ‘analytics’ but not able to access the reports. Also I'm not able to assign any BI groups to OID users.
Has anyone faced this kind of a scenario? Can anyone please help me?
If anyone has done obiee 11.1.1.5 integration with oam 11g, please provide me the document which you followed.
Thanks in advance,
Fathima farsatha.
Edited by: 927873 on Jul 16, 2012 12:11 AM
Hi,
Please try to access Analytics Webservices by using 'analytics-ws' instead of only 'analytics' in the URL as below,
http://<Host Name>:<Port>/analytics-ws/saw.dll?WSDL
Give a try with below link it may help you..
http://onlineappsdba.com/index.php/2011/12/05/integrate-obiee-11g-with-oam-11g-for-single-sign-on-in-13-steps/
http://fusionsecurity.blogspot.com/2012/06/integrating-obiee-11g-into-weblogics.html
http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/sso.htm#CEGJBAED
Thanks
Deva
-
How to call OID delete user process task from AD process definition
Hi All,
I wanted to call OID delete user process task from AD process def. I have created a process task in AD Process def which will be integrated with OID Delete User adapter. How can i map OID related attributes to the adapter api?
Expected inputs for OID delete api :
root DN
orgDN
admin pwd
server
attr lookupcode
XLOrgFlag
sProcessInsKey
UserID
PDataOrg
port
AdminID
SSLFlag
here i cannot map some like : sProcessInsKey
any pointers would be appreciated.
Regards,
Ashok
OID delete user process task from AD process def
Why don't you call the Revoke Resource API?
http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_904/doc_cd/javadocs/operations/Thor/API/Operations/tcUserOperationsIntf.html#revokeObject%28long,%20long%29
Use getObject API
Iterate through resultset.
If RONAME == OID User then call revokeObject