My Oracle Support Banner

ODIP / OUD - ManageSyncProfiles Error: "InvalidDomainConstructRule" (Doc ID 1562580.1)

Last updated on JANUARY 30, 2019

Applies to:

Oracle Unified Directory - Version 11.1.2.1.0 and later
Information in this document applies to any platform.

Goal

1. Problem Origin: After running syncProfileBootstrap on a large number of AD entries into OUD

This is error is output when a large number of AD entries have been uploaded into OUD after running the command  syncProfileBootstrap on a given profile.
As DIP admin server currently is launching an unindexed search request, any AD-OUD data with more than 4K entries uploaded will create this problem.

2. Triggering the problem using EM, or manageSyncProfile

The problem can be generated immediately either via EM (or using the command manageSyncProfiles) when trying to enable (or manipulate) the synchronization profile corresponding to the data just uploaded with syncProfileBootstrap.
The following error messages are output -

Map rules "orclodipattributemappingrules" have the following errors:
Domain rule "0" has error: Invalid domain construct rule: 'ou=people_ad_10000,dc=example,dc=com' not found
Domain rule "1" has error: Invalid domain construct rule: 'ou=people_ad_10000,dc=example,dc=com' not found
Domain rule "2" has error: Invalid domain construct rule: 'ou=people_ad_10000,dc=example,dc=com' not found
....

 

3. Diagnosing the problem

The problem is also characterized by the following warning/error messages:

wls_ods1-diagnostic.log

[2013-06-15T18:28:20.623+02:00] [wls_ods1] [NOTIFICATION] [DIP-85007] [oracle.dip.mbean.sync] [tid: SyncProfileMBean] [userId: weblogic] [ecid: 99ec54cedbab8a4c:3c9b5f0c:13f4322fdbc:-8000-0000000000006265,1:32247] [APP: DIP#11.1.1.2.0] saving the following attributes: [[
orclodipvalidationerrors: MAP_ERRORS:orclodipattributemappingrules:DOMAIN_RULE:0:Invalid domain construct rule: ''ou=people_ad_10000,dc=example,dc=com'' not found
orclodipagentcontrol: DISABLE 


OUD access log 

15/Jun/2013:16:37:50 +0000] SEARCH REQ conn=8799 op=6 msgID=7 base="ou=people_ad,dc=example,dc=com" scope=one filter="(objectClass=*)" attrs="ALL"
[15/Jun/2013:16:37:50 +0000] SEARCH RES conn=8799 op=6 msgID=7 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 etime=3

The complete OUD access log with the failing transaction -

[15/Jun/2013:16:37:49 +0000] BIND REQ conn=8799 op=0 msgID=1 type=SIMPLE dn="cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,dc=example,dc=com"
[15/Jun/2013:16:37:49 +0000] BIND RES conn=8799 op=0 msgID=1 result=0 authDN="cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,dc=example,dc=com" etime=0
[15/Jun/2013:16:37:49 +0000] SEARCH REQ conn=8799 op=1 msgID=2 base="orclodipagentname=AD2OUD_10K,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,dc=example,dc=com" scope=base filter="(objectClass=*)" attrs="orclodipAttributeMappingRules"
[15/Jun/2013:16:37:49 +0000] SEARCH RES conn=8799 op=1 msgID=2 result=0 nentries=1 etime=1
[15/Jun/2013:16:37:49 +0000] SEARCH REQ conn=8799 op=2 msgID=3 base="" scope=base filter="(objectclass=*)" attrs="subschemasubentry"
[15/Jun/2013:16:37:49 +0000] SEARCH RES conn=8799 op=2 msgID=3 result=0 nentries=1 etime=1
[15/Jun/2013:16:37:49 +0000] SEARCH REQ conn=8799 op=3 msgID=4 base="cn=schema" scope=base filter="(objectClass=subschema)" attrs="objectClasses,attributeTypes,matchingRules,ldapSyntaxes,objectClass,javaSerializedData,javaClassName,javaFactory,javaCodeBase,javaReferenceAddress,javaClassNames,javaRemoteLocation"
[15/Jun/2013:16:37:50 +0000] SEARCH RES conn=8799 op=3 msgID=4 result=0 nentries=1 etime=26
[15/Jun/2013:16:37:50 +0000] ABANDON REQ conn=8799 op=4 msgID=5 idToAbandon=4
[15/Jun/2013:16:37:50 +0000] ABANDON RES conn=8799 op=4 msgID=5 result=119 etime=0
[15/Jun/2013:16:37:50 +0000] SEARCH REQ conn=8799 op=5 msgID=6 base="ou=people_ad_10000,dc=example,dc=com" scope=base filter="(objectclass=*)" attrs="1.1"
[15/Jun/2013:16:37:50 +0000] SEARCH RES conn=8799 op=5 msgID=6 result=0 nentries=1 etime=0
[15/Jun/2013:16:37:50 +0000] SEARCH REQ conn=8799 op=6 msgID=7 base="ou=people_ad_10000,dc=example,dc=com" scope=one filter="(objectClass=*)" attrs="ALL"
[15/Jun/2013:16:37:50 +0000] SEARCH RES conn=8799 op=6 msgID=7 result=50 message="You do not have sufficient privileges to perform an unindexed search" nentries=0 etime=3
[15/Jun/2013:16:37:50 +0000] MODIFY REQ conn=8799 op=7 msgID=8 dn="orclodipagentname=AD2OUD_10K,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,dc=example,dc=com"
[15/Jun/2013:16:37:50 +0000] MODIFY RES conn=8799 op=7 msgID=8 result=0 etime=1
[15/Jun/2013:16:37:50 +0000] MODIFY REQ conn=4065 op=1356 msgID=1357 dn="orclodipagentname=AD2OUD_10K,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,dc=example,dc=com"
[15/Jun/2013:16:37:50 +0000] MODIFY RES conn=4065 op=1356 msgID=1357 result=0 etime=1
[15/Jun/2013:16:37:50 +0000] SEARCH REQ conn=4065 op=1357 msgID=1358 base="orclodipagentname=AD2OUD_10K,cn=subscriber profile,cn=changelog subscriber,cn=directory integration platform,dc=example,dc=com" scope=base filter="(objectClass=*)" attrs="orclodipSynchronizationMode,orclVersion,orclodipAgentControl,orclodipInterfaceType,orclODIPCondirType"

  

This issue corresponds to Bug 16907941 - INVALID DOMAIN CONSTRUCT RULE WHEN CREATING DIP PROFILE - OUD - DIP - AD

A work around consisting of disabling the unindexed search is available for this bug, and described in the solution.

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.