Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for IBM zSeries Based Linux
B25837-05

22 Oracle Directory Integration and Provisioning

This chapter describes the issues associated with Oracle Directory Integration and Provisioning. It includes the following topics:

22.1 Administration Issues and Workarounds

This section describes administration issues and their workarounds for Oracle Directory Integration and Provisioning. It includes the following topics:

22.1.1 Default Mapping Rule Can Be Simplified in Single-Domain Microsoft Active Directory Deployments

In deployments with only a single domain of Microsoft Active Directory, you can simplify the default mapping rule installed with Oracle Directory Integration and Provisioning.

The default mapping rule is:

sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname

If your deployment has a single domain of Active Directory, then you can simplify the default mapping rule to this:

sAMAccountName: : :user:orclSAMAccountName::orclADUser

22.1.2 Directory Integration and Provisioning Assistant Does not Support SSL Mode 2

In 10g Release 2 (10.1.2), you can use the Directory Integration and Provisioning Assistant with either a non-SSL connection or an SSL connection with no authentication (SSL Mode 1), which provides encryption on the connection. You cannot use the Assistant with SSL Mode 2, in which one-way (server-only) SSL authentication is required.

22.1.3 Shell Script-based Profile Configuration Tools Are Being Deprecated

Shell script-based profile configuration tools ldapcreateConn.sh, ldapdeleteConn.sh, and ldapUploadAgentFile.sh are being deprecated as of 10g Release 2 (10.1.2).

Oracle recommends that you use the Java-based Oracle Directory Integration and Provisioning Server Administration tool for configuring profiles.

22.1.4 In a High Availability Environment Using Multimaster Replication, Provisioning Events May not Be Propagated or May Be Duplicated

In multimaster replication, the last change number is stored locally on an Oracle Internet Directory node. In a high availability environment, if that node fails, and the provisioning profile is moved to another Oracle Internet Directory node, then the last applied change number in the profile becomes invalid. That number in the profile must then be reset manually on the failover node. Even then, however, events may not be propagated or may be duplicated.

22.1.5 The Oracle Directory Integration and Provisioning Server May not Shut Down if It Is Stopped and Immediately Restarted

To determine whether to shut down, the Oracle Directory Integration and Provisioning server polls the registration entry stored under cn=odisrv,cn=subregistrysubentry. It does this every 30 seconds. If you stop, then restart, the server within 30 seconds, then the old server instance may not shut down before the new instance starts. To alleviate this, wait for 30 seconds before restarting the server.

22.1.6 Oracle Directory Integration and Provisioning Server Not Sending Provisioning Events Due to Purged Change Log Entries

If you use time-based change log purging with version 3.0 provisioning profiles, change log entries are purged before the Oracle Directory Integration and Provisioning server propagates the changes to any provisioning-integrated applications. This occurs because Oracle Directory Integration and Provisioning does not create version 3.0 provisioning profile entries in the default change log subscriber container, cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.

To resolve this problem, create a container in the default change log subscriber container for each version 3.0 provisioning profile and assign a value of 0 to each profile's orclLastAppliedChangeNumber attribute. The following sample LDIF file creates a provisioning profile container in the default change log subscriber container and assigns a value of 0 to the orclLastAppliedChangeNumber attribute:

dn: cn=profile_name,cn=changelog subscriber,cn=oracle internet directory
orclsubscriberdisable: 0
orcllastappliedchangenumber: 0
objectclass: orclChangeSubscriber
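
The sample above covers one profile. The following added example (not Oracle's code) generates the same entry for several version 3.0 profiles, escaping DN special characters and base64-encoding any value that is not plain ASCII so that an unusual profile name cannot break the LDIF or add extra lines to it. The function names and sample profile names are assumptions made for illustration; the parent DN and attributes are taken from the sample LDIF.

```python
import base64

# Parent DN and attributes copied from the sample LDIF in section 22.1.6.
PARENT_DN = "cn=changelog subscriber,cn=oracle internet directory"
ATTRS = [("orclsubscriberdisable", "0"),
         ("orcllastappliedchangenumber", "0"),
         ("objectclass", "orclChangeSubscriber")]


def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514 special characters)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in '"+,;<>\\' or edge_space or (ch == "#" and i == 0):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Return 'attr: value', or base64 'attr:: ...' when the value is not a
    plain printable-ASCII string (conservative reading of RFC 2849)."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(not 32 <= ord(c) <= 126 for c in value))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def subscriber_entries(profile_names):
    """Build one change log subscriber entry per version 3.0 profile name."""
    entries = []
    for name in profile_names:
        if not name.strip():
            raise ValueError("empty profile name")
        dn = f"cn={escape_rdn_value(name)},{PARENT_DN}"
        lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in ATTRS]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed sample names, not real profiles; the last contains a newline.
    print(subscriber_entries(["HR_Profile", "Sales, EMEA", "Ops\nEast"]), end="")
```

Review the generated file before loading it into the directory, and substitute the actual names of your version 3.0 provisioning profiles.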