Oracle® Application Server Release Notes
10g (10.1.4.0.1) for Linux Itanium

Part Number B32080-06
13 Oracle Directory Integration Platform

This chapter describes the issues associated with Oracle Directory Integration Platform. It includes the following topics:

In addition to these release notes, please also see Patch Notes 10g (10.1.4.3.0) and Note 743141.1 Oracle Identity Management 10g (10.1.4.3) Patch Set Notes Addendum for information about Oracle Directory Integration Platform.

13.1 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for Oracle Directory Integration Platform. It includes the following topics:

13.1.1 Configuration Requirements for Synchronizations with Domain-Level Mappings

For import and export synchronization with OpenLDAP, and for export synchronization to Sun Java System Directory, if you use domain-level mapping during synchronization and synchronize attributes that contain dn values, then you must modify the mapping rules. For example, to synchronize groups with domain-level mappings, you must modify the mappings for the member, uniquemember, and owner attributes, which typically contain dn values.

If you plan to create the synchronization profiles using the express configuration operation of the Directory Integration Assistant, then perform the following steps:

  1. Open in a text editor the mapping file for the third-party directory with which you will synchronize:

    • OpenLDAP export synchronization: $ORACLE_HOME/ldap/odi/samples/openldapexp.domainmap.master

    • OpenLDAP import synchronization: $ORACLE_HOME/ldap/odi/samples/openldapimp.domainmap.master

    • Sun Java System Directory export synchronization: $ORACLE_HOME/ldap/odi/samples/iplanetexp.domainmap.master

  2. Modify the contents of the preceding mapping files for the third-party directory with which you are synchronizing so they read as follows:

    member: : :groupofnames:member: :groupofnames: dnconvert(member)
    uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: dnconvert(uniquemember)
    owner: : :groupofuniquenames:owner: :groupofuniquenames: dnconvert(owner)
    

If you have already created synchronization profiles for a third-party directory, then perform the following steps:

  1. Open in a text editor the import and export mapping files for the third-party directory with which you are synchronizing.

  2. Modify the contents of the import and export synchronization mapping files so they read as follows:

    member: : :groupofnames:member: :groupofnames: dnconvert(member)
    uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: dnconvert(uniquemember)
    owner: : :groupofuniquenames:owner: :groupofuniquenames: dnconvert(owner)
    
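The following Python script, added here as an example and not part of the Oracle documentation, checks a domain-level mapping file for the member, uniquemember, and owner rules described above and rewrites them to the dnconvert() form shown in both procedures. It assumes, based only on the rules printed in this section, that each rule is one line of colon-separated fields whose first field is the source attribute and whose last field is the mapping expression.

```python
# Added example: rewrite domain-level mapping rules for dn-valued group
# attributes so that the mapping expression is dnconvert(<attribute>).
# Assumption (taken from the rules shown on this page, not from a format
# specification): fields are ':'-separated, field 0 is the source attribute,
# the last field is the mapping expression.
DN_VALUED_ATTRS = {"member", "uniquemember", "owner"}

def split_rule(line):
    """Split one mapping line into its ':'-separated fields (whitespace kept)."""
    return line.split(":")

def needs_dnconvert(line):
    """True when the line maps a dn-valued attribute without dnconvert()."""
    fields = split_rule(line)
    if len(fields) < 2:
        return False          # blank lines, comments, unrelated content
    src = fields[0].strip().lower()
    rule = fields[-1].strip().lower()
    return src in DN_VALUED_ATTRS and rule != "dnconvert(%s)" % src

def fix_mapping_rules(text):
    """Return (fixed_text, rewritten_attrs); rules for member, uniquemember
    and owner get the mapping expression dnconvert(attr), others are kept."""
    out, changed = [], []
    for line in text.splitlines():
        if needs_dnconvert(line):
            fields = split_rule(line)
            src = fields[0].strip()
            fields[-1] = " dnconvert(%s)" % src   # same layout as the page
            line = ":".join(fields)
            changed.append(src)
        out.append(line)
    return "\n".join(out), changed

# Constructed sample resembling an unmodified domainmap file
SAMPLE = """cn: : :groupofnames:cn: :groupofnames:
member: : :groupofnames:member: :groupofnames:
uniquemember: : :groupofuniquenames:uniquemember: :groupofuniquenames: uniquemember
owner: : :groupofuniquenames:owner: :groupofuniquenames: dnconvert(owner)
"""

if __name__ == "__main__":
    fixed, changed = fix_mapping_rules(SAMPLE)
    print(fixed)
    print("rewritten:", changed)
```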

13.1.2 Directory Integration Assistant Throws "LDAP: error code 2 - Decoding Error" When Uploading an Additional Configuration Information File

This error occurs because the file size of the Additional Configuration Information file for Synchronization Profiles cannot exceed 4 KB. To resolve this issue, perform the following steps to change the type of the OrclODIPAgentConfigInfo attribute from DirectoryString to Binary:

  1. Run the following command to start Oracle Directory Manager:

    oidadmin
    
  2. In the navigator pane, expand Oracle Internet Directory Servers, and then expand the directory server instance.

  3. Select Schema Management. The Schema Management tab pages appear in the right pane.

  4. In the right pane, select Attributes.

  5. Click the Name column to order the attributes alphabetically.

  6. Locate and select the OrclODIPAgentConfigInfo attribute, and then click Edit.

  7. Change the Syntax option from DirectoryString to Binary, and then click OK.

  8. Use Directory Integration Assistant to upload the Additional Configuration Information file.

13.1.3 Reconfiguring the Oracle Password Filter for Microsoft Active Directory Generates Errors

When you install or reconfigure the Oracle Password Filter for Microsoft Active Directory, you may see the following errors on the command line:

User created failed
Delete failed failed 

The preceding errors occur when the default password that is used to reconfigure the Oracle Password Filter for Microsoft Active Directory does not meet the password policy requirements of the Microsoft Active Directory domain. To resolve this issue, create a file named password.txt in the directory where you installed the Oracle Password Filter for Microsoft Active Directory. Add to the password.txt file a single line containing a password that meets the password policy requirements of the Microsoft Active Directory domain. To secure the password.txt file, set its file permissions so that only administrative users can access it. Note that the password stored in the password.txt file does not represent a major security risk because its sole purpose is to create and then delete a user to test connectivity between the Oracle Password Filter and Microsoft Active Directory.

13.1.4 In a High Availability Environment Using Multimaster Replication, Provisioning Events May not Be Propagated or May Be Duplicated

In multimaster replication, the last change number is stored locally on an Oracle Internet Directory node. In a high availability environment, if that node fails, and the provisioning profile is moved to another Oracle Internet Directory node, then the last applied change number in the profile becomes invalid. That number in the profile must then be reset manually on the failover node. Even then, however, events may not be propagated or may be duplicated.

13.1.5 Manual Step Required After Configuring Oracle Directory Integration Platform from Oracle Enterprise Manager

After configuring Oracle Directory Integration Platform from Oracle Enterprise Manager, the ConnectDescriptor property for the Oracle Directory Integration Platform target in the targets.xml file is assigned a blank value. You must perform the following steps to assign the appropriate database connect descriptor to the ConnectDescriptor property:

  1. On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/network/admin/tnsnames.ora file in a text editor.

  2. Note the database connect descriptor information in the tnsnames.ora file. For example, the database connect descriptor information in the following tnsnames.ora file is the value assigned to the ASDB property:

    ASDB =  (DESCRIPTION =  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com)(PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = database.mycompany.com)))
    

    The database connect descriptor in the preceding statement is the following value:

    (DESCRIPTION =  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com)(PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = database.mycompany.com)))
    
  3. On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.

  4. Search for the target with a type of oracle_eps_server and a name attribute of iasinstance_name_DIP.

  5. In the entry, locate the ConnectDescriptor property and assign to it the database connect descriptor information from the tnsnames.ora file.

  6. Execute the following commands to restart Oracle Enterprise Manager:

    $ORACLE_HOME/bin/emctl stop iasconsole
    $ORACLE_HOME/bin/emctl start iasconsole
    
  7. Follow the directions in the Oracle Identity Management Integration Guide to restart Oracle Directory Integration Platform.
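As an added example (not from the Oracle documentation), the following Python script performs steps 2 through 5 above: it extracts the balanced connect descriptor for an alias from tnsnames.ora and assigns it to the ConnectDescriptor property of the oracle_eps_server target in targets.xml. The targets.xml layout (Target elements with TYPE and NAME attributes, Property children with NAME and VALUE attributes) is assumed from Oracle Enterprise Manager convention rather than taken from this page, and the target name myinst.host.mycompany.com_DIP is a constructed sample.

```python
# Added example: copy a tnsnames.ora connect descriptor into the
# ConnectDescriptor property of the DIP target in targets.xml.
import re
import xml.etree.ElementTree as ET

def connect_descriptor(tns_text, alias):
    """Return the balanced '(DESCRIPTION = ...)' value assigned to alias."""
    m = re.search(r"^\s*%s\s*=\s*" % re.escape(alias), tns_text, re.M | re.I)
    if not m:
        raise KeyError("alias %s not found in tnsnames.ora" % alias)
    start = tns_text.index("(", m.end())
    depth = 0
    for i in range(start, len(tns_text)):
        if tns_text[i] == "(":
            depth += 1
        elif tns_text[i] == ")":
            depth -= 1
            if depth == 0:
                # collapse line breaks so the value fits one XML attribute
                value = " ".join(tns_text[start:i + 1].split())
                return re.sub(r"\s+\)", ")", re.sub(r"\(\s+", "(", value))
    raise ValueError("unbalanced parentheses in descriptor for %s" % alias)

def set_connect_descriptor(targets_xml, target_name, descriptor):
    """Return targets.xml with ConnectDescriptor set on the named DIP target."""
    root = ET.fromstring(targets_xml)
    for target in root.iter("Target"):   # assumed element/attribute names
        if target.get("TYPE") == "oracle_eps_server" and target.get("NAME") == target_name:
            for prop in target.findall("Property"):
                if prop.get("NAME") == "ConnectDescriptor":
                    prop.set("VALUE", descriptor)
                    return ET.tostring(root, encoding="unicode")
    raise KeyError("no oracle_eps_server target %s with ConnectDescriptor" % target_name)

# Constructed samples; the ASDB entry is the one shown on this page
TNSNAMES = """ASDB =  (DESCRIPTION =  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = host.mycompany.com)(PORT = 1521)))
(CONNECT_DATA = (SERVICE_NAME = database.mycompany.com)))
OTHER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = other)(PORT = 1521)))
"""
TARGETS = """<Targets>
  <Target TYPE="oracle_eps_server" NAME="myinst.host.mycompany.com_DIP">
    <Property NAME="ConnectDescriptor" VALUE=""/>
  </Target>
</Targets>"""

if __name__ == "__main__":
    desc = connect_descriptor(TNSNAMES, "ASDB")
    print(set_connect_descriptor(TARGETS, "myinst.host.mycompany.com_DIP", desc))
```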

13.1.6 Securing the Windows Registry Before Installing the Oracle Password Filter for Microsoft Active Directory

The Oracle Password Filter for Microsoft Active Directory stores operational information in the Windows registry. Before installing or configuring the Oracle Password Filter for Microsoft Active Directory, Oracle strongly recommends that you perform the following steps to secure the Windows registry:

  1. Create a text file named orclidmpwf.txt that contains the following text:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\orclidmpwf [1 5 17]
    
  2. Click the Windows Start menu and select Run. The Run dialog box displays.

  3. Enter cmd in the Run dialog box and click OK. The command prompt window opens.

  4. Run the following command to secure the Windows registry:

    regini path\orclidmpwf.txt
    
  5. Type exit and press Enter to close the command prompt window.

13.1.7 DIP_GEN_CREATECHG_EXCEPTION Raised When Source Directory Contains More than 10 Attributes to be Synchronized

If more than 10 attributes in the source directory are to be synchronized, the synchronization fails with the exception DIP_GEN_CREATECHG_EXCEPTION. To resolve this issue, apply Patch 5710021.

13.1.8 Deletions Not Synchronized if a Domain Editing Rule Exists

If a domain editing rule exists, deletions are not synchronized unless all the attributes required by the domain construct rule are marked as required in the mapping file. Even in the case where the required attributes are specified, the dn value is not constructed because the required attributes are not retrieved from the source directory. To resolve this issue, apply Patch 6263156.

13.1.9 Synchronizing modrdn from Sun Java System Directory Throws a Stack Trace

If you specify modrdn as the change type when synchronizing between Oracle Internet Directory and Sun Java System Directory, an exception is raised in the Sun Java System Directory stack trace file. To resolve this issue, apply Patch 6263156.

13.1.10 The SearchDeltaSize Parameter is Ignored During Synchronization

When synchronizing with Active Directory, eDirectory, or OpenLDAP, the SearchDeltaSize parameter is ignored. To resolve this issue, apply Patch 5913124.

13.1.11 Add Operations Not Synchronized and Synchronization Fails with an "objcls is NULL" Message in the Trace File

In some cases, add operations are not synchronized and synchronization fails with an "objcls is NULL" message in the trace file. To resolve this issue, apply Patch 6319399.

13.2 Administration Issues and Workarounds

This section describes administration issues and their workarounds for Oracle Directory Integration Platform. It includes the following topics:

13.2.1 Default Mapping Rule Can Be Simplified in Single-Domain Microsoft Active Directory Deployments

In deployments with only a single domain of Microsoft Active Directory, you can simplify the default mapping rule installed with Oracle Directory Integration Platform.

The default mapping rule is:

sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:toupper(truncl(userPrincipalName,'@'))+"$"+sAMAccountname

If your deployment has a single domain of Active Directory, then you can simplify the default mapping rule to this:

sAMAccountName: : :user:orclSAMAccountName::orclADUser

13.2.2 Oracle Directory Integration Platform Not Sending Provisioning Events Due to Purged Change Log Entries

If you use time-based change log purging with version 3.0 provisioning profiles, change log entries are purged before Oracle Directory Integration Platform propagates the changes to any provisioning-integrated applications. This occurs because Oracle Directory Integration Platform does not create version 3.0 provisioning profile entries in the default change log subscriber container, cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.

To resolve this problem, create a container in the default change log subscriber container for each version 3.0 provisioning profile and assign a value of 0 to each profile's orclLastAppliedChangeNumber attribute. The following sample LDIF file creates a provisioning profile container in the default change log subscriber container and assigns a value of 0 to the orclLastAppliedChangeNumber attribute (replace profile_name with the name of the provisioning profile):

dn: cn=profile_name,cn=changelog subscriber,cn=oracle internet directory
orclsubscriberdisable: 0
orcllastappliedchangenumber: 0
objectclass: orclChangeSubscriber

13.2.3 Oracle Internet Directory Field Unavailable in Oracle Identity Manager Grid Control Plug-in

If the Oracle directory integration server and the Oracle Internet Directory LDAP server are installed on different computers, then the Oracle Internet Directory field will be unavailable in the Oracle Identity Manager Grid Control Plug-in. Perform the following steps to resolve this issue:

  1. On the computer that is running the Oracle Internet Directory LDAP server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.

  2. Search for the target with a type of oracle_ldap and note the value assigned to the name attribute. This value is typically in the form iasinstance_name_LDAP.

  3. On the computer that is running the Oracle directory integration server, open the $ORACLE_HOME/sysman/emd/targets.xml file in a text editor.

  4. Search for the target with a type of oracle_eps_server and a name attribute of iasinstance_name_DIP.

  5. In the entry, locate the ASSOC_TARGET_NAME attribute beneath the AssocTargetInstance node. The value assigned to the ASSOC_TARGET_NAME attribute will be in the form iasinstance_name_LDAP.

  6. Assign to the ASSOC_TARGET_NAME attribute the same value that is assigned to the name attribute of the oracle_ldap target in the targets.xml file on the computer that is running the Oracle Internet Directory LDAP server.

13.2.4 Synchronization from Novell eDirectory or OpenLDAP Fails When the Oracle Internet Directory Container is Within the Default Realm

Synchronization from Novell eDirectory or OpenLDAP to Oracle Internet Directory fails when the Oracle Internet Directory container is within the default realm. To resolve this issue, perform the following steps to create the necessary ACLs:

  1. Create a new file in a text editor.

  2. Enter the following statements, which add the Oracle Internet Directory container to the cn=odipgroup,cn=odi,cn=oracle internet directory group. Be sure to replace host with the host name (without the domain name) that is running the Oracle directory integration server.

    dn: cn=odipgroup,cn=odi,cn=oracle internet directory
    changetype: modify
    add: uniquemember
    uniquemember: cn=odisrv+orclhostname=host,cn=registered instances,cn=directory integration platform,cn=products,cn=oraclecontext
    
  3. Save the file as reconacls.ldif.

  4. Run the following command to upload the reconacls.ldif file:

    $ORACLE_HOME/bin/ldapmodify -h OID_host -p OID_port \
    -D "DN of privileged OID user" -w "password of privileged OID user" \
    -v -f reconacls.ldif