Skip Headers
Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for HP-UX PA-RISC (64-Bit)

Part Number E14775-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

28 Oracle Internet Directory

This chapter describes issues associated with Oracle Product. It includes the following topics:

28.1 General Issues and Workarounds

This section describes general issue and workarounds. It includes the following topic:

28.1.1 ODSM Browser Window Becomes Unusable

Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.

28.1.2 Creating Attribute Uniqueness Constraint Fails if Attribute Name is Not Lowercase

When you specify an attribute name for which you want to enforce value uniqueness, the operation fails if the attribute name contains uppercase letters. This occurs whether you use ODSM or the LDAP tools. You might see a message from the server indicating that the attribute is not indexed, even though it actually is indexed.

As a workaround, always use lowercase names when specifying an attribute for which you want to enforce value uniqueness.

28.1.3 Replication Server in New Oracle Internet Directory Instance Fails to Start

If you create a new Oracle Internet Directory instance that uses the same Oracle Database as an existing instance, then try to start the replication server on the new instance, the replication server fails to start. The reason is that the replication server's wallet contains an invalid password. You must change the wallet password using remtool. Proceed as follows:

  1. Connect to the host where the new instance is installed.

  2. Set the ORACLE _HOME and ORACLE_INSTANCE environment variables.

  3. Execute:

    remtool -pchgwalpwd -bind newinstance_host:port/replication_dn_pwd
    

    where replication_dn_pwd is, by default, the same as the ODS schema password.

Then start the replication server.

28.1.4 Replication Wizard Generates Errors After You Click Refresh

While you are using the replication wizard in Oracle Enterprise Manager Fusion Middleware Control, you might encounter errors after clicking Refresh. To resolve these errors, log out of the wizard and log back in again.

28.1.5 Do Not Delete Primary Node From the Replicas Page of the Replication Wizard

While your are setting up multimaster replication by using the replication wizard in Oracle Enterprise Manager Fusion Middleware Control, the default information about the primary node appears as the first entry on the Replicas page. Due to a bug, the wizard allows you to delete this entry. Do not do so! Deleting the primary node might cause inconsistent results on the subsequent wizard pages.

28.1.6 In ldapdelete Command -V Should Be The Last Parameter

For certain platforms command ldapdelete considers everything after -v, as parameter. A typical ldapdelete command looks like this:

ldapdelete -h hostname  -p portname  -v 's' -D cn=orcladmin -w welcome1

For Linux x86-64 and Microsoft Windows x64 the command mentioned here works fine. However, for Solaris Operating System (SPARC 64-Bit), AIX Based Systems (64-Bit), HP-UX PA-RISC (64-Bit), HP-UX Itanium platforms the above command fails.

Workaround

Use the flag -v as the last parameter when running the ldapdelete command. For example:

ldapdelete -h hostname  -p portname -D cn=orcladmin -w welcome1   -v 's'

28.1.7 Uppercase Characters in Database SID Cause Replication Information Display Problems in Fusion Middleware Control

The replicaid value of a replica subentry has the form OIDhost_DBSID, where DBSID is the SID of the Oracle Database used by Oracle Internet Directory. Because of a bug, when the SID portion of the replicaid value contains uppercase characters, Oracle Enterprise Manager Fusion Middleware Control does not display replication information properly. Specifically, replication agreements do not appear on the Oracle Internet Directory home page and the Replication tab of the Shared Parameters page is greyed out, even though replication agreements exist.

As a workaround, use only lowercase characters in the SID. If you have already created the database with uppercase letters in the SID, you must change the DN of the replica subentry so that characters in the SID portion of the replicaid are all lowercase. The command syntax is:

ldapmoddn -h OIDhost -p OIDport -b "orclreplicaid=OIDhost_oldDBSID,cn=replication configuration" -R "orclreplicaid=OIDhost_newDBSID" -r
 

For example, the following command changes the SID portion of the replicaid value in the replica subentry DN from DB456 to db456:

ldapmoddn -h Linux123 -p 3060 \
  -b "orclreplicaid=Linux123_DB456,cn=replication configuration" \  -R "orclreplicaid=Linux123_db456" -r 

28.1.8 On Windows, Change SSL Port to No-Auth Before Upgrade

On Windows, if Oracle Internet Directory's SSL port is configured for SSL Server Authentication Mode in 10g, you must change it to SSL No Authentication Mode prior to the upgrade to 11g Release 1 (11.1.1). If Oracle Directory Integration Platform is connected to Oracle Internet Directory's SSL port using SSL Server Authentication Mode, you must also reconfigure Oracle Directory Integration Platform to connect to Oracle Internet Directory using SSL No Authentication Mode mode prior to the upgrade to 11g Release 1 (11.1.1). For more information, see Oracle Internet Directory Administrator's Guide and Oracle Identity Management Integration Guide in the 10g (10.1.4.0.1) documentation library.

After the upgrade, reconfigure both Oracle Internet Directory and Oracle Directory Integration Platform for SSL Server Authentication Mode mode using wallets. For more information, see Chapter 25, "Configuring Secure Sockets Layer (SSL)" inOracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Chapter 4, "Managing the Oracle Directory Integration Platform" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management in the 11g Release 1 (11.1.1) library.

These changes are not required on Linux or UNIX-based operating systems.

28.1.9 ODSM Does Not Warn You if You Remove an Equality Matching Rule

You cannot search for an attribute unless that attribute is indexed. You cannot index an attribute unless it has an equality matching rule. Due to a bug, however, ODSM does not warn you if remove an equality matching rule from an attribute. Avoid doing so if you need to index that attribute.

28.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

28.2.1 Server Chaining Entry for eDirectory is Missing

Oracle Internet Directory server chaining supports the following external servers:

  • Microsoft Active Directory

  • Sun Java System Directory Server, formerly known as SunONE iPlanet

  • Novell eDirectory

As shipped in 11g Release 1 (11.1.1), the container cn=OID Server Chaining,cn=subconfigsubentry has no entry for eDirectory. You must create cn=oidscedir,cn=OID Server Chaining,cn=subconfigsubentry in order to configure server chaining for eDirectory. For detailed information about creating this entry, see Note 821214.1.1 on My Oracle Support (formerly MetaLink), http://metalink.oracle.com.

28.2.2 After Upgrade, Instance-Specific orclmaxldapconns Attribute is Missing

When you upgrade Oracle Internet Directory to 11g Release 1 (11.1.1) from an earlier version, the attribute orclmaxldapconns is missing from the instance-specific configuration entry. Because of the missing attribute, the maximum number of concurrent connections per server process is always equal to the default value of 1024. You cannot update this value or list it in searches.

The workaround is to create the attribute orclmaxldapconns in the schema, then set the value in the desired instance-specific configuration entry. Proceed as follows:

  1. Create an LDIF file with the following content:

    dn: cn=subschemasubentry 
    changetype: modify 
    add: attributetypes 
    attributetypes: ( 2.16.840.1.113894.1.1.611 NAME 'orclmaxldapconns' EQUALITY
     integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 
    
  2. Execute the following command:

    ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile 
    
  3. Set the orclmaxldapconns value in the desired instance-specific configuration entry. For example, to set orclmaxldapconns to 2000 in the component oid1, create an LDIF file with the following content:

    dn: cn=oid1,cn=osdldapd,cn=subconfigsubentrychangetype: modify
    replace: orclmaxldapconns
    orclmaxldapconns: 2000
    
  4. Then execute the ldapmodify command as shown in Step 2.

This issue occurs only in upgraded directories and not in fresh installations.

28.2.3 After Upgrade, Enabling Referential Integrity Might Require Additional Steps

In the "Configuring Referential Integrity" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, you are instructed to use oiddiag to identify violations in the DIT and correct them if you get an error when attempting to enable referential integrity. Sometimes, however, oiddiag reports that the DIT contains duplicate entries, but the LDAP tools do not list the duplicates. In that case, you cannot use LDAP tools to rectify the problem. If you encounter this situation, you must use SQL*Plus to delete the entry. Proceed as follows:

  1. Stop all currently running Oracle Internet Directory instances connected to the same Oracle Database.

    $ORACLE_INSTANCE/bin/opmnctl stopall
    
  2. Execute the following SQL*Plus commands to clean up the duplicate DNs.

    $ sqlplus /nolog  
    SQL> connect / as sysdba 
    SQL> delete from ct_orclnormdn where attrvalue like 
     '%cn=osdldapd,cn=subregistrysubentry'; 
    SQL> commit; 
    
  3. Restart Oracle Internet Directory on all instances connected to the same Oracle Database.

    $ORACLE_INSTANCE/bin/opmnctl  startall
     
    

After completing these steps, you should be able to enable referential integrity by using Oracle Enterprise Manager Fusion Middleware Control, as described in the "Configuring Referential Integrity" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

28.3 Documentation Errata

This section describes documentation errata. It includes the following topic:

28.3.1 Incorrect Command for Retrieving ODSM'S Java Keystore Password

In Appendix O, "Oracle Directory Services Manager Keystore Management," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the command for retrieving ODSM's Java Keystore Password is incorrect. The correct command sequence is as follows:

$ORACLE_HOME/common/bin/wlst.sh
connect()
listCred( map="ODSMMap", key="ODSMKey.Wallet" )

After the connect() command, you will be prompted for your WebLogic username and password, and for the server URL. An example server URL is t3://stadd54:7001.

28.3.2 Missing Documentation for Updating a Trusted Certificate Upon Its Expiration

Appendix O, "Oracle Directory Services Manager Keystore Management," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory should have included information about certificate expiration.

To list the valid dates for the certificate, list its contents as described in Appendix O, "Oracle Directory Services Manager Keystore Management," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

When the certificate has expired, delete it as described in Appendix O.

For general information about certificate expiration, see Chapter 7 of Oracle Fusion Middleware Administrator's Guide. Note, however, that ODSM does not provide a web based user interface for managing its keystore. You must manage ODSM's key store by using keytool.

28.3.3 Incorrect Attribute for Hashing Algorithm Specification

In Chapter 29 of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the section entitled "Userpassword Verifiers and Authentication to the Directory" contains the following sentence:

The directory server hashes this password by using the hashing algorithm specified in the DSE attribute userpassword.

This is incorrect. It should say:

The directory server hashes this password by using the hashing algorithm specified in the DSE attribute orclcryptoscheme.

28.3.4 Need Not Update Registration When Changing Ports by Using Fusion Middleware Control

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, you are instructed to update the registration of an Oracle Internet Directory component in a registered Oracle instance whenever you change orclhostname, orclnonsslport, orclnonsslport, or userpassword.This content is found in the section of Chapter 8 entitled "Updating the Component Registration of an Oracle Instance by Using opmnctl," in Table 9-1, and in other places in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

This should be modified to say that when you update one of these attributes by using ldapmodify or ODSM, you must restart the server and update the registration. When you update one of these attributes using Oracle Enterprise Manager Fusion Middleware Control, however, you must restart the server but you need not refresh registration. Fusion Middleware Control updates the registration of the component for you.

28.3.5 StopManagedWeblogic.sh and StartManagedWeblogic.sh Command Lines In Appendix P are Incomplete

In Appendix P, "Stopping and Starting the Oracle Stack," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the command lines shown for the commands stopManagedWebLogic.sh and startManagedWebLogic.sh are incomplete.

The complete command line to stop WebLogic managed components is:

MW_HOME/user_projects/domains/DOMAIN_NAME/bin/stopManagedWebLogic.sh \
{SERVER_NAME} {ADMIN_URL} {USER_NAME} {PASSWORD}

The complete command line to start WebLogic managed components is:

MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startManagedWebLogic.sh \
SERVER_NAME {ADMIN_URL}

When executing these scripts:

  • The default value for DOMAIN_NAME is IDMDomain

  • SERVER_NAME represents the name of the Oracle WebLogic Managed Server. Its default value is wls_ods1.

  • You will be prompted for values for USER_NAME and PASSWORD if you do not provide them as options when you execute the script.

  • The value for ADMIN_URL will be inherited if you do not provide it as an option when you execute the script.

28.3.6 Errors In Updating Component Registration Section Of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory

There are errors in the section of Chapter 8 entitled "Updating the Component Registration of an Oracle Instance by Using opmnctl" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

  • In Table 8-1, there are two rows with the attribute orclnonsslport. One of these should be orclsslport.

  • In the command syntax and example for opmnctl updatecomponentregistration, the option -port should be -Port.

28.3.7 Wrong Label for orclmaxconnincache on Server Properties Page, Performance Tab

The Oracle Enterprise Manager Fusion Middleware Control field associated with orclmaxconnincache is listed as "Size of privilege group membership cache (user)" in Chapter 33, Tuning and Sizing Oracle Internet Directory, in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. It is actually "Number of users in privilege group membership cache."

28.3.8 Incorrect Default Value Listed for orclsizelimit

The default value for the instance-specific configuration entry attribute orclsizelimit in 11g Release 1 (11.1.1) is 10000. The value is listed incorrectly as 1000 in several places in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, including:

  • Chapter 33, Tuning and Sizing

  • Chapter 40, Managing and Monitoring Replication

  • Table Q–1, Standard Error Messages

It is also listed incorrectly in Chapter 4, Oracle Internet Directory Replication Management Tools, in Oracle Fusion Middleware User Reference for Oracle Identity Management.

28.3.9 Not All Dynamic Groups are Included in Group Query Result

In the introduction to the "Managing Dynamic and Static Groups" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, there is a note indicating that when you query for the groups that a user belongs to, dynamic groups are automatically included in the result. Actually, only labeleduri-based dynamic groups are automatically included in the result. Dynamic groups based on the CONNECT_BY assertion have to be explicitly queried.

28.3.10 Only Oracle Database 11.1.0.7 Requires Patches for Database Vault

In the Database Vault section of the "Configuring Data Privacy" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, you are instructed to download and install patches for Bug 7244497 and Bug 7291157. You only need to do this for Oracle Database 11.1.0.7. The bugs have been fixed in later versions of Oracle Database.

28.3.11 Function Return Codes for DBMS_LDAP_UTL Functions are Incorrect

In Table 11-61, Function Return Codes, in Chapter 11 of Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management, some of the codes are incorrect and some are missing. The following codes should be removed:

Table 28-1 Function Return Codes

Name Return Code Description
ACCT_TOTALLY_LOCKED_EXCEPTION
-14

Returned by DBMS_LDAP_UTL.authenticate_user() function when a user account is locked. This error is based on the password policy set in the subscriber oracle context.

AUTH_PASSWD_CHANGE_WARN
-15

This return code is deprecated.


The following codes should be added:

Table 28-2 Function Return Codes

Name Return Code Description
ACCT_TOTALLY_LOCKED_EXCEPTION
9001

Returned by DBMS_LDAP_UTL.authenticate_user() function when a user account is locked.

PWD_EXPIRED_EXCEPTION 
9000

Returned by DBMS_LDAP_UTL.authenticate_user() function when a user's password has expired.

PWD_EXPIRE_WARN 
9002

Returned by DBMS_LDAP_UTL.authenticate_user() function when the user's password is about to expire.

PWD_MINLENGTH_ERROR 
9003

Returned by DBMS_LDAP_UTL.authenticate_user() function when the user's password is less than pwdMinLength.

PWD_NUMERIC_ERROR
9004

Returned by DBMS_LDAP_UTL.authenticate_user() function when

PWD_NULL_ERROR 
9005

Returned by DBMS_LDAP_UTL.authenticate_user() function when

PWD_INHISTORY_ERROR 
9006

Returned by DBMS_LDAP_UTL.authenticate_user() function when the password has previously been used and the password policy does not allow password reuse.

PWD_ILLEGALVALUE_ERROR
9007

Returned by DBMS_LDAP_UTL.authenticate_user() function when the password is illegal.

PWD_GRACELOGIN_WARN
9008

Returned by DBMS_LDAP_UTL.authenticate_user() function during a grace login period.

PWD_MUSTCHANGE_ERROR
9009

Returned by DBMS_LDAP_UTL.authenticate_user() function when the user is required to reset the password upon login.

USER_ACCT_DISABLED_ERROR
9050

Returned by DBMS_LDAP_UTL.authenticate_user() function when the user's account has been disabled.


28.3.12 Indexing an Existing Attribute by Using ODSM: Documentation is Inconsistent

In the introductory section of Chapter 19, Managing Directory Schema, it is stated that you can use Oracle Directory Services Manager to index an attribute only at the time when you create it, and that you cannot use Oracle Directory Services Manager to index an already existing attribute.

Later in the chapter, the section "Adding an Index to an Existing Attribute by Using Oracle Directory Services Manager" appears to contradict the introductory section.

Actually, both of those sections should be clarified to indicate at you can use ODSM to add an index to an attribute that exists but has not been used yet.