|Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for Linux x86-64
Part Number E14770-50
This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.
This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.
The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.
For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:
faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)
Deploying Enterprise Manager agents in different Oracle Virtual Machines
To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:
Set the required environment variables. For example:
export ORACLE_INSTANCE=/u01/oid/oid_inst
export ORACLE_HOME=/u01/oid/oid_home
export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
export TNS_ADMIN=$ORACLE_INSTANCE/config
Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:
sqlplus ods@oiddb
delete ods_shm where nodename like '%sourceHostname%';
delete ods_guardian where instr(nodename, 'sourceHostname') > 0;
delete ods_process_status where instr(hostname, 'sourceHostname') > 0;
commit;
Stop and then restart the cloned Oracle Internet Directory component. For example:
opmnctl stopproc ias-component=oid1
opmnctl startproc ias-component=oid1
Search for the cn entries with the undesired Oracle Internet Directory host names. For example:
ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b "cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
From the results in the previous step, remove the entries with the undesired host names. For example:
ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password "cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
ldapdelete -h oid_host -p oid_port -D cn=orcladmin -w admin_password "cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
Verify that the undesired host names are removed. For example:
ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b "cn=subregistrysubentry" -s sub "objectclass=*" dn
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
For more information, see "Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
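The procedure above is easy to get wrong by hand when the registry holds many entries: deleting one entry too many removes the cloned instance's own registration. The following script is an added example, not part of the release note or an Oracle tool. It takes the dn lines returned by the ldapsearch step (a constructed sample below, using the host names from the note), keeps only the entries whose host is on the list you supply for the cloned instance, and refuses to proceed if that list would match nothing. The cn naming pattern (cn=<component>_<instance>_<host>) is an assumption inferred from the sample DNs.

```python
import re

# Constructed sample: the dn lines the ldapsearch in the procedure returns.
# Host names are the ones used in the release note, not real machines.
SAMPLE_LDAPSEARCH_DNS = """\
cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
"""

# Assumed naming pattern (inferred from the sample DNs): cn=<component>_<instance>_<host>
REGISTRY_DN_RE = re.compile(
    r"^cn=(?P<component>[^,_]+)_(?P<instance>\d+)_(?P<host>[^,]+),"
    r"cn=osdldapd,cn=subregistrysubentry$"
)


def parse_registry_dns(ldapsearch_output: str):
    """Return (dn, host) pairs for every subregistry DN in the ldapsearch output."""
    pairs = []
    for line in ldapsearch_output.splitlines():
        line = line.strip()
        m = REGISTRY_DN_RE.match(line)
        if m:
            pairs.append((line, m.group("host")))
    return pairs


def find_stale_entries(ldapsearch_output: str, valid_hosts):
    """Return the DNs whose host is not one of the cloned instance's own hosts.

    Raises ValueError when no entry matches a valid host: that almost always
    means the valid host list is wrong, and deleting everything would leave the
    cloned instance with no registry entry at all.
    """
    valid = {h.lower() for h in valid_hosts}
    pairs = parse_registry_dns(ldapsearch_output)
    keep = [dn for dn, host in pairs if host.lower() in valid]
    if pairs and not keep:
        raise ValueError("no registry entry matches a valid host; check the host list")
    return [dn for dn, host in pairs if host.lower() not in valid]


def ldapdelete_commands(dns, oid_host: str, oid_port: str):
    """Render one ldapdelete invocation per stale DN, in the form the note uses.

    The bind password is left as the placeholder admin_password exactly as in
    the release note; do not substitute a real password into generated commands.
    """
    return [
        f'ldapdelete -h {oid_host} -p {oid_port} -D cn=orcladmin -w admin_password "{dn}"'
        for dn in dns
    ]


if __name__ == "__main__":
    stale = find_stale_entries(SAMPLE_LDAPSEARCH_DNS, ["myhost.example.com"])
    for cmd in ldapdelete_commands(stale, "oid_host", "oid_port"):
        print(cmd)
```

Run it against the real ldapsearch output with the host names that belong to the cloned target, review the printed ldapdelete commands, and then run the verification ldapsearch from the last step of the procedure.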
Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM):
5.11 11.1 sun4v sparc sun4v
As a workaround for this problem, set the following values, as shown in the next procedure:
Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.
Set the orclecachemaxsize attribute to less than the project.max-locked-memory value and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.
In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":
Log in to the Solaris SPARC system as the root user.
Check the project membership of the OID user.
If the OID user belongs to the default project:
Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:
# id -p oracle
uid=2345(oracle) gid=529(dba) projid=3(default)
# projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
# usermod -K project=oidmaxlkmem oracle
Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
# su - oracle
$ id -p oracle
uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
$ prctl -n project.max-locked-memory -i project 150
project: 150: oidmaxlkmem
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                                 -
        system          16.0EB    max   deny                                 -
If the OID user belongs to a non-default project:
Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:
# id -p oracle
uid=2345(oracle) gid=529(dba) projid=125(oraproj)
# projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
# projects -l oraproj
oraproj
        projid : 125
        comment: ""
        users  : (none)
        groups : (none)
        attribs: project.max-locked-memory=(priv,2147483648,deny)
                 project.max-shm-memory=(priv,34359738368,deny)
# su - oracle
$ id -p
uid=2345(oracle) gid=529(dba) projid=125(oraproj)
$ prctl -n project.max-locked-memory -i project 125
project: 125: oraproj
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-locked-memory
        privileged      2.00GB      -   deny                                 -
        system          16.0EB    max   deny                                 -
Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.
For example, using SQL*Plus, set the value to 256 MB:
sqlplus ods@oiddb
update ds_attrstore set attrval='256m' where entryid=940 and attrname='orclecachemaxsize';
commit;
Run the config.sh script to configure Oracle Internet Directory.
If you set custom Audit Policy Settings for Oracle Internet Directory through 11g Oracle Enterprise Manager Fusion Middleware Control and select audit Custom events with Failures Only, no audit logs are generated and the audit process for failure events fails. Subsequently, other audit events are not logged later, even if the Audit Policy Settings are changed to a different value such as Low, Medium, or High.
To make auditing function again through Enterprise Manager, select a default policy or a policy with custom events other than All Failures and then recycle the Oracle Internet Directory server processes.
Alternatively, you can set custom audit policies using LDAP command-line tools such as ldapmodify. For more information, see Section 23.4, "Managing Auditing from the Command Line" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
If you delete a mandatory attributeTypes under the Oracle Internet Directory schema that is referenced by an objectClass in the schema, no error is returned and the attributeTypes is deleted successfully. This problem also occurs for a DN entry created using the objectClass that uses the mandatory attributeTypes. The mandatory attribute is missing from the DN entry without any notice when it is deleted from the schema.
orclguid Attribute is Not Mapped for Server Chaining
If you configure Oracle Internet Directory server chaining for Oracle Unified Directory 220.127.116.11 and then search for users, the orclguid attribute is missing from the search results.
The orclguid attribute is missing because Oracle Unified Directory uses the iplanet default mapping (cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry), and the default iplanet mapping does not have
The Oracle Directory Services Manager online help section does not work in Internet Explorer 10 (IE10) web browsers.
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
If Oracle Internet Directory is using Oracle Database 11g Release 1 (18.104.22.168.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.
By default, the oidcmprec tool excludes operational attributes during comparison. That is, oidcmprec does not compare the operational attribute values in source and destination directory entries. During reconciliation of user-defined attributes, however, operational attributes might be changed.
The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at
If you use Oracle Database 22.214.171.124.0 with Oracle Internet Directory, apply Patch 9952216 (126.96.36.199.3 PSU) to Oracle Database. Purge jobs do not function properly without this patch.
The SQL of an OPSS one-level ldapsearch operation, with filter "value" and required attributes, might take unreasonably high %DB CPU. If this search performance impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:
Log in to the Oracle Database as user ODS and execute the following SQL:
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS', TABNAME=>'CT_ORCLJAZNPRINCIPAL',
    ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE, CASCADE=>TRUE);
END;
/
Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.
If you start the replication server by using the command line, stop it by using the command line. If you attempt to stop it by using Oracle Enterprise Manager Fusion Middleware Control, the attempt fails.
For more information, see Note 1313395.1 on My Oracle Support (formerly MetaLink):
The ODSM interface might not appear as described in Internet Explorer 7.
For example, the Logout link might not be displayed.
If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.
This section describes configuration issues and workarounds. It includes the following topic:
If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.
The old wallet contains the host name of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.
This section describes documentation errata. It includes the following topics:
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 7.4.3, "Configuring the SSO Server for ODSM Integration," does not document that to improve performance for SSO-ODSM integration, you should configure the ODSM URLs as follows:
Setting the ODSM (/odsm/.../) files to Excluded prevents these files from being validated by Oracle Access Manager, which can improve the performance of your deployment.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully explain the concept of expired users and how to determine if a user is in the expired state.
In some situations, you might want to determine expired users and then take a specific action, such as deleting those users from the directory.
Oracle Internet Directory expired users are not indicated by a specific attribute. An expired user is in a transient state that depends on the system time, the maximum inactive time allowed, and the user's last successful login time. The expired state is determined during a bind or password compare operation for the user.
To determine the expired users, your Oracle Internet Directory deployment must be configured as follows:
The tracking of each user's last successful login time must be enabled by setting the orclPwdTrackLogin attribute to 1.
The orclpwdmaxinactivitytime attribute must be set to a value other than 0 (the default). This attribute specifies the inactive time in seconds before a user's account is automatically considered to be expired.
To determine if a user's account is considered to be expired:
Determine the time stamp of the user's last successful login from the orcllastlogintime attribute.
Subtract the user's orcllastlogintime value from the current system time. If the result is greater than the orclpwdmaxinactivitytime value, then the user is considered to be in the expired state.
If you wish, delete the expired user from the directory.
For more information, see the "Managing Password Policies" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
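Because the expired state is never stored, a report of expired users has to recompute the comparison above from each entry's orcllastlogintime. The following script is an added example (not part of the release note or of any Oracle tool) that applies the rule to a constructed set of user entries as an ldapsearch would return them. It assumes orcllastlogintime is stored as an LDAP GeneralizedTime in UTC with a trailing Z and no fractional seconds, treats orclpwdmaxinactivitytime = 0 as "expiry disabled" as the note states, and reports separately any user with no orcllastlogintime value (no login since orclPwdTrackLogin was enabled) rather than silently treating such users as expired.

```python
from datetime import datetime, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20130115103045Z'.

    Assumption: OID stores orcllastlogintime in UTC with a trailing 'Z'
    and no fractional seconds; anything else is rejected rather than guessed.
    """
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unexpected GeneralizedTime: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_expired(last_login: str, max_inactivity_seconds: int, now: datetime) -> bool:
    """The rule from the note: expired when now - orcllastlogintime > orclpwdmaxinactivitytime."""
    if max_inactivity_seconds == 0:
        return False  # 0 (the default) means inactivity expiry is not in effect
    inactive_seconds = (now - parse_generalized_time(last_login)).total_seconds()
    return inactive_seconds > max_inactivity_seconds


def classify_users(entries, max_inactivity_seconds: int, now: datetime):
    """Split entries into (expired, active, untracked) lists of DNs.

    'untracked' holds users with no orcllastlogintime value; they cannot be
    judged by this rule and should be reviewed rather than deleted blindly.
    """
    expired, active, untracked = [], [], []
    for entry in entries:
        last_login = entry.get("orcllastlogintime")
        if not last_login:
            untracked.append(entry["dn"])
        elif is_expired(last_login, max_inactivity_seconds, now):
            expired.append(entry["dn"])
        else:
            active.append(entry["dn"])
    return expired, active, untracked


# Constructed sample entries, shaped like ldapsearch results for the two
# attributes of interest; DNs and times are illustrative only.
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,cn=users,dc=example,dc=com", "orcllastlogintime": "20130115103045Z"},
    {"dn": "cn=bob,cn=users,dc=example,dc=com", "orcllastlogintime": "20130130080000Z"},
    {"dn": "cn=carol,cn=users,dc=example,dc=com"},
]
SAMPLE_NOW = datetime(2013, 2, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_MAX_INACTIVITY = 7 * 24 * 3600  # orclpwdmaxinactivitytime of 7 days, in seconds


if __name__ == "__main__":
    expired, active, untracked = classify_users(SAMPLE_ENTRIES, SAMPLE_MAX_INACTIVITY, SAMPLE_NOW)
    print("expired:", expired)
    print("active:", active)
    print("untracked (no orcllastlogintime):", untracked)
```

Feed it the orcllastlogintime values of the real user entries and the current value of orclpwdmaxinactivitytime; use the directory server's clock for now, since the server's own bind-time check uses system time.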
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 12.6, "Creating Another Account With Superuser Privileges," does not mention that a new superuser account must be a direct member of the DirectoryAdminGroup group to use all Oracle Directory Services Manager (ODSM) features.
To use all ODSM features including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In this configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.
In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the first bullet of the note in Section 27.1.3, "SSL Authentication Modes," mentions that you must have at least one Oracle Internet Directory server instance configured for the default authentication mode and anonymous SSL ciphers. This statement is true only for specific deployments.
The first bullet of the note should be revised as follows:
By default, the SSL authentication mode is set to 1 (encryption only, no authentication).
If you are using Oracle Delegated Administration Services 10g or other client applications such as legacy versions of Oracle Forms and Oracle Reports that expect to communicate with Oracle Internet Directory on an encrypted SSL port configured for anonymous SSL ciphers, then at least one Oracle Internet Directory server instance must be configured for this default authentication mode.
Otherwise, authentication mode 1 and anonymous SSL ciphers are not required for Oracle Internet Directory to function. The type of SSL ports that are made available and the ciphers that the SSL port will accept depend on your specific deployment requirements.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully describe the replication server (oidrepld) process control and failover in an Oracle Maximum Availability Architecture (MAA), including how to enable failover by setting the orclfailoverenabled attribute.
The orclfailoverenabled attribute in the OID Monitor configuration entry ("cn=configset,cn=oidmon,cn=subconfigsubentry") configures failover.
This attribute specifies the failover time in minutes before the OID Monitor will start failed processes on a surviving node. The default failover time is 5 minutes. A value of zero (0) disables failover for Oracle Internet Directory processes.
Additional information is provided in Note 1538250.1, which is available on My Oracle Support at:
The "Understanding Process Control of Oracle Internet Directory Components" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that if you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.
The attributes in Table 28-1 "Sensitive Attributes Stored in orclencryptedattributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.
For more information, see the "Configuring Data Privacy" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that for Oracle Internet Directory to work with the Repository Creation Utility (RCU) for Oracle database version 11.2.x, the default PASSWORD_VERIFY_FUNCTION clause in the database must be set to NULL (which is the default value).
Neither the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory nor the Oracle Fusion Middleware Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:
In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information.
Specifically, the instructions do not work unless the new consumer node is empty.
For more information, see Section 40.1.7, "Rules for Configuring LDAP-Based Replication," in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
The Oracle Fusion Middleware Repository Creation Utility User's Guide documents the -P and -Q options to ldapbind and other LDAP commands. The -P option requires you to specify a wallet password on the command line. The -Q option enables you to provide a password in response to a prompt, which is more secure than typing it on the command line.
The Oracle Fusion Middleware Repository Creation Utility User's Guide does not explain how to use these options when there is no password. This omission is significant because Oracle Internet Directory relies on AutoLogin wallets for SSL configuration, and AutoLogin wallets have no passwords.
When there is no wallet password, specify the password on the command line as a null string, using quote characters. For example:
If you are using -Q, when prompted for the password, press Enter.
Section 7.5, "Using Command-Line Utilities to Manage Oracle Internet Directory" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory
Section 1.1, "Using Passwords with Command-Line Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management
The Oracle Fusion Middleware Repository Creation Utility User's Guide does not mention orclcompatibleversion, a new multivalued attribute of the DSE. Beginning with version 188.8.131.52, orclcompatibleversion contains the Oracle Internet Directory version. Do not modify this attribute. It must be present for Oracle Internet Directory 184.108.40.206 or 220.127.116.11 to work with its schema.
The older attribute orcldirectoryversion still exists, but it is no longer updated to indicate the Oracle Internet Directory version.
For more information, see "orclCompatibleVersion" in the Oracle Fusion Middleware Reference for Oracle Identity Management.