This chapter describes issues associated with Oracle Directory Integration Platform. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Be aware that enabling the domain-wide administration port on any WebLogic server running Directory Integration Platform will prevent you from using the DIP command line interface using a standard administrator account. Entering DIP commands will result in an error similar to the following:
User: "weblogic", failed to be authenticated
Administrators can still use the Enterprise Manager (EM) GUI to configure and manage Oracle Directory Integration Platform.
During directory synchronization, the
dnconvert() function does not properly apply the attribute mapping rule. The
dnconvert() function is supposed to take a
dnvalue as its only argument and transform the value based on the domain mapping rule. Instead, no transformation is taking place.
DomainRules cn=users,dc=ADdomain,dc=com:cn=users,dc=OIDdomain,dc=com:cn=%,dc=OIDdomain,c=com ### AttributeRules # attribute rule common to all objects objectguid: :binary:top:orclobjectguid:string:orclADObject:bin2b64(objectguid) ObjectSID: :binary:user:orclObjectSID:string:orclADObject:bin2b64(ObjectSID) distinguishedName: : :top:orclSourceObjectDN: :orclADObject: samaccountname:::user:cn::person: manager:::organizationalperson:manager::inetorgperson:dnconvert(manager)
In this example, the new entry from Active Directory to Oracle Internet Directory does not pull the
samAccountName value but rather the DN value for the
To use the Oracle Password Filter for Microsoft Active Directory, your Oracle back-end directory must be Oracle Internet Directory. The Oracle Unified Directory back-end directory and the Oracle Directory Server Enterprise Edition back-end directory do not support integration with the Oracle Password Filter for Microsoft Active Directory.
testProfileCommand Option to Fail if the LDIF File has Native Encoding
When running DIP Tester from a command-line, the
manageSyncProfiles testProfile command will fail if the
-ldiffile option is specified and the LDIF file contains non-ASCII characters.
Note that LDIF files with UTF-8 encoding are not impacted by this limitation. If an LDIF file containing multibyte characters cannot be saved with UTF-8 encoding, then use the following workaround:
From a command-line, add the entry using the
ldapadd command and include the
-E option to specify the locale. See the Oracle Fusion Middleware User Reference for Oracle Identity Management for the required command syntax.
Get the specific
changeNumber for the last add operation.
testProfile command using the
changeNumber from the previous step.
For more information, see "Section 18.104.22.168, Running DIP Tester From the WLST Command-Line Interface" in the Administrator's Guide for Oracle Directory Integration Platform.
If the source directory is heavily-loaded, a race condition may occur where database commits cannot keep pace with updates to the lastchangenumber. If this race condition occurs, Oracle Directory Integration Platform may not be able to synchronize some of the changes.
To work around this issue, perform the following steps to enable database commits to keep pace with the lastchangenumber:
Increase the value of the synchronization profile's Scheduling Interval.
Control the number of times the search is performed on the source directory during a synchronization cycle by setting the
searchDeltaSize parameter in the profile. Oracle suggests starting with a value of 10, then adjusting the value as needed.
If you stop the Oracle Directory Integration Platform application during synchronization, the synchronization process that the Quartz scheduler started will continue to run.
To work around this issue, restart the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform or redeploy the Oracle Directory Integration Platform application.
This section describes configuration issues and their workarounds. It includes the following topics:
If Directory Integration Platform is integrated with Novell eDirectory, or if you plan to integrate with Novell eDirectory later, edit the mapping rules in the
eDir profile, otherwise the installation program will return this error message:
Map rules "orclodipattributemappingrules" have the following errors: Attribute rule "0" has error: Invalid destination attribute's type: Expecting 'binary'; found 'string'.
If you have not yet integrated with Novell eDirectory, update the mapping file in the default template before registering a new profile.
Refer to the "Updating Mapping Rules" section in the Administrator's Guide for Oracle Directory Integration Platform for information about how to modify an entry in a mapping rule file.
Update the mapping rules in the existing profile or new profile for the following entry:
Replace it with this mapping:
Save your changes.
11g configuration fails on IBM AIX on POWER Systems (64-Bit) during the deployment of Oracle Directory Integration Platform with the following exception shown in the installation logs while upgrading from 10.1.4 IM:
2011-04-06T07:45:46.353+00:00] [as] [ERROR]  [oracle.as.provisioning] [tid: 2] [ecid: 0000IwdcrC07q2P_UdG7yc1Db11s000003,0] DIP-00004: Error in connecting to Oracle Internet Directory Server.[[ [2011-04-06T07:45:46.353+00:00] [as] [ERROR]  [oracle.as.provisioning] [tid: 2] [ecid: 0000IwdcrC07q2P_UdG7yc1Db11s000003,0] DIP-00022: Connection to LDAP server failed. [2011-04-06T07:45:46.353+00:00] [as] [ERROR]  [oracle.as.provisioning] [tid: 2] [ecid: 0000IwdcrC07q2P_UdG7yc1Db11s000003,0] DIP-00004: Error in connecting to Oracle Internet Directory Server.[[ javax.naming.CommunicationException: simple bind failed: stuzu23.us.oracle.com:636 [Root exception is javax.net.ssl.SSLException: Received fatal alert: unexpected_message] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:235)
This issue occurs as the starting point for Oracle Internet Directory (OID) upgrade is an an earlier version of OID. For example, 10.1.4.0.1.
To workaround this issue, upgrade to 10.1.4.3 version of OID before upgrading to 22.214.171.124.0 (PS4).
When configuring Oracle Directory Integration Platform against an existing Oracle Internet Directory—using either the installer's Install and Configure installation option or the Oracle Identity Management 11g Release 1 (11.1.1) Configuration Wizard—you must specify the hostname for Oracle Internet Directory using only its fully qualified domain name (such as myhost.example.com). Do not use
localhost as the Oracle Internet Directory hostname even if Oracle Directory Integration Platform and Oracle Internet Directory are collocated on the same host.
If you use
localhost as the Oracle Internet Directory hostname, you will not be able to start the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform.
After running dipConfigurator against an Oracle Unified Directory (OUD) endpoint, if you are unable to open the Directory Integration Platform (DIP) UI in Enterprise Manger, stop and start DIP to fix the UI problem.
If you are using Internet Explorer to view the Directory Integration Platform (DIP) UI, you may need to scroll past a large blank space to see the profile mapping rules section. This issue is not known to affect other browsers.
IDM domains on the same host share the same
Oracle home and are both configured to use
wls_ods1 managed servers, then the DIP home page will not display the resource usage charts if both instances are running at the same time.
There are no known documentation issues at this time.