Skip Headers
Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for Oracle Solaris

Part Number E14772-54
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

24 Oracle Internet Directory

This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:

24.1 General Issues and Workarounds

This section describes general issue and workarounds. It includes the following topics:

24.1.1 Cloned Oracle Internet Directory Instance Fails or Runs Slowly

In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.

This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.

The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.

For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:

  • Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)

  • Deploying Enterprise Manager agents in different Oracle Virtual Machines

To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:

  1. Set the required environment variables. For example:

    export ORACLE_INSTANCE=/u01/oid/oid_inst
    export ORACLE_HOME=/u01/oid/oid_home
    export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
    export TNS_ADMIN=$ORACLE_INSTANCE/config
    
  2. Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:

    sqlplus ods@oiddb
    delete from ods_shm where nodename like '%sourceHostname%';
    delete from ods_shm_key where nodename like '%sourceHostname%';
    delete from ods_guardian where nodename like '%sourceHostname%';
    delete from ods_process_status where hostname like '%sourceHostname%';
    commit;
    
  3. Stop and then restart the cloned Oracle Internet Directory component. For example:

    opmnctl stopproc ias-component=oid1
    opmnctl startproc ias-component=oid1
    
  4. Find the cn entries with the undesired Oracle Internet Directory host names. For example:

    ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    
  5. From the results in the previous step, remove the entries with the undesired host names. For example:

    ldapdelete h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
    ldapdelete h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
    
  6. Verify that the undesired host names are removed. For example:

    ldapsearch h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    

See Also:

"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

24.1.2 Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM

Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v

As a workaround for this problem, set the following values, as shown in the next procedure:

  • Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.

  • Set the orclecachemaxsize attribute to less than the project.max-locked-memory and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.

In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":

  1. Log in to the Solaris SPARC system as the root user.

  2. Check the project membership of the OID user.

    If the OID user belongs to the default project:

    1. Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=3(default)
      # projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
      # usermod -K project=oidmaxlkmem oracle
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # su - oracle
      
      $ id -p oracle
      uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
      
      $ prctl -n project.max-locked-memory -i project 150
      project: 150: oidmaxlkmem
      NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny                             -
              system          16.0EB    max   deny                             -
      

    If the OID user belongs to a non-default project:

    1. Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      # projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # projects -l oraproj
      oraproj
              projid : 125
              comment: ""
              users  : (none)
              groups : (none)
              attribs: project.max-locked-memory=(priv,2147483648,deny)
                       project.max-shm-memory=(priv,34359738368,deny)
      
      # su - oracle
      $ id -p
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      $ prctl -n project.max-locked-memory -i project 125
      project: 125: oraproj
      NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny                             -
              system          16.0EB    max   deny                             -
      
  3. Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.

    For example, using SQL*Plus, set the value to 256 MB:

    sqlplus ods@oiddb
    update ds_attrstore set attrval='256m'
      where entryid=940 and attrname='orclecachemaxsize';
    commit;
    
  4. Run the config.sh script to configure Oracle Internet Directory.

24.1.3 Custom Audit Policy Settings Fail When Set Through Enterprise Manager

If you set custom Audit Policy Settings for Oracle Internet Directory through 11g Oracle Enterprise Manager Fusion Middleware Control and select audit Custom events with Failures Only, no audit logs are generated and the audit process for failure events fails. Subsequently, other audit events are not logged later, even if the Audit Policy Settings are changed to a different value such as Low, Medium, or High.

To make auditing function again through Enterprise Manager, select a default policy or a policy with custom events other than All Failures and then recycle the Oracle Internet Directory server processes.

Alternatively, you can set custom audit policies using LDAP command-line tools such as ldapmodify. For more information, see Section 23.4, "Managing Auditing from the Command Line" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

24.1.4 Deleting Mandatory attributeTypes Referenced by objectClass is Successful

If you delete a mandatory attributeTypes under the Oracle Internet Directory schema that is referenced by an objectClass in the schema, no error is returned and the attributeTypes is deleted successfully.This problem also occurs for a DN entry created using the objectClass that uses the mandatory attributeTypes. The mandatory attribute is missing from the DN entry without any notice when it is deleted from the schema.

24.1.5 Oracle Unified Directory 11.1.2.0 orclguid Attribute is Not Mapped for Server Chaining

If you configure Oracle Internet Directory server chaining for Oracle Unified Directory 11.1.2.0 and then search for users, the orclguid attribute is missing from the search results.

The orclguid attribute is missing because Oracle Unified Directory uses the iplanet default mapping (cn=oidsciplanet,cn=oid server chaining,cn=subconfigsubentry), and the default iplanet mapping does not have orclguid mapped.

24.1.6 ODSM is Not Displaying Online Help Correctly in Internet Explorer 11

In Internet Explorer 11, the Oracle Directory Services Manager (ODSM) online Help does not display properly. Instead of showing the left pane with the navigation tree and the right pane with the Help contents, ODSM displays only links.

24.1.7 ODSM Browser Window Becomes Unusable

Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.

24.1.8 In ldapdelete Command -V Should Be The Last Parameter

For certain platforms command ldapdelete considers everything after -v, as parameter. A typical ldapdelete command looks like this:

ldapdelete -h hostname  -p portname  -v 's' -D cn=orcladmin -w welcome1

For Linux x86-64 and Microsoft Windows x64 the command mentioned here works fine. However, for Solaris Operating System (SPARC 64-Bit), AIX Based Systems (64-Bit), HP-UX PA-RISC (64-Bit), HP-UX Itanium platforms the above command fails.

Workaround

Use the flag -v as the last parameter when running the ldapdelete command. For example:

ldapdelete -h hostname  -p portname -D cn=orcladmin -w welcome1   -v 's'

24.1.9 Upgrading from 10.1.2.0.2 Infrastructure to Application Server 11g Infrastructure

24.1.10 Bulkmodify Might Generate Errors

If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.

24.1.11 Turkish Dotted I Character is Not Handled Correctly

Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.

24.1.12 OIDCMPREC Might Modify Operational Attributes

By default, the oidcmprec tool excludes operational attributes during comparison.That is, oidcmprec does not compare the operational attributes values in source and destination directory entries. During reconciliation of user defined attributes however, operational attributes might be changed.

24.1.13 OIDREALM Does Not Support Realm Removal

The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at https://support.oracle.com/.

24.1.14 Apply Patch to Oracle Database 11.2.0.1.0 to Fix Purge Job Problem

If you use Oracle Database 11.2.0.1.0 with Oracle Internet Directory, apply Patch 9952216 (11.2.0.1.3 PSU) to the Oracle Database after you install Oracle Internet Directory:

Without the patch, a purge jobs operation does not function properly, and these symptoms can occur:

  • Oracle Internet Directory change logs do not get purged, and the purge log shows ORA-23421 errors.

  • Executing change log purge jobs with orclpurgenow set to 1 hangs.

24.1.15 SQL of OPSS ldapsearch Might Take High %CPU

The SQL of an OPSS one level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take unreasonably high %DB CPU. If this search performance impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:

  1. Log in to the Oracle Database as user ODS and execute the following SQL:

    BEGIN
    DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS',
                                  TABNAME=>'CT_ORCLJAZNPRINCIPAL',
                                  ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE,
                                  CASCADE=>TRUE);
    END;
    /
    
  2. Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.

24.1.16 If you Start the Replication Server by Using the Command Line, Stop it Using the Command Line

If you start the replication server by using the command line, stop it by using the command line. If you attempt to stop it by using Oracle Enterprise Manager Fusion Middleware Control, the attempt fails.

See Also:

Note 1313395.1 on My Oracle Support (formerly MetaLink): https://support.oracle.com

24.1.17 ODSM Problems in Internet Explorer 7

The ODSM interface might not appear as described in Internet Explorer 7.

For example, the Logout link might not be displayed.

If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.

24.2 Configuration Issues and Workarounds

This section describes configuration issues and workarounds. It includes the following topic:

24.2.1 Re-Create Wallet After Moving Oracle Internet Directory from Test to Production

If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.

The old wallet contains the host name of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.

24.3 Documentation Errata

This section describes documentation errata. It includes the following topics:

24.3.1 Description of the orclrevpwd Attribute Needs Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the description of the orclrevpwd attribute in the "Managing Password Verifiers " chapter needs clarification. The "Introduction to Password Verifiers for Authenticating to the Directory" section should include the following information.

Oracle Internet Directory stores the user password in a reversible encrypted format in the orclrevpwd configuration attribute. The orclrevpwd attribute is generated only if the orclpwdencryptionenable attribute in the password policy entry is set to 1.

The orclrevpwd attribute is maintained securely within Oracle Internet Directory server and cannot be queried, even if you modify the attribute's access control policies (ACIs). Oracle Directory Integration Platform, however, is allowed to query the orclrevpwd attribute so that password synchronization can function.

24.3.2 LDAP Commands Do Not Support the -k|-K Option

In the Oracle Fusion Middleware Reference for Oracle Identity Management, Chapter 3, "Oracle Internet Directory Data Management Tools," documents the -k|-K option for LDAP commands. However, this option is not valid for the LDAP commands and should not be used.

24.3.3 Description of the orclOIDSCExtGroupContainer Attribute Needs Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the description of the orclOIDSCExtGroupContainer attribute in the "Configuring Server Chaining" chapter needs clarification.

The description states that this attribute "is optional if the external user container and the external group container are the same." However, the attribute is required, and the description should include the following information:

If the external user container and the external group container are the same (that is, groups in the external directory server are stored in the same container as the users), the value for the orclOIDSCExtGroupContainer attribute must be the same as the value used for the user container (orclOIDSCExtUserContainer attribute).

24.3.4 Setting Up LDAP Replication Needs Clarification

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Chapter 40, "Setting Up Replication," does not document the following requirements.

To setup replication for a directory that has more than 100,000 entries, you must use the command-line tools (ldifwrite and bulkload). Use the Replication Wizard in Oracle Enterprise Manager Fusion Middleware Control (automatic bootstrapping method) only for a directory that has fewer than 100,000 entries.

If you have a deployment with a combination of Oracle Internet Directory 10g nodes and 11gR1 nodes, replication from the 10g node to an 11gR1 node must be setup before replication between the 11gR1 nodes is setup. For example, consider a deployment as follows:

  • Two Oracle Internet Directory 10g nodes with a supplier node and consumer node

  • Two new Oracle Internet Directory 11gR1 nodes (nodes 1 and 2) with LDAP multimaster replication

To setup replication for this deployment:

  1. Setup LDAP one-way replication from one of the 10g nodes to 11gR1 node 1.

  2. Setup replication bootstrap (if fewer than 100,000 entries) and then start the replication server on the 11gR1 node 1. (If the diretory has more than 100,000 entries, use the command-line tools.)

  3. When the replication is complete, setup LDAP multimaster replication between 11gR1 node 1 and node 2.

  4. Setup the replication bootstrap (if fewer than 100,000 entries) on 11gR1 node 2 and then start the replication server.

24.3.5 Password Expired Response Control is Not Documented

Both the Oracle Fusion Middleware Reference for Oracle Identity Management and the Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management do not document the Oracle Internet Directory password expired response control:

  • Object Identifier: 2.16.840.1.113894.1.8.20

  • Name: OID_PWDEXPIRED_CONTROL

  • Description: Password policy control. The response control that the server sends when the password has expired, there are no grace logins remaining, and the client sends a request control.

24.3.6 Configuring the SSO Server for ODSM Integration Needs Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 7.4.3, "Configuring the SSO Server for ODSM Integration," does not document that to improve performance for SSO-ODSM integration, you should configure the ODSM URLs as follows:

  • Protected: /odsm/odsm-sso.jsp

  • Unprotected: /odsm/faces/odsm.jspx

  • Excluded: /odsm/.../

Setting the CSS, JavaScript, and graphics (/odsm/.../) files to excluded prevents these files from being validated by Oracle Access Manager, which can improve the performance of your deployment.

24.3.7 Determining Expired Users in Oracle Internet Directory

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully explain the concept of expired users and how to determine if a user is in the expired state.

In some situations, you might want to determine expired users and then take a specific action, such as deleting those users from the directory.

Note:

Oracle Internet Directory expired users are not indicated by a specific attribute. An expired user is in a transient state that depends on the system time, the maximum inactive time allowed, and the user's last successful login time. The expired state is determined during a bind or password compare operation for the user.

To determine the expired users, your Oracle Internet Directory deployment must be configured as follows:

  • The tracking of each user's last successful login time must be enabled by setting the orclPwdTrackLogin attribute to 1.

  • The orclpwdmaxinactivitytime attribute must be set to a value other than 0 (the default). This attribute specifies the inactive time in seconds before a user's account is automatically considered to be expired.

To determine if a user's account is considered to be expired:

  1. Determine the time stamp of the user's last successful login from the orcllastlogintime attribute.

  2. Subtract the user's orcllastlogintime value from the current system time. If the result is greater than the orclpwdmaxinactivitytime value, then the user is considered to be in the expired state.

  3. If you wish, delete the expired user from the directory.

For more information, see the "Managing Password Policies" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

24.3.8 New Superuser Account Must be Direct Member of DirectoryAdminGroup Group

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, Section 12.6, "Creating Another Account With Superuser Privileges," does not mention that a new superuser account must be a direct member of the DirectoryAdminGroup group to use all Oracle Directory Services Manager (ODSM) features.

To use all ODSM features including the Security and Advanced tabs, a new superuser account must be a direct member of the DirectoryAdminGroup group. The new superuser account cannot be a member of a group that is in turn a member of the DirectoryAdminGroup group. In this configuration, the superuser would be able to access only the ODSM Home, Schema, and Data Browser tabs.

24.3.9 SSL Authentication Mode 1 and Anonymous SSL Ciphers Need Clarification

In the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, the first bullet of the note in Section 27.1.3, "SSL Authentication Modes," mentions that you must have at least one Oracle Internet Directory server instance configured for the default authentication mode and anonymous SSL ciphers. This statement is true only for specific deployments.

The first bullet of the note should be revised as follows:

  • By default, the SSL authentication mode is set to 1 (encryption only, no authentication).

    If you are using Oracle Delegated Administration Services 10g or other client applications such as legacy versions of Oracle Forms and Oracle Reports that expect to communicate with Oracle Internet Directory on an encrypted SSL port configured for anonymous SSL ciphers, then at least one Oracle Internet Directory server instance must be configured for this default authentication mode.

    Otherwise, authentication mode 1 and anonymous SSL ciphers are not required for Oracle Internet Directory to function. The type of SSL ports that are made available and the ciphers that the SSL port will accept depend on your specific deployment requirements.

24.3.10 Documentation of Replication Server Control and Failover is Incomplete

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not fully describe the replication server (oidrepld) process control and failover in an Oracle Maximum Availability Architecture (MAA), including how to enable failover by setting the orclfailoverenabled attribute.

The orclfailoverenabled attribute is an OID Monitor configuration entry ("cn=configset,cn=oidmon,cn=subconfigsubentry") that configures failover.

This attribute specifies the failover time in minutes before the OID Monitor will start failed processes on a surviving node. The default failover time is 5 minutes. A value of zero (0) disables failover for Oracle Internet Directory processes.

Additional information is provided in Note 1538250.1, which is available on My Oracle Support at:

https://support.oracle.com/

See Also:

The "Understanding Process Control of Oracle Internet Directory Components" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

24.3.11 Server Restart After Adding an Encrypted Attribute is Not Documented

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that if you add an encrypted attribute to the list of sensitive attributes, you must restart the Oracle Internet Directory server instance for the new attribute to be added to the new list of sensitive attributes and recognized by the server.

Note:

The attributes in Table 28-1 "Sensitive Attributes Stored in orclencryptedattributes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are intended for use only by Oracle. Do not add to or modify the attributes shown in this table unless you are requested to do so by Oracle Support.

For more information, see the "Configuring Data Privacy" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

24.3.12 PASSWORD_VERIFY_FUNCTION Must be Set to NULL to Work with RCU is Not Documented

The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory does not document that for Oracle Internet Directory to work with the Repository Creation Utility (RCU) for Oracle database version 11.2.x, the default PASSWORD_VERIFY_FUNCTION clause in the database must be set to NULL (which is the default value).

24.3.13 Setting Up Oracle Internet Directory SSL Mutual Authentication

Neither the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory nor the Oracle Fusion Middleware Administrator's Guide describes how to set up Oracle Internet Directory SSL Client and Server Authentication. This information is provided in Note 1311791.1, which is available on My Oracle Support at:

https://support.oracle.com/

24.3.14 Replication Instructions in Tutorial for Identity Management are Incomplete

In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information.

Specifically, the instructions do not work unless the new consumer node is empty.

For more information, see Section 40.1.7, "Rules for Configuring LDAP-Based Replication," in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.