6 Oracle Internet Directory

This chapter describes issues associated with Oracle Internet Directory. It includes the following topics:

Topics

6.1 General Oracle Internet Directory Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

6.1.1 (Bug 25875893) ODS Schema details not getting auto-filled using Schemas Option

Issue

When you are upgrading from 11g Release 1(11.1.1.9.0) in the Upgrade Assistant, if you select All Schemas Used By a Domain option, the schema details are not auto-populated in ODS Schemas screen.

Workaround

As a workaround, user has to manually provide ODS schema details such as Database Type, string etc.

6.1.2 (Bug 25814730) OID12cPS3: Startup fails because low system shared memory on Solaris

Issue

OID server startup fails on Solaris platforms due to low system shared memory.

Workaround

To fix this issue, you need to increase shared memory on Solaris system platform when DB is collocated. If you are installing only OID, then you need 1.5GB shared memory.

For example, as a root user, if you increase project.max-shm-memory to 12GB(from 8 GB), the OID instance is brought up.

prctl -n project.max-shm-memory -v 12gb -r -i project default
$ prctl -n project.max-shm-memory $$
process: 7423: bash 

NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
project.max-locked-memory
        privileged      12.0GB      -   deny                          -
        system          16.0EB    max   deny                          -

6.1.3 (Bug 26564247)PS3 OID: Help link on ODSM URL does not work

Issue

When you login to ODSM and click on Help, help pages are not accessible.

Workaround

Though the help is not accessible via ODSM help, we can access the pages through OID document library. See Overview of Oracle Directory Service Manager

6.1.4 (Bug 19898973)Substring Filter Not Supported for Collective Attributes

Issue

Oracle Internet Directory does not provide support for substring filter for collective attributes. For instance, the following substring filter is not supported:

tenantguid=*234*

Workaround

However, the equality filter for instance, tenantguid=12345 is supported for collective attributes.

6.1.5 (Bug 14079791) Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time

Issue

If you perform ldapsearch on rootDSE to fetch the lastchangenumber attribute along with other attributes, then lastchangenumber is not retrieved.

For instance, when you run the following command then lastchangenumber attribute is not retrieved:

ldapsearch -p port -D "cn=orcladmin" -w password -b "" -s base "objectclass=*"
changelog lastchangenumber

Workaround

The workaround for this problem is to perform ldapsearch on rootDSE only for lastchangenumber attribute as follows:

ldapsearch -p <port> -h <hostname> -b ' ' -s base '(objectclass=*)' lastchangenumber

lastchangenumber=4714

6.1.6 (Bug 17348090) Search with Filter Containing AND Operation of Collective Attributes Not Supported

Issue

When the search filter contains only collective attribute expressions, and an AND (&) operation is performed, then the server does not return expected results.

For example, if you run the following commands having collective attributes only, then if you run an AND operation, the server fails to return the desired result.

ldapsearch -b 'cn=u1,cn=collandbug' '&(description=coll1 desc) 
(description=coll2 desc)' dn 

Workaround

There is no workaround for this issue.

6.1.7 (Bug 17435510) Oracle Database Requires Patch to Fix Purge Job Problems

Issue

Some versions of Oracle Database, such as 10.1.0.5.0rec.jul10, 10.2.0.4.5.psu, 10.2.0.5.1psu, 11.1.0.7.4psu, and 11.2.0.1.2psu require a patch to fix Oracle Internet Directory purge job problems.

Without the patch, a purge jobs operation does not function properly, and these symptoms can occur:

  • Oracle Internet Directory change logs do not get purged, and the purge log shows ORA-23421 errors.

  • Executing change log purge jobs with orclpurgenow set to 1 hangs.

Workaround

If you are experiencing the preceding purge job problems with any of the listed Oracle Database versions, then apply the latest Patch Set Update (PSU) for your Oracle Database that fixes RDBMS bug 9294838. If so, apply the RDBMS patch for your database. You can apply the patch after you have installed Oracle Internet Directory.

6.1.8 (Bug 18196425) ODSM Adds Fake Entries to the Chained Container and Displays Duplicate Entries During Export

Issue

In ODSM, when you set up server chaining with Oracle Directory Server Enterprise Edition (ODSEE) as the backend the following issues emerge:

  • If you create an entry through ODSM, then ODSM pretends to add the entry to the remote server through chaining. However, the entry does not get added on the remote server, ODSEE.

  • If you add the preceding entry directly to the remote backend, and navigate to the parent entry through the Data Explorer tab, and then export to LDIF the same entry, you will see duplicate entries.

Workaround

There is no workaround for this issue.

6.1.9 (Bug 18695967) ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field

Issue

On the Schema tab, create a custom attribute and a custom objectclass, and also select custom attribute as indexed. Now, on the Data Browser tab if you create an entry of objectclass="custom object class" then it does not allow you to enter the mandatory value in the custom attribute field.

Workaround

There is no workaround for this issue.

6.1.10 (Bug 19521548) Oracle Internet Directory Upgrade from 10.1.4.3 to 11.1.1.9.0 Fails During Configuration on AIX

Issue

This issue occurs when you upgrade Oracle Internet Directory from 10.1.4.3 to 11.1.1.9.0 on AIX. The upgrade fails during configuration with the following error:

javax.net.ssl.SSLException: Received fatal alert: illegal_parameter

Workaround

The workaround for this issue is to add the java option to disable ECDH ciphers while configuring Oracle Internet Directory 11.1.1.9.0, as shown in the following example:

ORACLE_HOME/config.sh -Doracle.ldap.odi.sslsocketfactory.disable-ecc=true

6.1.11 (Bug 12833947) ODSM Problems in Internet Explorer 7

Issue

The ODSM interface might not appear as described in Internet Explorer 7.

For example, the Logout link might not be displayed.

Workaround

If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.

6.1.12 (Bug 16964666) Cloned Oracle Internet Directory Instance Fails or Runs Slowly

Issue

In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.

This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.

The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.

For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:

  • Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)

  • Deploying Enterprise Manager agents in different Oracle Virtual Machines

Workaround

To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:

  1. Set the required environment variables. For example:
    export ORACLE_INSTANCE=/u01/oid/oid_inst
    export ORACLE_HOME=/u01/oid/oid_home
    export PATH=$ORACLE_HOME/bin:$ORACLE_INSTANCE/bin:$PATH
    export TNS_ADMIN=$ORACLE_INSTANCE/config
    
  2. Connect to the Oracle Database and delete the entries with the undesired Oracle Internet Directory host names. For example, in the following queries, substitute the undesired host name for sourceHostname:
    sqlplus ods@oiddb
    delete from ods_shm where nodename like '%sourceHostname%';
    delete from ods_shm_key where nodename like '%sourceHostname%';
    delete from ods_guardian where nodename like '%sourceHostname%';
    delete from ods_process_status where hostname like '%sourceHostname%';
    commit;
    
  3. Stop and then restart the cloned Oracle Internet Directory component. For example:
    opmnctl stopproc ias-component=oid1
    opmnctl startproc ias-component=oid1
    
  4. Find the cn entries with the undesired Oracle Internet Directory host names. For example:
    ldapsearch -h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    
  5. From the results in the previous step, remove the entries with the undesired host names. For example:
    ldapdelete h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName1,cn=osdldapd,cn=subregistrysubentry"
    ldapdelete h oid_host -p oid_port -D cn=orcladmin -w admin_password
    "cn=oid1_1_hostName2,cn=osdldapd,cn=subregistrysubentry"
    
  6. Verify that the undesired host names are removed. For example:
    ldapsearch h oid_host -p oid_port -D cn=orcladmin -w admin_password -b
    "cn=subregistrysubentry" -s sub "objectclass=*" dn
    cn=oid1_1_myhost.example.com,cn=osdldapd,cn=subregistrysubentry
    

See Also:

"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

6.1.13 (Bug 16498988) Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM

Issue

Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v

Workaround

As a workaround for this problem, set the following values, as shown in the next procedure:

  • Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.

  • Set the orclecachemaxsize attribute to less than the project.max-locked-memory and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.

In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":

  1. Log in to the Solaris SPARC system as the root user.

  2. Check the project membership of the OID user.

    If the OID user belongs to the default project:

    1. Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=3(default)
      # projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
      # usermod -K project=oidmaxlkmem oracle
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # su - oracle
      
      $ id -p oracle
      uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
      
      $ prctl -n project.max-locked-memory -i project 150
      project: 150: oidmaxlkmem
      NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny                             -
              system          16.0EB    max   deny                             -
      

    If the OID user belongs to a non-default project:

    1. Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:

      # id -p oracle
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      # projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
      
    2. Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:

      # projects -l oraproj
      oraproj
              projid : 125
              comment: ""
              users  : (none)
              groups : (none)
              attribs: project.max-locked-memory=(priv,2147483648,deny)
                       project.max-shm-memory=(priv,34359738368,deny)
      
      # su - oracle
      $ id -p
      uid=2345(oracle) gid=529(dba) projid=125(oraproj)
      
      $ prctl -n project.max-locked-memory -i project 125
      project: 125: oraproj
      NAME    PRIVILEGE       VALUE    FLAG   ACTION  RECIPIENT
      project.max-locked-memory
              privileged      2.00GB      -   deny    -
              system          16.0EB    max   deny    -
      
  3. Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes.

    For example, using SQL*Plus, set the value to 256 MB:

    sqlplus ods@oiddb
    update ds_attrstore set attrval='256m'
      where entryid=940 and attrname='orclecachemaxsize';
    commit;
    
  4. Run the config.sh script to configure Oracle Internet Directory.

6.1.14 ODSM Browser Window Becomes Unusable

Issue

Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

Workaround

As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.

6.1.15 (Bug 9050432) Bulkmodify Might Generate Errors

Issue

If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations.

Workaround

To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.

6.1.16 (Bug 8464130)Turkish Dotted I Character is Not Handled Correctly

Issue

Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in ODSM and in command-line utilities.

Workaround

There is no workaround for this issue.

6.1.17 (Bug 10383377) SQL of OPSS ldapsearch Might Take High CPU%

Issue

The SQL of an OPSS one level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take unreasonably high percentage DB CPU.

Workaround

If this search performance impacts the overall performance of the machine and other processes, you can resolve the issue by performing the following steps in the Oracle Database:

  1. Log in to the Oracle Database as user ODS and execute the following SQL:
    BEGIN
    DBMS_STATS.GATHER_TABLE_STATS(OWNNAME=>'ODS',
                                  TABNAME=>'CT_ORCLJAZNPRINCIPAL',
                                  ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE,
                                  CASCADE=>TRUE);
    END;
    /
    
  2. Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.

6.2 Oracle Internet Directory Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

6.2.1 Accept TLS Protocol for SSL support

Issue

While configuring Oracle Internet Directory in SSL mode, if SSLv3 is disabled and you try to enable the TLS mode only, then the Oracle Internet Directory configuration hangs. This happens when orclsslciphersuite attribute is populated with unsupported cipher suites.

Workaround

The workaround is to remove the unsupported cipher suite from the orclsslciphersuite attribute. For more information about the supported cipher suite list, see "Supported Cipher Suites" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

In addition, you must completely disable SSLv3 and TLS 1.0, and enable TLS for configuring Oracle Internet Directory in SSL mode. For enabling only TLS (and disabling SSLv3), you need to modify the value of orclcryptoversion attribute to 24. This value refers to TLS 1.1 and TLS 1.2. For more information, see "Supported Protocol Versions" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

Run the ldapmodify command to update the value of orclcryptoversion to 24 as follows:

ldapmodify -D "cn=orcladmin" -q -p portNum -h hostname -f ldifFile

Here ldifFile contains:

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclcryptoversion
orclcryptoversion: 24

6.2.2 Warning When Creating a Remote Oracle Internet Directory Instance

Issue

When you create an Oracle Internet Directory instance targeted to a remote node, on first machine, the following warning is displayed in the Administration Server logs:

 <Warning> <Management> <BEA-141296> <Unable  to contact Node Manager on "oidhost2". 
Activation for system component "oid2"  is deferred until "oidhost2" becomes available.  
java.lang.RuntimeException: Node Manager is not available on machine oidhost2 

Workaround

This warning can be ignored.

6.3 Documentation Errata

This section describes documentation errata. It includes the following topics:

6.3.1 Replication Instructions in Tutorial for Identity Management are Incomplete

In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Setting up Oracle Internet Directory Replication, is missing important information.

Specifically, the instructions do not work unless the new consumer node is empty. If the new consumer node has pre-loaded data, then various conflict resolution and invalid attribute name format messages will appear in the replication logs.

For more information, see Rules for Configuring LDAP-Based Replication in the Oracle Fusion Middleware Administering Oracle Internet Directory.