6 Oracle Internet Directory
Topics
Note: Bundle Patch for Oracle Internet Directory 12c (12.2.1.3.180315) release is available. For more information, see Bundle Patch for Oracle Internet Directory 12c (12.2.1.3.180315).
6.1 General Oracle Internet Directory Issues and Workarounds
This section describes general issues and workarounds. It includes the following topics:
- (Bug 25875893) ODS Schema details not getting auto-filled using Schemas Option
- (Bug 25814730) OID12cPS3: Startup fails because low system shared memory on Solaris
- (Bug 19898973) Substring Filter Not Supported for Collective Attributes
- (Bug 14079791) Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time
- (Bug 17348090) Search with Filter Containing AND Operation of Collective Attributes Not Supported
- (Bug 17435510) Oracle Database Requires Patch to Fix Purge Job Problems
- (Bug 18695967) ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field
- (Bug 16964666) Cloned Oracle Internet Directory Instance Fails or Runs Slowly
- (Bug 16498988) Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM
- (Bug 8464130) Turkish Dotted I Character is Not Handled Correctly
- Unable to set up OID replication in Oracle Enterprise Manager
- Unable to estimate OID tuning and sizing needs in Oracle Enterprise Manager
- Unable to manage wallet for OID in Oracle Enterprise Manager
6.1.1 (Bug 25875893) ODS Schema details not getting auto-filled using Schemas Option
Issue
When you are upgrading from 11g Release 1 (11.1.1.9.0) in the Upgrade Assistant, if you select the All Schemas Used By a Domain option, the schema details are not auto-populated in the ODS Schemas screen.
Workaround
As a workaround, manually provide the ODS schema details, such as Database Type, string, and so on.
6.1.2 (Bug 25814730) OID12cPS3: Startup fails because low system shared memory on Solaris
Issue
OID server startup fails on Solaris platforms due to low system shared memory.
Workaround
To fix this issue, increase the shared memory on the Solaris system when the database is collocated. If you are installing only OID, then you need 1.5 GB of shared memory.
For example, as the root user, if you increase project.max-shm-memory to 12 GB (from 8 GB), the OID instance is brought up.
prctl -n project.max-shm-memory -v 12gb -r -i project default
$ prctl -n project.max-shm-memory $$
process: 7423: bash
NAME    PRIVILEGE       VALUE    FLAG   ACTION   RECIPIENT
project.max-locked-memory
        privileged      12.0GB      -   deny             -
        system          16.0EB    max   deny             -
6.1.3 (Bug 26564247) PS3 OID: Help link on ODSM URL does not work
Issue
When you log in to ODSM and click Help, the help pages are not accessible.
Workaround
Although the help is not accessible through the ODSM Help link, you can access the pages through the OID document library. See Overview of Oracle Directory Service Manager.
6.1.4 (Bug 19898973) Substring Filter Not Supported for Collective Attributes
Issue
Oracle Internet Directory does not support substring filters for collective attributes. For instance, the following substring filter is not supported:
tenantguid=*234*
Workaround
The equality filter, for instance tenantguid=12345, is supported for collective attributes.
6.1.5 (Bug 14079791) Search on rootDSE lastchangenumber Attribute Works For One Attribute At A Time
Issue
If you perform ldapsearch on rootDSE to fetch the lastchangenumber attribute along with other attributes, then lastchangenumber is not retrieved.
For instance, when you run the following command, the lastchangenumber attribute is not retrieved:
ldapsearch -p port -D "cn=orcladmin" -w password -b "" -s base "objectclass=*" changelog lastchangenumber
Workaround
The workaround for this problem is to perform ldapsearch on rootDSE only for the lastchangenumber attribute, as follows:
ldapsearch -p <port> -h <hostname> -b ' ' -s base '(objectclass=*)' lastchangenumber
lastchangenumber=4714
6.1.6 (Bug 17348090) Search with Filter Containing AND Operation of Collective Attributes Not Supported
Issue
When the search filter contains only collective attribute expressions, and an AND (&) operation is performed, then the server does not return expected results.
For example, the following command uses only collective attributes in an AND operation, and the server fails to return the desired result:
ldapsearch -b 'cn=u1,cn=collandbug' '&(description=coll1 desc) (description=coll2 desc)' dn
Workaround
There is no workaround for this issue.
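A lint that catches the two collective-attribute limitations in 6.1.4 and 6.1.6 before a filter reaches the server, given here as an added example and not Oracle code. The parser, the lint function and the caller-supplied set of collective attribute names are assumptions of the example.

```python
def parse(text):
    """Parse an LDAP search filter into nested tuples."""
    text = text.strip()
    if not text.startswith("("):              # bare form, as typed in 6.1.6
        text = "(" + text + ")"
    try:
        node, pos = _node(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if text[pos:].strip():
        raise ValueError("trailing characters after filter")
    return node

def _node(text, i):
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|!":                      # composite: (op, [children])
        op, kids = text[i], []
        i += 1
        while True:
            while text[i].isspace():
                i += 1
            if text[i] == ")":
                return (op, kids), i + 1
            kid, i = _node(text, i)
            kids.append(kid)
    end = text.index(")", i)                  # a literal ')' in a value is written \29
    attr, sep, value = text[i:end].partition("=")
    if not sep:
        raise ValueError(f"missing '=' at offset {i}")
    match = attr[-1:] + "=" if attr[-1:] in ("<", ">", "~") else "="
    return ("item", attr.rstrip("<>~").strip().lower(), match, value), end + 1

def walk(node):
    yield node
    if node[0] != "item":
        for kid in node[1]:
            yield from walk(kid)

def lint(filter_text, collective):
    nodes = list(walk(parse(filter_text)))
    items = [n for n in nodes if n[0] == "item"]
    findings = []
    for _, attr, match, value in items:
        if attr in collective and match == "=" and "*" in value and value != "*":
            findings.append(f"6.1.4 substring filter on collective attribute: {attr}={value}")
    if items and any(n[0] == "&" for n in nodes) and all(n[1] in collective for n in items):
        findings.append("6.1.6 AND over collective attributes only")
    return findings

if __name__ == "__main__":
    for f in ("tenantguid=*234*", "&(description=coll1 desc) (description=coll2 desc)"):
        print(f, "->", lint(f, {"tenantguid", "description"}))
```

Pass the attribute names in lower case; a filter that mixes a collective attribute with an ordinary one in an AND is not flagged, because 6.1.6 concerns filters made up of collective attribute expressions only.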
6.1.7 (Bug 17435510) Oracle Database Requires Patch to Fix Purge Job Problems
Issue
Some versions of Oracle Database, such as 10.1.0.5.0rec.jul10, 10.2.0.4.5.psu, 10.2.0.5.1psu, 11.1.0.7.4psu, and 11.2.0.1.2psu require a patch to fix Oracle Internet Directory purge job problems.
Without the patch, purge job operations do not function properly, and these symptoms can occur:
- Oracle Internet Directory change logs do not get purged, and the purge log shows ORA-23421 errors.
- Executing change log purge jobs with orclpurgenow set to 1 hangs.
Workaround
If you are experiencing the preceding purge job problems with any of the listed Oracle Database versions, then apply the latest Patch Set Update (PSU) for your Oracle Database that fixes RDBMS bug 9294838. You can apply the patch after you have installed Oracle Internet Directory.
6.1.8 (Bug 18196425) ODSM Adds Fake Entries to the Chained Container and Displays Duplicate Entries During Export
Issue
In ODSM, when you set up server chaining with Oracle Directory Server Enterprise Edition (ODSEE) as the backend, the following issues emerge:
- If you create an entry through ODSM, then ODSM pretends to add the entry to the remote server through chaining. However, the entry does not get added on the remote server, ODSEE.
- If you add the preceding entry directly to the remote backend, navigate to the parent entry through the Data Explorer tab, and then export the same entry to LDIF, you will see duplicate entries.
Workaround
There is no workaround for this issue.
6.1.9 (Bug 18695967) ODSM Does Not Create Entry of Custom objectclass With Custom Mandatory Field
Issue
If, on the Schema tab, you create a custom attribute and a custom objectclass and select the custom attribute as indexed, and then, on the Data Browser tab, you create an entry of objectclass="custom object class", ODSM does not allow you to enter the mandatory value in the custom attribute field.
Workaround
There is no workaround for this issue.
6.1.10 (Bug 19521548) Oracle Internet Directory Upgrade from 10.1.4.3 to 11.1.1.9.0 Fails During Configuration on AIX
Issue
This issue occurs when you upgrade Oracle Internet Directory from 10.1.4.3 to 11.1.1.9.0 on AIX. The upgrade fails during configuration with the following error:
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
Workaround
The workaround for this issue is to add the Java option that disables ECDH ciphers while configuring Oracle Internet Directory 11.1.1.9.0, as shown in the following example:
ORACLE_HOME/config.sh -Doracle.ldap.odi.sslsocketfactory.disable-ecc=true
6.1.11 (Bug 12833947) ODSM Problems in Internet Explorer 7
Issue
The ODSM interface might not appear as described in Internet Explorer 7.
For example, the Logout link might not be displayed.
Workaround
If this causes problems, upgrade to Internet Explorer 8 or 9 or use a different browser.
6.1.12 (Bug 16964666) Cloned Oracle Internet Directory Instance Fails or Runs Slowly
Issue
In a cloned Oracle Internet Directory environment, undesired host names can cause errors, failures, or performance degradation.
This problem can occur when you clone an Oracle Internet Directory instance and the cloned target instance gets undesired host names from the source instance. Some of these hosts might be outside of a firewall or otherwise inaccessible to the target instance.
The cloned Oracle Internet Directory instance assumes it is in a clustered environment and tries to access the undesired hosts for notifications and other changes. However, the cloned instance cannot access some of the hosts and subsequently fails, returns errors, or runs slowly.
For example, this problem can occur during the following operations for a cloned Oracle Internet Directory target instance:
- Running the faovmdeploy.sh createTopology command to create an Oracle Virtual Machine (VM)
- Deploying Enterprise Manager agents in different Oracle Virtual Machines
Workaround
To fix this problem, remove the undesired host names from the cloned Oracle Internet Directory instance, as follows:
See Also:
"Cloning Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
6.1.13 (Bug 16498988) Oracle Internet Directory Fails to Start on Solaris SPARC System Using ISM
Issue
Oracle Internet Directory fails to start on the following Oracle Solaris SPARC system using Intimate Shared Memory (ISM): 5.11 11.1 sun4v sparc sun4v
Workaround
As a workaround for this problem, set the following values, as shown in the next procedure:
- Set the total amount of operating system physical locked memory allowed (project.max-locked-memory) for Oracle Internet Directory to 2 GB or higher so that the value aligns with the supported page sizes. The pagesize -a command lists all the supported page sizes on Solaris systems.
- Set the orclecachemaxsize attribute to less than the project.max-locked-memory value and ensure that the value aligns with the OS supported page sizes. For example, set the value to 256 MB.
In the following procedure, it is assumed that the Oracle Internet Directory services are managed by an operating system user named "oracle":
- Log in to the Solaris SPARC system as the root user.
- Check the project membership of the OID user.
  If the OID user belongs to the default project:
  - Create a new project with the value of maximum locked memory set to 2 GB or higher, and associate the OID user with the newly created project. On Solaris 10 and 11, project id 3 represents the default project. For example:
    # id -p oracle
    uid=2345(oracle) gid=529(dba) projid=3(default)
    # projadd -p 150 -K "project.max-locked-memory=(priv,2G,deny)" oidmaxlkmem
    # usermod -K project=oidmaxlkmem oracle
  - Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
    # su - oracle
    $ id -p oracle
    uid=2345(oracle) gid=529(dba) projid=150(oidmaxlkmem)
    $ prctl -n project.max-locked-memory -i project 150
    project: 150: oidmaxlkmem
    NAME    PRIVILEGE       VALUE    FLAG   ACTION   RECIPIENT
    project.max-locked-memory
            privileged      2.00GB      -   deny             -
            system          16.0EB    max   deny             -
  If the OID user belongs to a non-default project:
  - Modify the corresponding project to include the project.max-locked-memory resource control and set the value to 2 GB or higher. For example:
    # id -p oracle
    uid=2345(oracle) gid=529(dba) projid=125(oraproj)
    # projmod -a -K "project.max-locked-memory=(priv,2G,deny)" oraproj
  - Verify that the value for the resource control project.max-locked-memory was set to 2 GB, as expected. For example:
    # projects -l oraproj
    oraproj
            projid : 125
            comment: ""
            users  : (none)
            groups : (none)
            attribs: project.max-locked-memory=(priv,2147483648,deny)
                     project.max-shm-memory=(priv,34359738368,deny)
    # su - oracle
    $ id -p
    uid=2345(oracle) gid=529(dba) projid=125(oraproj)
    $ prctl -n project.max-locked-memory -i project 125
    project: 125: oraproj
    NAME    PRIVILEGE       VALUE    FLAG   ACTION   RECIPIENT
    project.max-locked-memory
            privileged      2.00GB      -   deny             -
            system          16.0EB    max   deny             -
- Set the entry cache maximum size (orclecachemaxsize attribute) to a value that is less than the maximum locked memory size allowed by the OS and that aligns with the OS supported page sizes. For example, using SQL*Plus, set the value to 256 MB:
    sqlplus ods@oiddb
    update ds_attrstore set attrval='256m' where entryid=940 and attrname='orclecachemaxsize';
    commit;
- Run the config.sh script to configure Oracle Internet Directory.
6.1.14 ODSM Browser Window Becomes Unusable
Issue
Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.
Workaround
As a workaround, go to the URL http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.
6.1.15 (Bug 9050432) Bulkmodify Might Generate Errors
Issue
If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations.
Workaround
To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.
6.1.16 (Bug 8464130) Turkish Dotted I Character is Not Handled Correctly
Issue
Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in ODSM and in command-line utilities.
Workaround
There is no workaround for this issue.
6.1.17 (Bug 10383377) SQL of OPSS ldapsearch Might Take High CPU%
Issue
The SQL of an OPSS one-level ldapsearch operation, with the filter "orcljaznprincipal=value" and required attributes, might take an unreasonably high percentage of DB CPU.
Workaround
If this search performance impacts the overall performance of the machine and other processes, you can resolve the issue by performing the following steps in the Oracle Database:
6.1.18 Unable to set up OID replication in Oracle Enterprise Manager
Issue
The wizard for setting up replication is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Administration menu.
Workaround
You can use the command line tools for setting up LDAP-based replication. See Command-line Tools to Setup and Modify Replication in Administering Oracle Internet Directory.
6.1.19 Unable to estimate OID tuning and sizing needs in Oracle Enterprise Manager
Issue
The wizard for estimating sizing and tuning needs is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Administration menu.
Workaround
For recommendations on sizing and tuning Oracle Internet Directory, see Tuning and Sizing Oracle Internet Directory in Administering Oracle Internet Directory.
6.1.20 Unable to manage wallet for OID in Oracle Enterprise Manager
Issue
The wallet option is no longer available in Oracle Enterprise Manager Fusion Middleware Control 12c Security menu.
Workaround
You can use the orapki tool or the keystore service to create a wallet. See Wallet Management and Keystore Management in Administering Oracle Fusion Middleware.
6.2 Oracle Internet Directory Configuration Issues and Workarounds
This section describes configuration issues and their workarounds. It includes the following topics:
6.2.1 Accept TLS Protocol for SSL support
Issue
While configuring Oracle Internet Directory in SSL mode, if SSLv3 is disabled and you try to enable the TLS mode only, then the Oracle Internet Directory configuration hangs. This happens when the orclsslciphersuite attribute is populated with unsupported cipher suites.
Workaround
The workaround is to remove the unsupported cipher suite from the orclsslciphersuite attribute. For more information about the supported cipher suite list, see "Supported Cipher Suites" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
In addition, you must completely disable SSLv3 and TLS 1.0, and enable TLS for configuring Oracle Internet Directory in SSL mode. To enable only TLS (and disable SSLv3), modify the value of the orclcryptoversion attribute to 24. This value refers to TLS 1.1 and TLS 1.2. For more information, see "Supported Protocol Versions" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Run the ldapmodify command to update the value of orclcryptoversion to 24 as follows:
ldapmodify -D "cn=orcladmin" -q -p portNum -h hostname -f ldifFile
Here ldifFile contains:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclcryptoversion
orclcryptoversion: 24
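A pre-flight check for the two conditions in this section, run against an LDIF export of the instance entry before the server is restricted to TLS. It is an added example, not Oracle code; the sample entry is constructed, the cipher suite names are placeholders for the list in "Supported Cipher Suites", and orclsslciphersuite is assumed to be multi-valued.

```python
import base64

REQUIRED_CRYPTO_VERSION = "24"   # from this section: TLS 1.1 and TLS 1.2 only

# Constructed sample: the attribute values are illustrative, not from a real instance.
SAMPLE_LDIF = """\
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
orclcryptoversion: 0
orclsslciphersuite: EXAMPLE_SUITE_SUPPORTED
orclsslciphersuite: EXAMPLE_SUITE_
 LEGACY
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; handles folded lines and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # RFC 2849 continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def preflight(ldif_text, supported_suites):
    """Return the problems that would block a TLS-only configuration."""
    entry = parse_ldif_entry(ldif_text)
    problems = []
    versions = entry.get("orclcryptoversion", [])
    if versions != [REQUIRED_CRYPTO_VERSION]:
        problems.append(f"orclcryptoversion is {versions or 'unset'}, expected 24")
    for suite in entry.get("orclsslciphersuite", []):
        if suite not in supported_suites:
            problems.append(f"unsupported cipher suite in orclsslciphersuite: {suite}")
    return problems

if __name__ == "__main__":
    # Placeholder allow-list; fill it from "Supported Cipher Suites".
    for problem in preflight(SAMPLE_LDIF, {"EXAMPLE_SUITE_SUPPORTED"}):
        print("FAIL:", problem)
```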
6.2.2 Warning When Creating a Remote Oracle Internet Directory Instance
Issue
When you create an Oracle Internet Directory instance targeted to a remote node, the following warning is displayed in the Administration Server logs on the first machine:
<Warning> <Management> <BEA-141296> <Unable to contact Node Manager on "oidhost2".
Activation for system component "oid2" is deferred until "oidhost2" becomes available.
java.lang.RuntimeException: Node Manager is not available on machine oidhost2
Workaround
This warning can be ignored.
6.3 Documentation Errata
This section describes documentation errata. It includes the following topics:
6.3.1 Replication Instructions in Tutorial for Identity Management are Incomplete
In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, the section Setting up Oracle Internet Directory Replication is missing important information.
Specifically, the instructions do not work unless the new consumer node is empty. If the new consumer node has pre-loaded data, then various conflict resolution and invalid attribute name format messages will appear in the replication logs.
For more information, see Rules for Configuring LDAP-Based Replication in the Oracle Fusion Middleware Administering Oracle Internet Directory.