Oracle Internet Directory Release 2.1.1.0.0 (for Oracle9iAS 1.0.2.2)
May 15, 2001
-------------------------------------------------------------

Copyright (C) Oracle Corporation 2000, 2001

This software/documentation contains proprietary information of Oracle
Corporation; it is provided under a license agreement containing
restrictions on use and disclosure and is also protected by copyright law.
Reverse engineering of the software is prohibited.

If this software/documentation is delivered to a U.S. Government Agency of
the Department of Defense, then it is delivered with Restricted Rights and
the following legend is applicable:

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the Government
is subject to restrictions as set forth in subparagraph (c)(1)(ii) of DFARS
252.227-7013, Rights in Technical Data and Computer Software (October 1988).

If this software/documentation is delivered to a U.S. Government Agency not
within the Department of Defense, then it is delivered with "Restricted
Rights," as defined in FAR 52.227-14, Rights in Data - General, including
Alternate III (June 1987).

Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The information in this document is subject to change without notice. If
you find any problems in the documentation, please report them to us in
writing. Oracle Corporation does not warrant that this document is error
free.

Oracle, Oracle8, Oracle8i are trademarks of Oracle Corporation. All trade
names referenced are the service mark, trademark, or registered trademark of
the respective manufacturer.
-------------------------------------------------------------------------------

TABLE OF CONTENTS
===================

0. Introduction
   0.1 ABOUT ORACLE INTERNET DIRECTORY
   0.2 ABOUT THIS README
   0.3 COVER LETTER AND LICENSING
   0.4 ORACLE INTERNET DIRECTORY 2.1.1.0.0 Documentation

1. Installation Process
   1.1 FRESH INSTALLATION
   1.2 UPGRADE INSTALLATION

2. Oracle Internet Directory Server 2.1.1.0.0
   2.1 DATABASE COMPATIBILITY
   2.2 LDAP SERVER NEW FEATURES and ENHANCEMENTS
   2.3 REPLICATION NEW FEATURES and ENHANCEMENTS
   2.4 LDAP SERVER LIMITATIONS
   2.5 REPLICATION LIMITATIONS
   2.6 LOG FILE LOCATIONS

3. Oracle Internet Directory Client 2.1.1.0.0
   3.1 LDAP TOOLS LIMITATIONS
   3.2 LDAP TOOLS ENHANCEMENTS
   3.3 ORACLE DIRECTORY MANAGER (oidadmin)
   3.4 ORACLE INTERNET DIRECTORY PL/SQL API (DBMS_LDAP)

4. Windows 95, 98, 2000 and NT specific issues

5. Corrections to Oracle Internet Directory Administrator's Guide
   (Release 2.1.1)

----------------------------------------------

0. Introduction
===============

0.1 About Oracle Internet Directory
-----------------------------------

Oracle Internet Directory (OID) version 2.1.1.0.0 is an LDAP-v3 compliant
directory server that is powered by Oracle8i. It exploits the Oracle RDBMS
technology to achieve scalability and sophisticated data management
capabilities. Oracle Internet Directory 2.1.1.0.0 is bundled with Oracle9iAS
version 1.0.2.2.

There are two components of Oracle Internet Directory:

- OID Server 2.1.1.0.0
  This component installs the OID LDAP server and all of its related
  components.

- OID Client 2.1.1.0.0
  This component installs the LDAP client and administration tools required
  for accessing and managing data in Oracle Internet Directory remotely. The
  files installed as part of client installation are a subset of the files
  that would be installed as part of the server installation.

0.2 About this Release Note
---------------------------

This Release Note is relevant only to the Oracle Internet Directory
2.1.1.0.0 and its integral components delivered as part of the Oracle9iAS
version 1.0.2.2 software bundle. This Release Note documents any differences
between the shipped software (and its integral parts) and its documented
functionality, as well as fixed bugs, and known problems and workarounds.
This file is provided in lieu of other release notes, system bulletins, or
similar publications.

0.3 Cover Letter and Licensing
------------------------------

Please read the cover letter that may be included with your Oracle9iAS
version 1.0.2.2 software distribution. It may contain important information
about the licensing terms of Oracle Internet Directory 2.1.1.0.0.

0.4 Oracle Internet Directory, 2.1.1.0.0 Documentation
------------------------------------------------------

The following documentation should be used with this release of Oracle
Internet Directory:

- Oracle Internet Directory Installation Guide (Release 2.1.1)
- Oracle Internet Directory Application Developer's Guide (Release 2.1.1)
- Oracle Internet Directory Administrator's Guide (Release 2.1.1)

The following documentation may also help to achieve optimal use of Oracle
Internet Directory. This documentation is available at Oracle Technet at
http://otn.oracle.com/docs/products/oracle8i/doc_index.htm

- Oracle8i Administrator's Reference (Release 8.1.7)
- Oracle8i Administrator's Guide (Release 8.1.7)
- Oracle8i Concepts (Release 8.1.7)
- Oracle8i Designing and Tuning for Performance (Release 8.1.7)
- Oracle8i Reference (Release 8.1.7)

1.0 INSTALLATION PROCESS:
=========================

1.1 FRESH INSTALLATION
----------------------

1.1.1 INSTALLING OID ON TOP OF A PRE-EXISTING 8.1.7 DATABASE

You may use an existing 8.1.7 database that resides in the same ORACLE_HOME
for OID usage. The database needs to be up and running before you start the
installer, and it must be using the UTF8 character set. When providing the
SID to identify the DB instance, use upper-case letters.

In the case of installations on Windows, be sure to temporarily unset the
ORACLE_HOME environment variable before starting the Installer, as directed
in the Windows-specific pre-installation requirements in this section.

1.1.2 INSTALLER CANNOT INSTALL OID AGAINST A REMOTE DATABASE

In order to get OID 2.1.1.0.0 to work against a remote database, you must
perform an installation of OID and the database on the local machine as well
as on the remote machine. After both installations have completed, the OID
running on the first machine can be configured by the administrator to
connect to the database running on the second machine by making the
appropriate changes to the tnsnames.ora file.

1.1.3 CUSTOM INSTALLATION

During a custom installation of OID, DBCA (Database Configuration Assistant)
will be launched in its custom mode. The SID and global database name that
you selected earlier during the installation will appear. Do not change
these values; otherwise, OIDCA will fail.

1.1.4 POST-INSTALLATION CONFIGURATION TOOL

NetCA - In a typical installation of OID, select typical configuration. Do
not perform Directory Service Access Configuration when installing OID.

1.1.5 INSTALLATION OF ORACLE SPECIFIC SCHEMA IN THE DIRECTORY

For all installation types, the OID installation process will load the
product-specific schema required for other products in the 8.1.7 bundle.
This schema is backwards-compatible with Oracle products shipped with the
8.1.6 bundle. The LDAP schema loading is done automatically at the end of
the installation. If this step does not go through, then the following
files should be loaded into the directory in the order listed, using
ldapadd:

$ORACLE_HOME/ldap/admin/oidbaseacl.ldif
    -> implements the default security policy.
$ORACLE_HOME/ldap/admin/oidbase.ldif
    -> loads the common schema required by all Oracle LDAP-enabled products.
$ORACLE_HOME/ldap/admin/oidnet.ldif
    -> loads the schema required for LDAP support in Net8.
$ORACLE_HOME/ldap/admin/oidrdbms.ldif
    -> loads the schema required for Oracle8i RDBMS to use Oracle Internet
       Directory.

The above scripts can be launched collectively using
$ORACLE_HOME/ldap/admin/schema_ext.sh

1.1.6 SILENT INSTALLATION

For a typical silent installation, you need to use oidtyp.rsp along with
netca.rsp, which controls the behavior of NetCA. The location of this
netca.rsp file is needed in oidtyp.rsp.

For a custom silent installation, you need to use oidcus.rsp along with
netca.rsp and dbca.rsp for NetCA and DBCA respectively. The locations of
these files are needed in oidcus.rsp.

For an OID client silent installation, you need to use oidclnttyp.rsp.

1.1.7 OID 2.1.1.0.0 DOES NOT SUPPORT DOWNGRADE

There is no support for downgrading to earlier versions from OID 2.1.1.0.0.

1.1.8 WINDOWS-SPECIFIC PRE-INSTALLATION REQUIREMENTS

Make sure that ORACLE_HOME is not set in the Windows system environment
before attempting to install Oracle Internet Directory 2.1.1.0.0. Net8
Configuration Assistant will hang if ORACLE_HOME is set when you launch the
Installer.

1.2 UPGRADE INSTALLATION
------------------------

1.2.1 OID 2.1.1.0.0 supports upgrade from OID release 2.0.4.0.0 and
2.0.6.0.0. To upgrade from either of these versions, select OID 2.1.1.0.0
to be installed in the same ORACLE_HOME and the installer will prompt the
user to upgrade. Oracle strongly recommends that you allow Oracle Data
Migration Assistant to create a database backup/restore script of the
existing database when prompted, early on in the upgrade process.

In the case of upgrades on Windows, be sure to temporarily unset the
ORACLE_HOME environment variable before starting the Installer as directed
in note 1.1.3 above.

1.2.2 Before starting an upgrade, please comment out the
"job_queue_processes" parameter in the "init.ora" file. If this is not done,
the Oracle Data Migration Assistant (ODMA) will complain that the
"job_queue_processes" parameter is not set to zero. If this occurs, do not
exit from ODMA. Simply shut down the database and comment out the
"job_queue_processes" parameter in a separate window. Then return to ODMA
and proceed. After the upgrade, the user must restore the
"job_queue_processes" parameter and restart the database and the OID server.

1.2.3 During the deinstallation phase of the upgrade, errors regarding the
invocation of certain makefiles may appear. Please ignore them by clicking
on "Ignore" to proceed.

1.2.4 During the installation phase of the upgrade, the installer complains
with the following error message: "Error in creating link from /jre/1.1.8 to
<$ORACLE_HOME>/JRE". Please delete the $ORACLE_HOME/JRE subdirectory using a
separate window, then click on the "Retry" button to proceed.

1.2.5 The Installer will not verify the "ods" user password or the OID
Administrator password as you enter them. Please take special care in
entering them, as invalid passwords will cause the OID Upgrade Assistant to
fail.

1.2.6 If ODMA hangs during the upgrade, you will need the database restore
script created in step 1.2.1 above in order to recover your data.

   1) Manually kill the installation process.
   2) Run the database restore script created by ODMA to restore the
      database.
   3) Manually execute $ORACLE_HOME/ldap/postcfg/OidUpgrade to finish the
      rest of the upgrade procedures.

1.2.7 During database migration, ODMA will indicate to the user that the
Advanced Replication Option is not upgraded. Please proceed.

1.2.8 During execution of the OID Upgrade Assistant, the progress meter stays
at "4%" for a considerable amount of time due to the execution of
$ORACLE_HOME/rdbms/admin/catrep.sql.

1.2.9 The following files in $ORACLE_HOME/network/admin are modified during
the upgrade procedure by the Oracle Data Migration Assistant:

   - listener.ora
   - tnsnames.ora
   - sqlnet.ora

The original files are backed up in the same directory as .ora.bak. Please
restore these files and restart the listener before starting up OID.

1.2.10 After exiting the installer from an upgrade, you must run
"$ORACLE_HOME/ldap/bin/cryptupgrd.sh". This script prompts you for the
service name and the "ods" user password as inputs. If step 1.2.9 is not
carried out properly, the script may hang. Abort the script and try again
with the appropriate service name.

1.2.11 After an upgrade, the password of the super user (cn=orcladmin), the
guest user, and the proxy user will be reset to their default values. In an
LDIF-based upgrade, the above passwords as well as the password for the
"ods" database user will be reset to their default values.

1.2.12 In an LDIF-based upgrade, "backup_oid.sh" does not export the
configsets; hence the configsets must be re-created by the user after the
upgrade.

1.2.13 In an LDIF-based upgrade, the "cn=oracleschemaversion" subtree is
exported by "backup_oid.sh" into $ORACLE_HOME/ldap/load/orcl_schemaver.ldif.
However, "restore_oid.sh" does not restore this subtree. Any user-defined
entries in $ORACLE_HOME/ldap/load/orcl_schemaver.ldif must be manually
re-added through the OID server.

1.2.14 During the transient period of a multi-node upgrade in a replication
environment, do not use the new password encryption scheme until the entire
network has been upgraded. Otherwise, inconsistencies in password values will
occur, disabling authentication.

1.2.15 After the successful upgrade of all nodes in a replication
environment, you need to manually set the attribute "orclupgradeinprogress"
in the DSE root to FALSE on each individual node.

2.0 ORACLE INTERNET DIRECTORY SERVER 2.1.1.0.0
==============================================

2.1 DATABASE COMPATIBILITY
--------------------------

OID Server 2.1.1.0.0 is certified to work against Oracle8i, release 8.1.7
only. The database being used as the data-store for OID should be dedicated
to OID. Since OID itself accesses its backend database as a regular database
user, using some of the LDAP-enabled features in other Oracle products has
the potential of causing circular dependencies. In particular, it is
recommended that the following database access mechanisms NOT be used for
OID's own database connections:

1. Net8 LDAP naming. This feature allows Net8 clients to look up an LDAP
   server for resolving database service names. Making OID's database
   connections use this feature can prevent OID from starting up.

2. Enterprise Users and Roles (part of the Advanced Security Option). When
   using this feature, the database refers to an LDAP server to determine
   which Enterprise Roles have been granted to a particular Enterprise User.
   OID cannot log in to its own database as an Enterprise User.

2.2 LDAP SERVER NEW FEATURES and ENHANCEMENTS
---------------------------------------------

2.2.1 USE OF LANGUAGE CODE (RFC 2596) IS NOW SUPPORTED

OID allows the use of language codes to store values for the same attribute
in different languages, as defined in RFC 2596. Users can now store and query
data with the appropriate language codes.

2.2.2.1 REFERRAL SUPPORT IN LDAPSEARCH, LDAPADD, LDAPDELETE and LDAPMODIFY

Referral support is now available for LDAP v3 clients. All referral objects
below the base of the search will be returned as part of an ldapsearch
request.

2.2.2.2 REFERRAL SUPPORT IN LDAPSEARCH FOR LDAPv2 CLIENTS

OID supports returning referrals to LDAP v2 clients as defined in the
document http://www.umich.edu/~dirsvcs/ldap/doc/other/ldap-ref.html. OID
uses the LDAP_PARTIAL_RESULT (0x09) return code to indicate that the
additional information field of the LDAP Message contains the referral
information.

2.2.2.3 SUPPORT FOR manageDSA CONTROL TO ADMINISTER REFERRALS IN OID

Directory administrators can use the manageDSA control to administer
REFERRALS in OID. If the manageDSA control is set in the ldapsearch
operation, OID returns referrals as regular entries. The control type for
the manageDSA control is 2.16.840.1.113730.3.4.2.

2.2.3 ENHANCED PASSWORD ENCRYPTION SUPPORT

OID supports multiple encryption schemes to encrypt userPassword values.
Directory administrators can choose one of the following schemes as the
default encryption scheme. Supported encryption schemes are: No Encryption,
MD4, MD5, SHA-1 or UNIX Crypt.

Note: Directory administrators can change the default encryption scheme at
any time; however, existing entries will not be re-hashed as a result.

2.2.4 PERFORMANCE ENHANCEMENT FOR COMPLEX QUERIES

The following filter types will see a performance improvement in this
release:

1. All simple AND filter types, with and without NOT filters. Some examples
   are as follows:

      "(&(postalcode=wx*)(cn=hm))"
      "(&(postalcode=*)(!(sn=johnson)))"

2. Simple OR filters with no NOT filters and with the OR operator applying
   only to the same attribute type. Some examples are as follows:

      "(|(objectclass=person)(objectclass=inetorgperson))"
      "(|(postalcode=*wv*)(postalcode=B1 9XX))"

   Some examples of simple OR filters that will not see a performance
   difference are as follows:

      "(|(objectclass=person)(postalcode=*))"        => different attribute types
      "(|(!(postalcode=B1 9XX))(postalcode>=1000))"  => NOT filter present

3. Compound AND filters containing simple OR filters, subject to the
   limitation on simple OR filters described in case 2 above. For example:

      "(&(objectclass=inetorgperson)(cn=hm)(|(postalcode=*wv*)(postalcode=*XX))(!(sn=johnson)))"

2.2.5 SUPPORT FOR DEFAULT REFERRALS IN LDAPSEARCH

Administrators can configure a default referral in OID by creating a 'ref'
attribute containing the host name and port of other known OID directory
servers in the referral network. The 'ref' attribute should be created in
the DSE (Root) Entry.

2.2.6 SUPPORT FOR RUN TIME DEBUG LEVEL SWITCH

Directory Administrators can now modify the debug level of the OID server by
setting the 'orcldebugflag' parameter in the ROOT DSE entry to a different
debug level. The change will take effect without needing to restart the
Server. The old 'orcldebuglevel' parameter in the Oracle Internet Directory
configset has been removed.
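The fast-path rules of 2.2.4, as an added example (not Oracle's code and not part of these release notes): a small parser for the parenthesised filter syntax plus a classifier that reports which of the three rules a filter falls under, exercised on the page's own sample filters. A single-AVA filter is not in the 2.2.4 list and is reported as "none".

```python
"""Classify LDAP search filters against the fast-path rules of section 2.2.4.

Added example (not Oracle's code): an RFC 2254-style filter parser and a
classifier returning 'rule1' (simple AND, NOTs allowed), 'rule2' (simple OR
on one attribute type, no NOT), 'rule3' (compound AND whose ORs satisfy
rule 2) or 'none'.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    op: str                      # '&', '|', '!' or 'item'
    attr: str = ""               # attribute type of an 'item' (lower-cased)
    kids: List["Node"] = field(default_factory=list)


def parse_filter(text: str) -> Node:
    """Parse one parenthesised LDAP filter; values may contain '*' and spaces."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing characters after filter: {s[pos:]!r}")
    return node


def _parse(s: str, i: int) -> Tuple[Node, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        node = Node(op=s[i])
        i += 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            node.kids.append(kid)
    elif i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        node = Node(op="!", kids=[kid])
    else:
        # Attribute item "attr op value", read up to the closing parenthesis.
        # A ')' inside a value would need RFC 2254 escaping; not handled here.
        end = s.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        item = s[i:end]
        k = item.find("=")
        if k <= 0:
            raise ValueError(f"no comparison operator in {item!r}")
        attr = item[:k]
        if attr[-1] in "<>~":    # the >=, <=, ~= operators
            attr = attr[:-1]
        node = Node(op="item", attr=attr.strip().lower())
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def _atom_or_not(n: Node) -> bool:
    """A plain item, or a NOT wrapped directly around a plain item."""
    return n.op == "item" or (n.op == "!" and n.kids[0].op == "item")


def _simple_or(n: Node) -> bool:
    """Rule 2: OR of plain items, no NOT, all on the same attribute type."""
    return (n.op == "|" and len(n.kids) > 0
            and all(k.op == "item" for k in n.kids)
            and len({k.attr for k in n.kids}) == 1)


def classify(text: str) -> str:
    """Return 'rule1', 'rule2', 'rule3' or 'none' for a filter string."""
    n = parse_filter(text)
    if n.op == "&" and n.kids and all(_atom_or_not(k) for k in n.kids):
        return "rule1"
    if _simple_or(n):
        return "rule2"
    if (n.op == "&" and any(_simple_or(k) for k in n.kids)
            and all(_atom_or_not(k) or _simple_or(k) for k in n.kids)):
        return "rule3"
    return "none"


if __name__ == "__main__":
    for f in ("(&(postalcode=wx*)(cn=hm))",
              "(|(objectclass=person)(postalcode=*))",
              "(&(objectclass=inetorgperson)(cn=hm)"
              "(|(postalcode=*wv*)(postalcode=*XX))(!(sn=johnson)))"):
        print(f"{classify(f):6} {f}")
```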
2.2.7 SUPPORT FOR RESOLVING OBJECTCLASS HIERARCHY WHILE ADDING OBJECTS

Oracle Internet Directory now resolves the objectClass hierarchy when adding
a new entry. Users can choose to specify only the most specific objectClass
for a new entry, and OID will transparently include all other needed
objectClasses. For example, a new entry in the organizationalPerson class no
longer needs to specify the "top" and "person" objectClasses (which are
ancestors of organizationalPerson) at entry definition time.

2.3 REPLICATION NEW FEATURES and ENHANCEMENTS
---------------------------------------------

2.3.1 REPLICATION CYCLE FOR HUMAN INTERVENTION QUEUE IS NOW CONFIGURABLE

Changes which fail to be applied a number of times on the consumer directory
are moved into a 'human intervention queue'. Those changes will then be
re-attempted at a configurable interval as defined in the orclHIQSchedule
parameter in the Replication Agreement. orclHIQSchedule defaults to 10
minutes.

2.3.2 HUMAN INTERVENTION QUEUE MANIPULATION TOOL IS NOW AVAILABLE

Changes in the 'human intervention queue' can now be moved to the 'purge
queue' if no longer needed, or moved to the 'retry queue' if they need to be
re-attempted at a higher frequency.

2.3.3 REPLICATION RECONCILIATION TOOL IS NOW AVAILABLE

Oracle Internet Directory can now repair inconsistent data between different
directories. You can use the new OID reconciliation tool to synchronize the
entries on the consumer node with those on the supplier node. This tool can
be used to repair a leaf entry as well as an entire subtree.

2.3.4 DELETE NODE PROCEDURE IS NOW AVAILABLE

The OID administrator can now delete a node from a DRG. An administrator
might want to delete a node in the following situations:

(a) Adding a new node failed due to some unexpected system error, such as
    running out of table space while loading LDIF data. In this case, the
    administrator needs to delete the new node from the DRG.

(b) In case of a change in DRG requirements, an administrator may want to
    delete a node from the DRG and use it for other purposes.

2.3.5 SUPPORT OF CHANGE SUBSCRIPTION FOR OTHER DIRECTORIES

Other directories can now register themselves as change subscription clients
to an Oracle Internet Directory. This gives the client directories access to
the change log objects stored in OID and enables them to synchronize with an
Oracle Internet Directory.

2.4 LDAP SERVER LIMITATIONS AND ISSUES
--------------------------------------

2.4.1 MULTIPLE INSTANCES OF OID 2.1.1.0.0 SERVER RUNNING AGAINST ONE
DATABASE MUST RUN ON THE SAME MACHINE

You can run multiple instances of the OID Server 2.1.1.0.0 on the same
machine. For example, one server can be running in SSL mode while the other
may be running in non-SSL mode. However, all instances of the OID server
using a given database server MUST run on the same machine. For example,
running two OID servers, one on Machine A and another on Machine B, against
a database on Machine C is NOT supported. However, running both OID Servers
on Machine A against a database on Machine B is supported.

2.4.2 NO SSL SUPPORT FOR REPLICATION SERVER CONNECTIONS TO THE LDAP SERVER

In this release of OID, oidrepld server processes cannot use SSL to connect
to SSL-based oidldapd processes.

2.4.3 SSL V2 CLIENTS CANNOT CONNECT TO SERVER

LDAP clients using SSL v2 may experience "Can't Contact LDAP server" errors
sporadically in attempting to bind to Oracle Internet Directory 2.1.1.0.0
servers.

2.4.4 ORACLE INTERNET DIRECTORY DATABASE USER/PASSWORD SHOULD BE CHANGED

After installing Oracle Internet Directory, administrators may reset the
password used by the OID server processes to connect to and access the
underlying Oracle8i database tables by running the OID Database Password
utility ("oidpasswd"). Refer to the Oracle Internet Directory Administrator's
Guide for instructions on using "oidpasswd". The initial password is "ODS".

2.4.5 THE DEFAULT ACP DENIES WRITE ACCESS TO ALL USERS EXCEPT SUPER USERS

The default access control policy shipped with Oracle Internet Directory
2.1.1.0.0 will deny write access in the directory to all users except the
super user ("cn=orcladmin"). Site administrators can relax this policy based
on actual security considerations. The default ACL policy is loaded after
the installation has completed successfully, using an LDIF file called
"oidbaseacl.ldif". Please refer to Section 1.5 of this document for further
details.

2.4.6 INDEXED ATTRIBUTE NAMES CANNOT EXCEED 28 CHARACTERS

Using catalog.sh to create an index on an attribute will not succeed if the
attribute has more than 28 characters in its name.

2.4.7 ONLY ATTRIBUTES WITH AN EQUALITY MATCHING RULE MAY BE INDEXED

Indexes can be created only for those attributes that have an equality
matching rule specified in the attribute definition. If an attribute does
not have an equality matching rule specified, you must assign an equality
matching rule before indexing that attribute. See the Oracle Internet
Directory Administrator's Guide for more details on using the catalog.sh
utility and on supported matching rules.

2.4.8 INTEGER MATCH FOR EQUALITY OF INDEXED ATTRIBUTES BEHAVES LIKE A STRING
MATCH

When an attribute with integerMatch for EQUALITY is indexed using
catalog.sh, the matching rule of the attribute works like that of a string
rather than that of an integer.

2.4.9 ALIAS DEREFERENCING NOT SUPPORTED IN LDAP OPERATIONS

Oracle Internet Directory 2.1.1.0.0 does not support alias de-referencing in
LDAP operations.

2.4.10 SYNTAX CHECKING IS NOT SUPPORTED IN LDAP SERVER

The LDAP Server does not verify the syntax of the attribute values entered
by users during entry addition and modification.

2.4.11 SLOWNESS IN SINGLE AVA FILTER WITH HIGH SELECTIVITY

Subtree and one-level searches will be slow with a single AVA filter where
the filter is not specific, i.e. the catalog of interest has high
selectivity. The search will be slow even if the DN is very specific.

2.4.12 USE OF ATTRIBUTE OPTIONS IN REQUIRED ATTRIBUTE LIST NOT SUPPORTED

The current release of Oracle Internet Directory does not support the use of
attribute options, and hence does not support language codes, in the
required attribute list in search operations. OID ignores any language codes
or attribute options specified in required attributes and instead returns
all the values (with or without any attribute options) of the attributes
mentioned in the required attribute list.

2.5 REPLICATION LIMITATIONS
---------------------------

2.5.1 CREATING NEW DIRECTORY REPLICATION GROUPS (DRGs)

The Oracle Internet Directory Administrator's Guide section for creating new
Directory Replication Groups (DRGs) assumes that there is no pre-existing
directory data on any of the nodes being used for the DRG.

2.5.2 ADDING NEW NODES TO EXISTING DIRECTORY REPLICATION GROUPS

When adding a new node to an existing Directory Replication Group, there
should not be any pre-existing directory data on the new node. Any
pre-existing data will not be replicated to the other participants in the
DRG. If it is necessary to replicate the pre-existing data, that data should
first be extracted to an LDIF file using the 'ldapsearch -L' option and
re-loaded using the 'ldapadd' utility after the new node has been added to
the DRG and is capable of replicating new data to other nodes.

2.5.3 LOCAL SYSTEM-SPECIFIC METADATA IS NOT REPLICATED EXCEPT ACL POLICY
INFORMATION

DSE root-specific data, server configuration data, and replication agreement
data are not included in the data replicated between servers in a Directory
Replication Group. The only exception to the above rule is that the DSE
root-specific ACL policy attributes, orclaci and orclentrylevelaci, are
replicated.

2.5.4 REPLICATION SERVER DOES NOT PRESERVE SPACES BETWEEN RDN COMPONENTS

The Replication Server does not always preserve the spaces between RDN
components in the DN during entry replication. In some rare cases, it may
not preserve the case of the letters in the DN.

2.5.5 DO NOT USE BULKLOAD.SH TO ADD DATA TO A NODE THAT IS ALREADY PART OF AN
ACTIVE REPLICATION AGREEMENT

Once an LDAP server instance is participating in a replication agreement,
bulkload.sh should not be used to add data to the node. The 'ldapadd' tool
should be used to load the data.

2.6 LOG FILE LOCATIONS
----------------------

The Oracle Internet Directory components write their log and trace
information to log files that are maintained within the ORACLE_HOME
environment. The components and the locations of their log files are listed
here:

Component                               Log File Name
++++++++++++++++++++++++++++++++++++++  +++++++++++++++++++++++++++++++++++++++++
LDAP Dispatcher process "oidldapd"      $ORACLE_HOME/ldap/log/oidldapdXX.log
                                        where XX = Server instance #
LDAP Server process "oidldapd"          $ORACLE_HOME/ldap/log/oidldapdXXs.log
                                        where XX = Server instance #,
                                        s = Server process Id
Replication Server process "oidrepld"   $ORACLE_HOME/ldap/log/oidrepldXX.log
                                        where XX = Replication server instance #
Monitor process "oidmon"                $ORACLE_HOME/ldap/log/oidmon.log
Bulk Loader "bulkload.sh"               $ORACLE_HOME/ldap/log/install.log
Catalog Manager "catalog.sh"            $ORACLE_HOME/ldap/log/catalog.log
Replication Setup "ldaprepl.sh"         $ORACLE_HOME/ldap/admin/logs/ldaprepl.log

3.0 ORACLE INTERNET DIRECTORY CLIENT 2.1.1.0.0
==============================================

3.1 OID command line tools enhancements
---------------------------------------

3.1.1 PARALLEL BULK LOADING IS NOW SUPPORTED ON SOLARIS

The bulkload.sh tool supports a '-parallel' option, which can be specified
to perform the data loading in parallel (Solaris only).

3.1.2 SUPPORT FOR BINARY DATA LOAD IN BULKLOAD TOOL

The bulkload.sh tool now supports binary data load. This makes it possible
to add a new node using the ldifwrite-based node-adding procedure when the
existing nodes contain binary data.

3.2 OID command line tools limitations
--------------------------------------

3.2.1 INCORRECT LDIF DATA CAUSES SEGMENTATION FAULTS IN LDAP TOOLS
(bug 1103958)

If you are loading data using the LDIF format but have not included the
distinguished name of an object, the 'ldapadd' or 'ldapmodify' tool may
crash. To recover from this crash, delete any entries which were
successfully loaded, correct the LDIF file and re-run the command.

3.2.2 LDAP SEARCH LIMITATION

Approximate matching (or Fuzzy Matching) of entries is not supported.

3.2.3 LDAPSEARCH WILL NOT GENERATE LDIF OUTPUT BY DEFAULT

To generate LDIF-formatted output from the ldapsearch command line tool, use
the -L flag.

3.2.4 CATALOG MANAGER USAGE ISSUE

The Catalog Index Management Tool (catalog.sh) allows users to convert
previously non-searchable attributes into searchable ones by indexing them.
It also allows users to define and delete indexes on new attributes. Be
careful not to use the catalog.sh -delete option to remove indexes on
attributes unless you are absolutely sure that the indexes were not created
by the base schema that was installed with Oracle Internet Directory.
Removing indexes from base schema attributes can adversely impact the
operation of Oracle Internet Directory. Also see the server-side INDEXED
ATTRIBUTE limitations in notes 2.4.6 - 2.4.8.

You need to restart any running OID processes in order for them to recognize
the newly catalogued attribute(s).

3.2.5 COMMAND LINE TOOLS HANG WHILE ACCESSING OID IN SSL MODE WHEN THE -U
OPTION IS NOT SPECIFIED

The -U option must be specified when using the LDAP command line tools to
connect to an LDAP Server in SSL mode. Without it, the command line tool
will hang.

3.2.6 BULKMODIFY RETURNS MISLEADING ERROR IF FILTER CONTAINS NON-CATALOGED
ATTRIBUTE

If one tries to run the 'bulkmodify' utility using a search filter that
contains a non-indexed (i.e., non-searchable) attribute, the error reported
to the user is "Subtree Search failed". To rectify the situation, either
index the attribute by running catalog.sh on it, or change the filter
criteria to use only indexed attributes.

3.2.7 LDAPADD WITH "-r" OPTION IS NOT SUPPORTED

ldapadd with the "-r" option should replace the entry if an entry with the
same dn already exists in the directory. Instead, an "object already exists"
message will be reported when an entry of the same distinguished name
already exists in the directory information tree. You must delete the
existing entry manually in this case before creating the updated version,
or use ldapmodify instead.

3.3 Oracle Directory Manager (ODM, OID Administration Utility, 'oidadmin')
---------------------------------------------------------------------------

3.3.1 BUG FIXES AND ENHANCEMENT IN ODM SINCE 2.0.6
--------------------------------------------------

3.3.1.1 ODM ENTRY MANAGEMENT SUPPORTS THE DISPLAY OF OPERATIONAL ATTRIBUTES

The operational attributes can be the creator name, creation time stamp,
modifier name and modification time stamp.

3.3.1.2 ODM SUPPORTS CUSTOMIZED ACCESS CONTROL POLICY POINT (ACP) DISPLAY
(bug 988852)

When more than 5000 ACPs exist, it is better to utilize this new feature to
avoid potential hangs in ODM. Please refer to "Chapter 9: Managing Directory
Access Control" in the Oracle Internet Directory Administrator's Guide,
Release 2.1.1.

3.3.1.3 "MAKE OPTIONAL" BUTTON IN THE OBJECT CLASS EDITING FORM DOES NOT WORK
PROPERLY (bug 918761)

For modification of object classes under "Schema Management", after pressing
the "Make Optional" button with a mandatory attribute selected, the selected
attribute disappears from the "Mandatory" list. However, the attribute below
the selected mandatory attribute appears in the optional list, which means
the same attribute is displayed in both the mandatory and optional list
boxes. Thus, the change cannot be saved successfully.
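A pre-flight check for the crash described in 3.2.1, as an added example (not one of Oracle's tools and not part of these release notes): it parses LDIF records (comments, continuation lines, base64 values) and reports any record whose 'dn:' line is missing or is not first, so the file can be corrected before ldapadd or ldapmodify runs. The sample LDIF is constructed for the example.

```python
"""Pre-flight check of an LDIF file for records without a 'dn:' line.

Added example for section 3.2.1 (not one of Oracle's tools): ldapadd and
ldapmodify may crash on a record whose distinguished name is missing, so the
file is scanned here before it is handed to those tools.
"""
import base64
from typing import List, Tuple

Attr = Tuple[str, str]               # (attribute name lower-cased, value)
Record = Tuple[int, List[Attr]]      # (line number of first attribute, attrs)


def unfold(text: str) -> List[Tuple[int, str]]:
    """Drop '#' comments and join RFC 2849 continuation lines (leading space)."""
    out: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and out and out[-1][1] != "":
            out[-1] = (out[-1][0], out[-1][1] + raw[1:])
        else:
            out.append((lineno, raw))
    return out


def parse_ldif(text: str) -> List[Record]:
    """Split into records on blank lines; attribute order is preserved."""
    records: List[Record] = []
    current: List[Attr] = []
    first = 0
    for lineno, line in unfold(text) + [(0, "")]:   # sentinel flushes last record
        if line == "":
            if current:
                records.append((first, current))
            current, first = [], 0
            continue
        if not records and not current and line.lower().startswith("version:"):
            continue                                 # optional file header
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: not an attribute line: {line!r}")
        if rest.startswith(":"):                     # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                   # 'attr:< url', kept as written
            value = rest
        else:
            value = rest.strip()
        if not current:
            first = lineno
        current.append((name.strip().lower(), value))
    return records


def check_ldif(text: str) -> List[str]:
    """Report records that ldapadd/ldapmodify would receive without a dn."""
    problems = []
    for ordinal, (first, attrs) in enumerate(parse_ldif(text), 1):
        names = [name for name, _ in attrs]
        if "dn" not in names:
            problems.append(f"record {ordinal} (line {first}): no dn line")
        elif names[0] != "dn":
            problems.append(f"record {ordinal} (line {first}): dn is not the first attribute")
    return problems


# Constructed sample: record 2 has no dn (the 3.2.1 case); record 3 uses a
# base64-encoded dn and a folded 'sn' value.
ENCODED_DN = base64.b64encode(b"cn=encoded,o=example").decode()
SAMPLE = "\n".join([
    "version: 1",
    "dn: cn=hm,o=example",
    "objectclass: person",
    "cn: hm",
    "sn: hm",
    "",
    "objectclass: person",
    "cn: no dn here",
    "sn: crash",
    "",
    f"dn:: {ENCODED_DN}",
    "objectclass: person",
    "cn: encoded",
    "sn: encoded",
    " continued",
])

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE):
        print(problem)
```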
3.3.1.4 ODM DOESN’T HANDLE CACHE PROPERLY FOR CONFIGURATION SET MODIFICATION (bug 918691) Under "Server Management"->"Directory Server"->"Default Conf Set", choose "SSL Setting" tab and make some change. If clicking on other window, ODM would display a dialog box for confirmation. If clicking on "NO" for discarding the change, the dialog is dismissed. However, if returning back to the previously edited configuration set and clicking on other window, ODM would still display the confirmation dialog box. 3.3.1.5 DUPLICATE ENTRIES ARE SHOWN IN "MEMBER" ATTRIBUTE WHEN CREATING GROUP ENTRY (bug 914256) Under "Entry Management", choose any entry with member or uniquemember attributes. On the right panel, press the "Browse" button next to the attribute such that the search engine dialog will be displayed. Do entry search and highlight one entry in the result listbox and press OK. There are duplicated entries, selected from the search engine, displayed in the attribute field. 3.3.1.6 TWO OVERLAPPING MENUS APPEAR WHEN RIGHT CLICKING ON SOME MANAGEMENT CONTAINERS (bug 908781) When "Subtree Access Management", "Entry Management", "Server Management", "Schema Management" or "Audit log Management" are not highlighted, right clicking on any of them causes two overlapping menus to appear over the one clicked. 3.3.1.7 ODM REPORTS "FUNCTION NOT IMPLEMENTED" ERROR (bug 903472) If the LDAP server is down, 'oidadmin' reports a vague error message like "Function Not Implemented" instead of reporting that the LDAP server is down. 3.3.1.8 THE SEARCH CRITERIA OPERATION IN SEARCH ENGINE CANNOT BE CHANGED (bug 903463) Under "Entry Management", the search engine is displayed on the right panel. After configuring the search criteria over some period, users cannot make more criteria change. To get around this limitation, delete the entire search criteria and create a new one. 
3.3.1.9 USER LOGON WITHOUT PASSWORD SHALL BE TREATED AS ANONYMOUS LOGON

When an administrator logs into ODM with a user DN but no password, the
bind is not authenticated as that user: ODM is connected as the anonymous
user, with only the access the directory grants to anonymous users, and no
warning is given. Always supply the password; if later operations fail for
lack of access rights, first check that the login actually supplied one.

3.3.1.10 ODM DOESN'T POP UP A DIALOG BOX INDICATING WHEN SUCCESSFUL
         OPERATIONS HAVE COMPLETED (bug 760412)

ODM does not pop up a dialog box when an operation completes successfully;
the "Executed Successfully" message is displayed in the status bar instead.

3.3.1.11 ODM DOESN'T SAVE USER SETTING ACROSS SESSIONS (bug 760406)

This has been fixed: ODM saves the configuration information for
customizing the ACP display and the last server/port combination in the
$HOME/osdadmin.ini file.

3.3.2 Current Limitations of 'oidadmin'
---------------------------------------

3.3.2.1 ADMINISTERING OLDER VERSIONS OF OID WITH OIDADMIN 2.1.1.0.0

The version of ODM shipped with the 2.1.1 release works only with the
following versions of OID Server:

   2.0.4.x
   2.0.5.x
   2.0.6.x
   2.1.1

3.3.2.2 ADMINISTERING THIRD-PARTY DIRECTORIES USING OIDADMIN

Administering LDAP directories other than OID with 'oidadmin' is not
supported.

3.3.2.3 IMAGE FETCH EXCEPTION THROWN WHEN MACHINE DOES NOT HAVE ENOUGH
        MEMORY OR WHEN THE NETWORK IS SLOW (JDK bug #4112007 from JavaSoft)

One workaround is to raise the number of file descriptors available to the
process to 1024 with the shell's ulimit command (for example ulimit -n 1024
in sh, ksh or bash) before running 'oidadmin'.

3.3.2.4 "BIND FAILED" MESSAGE WHEN LOGGING INTO THE DIRECTORY USING
        'oidadmin'

This error message can be caused by an invalid user name or password. If
it occurs when logging in using SSL, it can also indicate an invalid SSL
location, SSL password, or SSL authentication level.

3.3.2.5 NOT SHOWING EMPTY ATTRIBUTES (bug 1370786)

ODM does not show all empty attributes in the "show all" attributes tab
under entry management if "top" is not defined as the last value in the
entry's objectclass attribute.

Workaround: Define top as the last value in the entry's objectclass
attribute.
3.3.2.6 HELP BUTTON IS NOT WORKING IN ODM STRUCTURAL ACCESS ITEM
        (bug 1369808)

After connecting to a directory server, click "Access Control", then
"Default ACP". In the "Structural Access Item" tab, click the "Create via
Wizard" button. The "Help" button in this window does not function. Also,
the label "Create via Wizard" has not been translated in other language
versions of ODM.

3.3.2.7 ODM FAILS TO CREATE AN ENTRY WITH OBJECTCLASS THAT DOES NOT INHERIT
        FROM ANY OTHER (bug 1360090)

Create an object class with no parent object class, then create an entry
that includes this object class. Entry creation fails.

Workaround: When creating a structural object class that does not inherit
from any other object class, always include top as its parent.

3.3.2.8 ERROR CODE=112 NOT DOCUMENTED (bug 1271471)

3.3.2.9 UNABLE TO DISPLAY ACP AT CN=AUDITLOG USING ODM (bug 1261398)

3.4 ORACLE INTERNET DIRECTORY PL/SQL API (DBMS_LDAP)
---------------------------------------------------------------------

Oracle database release 8.1.7 can interact with LDAP servers from the
PL/SQL programming environment through a new PL/SQL package, DBMS_LDAP.
Oracle Internet Directory Server need not be installed in order to use this
package. Any 8.1.7 database can be enabled for DBMS_LDAP by running the SQL
script catldap.sql, found in the $ORACLE_HOME/rdbms/admin directory. Please
refer to the Oracle Internet Directory Application Developer's Guide
(Release 2.1.1) for further details on using the DBMS_LDAP package.

4.0 Windows 95, 98, 2000 and NT specific issues
=====================================

4.1 BULKMODIFY & BULKLOAD CANNOT BE USED TO LOAD DATA

These tools cannot be used to load data from Windows 95 or 98 machines into
OID servers running on Windows NT or Windows 2000. Use ldapaddmt or
ldapmodifymt for bulk operations instead.
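The following PL/SQL block is an added example; it is not code from this
release note or from the OID distribution. It shows the DBMS_LDAP package of
section 3.4 binding to the directory, searching on an indexed attribute, and
replacing an attribute of an existing entry with modify_s, which is the
DBMS_LDAP counterpart of the ldapmodify workaround for the unsupported
"ldapadd -r" of section 3.2.7. It also refuses an empty bind password,
because a simple bind with a DN and no password is an anonymous bind, as
section 3.3.1.9 notes for ODM. The host name, port, bind DN, password,
search base, filter and mail value are assumptions; the calls and constants
are those documented for DBMS_LDAP in the Oracle Internet Directory
Application Developer's Guide (Release 2.1.1).

```sql
-- Added example (not from the release note). Host, port, DNs, password and
-- the mail value below are assumptions; replace them for your directory.
SET SERVEROUTPUT ON

DECLARE
  l_host     CONSTANT VARCHAR2(64)  := 'oid.example.com';      -- assumed
  l_port     CONSTANT PLS_INTEGER   := 389;                    -- assumed, non-SSL
  l_bind_dn  CONSTANT VARCHAR2(256) := 'cn=orcladmin';         -- assumed
  l_bind_pw  CONSTANT VARCHAR2(256) := 'welcome1';             -- assumed
  l_base     CONSTANT VARCHAR2(256) := 'ou=People,o=example';  -- assumed
  l_filter   CONSTANT VARCHAR2(256) := '(cn=jdoe)';            -- cn is an indexed attribute
  l_new_mail CONSTANT VARCHAR2(256) := 'jdoe@example.com';     -- assumed

  l_ld    DBMS_LDAP.session;
  l_bound BOOLEAN := FALSE;
  l_rc    PLS_INTEGER;
  l_res   DBMS_LDAP.message;
  l_entry DBMS_LDAP.message;
  l_dn    VARCHAR2(1024);
  l_attrs DBMS_LDAP.string_collection;
  l_vals  DBMS_LDAP.string_collection;
  l_mods  DBMS_LDAP.mod_array;
BEGIN
  -- A simple bind with a DN but an empty password is an anonymous bind
  -- (the behaviour section 3.3.1.9 describes for ODM). Refuse it here so
  -- the rest of the block never runs with anonymous access by mistake.
  IF l_bind_pw IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'refusing to bind with an empty password');
  END IF;

  -- Return LDAP result codes instead of raising; each call is checked below.
  DBMS_LDAP.use_exception := FALSE;

  l_ld := DBMS_LDAP.init(l_host, l_port);
  l_rc := DBMS_LDAP.simple_bind_s(l_ld, l_bind_dn, l_bind_pw);
  IF l_rc <> DBMS_LDAP.SUCCESS THEN
    RAISE_APPLICATION_ERROR(-20002, 'bind failed: ' || DBMS_LDAP.err2string(l_rc));
  END IF;
  l_bound := TRUE;

  -- Filter on an indexed attribute only (section 3.2.6); request mail only.
  l_attrs(1) := 'mail';
  l_rc := DBMS_LDAP.search_s(l_ld, l_base, DBMS_LDAP.SCOPE_SUBTREE,
                             l_filter, l_attrs, 0, l_res);
  IF l_rc <> DBMS_LDAP.SUCCESS THEN
    RAISE_APPLICATION_ERROR(-20003, 'search failed: ' || DBMS_LDAP.err2string(l_rc));
  END IF;

  IF DBMS_LDAP.count_entries(l_ld, l_res) = 0 THEN
    DBMS_OUTPUT.PUT_LINE('no entry matches ' || l_filter || ' under ' || l_base);
  ELSE
    l_entry := DBMS_LDAP.first_entry(l_ld, l_res);
    l_dn    := DBMS_LDAP.get_dn(l_ld, l_entry);
    l_vals  := DBMS_LDAP.get_values(l_ld, l_entry, 'mail');
    IF l_vals.COUNT > 0 THEN
      DBMS_OUTPUT.PUT_LINE(l_dn || ' current mail: ' || l_vals(l_vals.FIRST));
    ELSE
      DBMS_OUTPUT.PUT_LINE(l_dn || ' has no mail attribute');
    END IF;

    -- Replace the attribute on the existing entry. This is the modify-in-place
    -- alternative to deleting and re-adding the entry (section 3.2.7): the
    -- entry never disappears from the directory between a delete and an add.
    l_vals.DELETE;
    l_vals(1) := l_new_mail;
    l_mods := DBMS_LDAP.create_mod_array(1);
    DBMS_LDAP.populate_mod_array(l_mods, DBMS_LDAP.MOD_REPLACE, 'mail', l_vals);
    l_rc := DBMS_LDAP.modify_s(l_ld, l_dn, l_mods);
    DBMS_LDAP.free_mod_array(l_mods);
    IF l_rc <> DBMS_LDAP.SUCCESS THEN
      DBMS_OUTPUT.PUT_LINE('modify failed: ' || DBMS_LDAP.err2string(l_rc));
    ELSE
      DBMS_OUTPUT.PUT_LINE('mail replaced on ' || l_dn);
    END IF;
  END IF;

  l_rc := DBMS_LDAP.msgfree(l_res);
  l_rc := DBMS_LDAP.unbind_s(l_ld);
EXCEPTION
  WHEN OTHERS THEN
    IF l_bound THEN
      l_rc := DBMS_LDAP.unbind_s(l_ld);   -- do not leak the LDAP session
    END IF;
    RAISE;
END;
/
```

Run the block in SQL*Plus as a database user that has EXECUTE on DBMS_LDAP,
after catldap.sql has been run on that database. With use_exception set to
FALSE every DBMS_LDAP call returns an LDAP result code, so the block checks
each one and reports it through err2string instead of letting a failed bind
silently continue; the exception handler unbinds the session on any error so
a failed run does not leave a connection open on the server.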
4.2 PATH SETTINGS DO NOT TAKE EFFECT UNTIL THE SERVER IS REBOOTED

After the installation, path settings do not take effect until the machine
is rebooted. As a result, Oracle Directory Manager cannot be started until
after a reboot.

4.3 'BIND FAILED' OCCURS WHEN LAUNCHING ODM THE FIRST TIME AFTER INSTALLING
    OID ON WINDOWS 98

Workaround: Close Oracle Directory Manager, then launch it again.

4.4 NT WORKSTATION LIMITATION OF CONCURRENT CONNECTIONS

If you install OID on Windows NT Workstation, be aware that Windows NT
Workstation restricts the maximum number of simultaneous inbound
connections to six. If you expect to run OID at a higher load, install it
on Windows NT Server and purchase additional user licenses. Please contact
Microsoft for further details on concurrent usage.

4.5 BULK TOOLS LIMITATION

All bulk tools are implemented as UNIX shell scripts and can be used on NT
and Windows 2000 only under a UNIX shell emulator. The following toolkits
have been certified with the OID 2.1.1.0.0 shell scripts:

   - MKS Toolkit v5.1 or higher -- http://webstore.mks.com/webstore/
   - Red Hat's Cygwin -- http://sources.redhat.com/cygwin/

5.0 Corrections to Oracle Internet Directory Administrator's Guide
    (Release 2.1.1)
=====================================

5.1 Corrections to Chapter 3 - Preliminary Tasks
---------------------------------------------------------------------

5.1.1 ILLEGAL LDIF IN SETTING UPGRADE STATUS

On pages 3-13 and 3-16, the text now reads:

   Edit the input file as follows:
   dn:
   modify:replace
   replace:orclupgradeinprogress
   orclupgradeinprogress:FALSE

It should read:

   Edit the input file as follows:
   dn:
   changetype:modify
   replace:orclupgradeinprogress
   orclupgradeinprogress:FALSE